ID Theft, Porn, and Profit: My 2:00am Dumpster Dive
So… last night I was taking out my trash.
Part 1: The Find
As I hurled the bag towards the dumpster, my 6’2″ stature allowed me to catch a glimpse of some electronic devices. Never one to pass up a good offering, I climbed up the side and leaned in to view my catch.
Sure enough, among the piles of trash bags was an old HP desktop, some accessories, and (as you can see from the picture) someone’s collection of Playboy magazines. Underneath the Playboys was a rather nice collection of college textbooks, still in pretty good shape. Worth trying to re-sell at the ISU bookstore? You bet.
It was very apparent that whoever had dumped the computer was also responsible for the simultaneous dumping of the other items; they were pretty much the only things not in trash bags in the entire dumpster, with the exception of a mattress that smelled like it was once a surgical experimentation table.
I grabbed the books and desktop, and assessed my new collection.
Side thought to the person who threw this stuff out: nothing attracts women like a man who studies public policy, is sensitive to economic conditions, and keeps a fairly impressive stash of Playboy magazines in his dorm.
Not that I care if you believe me, but I tossed the Playboys back in and promptly washed my hands. Because really… who is going to keep someone’s used Playboy magazines? Exactly. Besides, I don’t think the girlfriend would have approved.
I pulled the hard drive and a PCI graphics card; the latter of which I often need, yet never seem to have.
The hard drive was quite chilly (it was about 40°F outside), so I let it warm up a little and worked on slightly more pressing matters (like studying for final exams).
Because of my unequivocal laziness I simply stuck the drive in my coffee mug rather than actually installing it properly. You might attribute this carelessness to the fact that the drive wasn’t mine, so I had nothing to lose if it should fall. I hate to admit to you that I do this with my expensive drives on occasion too, though.
Once powered on, the hard drive began spilling its secrets. Within minutes I had gleaned enough information to steal two identities and ruin the owner’s reputation. I’m not interested in doing either here though, so I’ve censored my findings, shown below.
Part 2: The Results
Cory, this PC’s previous owner, had scanned his Iowa Driver’s License and saved it to his My Documents folder. Big, big no-no. Keep information like this off your electronic devices. Even though the License itself isn’t the jackpot for an identity thief, the information gleaned would be invaluable for a social engineering attack.
Jackpot; this is what an identity thief is looking for. Loan application, scanned in with social security numbers, addresses, and full names of two individuals, the owner of the computer and a family member. It’s always best to never store electronic documents with sensitive information on them in the first place, but if you have to, be sure you properly remove them before discarding the computer. How does one properly remove them? We’ll cover that in just a bit.
The “Remember password” feature in Chrome, Internet Explorer, and Firefox is a hacker’s best friend. With freely available utilities, these passwords can be stolen almost instantly. Our target, Cory, only has Internet Explorer installed, so I ran NirSoft’s IE PassView utility to recover the passwords stored with his account.
One result came back. It seems that Cory has a membership to an “Ultimate BBW” site. I, being completely naive, figured that BBW stood for something sports-related (I have no understanding of anything in the sports world), so I browsed to the website. Well… I assure you that “BBW” has nothing to do with sports.
Apparently “BBW” stands for “Big Beautiful Women”, and this website caters to individuals who have a sexual fetish for very, very large women. Of course I didn’t happen to know this beforehand, so now “what has been seen cannot be unseen”, as they say.
But anyway, do yourself a favor and don’t type that into your address bar. I cannot be held liable if you are emotionally damaged by the material contained within.
Now back on topic: Cory (or someone using his computer) has a thing for the larger ladies, it seems. And to him I say, “To each, their own”, but oftentimes people aren’t so lucky.
Time and time again, we’ve seen hackers or dumpster divers recover potentially embarrassing information, only to turn around and use it as blackmail against the individual. This is especially true of “sexted” pictures, when the sender or receiver isn’t careful about how those items are stored. So remember kids, wipe your sensitive data from your drives before disposing of them (or even lending them to others).
Part 3: The Wrap-Up
Remember how I found those books along with the computer? The next day I took them to the university’s book store, hoping that I’d get a few dollars out of them. To my delight, the pile had a total value of $57. On top of that, I won a candy bar!
Day == Made.
The money went to a nice dinner at our local pizza place, and it was delightful.
Additionally, if I were a real identity thief, I would have done pretty well with minimal effort. I had obtained:
- The social security numbers, full names, addresses, and phone numbers of two individuals
- The driver’s license number of the owner, Cory
- Potentially embarrassing personal data for blackmailing purposes
- $57 from re-sold books
I’m not going to count the Playboy magazines or the membership information for the porn website, but perhaps for a small subset of thieves this accomplishment would be noteworthy. Personally, I don’t wish to have either.
Alright, from here on we’re getting helpful and preachy. Don’t mind my tangents.
Part 4: Destroying Your Data
To ensure your data is destroyed, I encourage you to seek help from someone who is tech-savvy if you don’t feel comfortable doing these things yourself.
Here’s the deal: when you tell your computer to delete something, it doesn’t actually remove that file. Instead, it just tells the drive that if needed, that space can be utilized later by a new file. This is a simplification of a complex process, but we’re just on the basics right now. So, even if you delete “super_secret_nude_picture_of_myself.jpg” from your computer, it takes all of two seconds for someone with the right know-how to get it back.
So how do we solve that issue? Well, instead of just deleting the file, you can use special programs that actually write random data over the place on the drive where the file used to be stored, effectively rendering the file’s recovery impossible. Had Cory done this to his desktop, I would not have ever known about his social security number or sexual fetishes. Sounds like a good idea now, doesn’t it?
One great utility for destroying your data is KillDisk, a free CD-bootable software package that can completely erase your drive’s contents. Just download the software, burn it to a CD, and reboot. But remember, once you’ve started the process, there’s no turning back.
But perhaps you want to destroy personal data without erasing the entire drive? Give the free utility Eraser a try. Eraser adds an option to your right-click menu, so all you have to do is right-click on a file or folder, and Eraser will take care of the rest. It overwrites the space the file occupied with random data and prevents prying eyes from ever recovering the information.
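The difference between an ordinary delete and an overwriting delete, as an added example that is not part of the original post. `ToyDisk` and its methods are a hypothetical toy model of a drive (raw blocks plus a directory), and the file names and the SSN-style string are constructed sample values.

```python
import os

BLOCK = 16  # toy block size in bytes (assumption of this model)


def _span(length):
    """Round a byte length up to whole blocks."""
    return -(-length // BLOCK) * BLOCK


class ToyDisk:
    """Toy drive: raw bytes plus a directory mapping name -> (start, length)."""

    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)
        self.directory = {}
        self.next_free = 0

    def write(self, name, data):
        start = self.next_free
        if start + len(data) > len(self.raw):
            raise ValueError("toy disk is full")
        self.raw[start:start + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free = start + _span(len(data))

    def delete(self, name):
        # Ordinary delete: only the directory entry goes away.
        self.directory.pop(name)

    def secure_delete(self, name):
        # Overwrite every block the file occupied, then drop the entry.
        start, length = self.directory.pop(name)
        self.raw[start:start + _span(length)] = os.urandom(_span(length))

    def raw_scan(self, marker):
        """What a recovery tool does: ignore the directory, read raw bytes."""
        return marker in bytes(self.raw)


def demo():
    secret = b"SSN=000-00-0000"  # constructed sample value
    results = {}
    for method in ("delete", "secure_delete"):
        disk = ToyDisk()
        disk.write("notes.txt", b"grocery list")
        disk.write("loan_application.txt", secret)
        getattr(disk, method)("loan_application.txt")
        results[method] = {
            "listed": "loan_application.txt" in disk.directory,
            "recoverable": disk.raw_scan(secret),
            "other_file_intact": disk.raw_scan(b"grocery list"),
        }
    return results
```

On real hardware, SSD wear levelling and journaling or copy-on-write filesystems can leave copies of a file in places a per-file overwrite never touches, so a whole-drive wipe is the safer choice before disposal.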
Part 5: Sexting
If you have pictures of yourself or a loved one that you’d rather not have other people see, take a moment to just delete them (securely!) right now. The longer you hold on to them, the more likely it becomes that eyes other than yours will be viewing them as well. It’s not worth risking your reputation, so just don’t do it.
I’m always amazed when I hear about people sending nude photos via MMS (cell phone “picture messaging”). Have any of these people stopped to think about the sheer number of server administrators who have access to those files at the cell phone companies? That’s right, 47-year-old Ned (who isn’t really a “people person”) has probably already lifted that picture of you without underwear on and copied it to his flash drive. Have fun sleeping with that thought tonight.
Additionally, most young-adult relationships have a shelf-life shorter than skim milk. So once you break up in a week, what’s he/she going to do with those pictures? I’ll put down a few hundred that the answer is not a secure deletion using proper data destruction methods. Unless you count posting the picture on a porn website as secure deletion… but I don’t.
Part 6: If You Are A Victim
If you have reason to believe your identity or credit card information has been stolen, be sure you notify the appropriate agencies and continue to watch your credit. The FTC has a great website for anyone who has questions about any part of the process as well.
If you are being blackmailed, just contact the police. If you give in once, the attacker will just keep pressing harder; it’s a vicious circle.
Alright, that’s all I’ve got. Have fun, kids.
I did not, at any point, log into this person’s online accounts. All of my actions were legal, as anything you throw in a dumpster forgoes an expectation of privacy (see California v. Greenwood). The line of illegality would have only been crossed if I had used the information I gleaned. I am a strong advocate for responsible disclosure, hence my censoring of the subject’s full name and personally identifiable details.
Additionally, I zeroed the drive with a three-pass erasure before disposing of it to ensure that this individual’s personal information would be protected in case anyone else were to come across the drive.