Identity theft via attachment?
June 14, 2007 5:40 AM   Subscribe

How likely/difficult would it be to steal identity information from an e-mail attachment, like a Word document or an Excel file?

For example, if I send my Christmas card spreadsheet via e-mail to one family member (or my entire extended family), what kind of identity theft risk is that for the people whose names and addresses appear on the spreadsheet?
posted by deliriouscool to Computers & Internet (8 answers total)
There are various factors, but the main risk would be increasing the number of Internet-connected personal computers the file is on, which increases the chance of it ending up on a compromised machine.

Depending on which mail technologies you use, it could also be sniffed off the wire or gotten from a poorly-secured mail server, but those risks are, in most cases, minor compared to the personal-computer risk because, with so many insecure PCs, it just doesn't make sense to sniff or go after servers.

That being said, I don't think identity thieves are looking for random names and addresses, since you can get those through legitimate (buy a mailing list) or semi-legitimate means.
posted by backupjesus at 6:22 AM on June 14, 2007

Not much, really. If it's just names and addresses, then it would be just as much risk a phonebook or other directory listing.

If you are concerned about the metadata in your document, then there are ways to strip that data out.
posted by Pogo_Fuzzybutt at 6:23 AM on June 14, 2007

Names and addresses are fairly useless to identity thieves, and I don't think they'd bother since that type of information is readily available all over the place. You'd have to add something like a social security number to make it useful to actually get credit with, and hopefully that's not part of your mailing list!
posted by mattholomew at 6:33 AM on June 14, 2007

yeah the other important thing is birthdate which helps scoundrels get certified copies of birth certificates which is a real enabler for identity theft.

The list of names is not a huge liability although useful for worms and other virii that wish to spread to other people and can use your association with those people to speed the spread. Using your contacts and your name might increase the likelihood that the attacker can convince someone to do something that they wouldn't normally do. This could either be an automated attack with e-mails or really it could enable someone to do some social engineering on the phone.

In any case tho, a lot of this information is out there already as others have mentioned so you need to get your gaurd up in general.
posted by mmascolino at 7:04 AM on June 14, 2007

If you're worried about it - put a password on the file - Excel lets you do that, and I presume that other spreadsheet formats do as well.

It's not foolproof, but just like in that old joke - you only have to outrun the other guy. (see joke #24)
posted by Nodecam at 7:39 AM on June 14, 2007

I'm assuming that the very access to your message is bad.

Our email protocols are like sending postcards everywhere. Anyone whose hands it passes through can read it. When you send a message, it passes through around 20 or so machines, most of which are specialty devices that aren't very well equipped to snoop. The first few and the last few are the most likely places to intercept it; like carjacking, it will happen when you're near the endpoints of your long journey, not on the freeway at 90 MPH.

The most vulnerable points are the receiver's machine, then your machine, then the internet-service-provider's machine that holds it until your receiver comes online. Anyone with malice who has access to those machines somehow (and it's likely that of the three, there's at least 15 viruses floating around) could use your file for bad things.

If you want to be safe, encrypt. The file-encryption from Excel is laughable. It would only draw attention to the file, and provide no real protection.

If it's important, consider PGP or GnuPG. If that's too hard, obscure the information in something innocuous; hide in noise. If that's too troublesome, fax it.
posted by cmiller at 8:18 AM on June 14, 2007

Most online identity theft is either done via compromising a database or through automated searches of end user computers compromised by a worm, virus or trojan. The latter is your threat model; such programs will only know a few common locations to find & steal personal data from, like your address book, web browser & financial software. The only realistic way for your spreadsheet to be compromised at all is if a live hacker went trolling through a computer that had the file on it, which is not very likely at all. And even then, names & addresses aren't worth much to an ID thief without an additional identifier such as date of birth or SSN. I wouldn't worry about it.
posted by scalefree at 9:14 AM on June 14, 2007

Encryption doesn't buy you much here. It protects against potential network sniffers en route to the message's destinations. But, as people have noted, the larger risk factor is probably that the recipients' machines may have been compromised. If a recipient decrypts the message and saves the spreadsheet, it's just as available to a compromiser as if it had never been encrypted. Even if the recipient is willing to keep it encrypted and type the password every time, a compromiser may be operating a keylogger. And then there's the possibility of the OS helpfully saving part or all of the file to disk unencrypted in the name of virtual memory.

Given that this info isn't very sensitive, I'd say it's not worth the bother of trying to train your relatives in crypto for an at best doubtful benefit.

(Note: I write this from a whole-disk-encrypted machine. I'm a big fan of crypto. I just don't think it pays off here.)
posted by Zed_Lopez at 10:52 AM on June 14, 2007

« Older How can I move on with my life quick?   |   Do people stick around? Newer »
This thread is closed to new comments.