2388: Viral Quiz Identity Theft

Explain xkcd: It's 'cause you're dumb.
Revision as of 13:48, 22 November 2020 by BlackHat (talk | contribs)
Jump to: navigation, search
Viral Quiz Identity Theft
[scrolling through a giant spreadsheet of transcribed data] 'Wow, a surprising number of users grew up at 420 69th St.' 'Yeah, must be a high-rise or something.'
Title text: [scrolling through a giant spreadsheet of transcribed data] 'Wow, a surprising number of users grew up at 420 69th St.' 'Yeah, must be a high-rise or something.'

Explanation

Ambox notice.png This explanation may be incomplete or incorrect: Why does White Hat say "we can do your thing" after pointing out that using a quiz is unnecessary?
If you can address this issue, please edit the page! Thanks.
Hairy is trying to compile a list of names and addresses, for identity theft purposes. He intends to do so by posting an online quiz to entice people into posting their personal information; for example, asking people to post their 'porn star name' by combining their pet's name (or their middle name, or their mother's maiden name) and the street they grew up on. However, as White Hat points out, a lot of this information is already in the public record making his "viral quiz" unnecessary. This comic is one of very few where White Hat's argument is not used as a straw man; rather, Hairy is the unenlightened one and White Hat has the idea that will require much less work for the same result.

Even though White Hat is correct that there are public databases with lists of legal names and addresses, lots of online interactions take place in forums where people adopt pseudonyms. A viral quiz like this one could be useful for de-anonymizing users, a process known colloquially as "doxing". There is also a suspicion that these kind of viral quizzes are used to create databases to answer password recovery questions correctly. Together with a man-in-the-middle attack on the email system used, this can lead to hackers taking over user accounts.

In the title text, it turns out that lots of users did not provide their personal information. Instead they provided fake information, which Hairy naively takes as truth. The number '420' is associated with the use of marijuana and the number '69' is used to refer to a sex position. These two numbers have found their way into society from memes to car prices. White Hat could also be taking the data at its word when he replies that there must be a high-rise building at that address to hold so many respondents, but it is more likely that he is making a sarcastic double-entendre pun.

If Hairy had talked to Black Hat, he might have been told about the time Black Hat made a bunch of free web services to harvest usernames and passwords.

Transcript

[Hairy and White Hat are standing across from each other at a table. Each has a laptop open in front of him.]
Hairy: Here's my plan: we start a viral quiz to trick people into posting the name of the street they lived on as a kid.
Hairy: Then we use it to steal their identity!
White Hat: Okay.
White Hat: Just checking, you know voter files and mortgages and stuff are mostly public records, right?
Hairy: Huh? What are you talking about?
White Hat: ...Nothing. We can do your thing.


comment.png add a comment! ⋅ comment.png add a topic (use sparingly)! ⋅ Icons-mini-action refresh blue.gif refresh comments!

Discussion

I was going to add in the old, old example of constructing your 'pornstar name' of first pet's name and (road you grew up on|mother's maiden name), but I see there's no real agreement which of the latter it is when I wanted to get it straight for editing in. MMN is probably better for "security question" purposes, but it predates The Eternal September anyway, before which it was more a party-thing rather than a security threat against BBS/Usenet/mailing-list users. 162.158.159.132 00:57, 21 November 2020 (UTC) (a.k.a. Frazier Derwent)

I briefly googled 'eternal september' and found it was a date when internet dialogue was swamped by new users. How did this relate to security questions? 108.162.219.248 12:08, 21 November 2020 (UTC)
It's a reasonable lower limit on when internet commerce became 'a thing' (and a large enough pool of potential marks, with everyday household access and not institution/corporate, to make it a profitable scattergun tactic). Though I'd have said a little bit later myself, there was no such obvious spike in potentially naive users as lucrative targets such as online banking started to be a thing. (And attack vectors tended towards things like malware-based login-scrapers in that era, in my experience.) Prior to then, though, any spear-phishing (not yet known by that name) would have been unlikely to have been achieved through the Porn-name Game, online, though perhaps it'll have been taken advantage of if brought up as an entertainment/ice-breaker at a physical social gathering, for traditional 'meatspace' fraud and personation crime, opportunistically. 162.158.154.83 15:21, 21 November 2020 (UTC)

Hairy tries to do something only to find that Black Hat did it far more efficiently - https://xkcd.com/1027/

Hmm... what exactly is the purpose/meaning of this sentence?

Even though White Hat is correct that there are public databases with lists of legal names and addresses, lots of online interactions take place in forums where people adopt pseudonyms.

I understand that the second part has to do with a strategy for doxing, which is fine, but why would it be appendaged to White Hat's strategy like that (and especially with an 'even though')? The entire paragraph following is just a description of how one could use this to attack the participant, but the whole point of the comic was to show that a brief Google search could give you the same results. If anyone could clear that up, it would be helpful. BlackHat (talk) 13:44, 22 November 2020 (UTC)

As you mentioned, White Hat's basic argument is there are already public databases of names and addresses. If that's all the information Hairy needs, then Hairy's more elaborate scheme is unnecessary. The quote you mention is a counterargument to White Hat's point: If Hairy is actually trying to steal the identity of some *specific* online users and all Hairy knows is a pseudonymous username like e.g. turnitup91, then Hairy can't find out anything more about them from the public databases alone. Hairy's more elaborate scheme may actually make sense in such a case.
White Hat's argument only works for certain countries, since voter databases of 20-60 years ago (needed to obtain the childhood address through the parents voter registration) are neiher public record nor available on google for most countries. --108.162.229.94 20:50, 23 November 2020 (UTC)
And that's the purpose of the quote: Even though White Hat is correct about the public databases, that's not enough if you're trying to de-anonymize someone specific and all you have is a pseudonym. Gertuviti (talk) 15:53, 22 November 2020 (UTC)

Folks: do a little Googling. 420 69th, New York is the address of "The Church of the Dildo Dude" Cellocgw (talk) 16:27, 23 November 2020 (UTC)

In New York there are actually several 420 69th streets. Most of them are going to be boring. There is one in Brooklyn, but that is a private residence and we shouldn’t bother the people there.

In Manhattan there are a 69th street East and a 96th Street West. 420 East is part of New York Presbyterian Hospital and Cornell Medical School. While you are likely to find sex (therapists) and (medical) marijuana there it’s a long, low (for Manhattan) building.

On the other side of Manhattan there is a high rise in the right spot, Trump Place. They use Riverside Blvd as the mailing address to avoid this issue. It is however a high rise. :) 162.158.75.138 23:32, 25 November 2020 (UTC)