Identity Theft
29 October 2004 in .Net

Been a while since I last posted so I thought I’d dump something I’ve done recently.

I’m on holiday at the moment so this afternoon I decided that I would order a pizza. Decided to go with X pizza company (let’s keep them anon. for now). They have an interesting site where you can sign up and get the “Manager’s Special” which allows you to print out an online-only voucher and claim your discount.

What was interesting was that while looking at this page my flatmate and I had a poke around and found that with some very simple URL manipulation you can get the name and email address of everyone that has ever signed up with X Pizza Company of New Zealand.

This led me to think, how hard would it be to harvest these details? Within about 10 minutes I had a C# application that was dumping the details to a CSV file (I only got a few – don’t want any calls from my ISP to complain about DoS attacks coming from our IP :-) ). It was somewhat scary how easy this was to do.

My flatmate then made an interesting observation – most of the email addresses were Hotmail accounts. Sure enough, if you plug these into the MSN site we had about an 80% strike rate for getting the person’s profile.

So now, from this we could effectively build up:

  • Name
  • Email address
  • Likes / Dislikes*
  • Photo*
  • Age*
  • Marital Status*
  • Location in NZ*
  • Gender* (if you couldn’t guess from the name)
  • Favourite Quote*
  • Occupation*
  • Link to personal website*

*Information from the MSN profiles. Some of these fields may not be completed.

What makes this a little worrying is that it would probably only take about another 30 minutes of coding to build up a lot of information about all the people on the list we gathered from X pizza company.

When you really start to think about it further and imagine that you could automate a Google search on the email address or name (and possibly limit it to New Zealand sites only) you could build a huge database of information about people who have never met you in their entire life.

The amount of information on the net that could be used to exploit people through identity theft is enormous – and, as you can see, can be automated rather easily.

Obviously, while I mentioned that the details can be gathered from an exploit in a website, you could do it just fine without an exploit through things such as dating sites, message boards etc.

Makes you think about what you put online

- JD


1 comment.

Pizza Eater says 17 January 2005 @ 14:45

It wouldn’t be the company with the managers special that says

“X pizza company undertake to respect your right to privacy and protect all information collected. At no time will your details be shared with a third party. Such information will only be used by us for customer communication and market analysis purposes.”

Kinda scary…how many sites actually “protect” information collected?
