Security Through Education

A free learning resource from Social-Engineer, Inc

Home

The Social Engineering Framework

The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering. Please use the index below to find a topic that interests you.

Framework Sections

Section Articles

General Discussion

Select a topic from the index below

Information Brokers

The Federal Trade Commission (FTC) defines data brokers as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud.” Protecting Consumer Privacy in an Era of Rapid Change (March 2012) at page 68. Information or data brokers are also known as, information resellers, data vendors, or information brokers.

An information broker can also be an individual who searches for information for specific clients. Information brokers may use various resources such as the Internet, online databases, public libraries, books and telephone calls.

Three Broad Categories

The FTC divides the data broker industry into three broad categories based upon the type of product that they sell. These categories are; (1) marketing products, (2) risk mitigation products, and (3) people search products. Examples of risk mitigation and people search products are:

How Information/Data Brokers Find Information

Information/data brokers use various sources to find their information. These may include the following:

  • Consumers may directly provide information either online or offline through warranty cards, sweepstakes entries, contests, and surveys.
  • Government and public records. These could include:
    • census demographic information,
    • motor vehicle records, and driver’s license records,
    • telephone directories, voter registrations, and court filings,
    • real property and tax assessor records,
    • court filings, recorded liens and mortgages, real estate listings,
    • birth, marriage, divorce and death records,
    • professional license filings, and recreational licenses.
  • Purchase or licensing of information from other data brokers, retailers, and financial institutions
  • Social media platforms such as Facebook, LinkedIn, WhatsApp and others.

Packaged and Sold

After information is collected and analyzed, it is then packaged and sold to businesses. Government agencies, as well as other individuals, may also purchase data sets.

An example of harvesting, analyzing, packaging, and selling information is seen in the recent scandal involving Facebook and Cambridge Analytica. In fact, it illustrates that data exploitation is part of the very DNA of  Facebook. Here’s what happened, according to Time.com/money,  “A few years ago, a researcher put together a Facebook personality quiz that asked participants to download an app and give him access to their friends’ data. About 270,000 people consented, which ultimately led to some 50 million profiles being scraped for information. The researcher then gave to Cambridge Analytical, and the company used it to build profiles it sold to clients as political research.”

How Information Brokers Use Social Engineering

Information Brokers use elicitation, scams, courting, and pretexting to gather data about personal information.

The following excerpt from the book, Information Risk and Security: Preventing and Investigating Workplace Computer Crime, provides an example of the tactic known as courting. “Information brokers and other determined social engineers often use a technique known as courting. Seemingly random or chance meetings that build a rapport and a level of trust between the social engineer and the target. Over time a relationship is built and subtly pressure is applied, and information gathered.”

Docusearch and Pretexting

Liam Youens was looking for information on a former classmate. He, therefore, contacted Docusearch for the first time on July 29, 1999.  His initial request was for the birth date of his former classmate, Amy Lynn Boyer.  However, Youens was after more information. So, he got in contact with Docusearch again. This time, Youens was after Boyer’s Social Security number, as well as, her employment information. Docusearch obtained Boyer’s Social Security number from a credit reporting agency and sold it to Youens.  However, Youens still wanted Boyer’s work address. Therefore, Docusearch hired Michelle Gambino to place a “pretext” call to Boyer, in order to obtain this information. By pretexting as an employee for Boyer’s insurance company, Gambino convinced Boyer to verify her work address so that an overpayment refund could be issued.

In an article printed by the Chicago Tribune, Docusearch owner Daniel Cohn acknowledged that Gambino used a ruse to get the information.  Ms. Boyer’s mother also received a call from a woman claiming to be an insurance company official searching for someone entitled to a refund, a ploy Mr. Cohn said is typical. Tragically, Liam Youens used the information he purchased from Docusearch to fatally shoot Ms. Boyer as she was leaving her workplace.

Social Engineering Information Brokers

At times, information brokers become the targets of bad actors. Lexis-Nexis and ChoicePoint are two examples.

ChoicePoint

ChoicePoint approved as customers individuals who lied about their credentials and used commercial mail drops as business addresses. The applicants also reportedly used fax machines at public commercial locations to send multiple applications for purportedly separate companies. Despite these obvious “red flags” the fraudsters passed ChoicePoint’s screening process to become subscribers. Now, posing as legitimate subscribers, the criminals purchased an estimated 163,000 financial data profiles from ChoicePoint. At least 800 cases of identity theft were reported as a result of this data breach.

Lexis-Nexis via The New York Times

Adrian Lamo aka the “homeless hacker” gained access to the New York Times database that contained the personal information for more than 3,000 contributors to the newspaper’s Op-Ed page. Mr. Lamo then created a fake identity and in three months’ time conducted over 3000 searches using the New York Time’s account with Lexis-Nexis.

What You Can Do

Collecting, analyzing, packaging and selling consumer information is nothing new. Information/Data brokers have been around for a long time. However, the speed and extent of data collection has certainly increased due to the advent of the internet, social media and the “always online” culture.

Currently there is no Federal law that allows consumers to either see, correct or opt out of information compiled by data brokers. However, if the data broker engages in activity that causes it to become a Credit Reporting Agency (CRA), then consumers gain certain rights under the Fair Credit Reporting Act.

The recent data breaches within the information/data broker business emphasize the need to understand how  data brokers collect information. And, what information is collected. While it’s true that you may have little control over how your information is used, learning how it is obtained may affect the choices you make. If you are curious about how you may unknowingly give away information during a typical day, then please watch this video provided by The Federal Trade Commission.


Sharing Information: A Day in Your Life. Original Source: YouTube

Additionally, there are some people search sites that offer an opt-out feature. You may need to read the fine print in the privacy policy or terms of service section of the specific search site. Privacy Rights Clearinghouse maintains a list of people search sites and corresponding opt out links.

Â