Sunday, 13 March 2005

Why spend money on schools, police or hospitals when you can spend it on insecure web services?

I recently got a letter from the council, saying they've set up a web site to access your council tax details - presumably to cut the cost of their staff answering simple enquiries. Sounds like a good idea in theory, until you remember who you're dealing with.

They gave me a password by post. They told me my account number was on my bills. The password was a f***ing 6 digit numeric code! It looks like everyone in town must have got one of these letters and I'm guessing each one of them has their own easily-crackable 6 digit password. When I got around to reading the damn thing, I logged on in a panic and changed it, but I wonder how many other people would actually be bothered?

What's to stop me (if I were so inclined) using a brute force attack to access somebody's account details? Of course, I'd hide this attack using proxies and maybe space it out over a period of time to hide the traffic boost - but what's the likelihood of the council being competent enough to be checking their logs for attacks anyway? Alright, I'd need the account number - the easiest way to get that is probably just to ring the council, pretend to be the target and just ask for it! There are other ways of course - read Kevin Mitnick's 'The Art of Deception' if you're interested.
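The two weaknesses the post complains about are measurable: a six-digit numeric code has only a million possibilities, and guessing them leaves a trail in the authentication logs that nobody is reading. The following is an added example, not code from the post or from any council system, showing what a defender would do with those logs: it computes the size of the PIN space, then scans a few constructed log lines (the line format, the documentation-range IP addresses and the failure counts are all assumptions made for this example; the account number is the one quoted in the post) and flags accounts whose failures are spread across several source addresses, which is what spacing an attack out over proxies looks like from the server side.

```python
import re
from collections import defaultdict

PIN_DIGITS = 6  # the council's all-numeric initial password length


def pin_keyspace(digits=PIN_DIGITS):
    """Number of distinct all-numeric codes of the given length (10^6 for six digits)."""
    return 10 ** digits


def hours_to_exhaust(attempts_per_second, digits=PIN_DIGITS):
    """Worst-case hours to try every code if the site accepts guesses at this rate unthrottled."""
    return pin_keyspace(digits) / attempts_per_second / 3600


# Constructed log format for this example (an assumption, not a real product's format):
# <timestamp> account=<digits> ip=<addr> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\d+) ip=(?P<ip>[\d.]+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: account 5687458743 is being guessed from four addresses,
# 1122334455 mistyped once, 9988776655 forgot the code a few times from one address.
SAMPLE_LOG = """\
2005-03-13T01:00:01 account=5687458743 ip=203.0.113.5 result=FAIL
2005-03-13T01:07:40 account=5687458743 ip=198.51.100.7 result=FAIL
2005-03-13T01:15:12 account=1122334455 ip=192.0.2.10 result=FAIL
2005-03-13T01:15:30 account=1122334455 ip=192.0.2.10 result=OK
2005-03-13T01:22:03 account=5687458743 ip=203.0.113.9 result=FAIL
2005-03-13T01:40:55 account=5687458743 ip=192.0.2.44 result=FAIL
2005-03-13T02:03:18 account=9988776655 ip=198.51.100.20 result=FAIL
2005-03-13T02:03:41 account=9988776655 ip=198.51.100.20 result=FAIL
2005-03-13T02:04:02 account=9988776655 ip=198.51.100.20 result=FAIL
2005-03-13T02:04:30 account=9988776655 ip=198.51.100.20 result=OK
2005-03-13T02:11:09 account=5687458743 ip=203.0.113.5 result=FAIL
2005-03-13T02:30:47 account=5687458743 ip=198.51.100.7 result=FAIL
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise_failures(log_text):
    """Per account: (number of failed logins, set of source IPs behind those failures)."""
    fails = defaultdict(int)
    ips = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        fails[rec["account"]] += 1
        ips[rec["account"]].add(rec["ip"])
    return {acct: (fails[acct], ips[acct]) for acct in fails}


def flag_guessing(log_text, fail_threshold=5, distinct_ip_threshold=3):
    """Accounts whose failures look like guessing rather than a forgetful owner:
    many failures, arriving from several different source addresses."""
    flagged = {}
    for acct, (n_fail, ip_set) in summarise_failures(log_text).items():
        if n_fail >= fail_threshold and len(ip_set) >= distinct_ip_threshold:
            flagged[acct] = {"failures": n_fail, "sources": len(ip_set)}
    return flagged


def should_lock(n_fail, max_failures=5):
    """Simple per-account lockout rule: stop accepting guesses after max_failures."""
    return n_fail >= max_failures


if __name__ == "__main__":
    print(f"{PIN_DIGITS}-digit numeric keyspace: {pin_keyspace():,}")
    print(f"hours to try every code at 10 guesses/s: {hours_to_exhaust(10):.1f}")
    for acct, info in flag_guessing(SAMPLE_LOG).items():
        print(f"account {acct}: {info['failures']} failures from {info['sources']} sources")
```

The per-account view matters more than the per-IP view here: a guesser who rotates proxies never trips a per-IP counter, but every attempt still lands on the same account, so a lockout or alert keyed on the account (paired with a code that is longer than six digits and not all-numeric) closes the gap the post describes.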

From this attack, I've gained the following information:

Their name, address, council tax account number, the complete details of their council tax payments and perhaps whether or not they live alone (if they claim the single occupant's discount).

Then unless their telephone number is ex-directory (not listed), and maybe even if it is, I could find out their telephone number and social engineer my way to their bank account details, like so...

Social Engineer: 'Hello Mr/Mrs X, I'm Bob from the local council, your account no. is 5687458743, right?'
Victim: 'Erm... yeah. right.' (would you even check?)
SE: 'Great, we're having some computer problems right now and the engineers are repairing some damaged tax records, mind if I just double check that we've got our records straight for your account?'
Victim: 'Yeah, ok, if it's quick.'
SE: 'Great, thanks, shouldn't take long. First, can you just confirm your address... is it [reads out full address]?'
V: 'Yeah'
SE: 'Right, that's a band B property?'
V: 'Yes'
SE: 'Ok, so you made the following payments on these dates, right... [lists recent payments]'
V: 'Sounds about right'
SE: 'great, thanks, oh... and can you just confirm your bank account and sort-code payment details please?'

Now I have your personal details, your marital status, your phone number and your bank account details. Scared yet? Wait until I phone you back three months later, when you've forgotten the sound of my voice, claiming to be 'Fred' from your bank who's having difficulty with our 'on-line banking service' and needs your current bank password so they can log in and 'reset it' (empty it into my Swiss bank account).

Banks lose millions of pounds a year to social engineering and identity theft, and it's all thanks in part to incompetent idiots like the local council. Nice work, idiots. It's good to see that my annual council-mugging of £683 a year is well spent! I mean, why spend that money on the schools, police or hospitals when you can spend it on insecure web services?