An attacker in South Africa can gain access to your online profiles using a small amount of data.
This is because lax identity verification policies are common across industries and allow the passwords of online services offered by companies to be reset with little more than that data.
SensePost’s CTO Dominic White demonstrated how such an attack works in practice, using the personal details of a coworker obtained through the recent Master Deeds leak.
The leak occurred through a database backup file called “masterdeeds.sql”, which was uploaded to the webserver of Jigsaw Holdings.
Subsequent investigations revealed that the company’s live database was also vulnerable, exposing the records of over 75 million South Africans.
Armed with the data of a coworker, who provided permission for the demonstration, White phoned the contact centre of their medical aid.
He convinced the operator he was the coworker by quoting the ID and cellphone number contained in the leak. He was then able to change the contact details on file to numbers and email addresses he controlled.
From there, he reset the password of his coworker’s online profile and gained access to the ID numbers and full names of his dependents, and their recent medical records.
This included doctor’s visits and the medication they bought.
White said a small amount of leaked personal data can empower an attacker to gain access to private information, which in turn can be used to take over further accounts.
With the details of a spouse and access to medical records, for example, an attacker may persuade a bank to reset the password for an online banking account.
White emphasised that this issue is not limited to medical aids, as many companies allow passwords to be reset with limited identity verification.
With the personal details of every South African now in the public domain thanks to the leak, White said he hopes a serious discussion takes place on data storage practices.
He said that as clients, we must put pressure on institutions to be more suspicious when verifying someone’s identity.
“I also hope that this leak discourages companies from holding on to more data than they need to do business – that they start seeing it as toxic and expensive to keep.”
A recreation of White’s original call is embedded below. The medical aid, ID number, and contact details have been changed.