Identity theft enabled by fun quizzes.

If you are on social media, you will no doubt have come across those fun quizzes. You know the ones, “What’s your Westeros name?” or “What was the number 1 song the day you were born?” Did you realise that by actually answering these quizzes online, you could be enabling identity theft … of YOUR identity!

Now I’m not for one minute saying that the people who create these quizzes are doing so for nefarious reasons. They’re not all like Cambridge Analytica. But by answering these questions truthfully, you are putting certain pieces of personal data into a publicly accessible place, that others can easily find.

So what kind of quizzes specifically are we talking about?

You know the ones:

  • What was your first job?
  • What street did you grow up on?
  • What car did you learn to drive on?
  • Where did you meet your partner?
  • What is your favourite movie?
  • What is your favourite book?
  • What was your first pet and what was their name?

Then there are the real fun ones:

  • What is your rapper name?
  • What is your ninja name?
  • What is your unicorn name?
  • What is your porn star name?
  • What is your medieval name?
  • What is your royal guest name?

That is not an exhaustive list by any means. There are dozens if not hundreds of these things out there.

All of these questions tend to get you to use certain pieces of personal data, either to reminisce or to have a laugh. If you post your answer online, then you are leaving pieces of personal data about you lying around on the internet.

But how can this enable identity theft?

Let’s take the last three above and look at them.

What is your porn star name

So I would clearly be “Fido Smith”*. That’s really sexy isn’t it? So if posted online, my first pet’s name and mother’s maiden name are in the public domain.

What is your Medieval name

Clearly I would be “Lady Millicent Coastillon”*. Hilarious, I’m sure you’ll agree. But if I post that online, I’ve now revealed most of my date of birth. Getting the year could be fairly trivial, as there are many ways to deduce that (e.g. when did you start or finish secondary school or third level? You can usually narrow it down to within a year).

What is your Royal Guest Name

Now I would be “Lord John Spot of Main”*. What this little quiz gets out of you is a Grandparent’s name, your first pet’s name and the street on which you live.

* Just to be clear, these are all fake answers. I’m not that silly.

The answers to these quizzes tend to be used by companies that we buy goods and services from to verify your identity. This is known as Knowledge Based Authentication (KBA). If some evil doer also had that same information, they could impersonate you – that is how identity theft works.

Just to give you an example. I recently got a new phone, which needed a nano-SIM card, but my previous handset had a micro-SIM. So off to the phone shop I went. I explained that I wanted a new SIM for the new phone. I was asked for:

  • My name
  • My phone number
  • My address
  • My date of birth
  • Was the phone post-pay or pre-pay
  • A copy of some photo ID

The first three items may be easily found out (no matter how careful you might be). If I answered that Medieval Name quiz, somebody could have my date of birth. The post-pay/pre-pay question is a 50-50 and actually I think the vast majority of phones are pre-pay so the chances are that’s the right answer. I offered my driving licence as photo ID and there was only a passing glance given to it, before it was photocopied.

That was it … I was given a new SIM card with my number now active on it. I think a reasonable additional verification step would have been to make a call to my number before they activated the new SIM card, to ensure I actually had full control of that number.

If I was an evil doer, using a faked photo ID and the answers from the quizzes, I could now have full control over somebody’s mobile number and could make phone calls and send SMS text messages as them. Imagine the following text sent from the boss’s number:

Hello Finance Director. I need you to transfer €12,400 to the following account ASAP to secure a discount with a new supplier I have just signed an agreement with. BIC=AIRUSGG IBAN=AIRUSGG12345612345678 Please get it done this morning. I’ll be in later with the paperwork. Regards. Your CEO.

That’s what identity theft can lead to … financial theft.

If you do put your personal data as answers to these quizzes, don’t think the GDPR will protect you … you put the information into the public domain yourself … willingly. So please stop doing it.

By all means look at those quizzes and even answer them – but do not post your answers online.

Some short and enlightening videos

Here is a short video showing how a social engineer can gather more data to steal somebody’s identity and potentially mess with their travel itinerary:

This short (90 seconds) video from the good people at Action Fraud in the UK, is also very revealing.

That was not made-up. That is how easy it is to get specific information about people in a very short period of time. I used to do something similar in the past when I was delivering my Security Awareness Training course. Once I knew people’s names, I would do some very simple online searches, that anybody could do, on them. I would occasionally use certain data mining tools to get more in-depth information on specific individuals. I would then present this information to those individuals discreetly (of course). I actually had to stop doing this as it actually upset people quite badly.

Let’s be careful out there.