Which of these items retrieved through dumpster diving would not provide useful information?

Last updated on April 18, 2022

Dumpster diving – it’s not hard to guess what it is. It is the practice of going through the trash of a business or individual with the aim of finding valuable information or discarded data that can be used against them.

Human weakness, the failure to secure one’s own property, is at the root of dumpster diving. A dumpster dive can yield many valuable items, including hard drives, diskettes, business directories, and so forth.

People have their own ways of explaining this term, with some saying that it refers to uncovering treasure hidden among others’ trash.

What is dumpster diving in social engineering?

Within the realm of information technology, dumpster diving is one of many social engineering attacks: it refers to retrieving information from discarded items in order to mount a cyber-attack, such as gaining control of the computer network with the help of what was thrown away.

You may wonder how something like this is possible or what to do with the discarded items. Don’t worry – we are here to help you out with that.

Below you will find some dumpster diving examples as well as a few techniques to prevent dumpster diving attacks.

Dumpster diving goes beyond finding treasures in the trash, such as sticky notes written with access codes and passwords plus other paper documents.

An attacker can turn seemingly harmless data into an advantage: a list of phone numbers, bank statements, a calendar, or an easily understood organizational chart can all assist an attacker attempting to hack the system.

It is impossible to talk about dumpster diving without mentioning Jerry Schneider. In 1968, while still in high school, Jerry ran a wholesale telephone equipment company. The idea came from a dumpster, specifically Pacific Telephone’s trash, which included documents, manuals, and invoices relating to the company’s ordering and delivery systems.

Larry Ellison’s most notable case dates from 2000, when he hired private investigators to search Microsoft’s dumpsters for any useful information. The aim was to gain a better understanding of Microsoft’s future developments in order to support his claims.

How to prevent dumpster diving attacks?

Despite the hassle of properly disposing of trash, firms can implement measures to help prevent dumpster diving incidents. Employees should be informed of these measures and they should be documented.

  1. Employee education is crucial – explain proper disposal procedures as well as common social engineering techniques. Printouts must not be taken home by employees, nor should old computers be given to them.
  2. Before selling or disposing of any equipment belonging to your company, make sure all identifiable information is removed.
  3. Ensure that the trash is securely disposed of. Put trash and recycling bins in locked containers, and secure the refuse until the day of pickup.
  4. Cross-cut shredders should be placed near recycling bins, or secure shred containers should sit next to the trash bins. You can also provide home shredders to staff members who work remotely.
  5. Data retention policies must be in place, and sensitive data should be destroyed with certificates of destruction.

Dumpster Diving: Experts’ Advice

As a precaution against dumpster divers finding valuables among the trash, experts suggest that businesses set up a disposal policy that ensures paper waste, such as printed materials, is properly shredded prior to disposal and that all storage devices are wiped.

It is vital for all employees of an organization to have a minimum of security awareness, including the fact that untracked trash is a hazard.

Think Twice Prior To Disposing Items

Attackers can profit handsomely from discarded computer hardware. It is possible to recover data from storage devices after they have been formatted or wiped improperly.

Passwords and certificates can also be recovered from such devices.

Likewise, improper disposal of medical records or personnel information can result in legal liability.

It is imperative to destroy all files containing personal or sensitive information; otherwise, businesses may face breaches and fines.

Layer 8: The People Layer

In Hack the Stack, 2006

Dumpster Diving

“Dumpster diving” means searching trash for useful information. The trash may be in a public dumpster or in a restricted area requiring unauthorized entry. Dumpster diving depends on a human weakness: the lack of security knowledge. Many things can be found dumpster diving (e.g., CDs, DVDs, hard drives, company directories, and so forth). Probably the most famous example of dumpster diving was performed by Jerry Schneider in southern California. While in high school in 1968, Jerry found documentation regarding Pacific Telephone’s automated equipment ordering and delivery system, which he used to order equipment and have delivered to dead drops. Jerry accumulated hundreds of thousands of dollars worth of telephone equipment and established Creative Systems Enterprises to sell it; some of it was sold back to Pacific Telephone. Jerry was arrested in 1972, and started a security company in 1973 that he left in 1977. Read more about Jerry Schneider at //en.wikipedia.org/wiki/Jerry_Schneider. Read more about dumpster diving at www.reference.com/browse/wiki/Dumpster_diving.

Tip

Dumpsters can contain hazards such as broken glass and nails. Wear work boots and other protective clothing. Dumpster diving is illegal in some municipalities and legal in others. Know your situation.

Read full chapter: //www.sciencedirect.com/science/article/pii/B9781597491099500137

SSH Shortcomings

In Next Generation SSH2 Implementation, 2009

Attacking in person

In person social engineering attacks are the stuff of legends. Attackers dressed as service professionals have removed servers, stolen workstations, and even stolen backup tapes while pretending to be tech support. In person attacks take the most ability but can yield the greatest results.

Dumpster diving is listed by many as a social engineering attack, but to me it is more physical security, as a social engineering attack requires someone to engineer. This smelly method of attack yields interesting results. Old credit card forms, all the internal forms and memos and posted notes, all contain valuable information that helps social engineering attacks. Organizational structure, staff names, and departmental names are available to the dumpster diver.

While dumpster diving usually gives great results it does have its dangers. You'll need several items to keep this a polite process. Always take along extra clothes to wear just for this as sometimes dumpsters have real garbage in them. Take several pairs of latex gloves and leather work gloves. I usually wear the latex gloves as liners to the work gloves because icky stuff soaks through the work gloves but not the latex liner. A long stick with a hook of some type always helps and keeps you from having to reach so far in the dumpster. New dumpsters are tall so take some form of step stool to get in and out easily. I like to dive mid evening when it's quiet. Lastly, always call to see what the cafeteria has for lunch because it may end up in the dumpster you're diving in. Never dive when spaghetti is on the menu.

Shoulder surfing is the lowest tech attack but does supply login credentials and PINs. The attacker stands behind the victim and looks over their shoulder to see their PIN or password. This type of attack works great with administrators who log on to computers locally. The attacker is usually an insider as most employee screens are faced away from public view (We hope). Watch people at the ATM machine: some use their bodies to shield the keypad while they punch in their PINs, while others don't really care who is watching.

The human-based attack has great advantages over the computer-based one in that the attacker has the ability to adjust the attack based on real-time feedback. Monitoring the victim for physical signs of stress allows the attacker to have full control of the situation and the victim.

Read full chapter: //www.sciencedirect.com/science/article/pii/B9781597492836000052

Social Engineering

Robert Shimonski, ... Technical Editor, in Cyber Reconnaissance, Surveillance and Defense, 2015

Dumpster Diving

Dumpster diving is an interesting attack that produces an immense amount of information on an organization, firm, individual, or entity. You can learn a lot about a person or company from the trash they throw away. It’s also extremely surprising how much personal and private information is thrown out for others to find. Generally, most dumpsters and trash receptacles do not come with locks; locks would make it nearly impossible for regular trash collection services to dispose of the contents properly. However, other solutions are available to secure your trash.

For one, you should never throw anything out that has information contained on or within it without considering how it can be used against you. If you throw out bill statements and other paperwork that contain private information, you should consider burning it, shredding it, or otherwise destroying the information it contains.

In Figure 3.2, we can see an attacker digging through trash to locate useful information.

Figure 3.2. Dumpster diving.

Cross-cut shredders were created because it was proven that a bag of shredded paper that came from a normal straight-cut shredder could be reassembled given enough time. Kevin Mitnick, president of Defensive Thinking, was originally a hacker who, once caught, turned to good. He claims that social engineering is one of the biggest links and dumpster diving is a huge hole in security controls. Given enough time, a large amount of shredded data can be reassembled and used against you and/or an entity.

We tend to throw things away without considering the impact of them being recovered. We gleefully assume that because we put something in the trash, it is dutifully removed from the premises and destroyed adequately. If only that were the truth. Your trash can easily be recovered and used to gather information. Disk drives can be thrown out and, even if you attempted to destroy them, can be reassembled and/or fixed enough to get data off them. There are many secrets that can be uncovered in the trash; you should consider that next time before you throw something away.

Read full chapter: //www.sciencedirect.com/science/article/pii/B9780128013083000032

Understanding the Methods and Mindset of the Attacker

Dale Liu, in Cisco Router and Switch Forensics, 2009

No-Tech Hacking

No-tech hacking is hacking that does not require the use of high-tech tools. Dumpster diving is one example of no-tech hacking. People throw out amazing amounts of highly sensitive information, and the authorities are highly suspicious and will investigate when someone reports seeing a person lurking around a corporate dumpster.

For a great article on dumpster diving, see the Internet Security Systems Web page at www.iss.net/security_center/advice/Underground/Hacking/Methods/WetWare/Dumpster_Diving/default.htm.

Another form of no-tech hacking is the use of social engineering to gain access to government and business data. One notorious hacker in this regard is Kevin Mitnick. This guy had an unparalleled ability to talk his way into getting people to assist him, without ever meeting them face to face, thanks primarily to his skill in leveraging human psychology to his advantage. By applying needs-based persuasion in his conversations with an intended target, he could get them to disclose sensitive information or provide him with a login he was not entitled to by listening closely and adjusting his emotional response to their initial hesitancy or wariness. This is just one example of the methods that can be used to exploit human psychology to gain information or bypass controls.

Eventually Mitnick was caught and served time in prison for his misdeeds. Today he uses his keen skill in a more constructive way, by teaching social engineering awareness classes and delivering lectures to educate the public (and those in high technology) on the finer points of the social engineering threat. He even wrote a fictional book on hacking. For now this story has a happy ending.

Thankfully, people understand today how important it is to guard their personal information, as exposures to this threat are increasingly in the news. Incidents of computer hacking and identity theft are fairly common these days. As a result, businesses and organizations are increasingly being pressured to exercise due diligence. Due diligence goes back to the early part of the twentieth century when liability concerns for securities fraud began to surface. Today, those in information security are highly encouraged to protect their network and ensure that sensitive information is protected. Due diligence is about sizing up all the known threats and risks to a computer network and related assets, and making a diligent effort to reduce or eliminate those risks of compromise, beyond the perceived basics, with the goal of protecting the organization's data.

With hackers, as with most things in life, where there's a will there's a way; if a hacker is intent on attacking your network, it's just a matter of time before he finds a way to do it. Unfortunately, hackers with a background in technology can get in more easily, as they already know the lay of the land, so to speak. At the following URL, you'll find an article from the Santa Clara County District Attorney's press archives describing how a former computer administrator used his talent and skill to break into organizations in the California Bay Area and implant software that was used to harvest usernames, passwords, and other sensitive information. Lucky for us, the perpetrator was convicted.

www.sccgov.org/portal/site/da/agencyarticle?path=%252Fv7%252FDistrict%2520Attorney%252C%2520Office%2520of%2520the%2520%2528DEP%2529&contentId=ae306383d969d110VgnVCM10000048dc4a92____&cpsextcurrchannel=1

Read full chapter: //www.sciencedirect.com/science/article/pii/B9781597494182000077

Passwords, Vulnerabilities, and Exploits

Littlejohn Shinder, Michael Cross, in Scene of the Cybercrime (Second Edition), 2008

Dumpster Diving

Another threat that can be overlooked in companies is dumpster diving. As with tailgating, it is about as low-tech a method of threatening security as anyone could think of. It literally involves getting into a dumpster and going through the trash, searching through garbage bags, looking in wastebaskets, and rummaging through other places where people may have disposed of sensitive information.

This method of breaching security remains popular because it is so effective. In addition to the rotting refuse of people's lunches, one can find discarded printouts of data, papers with usernames and passwords, test printouts that have Internet Protocol (IP) address information, and even old hard drives, CDs, DVDs, and other media containing the information you'd normally have to hack the network to obtain. Even the most innocuous waste may provide a wealth of information. For example, printouts of e-mail will contain a person's name, e-mail address, contact information, and other data that could be used for social engineering purposes (discussed in the next section).

There are many solutions to resolving dumpster diving as a security issue. Dumpsters can be locked with a padlock to limit access, or they can be kept in locked garages or sheds until they're ready for pickup. Companies can also implement a shredding policy so that any sensitive information is shredded and rendered unusable by anyone who finds it. This is especially important if the company has a recycling program, in which paper products are kept separate. If documents aren't shredded, the recycling containers make it even easier to find information, as all of the printouts, memos, and other documentation are isolated in a single container. Because discarded data isn't always in paper form, companies also need to implement a strict hardware and storage media disposal policy so that hard disks are completely wiped and old CDs and DVDs containing information are destroyed. By obliterating the data before the media is disposed of, and protecting the waste containers used afterward, dumpster diving becomes difficult or impossible to perform.
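The point made here, and in the earlier "Think Twice Prior To Disposing Items" section, that formatted media still yields data is easy to demonstrate. The following POSIX shell script is an added example, not code from this page or from any of the cited books: it plants a constructed secret in a scratch image file, shows that a simulated quick format (rewriting only the first 512 bytes, as a real quick format rewrites only filesystem metadata) leaves the secret recoverable with a binary-safe grep, then overwrites the whole image and verifies the result. The image file, the marker string, the sizes and the function names are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original page or any cited book): simulates
# why a "quick format" leaves discarded-drive data recoverable and how to
# verify an overwrite before disposal. The image file, the marker string
# and the 512-byte "metadata" region are constructed for this demo.
set -eu

MARKER='CONSTRUCTED-SECRET: db_password=hunter2'   # constructed sample secret
IMG_KIB=64                                          # demo "drive" size in KiB

# Create a 64 KiB zero-filled image and plant the secret deep inside it,
# past the first 512 bytes, the way file contents sit past filesystem metadata.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count="$IMG_KIB" 2>/dev/null
    printf '%s\n' "$MARKER" | dd of="$1" bs=1 seek=20000 conv=notrunc 2>/dev/null
}

# Simulate a quick format: rewrite only the first 512 bytes (boot sector /
# filesystem header). Data blocks are untouched, which is exactly the problem.
quick_format() {
    dd if=/dev/zero of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Returns 0 (true) if the planted secret can still be carved out of the image
# with nothing more than a binary-safe grep.
secret_recoverable() {
    grep -a -q -- "$MARKER" "$1"
}

# Overwrite every byte of the image in place with zeros (single pass).
# The demo image is a whole number of KiB, so a 1 KiB block size covers it.
full_wipe() {
    size_kib=$(( $(wc -c < "$1") / 1024 ))
    dd if=/dev/zero of="$1" bs=1024 count="$size_kib" conv=notrunc 2>/dev/null
}

# Verification step a disposal policy should require: strip every NUL byte and
# confirm nothing is left. Returns 0 only if the whole image reads as zeros.
verify_wiped() {
    remaining=$(( $(tr -d '\000' < "$1" | wc -c) ))
    [ "$remaining" -eq 0 ]
}

# Walk through the scenario end to end and report each check.
demo() {
    img=$(mktemp)
    make_image "$img"
    quick_format "$img"
    if secret_recoverable "$img"; then
        echo "after quick format: secret still recoverable"
    fi
    full_wipe "$img"
    if verify_wiped "$img" && ! secret_recoverable "$img"; then
        echo "after full overwrite: image verified all-zero, secret gone"
    fi
    rm -f "$img"
}

demo
```

On physical drives a disposal policy should prefer the device's own sanitize command (ATA Secure Erase or NVMe Sanitize) over a host-level overwrite, because flash wear levelling and over-provisioning can leave blocks that a file-level write never reaches; the verification step, whichever method is used, is what backs the certificate of destruction the first article recommends.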

Read full chapter: //www.sciencedirect.com/science/article/pii/B978159749276800011X

Identity Theft

Carl Timm, Richard Perez, in Seven Deadliest Social Network Attacks, 2010

Shred Your Documents

Having the ability to shred mail and documents is a very effective countermeasure to dumpster diving. Paper shredders have become more affordable, so if possible, acquire a shredder so that you can dispose of credit card statements, bank statements, bills, and medical records with assurance. While shredders come with a dizzying array of features and capabilities, take a look at what's good enough for you and try to buy one that fits comfortably in your budget. If you don't have the resources to shred from home, borrow one from work or school. Most organizations have paper shredders and encourage the use of them, so wherever possible and convenient borrow those resources (if permitted). Be sure to get permission from the company or organization that you are a part of before taking such actions.

Read full chapter: //www.sciencedirect.com/science/article/pii/B9781597495455000057

The Physical Attack Vector

Gavin Watson, in Social Engineering Penetration Testing, 2014

Shoulder surfing

Shoulder surfing is another information gathering technique that is often described as social engineering. However, in a similar way to dumpster diving, it is not the technique itself but the way the gathered information is used. In its most basic sense, shoulder surfing is looking over someone’s shoulder to see what they are doing: typing, writing, etc. For example, an employee may covertly look across at their colleague’s keyboard as they type their password or look at a monitor as an e-mail is being composed.

It could be argued that there would be little benefit in employing this technique, as access to the target building has already been achieved. Having breached the security, knowing an employee’s password may be of some use, but it would be far easier to plug in a device and attack the network remotely. This is true, but the employees are not “always” within the target building. For example, although very much a long game technique, an attacker could shoulder surf an employee using their laptop in a local cafe. If the password could be seen, it could then be used to access the corporate e-mail. This could then be used to launch phishing e-mail attacks.

Looking for passwords is obvious, but remember that a social engineer can potentially use any information to attack the business. Consider the cafe example again: what else could the attacker see? They would be able to see the operating system version, the web browser, the software in use, and the make and model of the laptop. This is all very useful information that can aid an attacker when launching phishing attacks. Knowing the software used can narrow down the attacks that are likely to work.

Read full chapter: //www.sciencedirect.com/science/article/pii/B9780124201248000119

Legal Considerations

James M. Aquilina, in Malware Forensics, 2008

Protected Data

When it comes to how best to steal valuable personal information, the days of purse snatching, breaking & entering, dumpster diving and shoulder surfing are long gone. Pod slurping or simply walking off with a laptop, backup tape, even an entire server is far more de rigueur, vulnerabilities of a digital age overshadowed only by the explosion of creative and malicious exploits once deployed by hacktivists, now wielded across the Internet for profit. While phishing, pharming, vishing,[20] and spimming[21] attacks depend in part on social engineering and user confusion, the transmission both indirectly through seemingly innocuous email attachments, text messages, and IMs, and directly across the firewalls and routers of insecure networks, of malicious code designed to harvest valuable sensitive information is where the real illicit money is at. And not simply transmission. Mass dissemination, in volumes and at rates historically unparalleled, true particularly given the recent ease with which botnet networks have come to consist of hundreds of thousands of compromised machines at any given time.

Against this backdrop, it is not surprising then that across the globe legislation designed to better protect personal data has emerged. In the United States, federal industry-specific standards for the treatment of certain classes of sensitive information are the norm, while at the state level laws have been implemented requiring notification to users and consumers when information about them is digitally hijacked. For the digital investigator tasked with performing forensic analysis on malicious code designed to access, copy, or otherwise remove protected information, understanding the nature of those protections will help inform necessary investigative and evidentiary determinations along the way.

Federal Law

Financial Information

Responding to an incident at a financial institution that compromises customer accounts may implicate the provisions of the Gramm Leach Bliley Act, also known as the Financial Services Modernization Act of 1999, which protects the privacy and security of consumer financial information that financial institutions collect, hold, and process.

16 C.F.R. § 313 governs how financial institutions must treat non-public personal information about consumers. The regulation (1) requires a financial institution in specified circumstances to provide notice to customers about its privacy policies and practices; (2) describes the conditions under which a financial institution may disclose non-public personal information about consumers to nonaffiliated third parties; and (3) provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to certain limited exceptions. The regulation only protects consumers who obtain financial products and services primarily for personal, family or household purposes.

In addition to these requirements, 16 C.F.R. § 314 sets forth standards for how financial institutions must maintain information security programs to protect the security, confidentiality, and integrity of customer information. Specifically, financial institutions must maintain adequate administrative, technical, and physical safeguards reasonably designed to (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Be careful when working with financial institution data to obtain and document the scope of authorization to access, transport, or disclose such data to others.

Online Resources

What is a Financial Institution?

The Gramm Leach Bliley Act (the “Act”) generally defines a “financial institution” as “any institution that is significantly engaged in financial activities.” 16 CFR § 313(k)(1). For a list of common examples, check out 16 CFR § 313(k)(2) of the Act, available at //edocket.access.gpo.gov/cfr_2003/16cfr313.3.htm.

Health Information

The Health Insurance Portability & Accountability Act (“HIPAA”), codified at 45 CFR §§ 160, 162, 164, applies generally to health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form,[22] and provides rules designed to ensure the privacy and security of individually identifiable health information (“protected health information”), including such information transmitted or maintained in electronic media (“electronic protected health information”).

Specifically, 45 C.F.R. § 164 sets forth security standards for the protection of electronic protected health information. The regulation describes the circumstances in which protected health information may be used and/or disclosed, as well as the circumstances in which such information must be used and/or disclosed. The regulation also requires covered entities to establish and maintain administrative, physical, and technical safeguards to (1) ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits; (2) protect against any reasonably anticipated threats or hazards to the security or integrity of such information; (3) protect against any reasonably anticipated uses or disclosures of such information that are not otherwise permitted or required by the regulation; and (4) ensure compliance with the regulation by the covered entity's workforce.

Given these stringent requirements, investigative steps involving the need to access, review, analyze, or otherwise handle electronic protected health information should be thoroughly vetted with the covered entity's counsel to ensure compliance with the HIPAA security rules and obligations.

Public Company Data

A quick note on public companies. The Sarbanes-Oxley Act (“SOX”), codified at 17 CFR §§ 210, 228-29, 240, 249, 270, broadly requires public companies to institute corporate governance policies designed to facilitate the prevention, detection, and handling of fraudulent acts or other instances of corporate malfeasance committed by insiders. Other provisions of SOX were clearly designed to deter and punish the intentional destruction of corporate records. In the wake of SOX, many public companies have overhauled all kinds of corporate policies that may also implicate more robust mechanisms for the way in which financial and other digital corporate data is handled and stored. In assessing early the scope and limits of authority to conduct any internal investigation at a public company, be mindful that SOX-compliant policy may dictate or limit investigative steps.

Other Protected Information

Various other laws or doctrines exist at the federal level which specially protect certain other classes of information, including the following:

Information About Children: The Children's Online Privacy Protection Act (COPPA), codified at 16 CFR § 312, prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet. In addition, the Juvenile Justice and Delinquency Prevention Act, codified at 18 U.S.C. §§ 5031 to 5042, which governs both the criminal prosecution and the delinquent adjudication of minors in federal court, protects the juvenile defendant's identity from public disclosure.[23] If a digital investigation leads to a child, consult counsel for guidance on the restrictions imposed by these federal laws.

Child Pornography: 18 U.S.C. § 1466A proscribes among other things the possession of obscene visual representations of the sexual abuse of children. Consider including in any digital forensic services contract language that reserves the right to report as contraband to appropriate authorities any digital evidence encountered that may constitute child pornography.

Student Educational Records: The Family Educational Rights and Privacy Act, codified at 20 U.S.C. § 1232g, prevents certain educational institutions from disclosing a student's “personally identifiable education information,” including grades and student loan information, without the student's written permission. Again, authority to access and disclose this type of information should be properly vetted with the covered educational institution or its counsel.

Payment Card Information: To mitigate the threat of loss of cardholder data, in December 2004, the PCI Security Standards Council (“PCI SSC”), composed of representatives from Visa, MasterCard, American Express, Discover, and JCB, promulgated the Payment Card Industry Data Security Standards (“PCI DSS”) Version 1.0. PCI DSS 1.0 established common industry security standards for storing, transmitting and using credit card data, as well as managing computer systems, network devices, and the software used to store, process and transmit credit card data. According to these established guidelines, merchants who store, process or transmit credit card data must, in the event of a security incident, take immediate action to investigate the incident, limit the exposure of cardholder data, notify PCI SSC members, and report investigation findings. When handling PCI data during the course of a digital investigation, then, be sure to understand these heightened security standards and requirements for disclosure and reporting.

Privileged Information: Data relevant to the digital investigator's analysis may constitute or be commingled with information that is protected by the attorney-client privilege or the attorney work product doctrine. Digital investigator access to or disclosure of that data, if not performed at the direction of counsel, may down the road be alleged to constitute a waiver of these special protections.

State Law

On May 10, 2008, Iowa joined 42 other states in passing a data breach notification law requiring owners of computerized data that includes consumer personal information to notify any affected consumer following a data breach that compromises the security, confidentiality, or integrity of that personal information.[24] The statutes generally share the same key elements, but vary in how those elements are defined, including the definitions of “personal information,” the entities covered by the statute, the kind of breach triggering notification obligations, and the notification procedures required.[25]

“Personal information” has been defined across these statutes to include some or all of the following:

Social Security, Alien Registration, Tribal, and other federal and state government issued identification numbers

Drivers’ License and Non-Operating License identification numbers

Date of birth

Individuals’ mothers’ maiden names

Passport number

Credit card and debit card numbers

Financial account numbers (checking, savings, other demand deposit accounts)

Account passwords or personal identification numbers (PINs)

Routing codes, unique identifiers, and any other number or information that can be used to access financial resources

Medical information or health insurance information

Insurance policy numbers

Individual taxpayer identification numbers (TINs), Employer taxpayer identification number (EINs), or other tax information

Biometric data (fingerprints, voice print, retina or iris image)

Individual DNA profile data

Digital signature or other electronic signature

Employee identification number

Voter identification numbers

Work-related evaluations

Most statutes exempt reporting if the compromised information is “encrypted,” although the statutes do not set forth the standards for such encryption. Some states exempt reporting if, under all circumstances, there is no reasonable likelihood of harm, injury, or fraud to customers. At least one state requires a “reasonable investigation” before concluding no reasonable likelihood of harm.[i]

Notification to the affected customers may ordinarily be made in writing, electronically, telephonically, or in the case of large scale breaches, through publication. Under most state statutes, Illinois being an exception, notification can be delayed if it is determined that the disclosure will impede or compromise a criminal investigation.[ii]

Understanding the breach notification requirements of the state jurisdiction in which the investigation is conducted is important to the integrity of the digital examiner's work, because the scope and extent of permissible authority to handle relevant personal information may differ from what the examiner expects. Consult counsel for clear guidance on how to determine whether the encryption exemption applies, and on whether applicable notice requirements will alter the course of what would otherwise have been a more covert operation designed to avoid tipping off the subject or target.


URL: //www.sciencedirect.com/science/article/pii/B9781597492683000062

The State of the Art in Identity Theft

Amit Grover, ... Dennis Cobb, in Advances in Computers, 2011

10.1.1.1 Document and Information Handling

Be vigilant whenever dealing with sensitive personal or financial information.

Shred all unnecessary documents that contain personally identifiable or financial information before disposing of them, as dumpster diving is a major source of identity theft.

Do not carry your Social Security card in your wallet unless required for a specific purpose.

Be extremely cautious about providing your SSN to non-governmental agencies and do so only if it is absolutely necessary.

Do not leave checks in your car, and avoid carrying your check book with you unless required for a specific reason. Fed Chairman Ben Bernanke became a victim of identity theft when his wife left her purse, which contained personalized checks, in a restaurant [38,39].

Do not carry all your credit cards and debit cards in your wallet—if your wallet is lost or stolen, you stand to lose all your cards.

Prefer credit cards over debit cards: fraudulent use of a stolen debit card number withdraws funds directly from your checking account, whereas a fraudulent credit card transaction can be disputed with the bank before any money leaves your hands.


URL: //www.sciencedirect.com/science/article/pii/B9780123855107000011

The Dark Side

Michael Cross, in Social Media Security, 2014

Dumpster diving

If you’ve ever thrown something in the garbage that maybe should have been put in a shredder, you should wonder who might have access to it. Dumpster diving is a low-tech way of getting information: it involves pulling documents containing sensitive information out of the trash. A person may throw out a piece of paper with a password on it, a work document, a pay stub, a bill, or something else containing sensitive information. Once it is in the trash, anyone with access to the waste basket, the trash bag the janitor throws it into, or the outside dumpster can pull it out and use it. Even if the information isn’t as direct as a piece of paper with a password written on it, the information on multiple documents can be compiled into something the attacker can use.

Organizations should implement a policy that any documents containing confidential information should be shredded and not thrown out with regular trash. However, even if your business follows such policies, this doesn’t protect you from employees taking information home and throwing it out there. In the second annual Infosecurity Europe survey mentioned earlier, it was found that 80% of employees took confidential information home with them when they changed jobs. Even if an attacker didn’t have access to information at your business, it doesn’t mean that they can’t get it through current and former employees.

Trying to restrict what information an employee can and can’t take home from work can be difficult if not impossible. Many people in a workplace use tablets, laptops, and other devices that store considerable amounts of data and walk in and out of a business on a regular basis. As such, education and policy are important, so that workers take this responsibility seriously.

For employees, there is a greater need to control what they leave the building with on their last day of work. If a former employee is angry enough to leave a business with confidential information, they are also probably more than willing to share it with anyone who asks. Some may even be angry enough to start posting confidential information on social networking sites, or as we discussed in Chapter 6, uploading documents to various sites like WikiLeaks (www.wikileaks.org).


URL: //www.sciencedirect.com/science/article/pii/B9781597499866000072

Which of these is a general term used for describing software that gathers information without the user's consent?

Spyware (a portmanteau for spying software) is software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user—for example, by violating their privacy or endangering their device's security.

Which type of mutation completely changes a virus from its original form by rewriting its own code whenever it is executed?

Polymorphic malware changes its outward form each time it is executed, typically by re-encrypting its body under a fresh key and varying the decryptor stub, while the underlying code that runs after decryption stays the same. Metamorphic malware goes further: it rewrites its own code, so each generation differs even after any packing or encryption is removed. The question's phrasing, "rewriting its own code", therefore describes metamorphic malware.
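The difference between the two matters for detection. The following is an added example, not code from the page or from any of the chapters it excerpts: it models a malware body as a toy stack-machine program, produces a polymorphic copy (same body, fresh XOR key and decryptor per copy) and a metamorphic copy (the instructions themselves rewritten into equivalent sequences), then shows that a byte-exact signature misses both, that emulating the decryptor before scanning catches the polymorphic copy, and that the metamorphic copy still evades it. The instruction set, the program, the key length and the rewrite rules are all constructed for this illustration.

```python
import hashlib
import random
import struct

# Toy stack-machine instruction set standing in for a malware body (constructed).
# Each instruction is (opcode, operand); operand is 0 where unused.
PUSH, ADD, SUB, NOP = 1, 2, 3, 4

# Constructed sample "payload": computes (7 + 5) - 2 = 10.
ORIGINAL_PROGRAM = [(PUSH, 7), (PUSH, 5), (ADD, 0), (PUSH, 2), (SUB, 0)]
KEY_LEN = 8  # assumed key length for the polymorphic XOR layer


def run(program):
    """Execute the toy program and return the value left on the stack."""
    stack = []
    for op, arg in program:
        if op == PUSH:
            stack.append(arg)
        elif op in (ADD, SUB):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == ADD else a - b)
        elif op != NOP:
            raise ValueError("bad opcode %r" % op)
    return stack[-1]


def serialize(program):
    """Encode as bytes: 1-byte opcode, 4-byte little-endian signed operand."""
    return b"".join(struct.pack("<Bi", op, arg) for op, arg in program)


def deserialize(blob):
    return [struct.unpack("<Bi", blob[i:i + 5]) for i in range(0, len(blob), 5)]


def signature(blob):
    """Byte-exact signature of the kind a naive scanner matches on."""
    return hashlib.sha256(blob).hexdigest()


KNOWN_SIGNATURE = signature(serialize(ORIGINAL_PROGRAM))


# --- Polymorphic: identical body, re-encrypted with a fresh key per copy ----

def polymorphic_variant(program, seed):
    """Return key || XOR-encrypted body. Only the key changes between copies."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(1, 256) for _ in range(KEY_LEN))  # never 0, so every byte changes
    body = serialize(program)
    return key + bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def unpack_polymorphic(blob):
    """The decryptor stub: recover the unchanged body at run time."""
    key, enc = blob[:KEY_LEN], blob[KEY_LEN:]
    return deserialize(bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(enc)))


# --- Metamorphic: the instructions themselves are rewritten ----------------

def metamorphic_variant(program, seed):
    """Rewrite the program using semantically equivalent instruction sequences."""
    rng = random.Random(seed)
    pushes = [i for i, (op, _) in enumerate(program) if op == PUSH]
    forced = rng.choice(pushes)           # guarantee at least one rewrite per generation
    out = []
    for i, (op, arg) in enumerate(program):
        if op == NOP:
            continue                      # strip junk left by the previous generation
        if op == PUSH and (i == forced or rng.random() < 0.5):
            k = rng.randrange(1, 100)     # PUSH n  ->  PUSH n+k, PUSH k, SUB
            out += [(PUSH, arg + k), (PUSH, k), (SUB, 0)]
        else:
            out.append((op, arg))
        if rng.random() < 0.3:
            out.append((NOP, 0))          # insert fresh junk
    return out


def scan(blob, known_sig=KNOWN_SIGNATURE):
    """Static signature check on the bytes as found on disk."""
    return signature(blob) == known_sig


def scan_after_unpacking(blob, known_sig=KNOWN_SIGNATURE):
    """Emulate the decryptor first, then apply the signature to the recovered body."""
    return signature(serialize(unpack_polymorphic(blob))) == known_sig


def demo(seed=1):
    poly = polymorphic_variant(ORIGINAL_PROGRAM, seed)
    meta = metamorphic_variant(ORIGINAL_PROGRAM, seed)
    return {
        "poly_static_match": scan(poly),                        # False: bytes differ
        "poly_unpacked_match": scan_after_unpacking(poly),      # True: body is unchanged
        "meta_static_match": scan(serialize(meta)),             # False: code was rewritten
        "poly_runs_same": run(unpack_polymorphic(poly)) == run(ORIGINAL_PROGRAM),
        "meta_runs_same": run(meta) == run(ORIGINAL_PROGRAM),   # True: behaviour preserved
    }


if __name__ == "__main__":
    print(demo())
```

The practical lesson is in the two scan functions: against a polymorphic sample, running the decryptor in an emulator and scanning the decrypted body restores the signature match, but against a metamorphic sample there is no fixed body to recover, which is why detection has to fall back on behaviour (here, what `run` computes) rather than bytes.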

Can a virus transport itself through the network to another device?

No. A virus cannot transport itself to other devices without help: it spreads by attaching to files, documents, or media that a user or another program carries to the next machine. Self-propagation across a network without user action is what distinguishes a worm from a virus.

Which of the following is a social engineering technique that uses flattery on a victim?

Ingratiation.
