Security Through Education

A free learning resource from Social-Engineer, Inc

Home

The Social Engineering Framework

The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering. Please use the index below to find a topic that interests you.

Framework Sections

Section Articles

General Discussion

Select a topic from the index below

Information Brokers

The Federal Trade Commission (FTC) defines data brokers as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” Protecting Consumer Privacy in an Era of Rapid Change (March 2012) at page 68. Information or data brokers are also sometimes called information resellers, data vendors, or information brokers.  

An information broker can also be an individual who searches for information for specific clients. Information brokers may use various resources such as the Internet, online databases, public libraries, books and telephone calls.  

The FTC divides the data broker industry into three broad categories based upon the type of product that they sell: (1) marketing products, (2) risk mitigation products, and (3) people search products. Section IV page 23 of the FTC’s report Data Brokers: A Call for Transparency and Accountability (May 2014). Examples of risk mitigation and people search products are: 

 

How Information/Data Brokers Find Information

Information/data brokers use various sources to find their information. These may include the following:

  • Consumers may directly provide information either online or offline through warranty cards, sweepstakes entries, contests, and surveys
  • Government and public records. These could include, census demographic information, motor vehicle records, driver’s license records, telephone directories, voter registrations, court filings, real property and tax assessor records; court filings, recorded liens and mortgages, real estate listings, birth, marriage, divorce and death records, professional license filings, and recreational licenses
  • Purchase or licensing of information from other data brokers, retailers, and financial institutions
  • Social media platforms such as Facebook, LinkedIn, WhatsApp and others. Information including names, gender, location colleges/universities attended, and employment history is just some of the information that can be collected  

Data exploitation is part of the very DNA of  Facebook, as the recent scandal with Cambridge Analytica spotlighted. Here’s what happened as reported by Time.com/money, “A few years ago, a researcher put together a Facebook personality quiz that asked participants to download an app and give him access to their friends’ data. About 270,000 people consented, which ultimately led to some 50 million profiles being scraped for information. The researcher then gave to Cambridge Analytical, and the company used it to build profiles it sold to clients as political research.”   

As this example highlights, once information has been collected and analyzed, it is then packaged and sold to businesses and other organizations, government agencies, or other individuals.  

How Information Brokers Use Social Engineering

Information Brokers use elicitation, scams, courting, and pretexting to gather data about personal information.  

The following excerpt from the book, Information Risk and Security: Preventing and Investigating Workplace Computer Crime, provides an example of the tactic known as courting. “Information brokers and other determined social engineers often use a technique known as courting. Seemingly random or chance meetings that build a rapport and a level of trust between the social engineer and the target. Over time a relationship is built and subtly pressure is applied, and information gathered.” 

Example  

Docusearch 
On July 29, 1999, Liam Youens contacted Docusearch, requesting the date of birth for his former classmate, Amy Lynn Boyer.  Youens, contacted Docusearch again requesting Boyer’s Social Security number and her employment information. Docusearch obtained Boyer’s Social Security number from a credit reporting agency and sold it to Youens.  However, Youens still wanted Boyer’s work address. To obtain it, Docusearch hired Michelle Gambino to place a “pretext” call to Boyer. Under the pretext of working for Boyer’s insurance company, Gambino convinced Boyer to verify her work address so that an overpayment refund could be issued. In an article printed by the Chicago Tribune, Docusearch owner Daniel Cohn acknowledged that Gambino used a ruse to get the information.  Ms. Boyer’s mother also received a call from a woman claiming to be an insurance company official searching for someone entitled to a refund, a ploy Mr. Cohn said is typical. Tragically, Liam Youens used the information he purchased from Docusearch to fatally shoot Ms. Boyer as she was leaving her workplace.  

Information Brokers Who Were Social Engineered 

Examples 

ChoicePoint 
ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses. The applicants also reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies. Despite these obvious “red flags” the fraudsters passed ChoicePoint’s screening process to become subscribers. Now, posing as legitimate subscribers, the criminals purchased an estimated 163,000 financial data profiles from ChoicePoint. At least 800 cases of identity theft were reported as a result of this data breach.   

Lexis-Nexis via The New York Times 
Adrian Lamo aka the “homeless hacker” gained access to the New York Times database that contained the personal information for more than 3,000 contributors to the newspaper’s Op-Ed page. Mr. Lamo then created a fake identity and in three months’ time conducted over 3000 searches using the New York Time’s account with Lexis-Nexis. 

What You Can Do 

Collecting, analyzing, packaging and selling consumer information is nothing new. Information/Data brokers have been around for a long time. However, the speed and extent of data collection has certainly increased due to the advent of the internet, social media and the “always online” culture. 

Currently there is no Federal law that allows consumers to either see, correct or opt out of information compiled by data brokers. However, if the data broker engages in activity that causes it to become a Credit Reporting Agency (CRA), then consumers gain certain rights under the Fair Credit Reporting Act.  

The recent data breaches that have occurred within the information/data broker business emphasize the need to understand how and what information is collected. While it’s true that you may have little control over how your information is used, learning how it is obtained may affect the choices you make. If you are curious about how you may unknowingly give away information during a typical day, then please watch this video provided by The Federal Trade Commission.


Sharing Information: A Day in Your Life. Original Source: YouTube

There are some people search sites that offer an “opt-out” feature. You may need to read the fine print in the ‘privacy policy’ or ‘terms of service’ section of the specific search site. Privacy Rights Clearinghouse maintains a list of people search sites and corresponding opt out links.  

 

 

Looking for a Good Book?

  

Become a newsletter subscriber