A renowned cybersecurity consultant, Reetwika warns us against dumpster divers, who collect discarded items from garbage bins (dumpsters) and make money by vending them to resellers. A cybercriminal gathers information about his victims in a similar way. She offers invaluable tips to safeguard against such crimes, in the weekly column, exclusively for Different Truths.
Wondering how a poor dumpster diver can bankrupt you so easily? Let’s first understand who a dumpster diver is and how he works. Any person who collects discarded items from a garbage bin (dumpster) and makes money by vending them to a reseller is called a dumpster diver. In Asian countries, it is a very common scene: poor children and women often hunt from waste bin to waste bin, collecting abandoned materials.
But have you ever thought what the magnitude of the consequences will be if a cybercriminal does the same to gather information about his victims? He does not need to be an intelligent techie to hack your systems. He just pays your maid some cash and has her hand over all your discarded papers and electronic waste to him once a week. It is not clear how much she will earn out of the deal, but the attacker will definitely dig treasure out of your trash.
I am sharing a few real-life case studies below which will make your legs tremble in trepidation.
Theft of Rejected Resumes
Here’s an interesting case study from the recruitment sector. Let us assume you are looking for a job switch and getting face-to-face interview calls from multiple companies. As a common practice, they ask you to bring a copy of your updated resume (with colour photo, email ID, phone number, address, nationality, previous employment history, educational background, current salary, expected salary etc.), your last six months’ payslips and other credentials including government photo ID proofs.
Whatever the result of the interview, do you know what the recruiters will do with the papers you submitted once it is over? If you are selected, you may still have better luck. What if you are rejected? Are they going to preserve your documents in a locked safe? In the majority of cases, the papers of rejected candidates are dumped without scrubbing and later sold off to scrap buyers on a dry weight basis.
Some day later, while enjoying roadside snacks with your beloved, you suddenly discover that they are being served on a photocopy of your passport. Can you imagine the risk posed to you? How easy it was for the cybercriminal to get access to your salary account and personal information, and create havoc with them. Upon investigation, all proofs point to you. There is no way you would be able to trace back to the evil mind. It really happened to an unfortunate Indian software engineer during his job hunt phase.
Faulty Bank Machines: Dumpster Diver’s Paradise
You might like to read a shocking case study from the banking sector. Let’s say you are one of the premium customers of a bank with whom you have your salary account, three credit cards, an international debit card, a PPF account, and investment deposits of Rs. 50 lakhs. Recently you have been in touch with their loan officer for a big housing loan. You have been asked to mail scanned copies of various sensitive documents for CIBIL (a Mumbai-based credit information company) score calculation, and you did your best to get a good score.
To check the loan approval status, one fine morning you log in to your online banking profile and discover that all your deposits have been liquidated, with zero cash left in your salary account. Shockingly, you did not receive any message or email to track the account operations. When you report it to the bank, they refuse even to look at it and simply put the entire fault on you. However, that does not mean the bank cheated you. Then what made all this possible? The answer is dumpster diving with unauthorized access to any of the bank’s machines.
Some popular nationalised banks, trusted to be otherwise very secure, have the worst of cybersecurity standards implemented. Most of the physical maintenance of their devices, including desktops, hard drives, CPUs, servers, network links, cables, etc., is randomly outsourced to local engineers. In case of any downtime, someone from the respective branch gives a personal call to the engineer. Most of the time, he sends a mechanic to look into the issue.
Let’s say the mechanic comes and discovers that the hard drive of your loan officer’s machine has crashed and cannot be repaired on site. So he is allowed to dismantle the system, take the faulty hard drive out and replace it with a new one so that there is minimum downtime. The bank does not care about the damaged item. It happily gets rid of it for a trivial scrap recycling amount when the mechanic offers to take it away with him. The issue is fixed quickly. The bank is happy.
But what about the customers? Did the bank verify whether any customer or bank information was stored on the rejected hard drive? Was USB access disabled on the machine before the mechanic accessed it? Did any of the employees escort him physically during his work inside the bank premises? Did the bank do a background verification of the engineer before giving him the contract? Can he be tracked now for an investigation?
It was so easy for him to get unauthorized physical access to your loan officer’s machine connected to the bank’s network, copy all prospective borrowers’ data, including yours, from the system onto a personal USB drive, take the faulty drive away with him and replace it with a fresh one. It takes a software engineer hardly a day’s effort to retrieve information from a crashed hard drive. The bank could never detect where it went wrong. The customer is ravaged.
Rejected Print Outs at Cyber Cafés
Let us now zoom into our personal habits. Have you ever been to a cyber café to take printouts of your personal documents like travel tickets, bank statements, cancelled cheques, government ID proofs, doctor’s prescriptions, claim bills for reimbursements etc.? Well, who has not!
Or do you have easy, unmonitored printer access at your home or office? If yes, how often do you or your kiddo take printouts of your personally identifiable documents? Another common scene in any household.
Now comes the most important question. Once the job is done, how do you handle the disposal of those papers? Most of us simply throw them into the dustbin for housekeeping to dump. Have you ever thought whether the housekeeping guy is a dumpster diver in disguise, or himself a compromised chap?
Selling off waste paper is absolutely legal, and hence no one can catch hold of him even if he gets identified. The loss is entirely yours. He cannot be blamed for making a fortune out of your trash unless he did so unlawfully. Unfortunately, an eminent corporate house’s VP lost critical business information about an ongoing bid’s quotation worth millions of dollars (and eventually his job). Upon investigation, it was later found that one of their competitors had got in through the VP’s personal housekeeping staff, who used to clear the papers dumped by him and hand them over to the competitor for a petty sum. The VP was sacked, but the loss of business was irrecoverable.
Printed ATM Statements & Cancelled Cheques
How do you prefer to see your ATM statement: as a printed transcript or on the screen? Well, I always prefer the former, and it is common human psychology to rely more on tangible proof than on a soft copy. That is why, even after multiple reminders, people print their ATM statement, quickly glance at the available balance and throw the paper into the bin or outside the ATM counter. There lies the dumpster diver’s heaven.
From the bank account number, social security number, card info, account owner name and withdrawn cash amount to the remaining available balance, he gets all that he needs to know about your financial self.
Nowadays, banks are masking the account information to prevent printing of sensitive data. But whatever remains is still good enough for a tech-savvy criminal to crack the remaining digits using hi-tech apps. A young businessman lost a huge sum because of his habit of throwing cancelled cheques and statements into the ATM bins. Since they were required for his business operations, he should have taken additional care to dispose of them safely.
Tips to Safeguard from Dumpster Divers
Give yourself some time to look back and check whether you are allowing any of the above poor practices at your home or office and enabling easy data thefts. If yes, it is high time to take precautions to prevent further loss. I share here some useful and easy tips to safeguard your valuables from dumpster divers.
Always remember to shred your waste paper documents using a cross-cut or micro-cut shredder (the most reliable of all shredder types to prevent reconstruction from the tattered pieces). The majority of corporate offices have at least one shredder installed. If not, try to burn the papers safely rather than simply dumping them into the trash bin.
While sharing your personally identifiable sensitive documents for job search or other purposes, do remember to self-attest them with a date so that they cannot be directly reused. Any photocopied document with a date more than six months old is not legally valid or acceptable.
While mailing scanned copies of your sensitive credentials to any vendor or bank, do remember to lock them with a password and share the key over another medium (other than email) so that even if they are compromised, there is an additional layer of security.
It is good practice to use basic encryption to secure your personal hard drives and to delete all information from them before disposal. Open source encryption software is easily available online and does not require technical knowledge to use.
If you need to dump your faulty machine parts, especially devices which store information (e.g. hard disks), always remember to degauss or purge them before scrapping. Degaussing will permanently delete all the information from the magnetic tape and it cannot be retrieved later by any means.
Avoid taking ATM statement prints to the maximum extent possible. In that way, you will not only save paper but also save your cash. If it is necessary to take a print, dump it only after chopping it manually into the smallest pieces possible. It is perhaps time for ATMs to display a ‘Save your money’ disclaimer rather than ‘Save paper’ to discourage statement prints.
Always keep an eye on your maid while she is at work. She should not be allowed to carry away any paper or electronic waste without your knowledge. It could be really dangerous. Domestic staff are the easiest picks for dumpster divers.
Do not save passwords or network passkeys on sticky notes, mobiles or any papers. You might have changed your password before throwing the sticky note into the bin, but the attacker can work out the pattern behind your passwords, as every human brain works in a similar fashion under similar situations. Rather, keep them in your mind or somewhere physically out of others’ reach.
Last but not least, as I keep saying in all my articles, train yourself to be a responsible consumer of technology. There is no mercy for ignorance in cyberspace.