This summer I needed to have some questions answered at the local Social Security office. I was greeted by a guard who told me I should use the automated check-in station to make an appointment. This was an ATM-looking device that asked for my personal information and the reason for my visit. I have to admit that some of the questions were a bit unclear, but I managed to get my ticket for an appointment.
I happened to be sitting next to this machine and realized that I could easily see people entering their personal information, including their Social Security numbers. It was clear that this would be a perfect hacking opportunity. I could write down their personal information as they entered it and use it for nefarious purposes. Actually, I only needed to get their Social Security number (SSN). I could always get their names when they were called for their individual appointments. Although phone calls were not allowed, most people in the waiting room were toying with their cell phones. If I had had hacking plans, I could probably have turned on my camera and discreetly videoed people entering their personal information. I wondered why no one else had noticed this… or maybe they had.
No, I did not gather anyone’s personal information, but I did wonder what I could do if I had their names and Social Security numbers. Here’s what I found out I could do.
Apply for a Credit Card
If I had someone’s name and SSN, I could apply for a credit card. Here is the application for a Visa card.
But what about the address, you may ask. Well, I could be fairly sure that the people using this office lived in the local area. If I wasn't sure, the first three digits of the SSN (the area number) would tell me where the number was issued: for numbers assigned before June 2011, the area number corresponds to the state or territory of the mailing address on the original application. The SSA switched to randomized assignment in June 2011, but how many people who received their number in 2011 or later are applying for credit cards? A background check run on the SSN could also give me more information.
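The structural rules for an SSN cut both ways: a thief uses them to guess where a victim lives, and a defender uses them to decide which nine-digit strings in a log or a data dump are worth treating as real SSNs. The following is an added example, not code from the original post. It applies only rules the SSA publishes (area numbers 000, 666 and 900-999 are never issued, the group number is never 00, the serial is never 0000, and the advertising numbers 078-05-1120 and 219-09-9999 were never assigned) and does not attempt the pre-2011 area-to-state lookup. The sample strings and log line are constructed for the example and are not real numbers.

```python
import re

# Matches the dashed ###-##-#### form; word boundaries stop it from
# picking up fragments of longer digit strings.
_SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Numbers SSA lists as never issued because they appeared on sample
# cards or in advertising.
_NEVER_ISSUED = {"078-05-1120", "219-09-9999"}


def plausible_ssn(candidate: str) -> bool:
    """Return True if the string has the form and ranges of an SSN that
    could actually have been issued. This is a structural check only:
    a plausible number is not necessarily assigned to anyone."""
    match = _SSN_RE.fullmatch(candidate)
    if match is None:
        return False
    area, group, serial = match.groups()
    area_n = int(area)
    if area_n == 0 or area_n == 666 or area_n >= 900:
        return False          # area numbers SSA never assigns
    if group == "00":
        return False          # group number is 01-99
    if serial == "0000":
        return False          # serial number is 0001-9999
    if candidate in _NEVER_ISSUED:
        return False          # known sample/advertising numbers
    return True


def find_ssns(text: str) -> list[str]:
    """Scan free text (a log line, a document, a paste) and return only
    the dashed nine-digit strings that pass the plausibility check, so a
    DLP rule or log monitor is not flooded by obvious placeholders."""
    return [m.group(0) for m in _SSN_RE.finditer(text)
            if plausible_ssn(m.group(0))]


if __name__ == "__main__":
    # Constructed log line: one plausible SSN, one all-zero placeholder
    # and one famous advertising number that should be ignored.
    line = ("user=jdoe action=update note='ssn 123-45-6789' "
            "ref=000-00-0000 promo=078-05-1120")
    print(find_ssns(line))
```

A number that passes this filter still deserves the same handling as any other sensitive value; the point of the check is to drop the placeholders that would otherwise drown real hits in a monitoring rule.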
After getting a credit card in the victim's name, I could buy anything I wanted online; I could use the card for anything the real cardholder could, until the victim realized something was wrong. I could even set up 2FA (two-factor authentication) on the account, but I would have to use a phone number or email address that could not be traced back to me; after all, I wouldn't want to be caught.
Get Medical Care
With a little work, it may be possible to get a Medicare card, though I would need enough additional personal information to do so. I could also obtain medical care and prescription drugs in the victim's name. The victim would not know about any of this until a bill or other paperwork arrived from a hospital or clinic. If you think this is a small problem, think again. Take a look at this chart from AARP showing how losses to medical fraud compare to the budgets of major government agencies.
Apply for a Tax Refund
Another way I could make money from your SSN is to claim your tax refund. This has, in fact, been happening a lot. Fraudsters holding PII (personally identifiable information) file a return in the victim's name early in the season, before the real taxpayer does. When the real person finally files, they are told that a return has already been submitted and the refund has already been paid out. Billions of dollars in refunds are lost this way every year.
Open Utility Accounts
It is becoming more common for fraudsters to use stolen personal information to open utility accounts. Some utility companies will open an account on the strength of a phone call and an SSN. In other cases, such as cable TV, the fraudster may have to supply a credit card number as well, which is no problem if they have already obtained a card in the victim's name. Keep in mind that family members may have access to your SSN and may use it for their own ends. It is not pleasant to think about, but it happens far more often than you might think. There is also something known as 'ghosting', which is using a dead person's SSN to obtain services.
Sell Personal Information on the Dark Web
The most common way for criminals to make money from personal information is to sell it on dark web markets. That said, I wouldn't make much money selling a few SSNs there: at best about $5 per number, and even credit card data would only net me around $25 per record. Why so little? After the Equifax breach and others like it, there is an overabundance of personal information for sale, so the only way a seller makes real money is to move it in bulk. On the positive side, at least for the seller, dealing in bulk lowers the chances of ever being caught and prosecuted; using stolen information personally, one victim at a time, would expose the thief to far more risk, even though few criminals who do so are actually caught.
I did not tell the office about their exposure to a possible hack. Why? Because from my experience in cybersecurity, I realized no one would take me seriously. They may pretend to listen, but that's as far as it would go. It's a common complaint among those in the cybersecurity game. No one really cares about cybersecurity until they are a victim. The best I could have done is to perform a proof-of-concept hack. That is, I could have gathered some personal information and shown it to someone in authority. I would give this a 50% chance of getting a reaction.
Look at it this way. The Equifax breach exposed the personal information of 147 million Americans, each of whom could have suffered serious economic losses. Equifax agreed to a settlement of up to $700 million, with $425 million earmarked for victims who applied for compensation. So if all 147 million victims had applied, each would have received less than $3 (about $2.89). And you wonder why no one takes cybersecurity seriously. After all, did Equifax suffer as much as the poor sap who lost all of his or her savings?
If anyone from the Social Security Administration is reading this, you may want to contact your field offices and let them know about this vulnerability. If you visit a Social Security office, check your surroundings. If the check-in machine is exposed to public view, shield the screen and keypad with your body as you enter your data and, if you want to spend the time, inform those in charge about your concerns.