#DEFCON: Hackers Can Use Netflix Account to Steal Banking Info
There are a lot of different risks to personal privacy, but one of the biggest could well be users themselves.
In a session at the Crypto and Privacy Village within the DEF CON 27 conference in Las Vegas, Cat Murdock, security analyst at GuidePoint Security, outlined a nightmare scenario seemingly straight out of an episode of Black Mirror (the session, coincidentally, was titled Black Mirror: You Are Your Own Privacy Nightmare – The Hidden Threat of Paying For Subscription Services).
Murdock detailed how simply having a Netflix account could potentially be the key that enables an attacker to gain access to a user’s banking information. She noted that approximately 60% of the adult population pays for some form of online subscription service, be it Netflix, Spotify or something else. She also noted that everyone with an online subscription has a bank account.
One way a financial institution verifies an account holder when they try to gain access is to verify a recent transaction, which is where subscription services come into play. Murdock observed that there are only so many plans that a subscription service offers and the payments typically recur at the same time every month.
She also noted that a lot of people will comment about their subscriptions on social media, identifying that they just paid again or have continued their subscriptions.
“People love to talk about their subscriptions,” she said. “This is quality open source intelligence [OSINT].”
To test her theory for the presentation, Murdock opened up a new bank account. During the presentation, she played audio recordings of her interactions with the bank, using OSINT and social engineering skills to gain access, which she ultimately was able to achieve.
“It's not your bank’s fault that you use Netflix and it’s not Netflix’s fault that you charge it to the bank,” she said. “It's incumbent on us as users to pay attention to these things, to understand that they're happening.
“Remember that any service provider you use is only responsible for their own privacy terms, and, quite frankly, as we have seen, they don’t always do that well either,” she added.
As a result, Murdock suggested that it is ultimately up to each individual to take care of their privacy themselves. She recommended that individuals be very aware of what they’re choosing to share with the world and who can see it.
“Make sure that you’re owning your own privacy and you know, try and do routine hygiene checks,” she said. “Pick a day every quarter or every month and ask: What am I signed up for? What is new? What am I going to share or did somebody else share something about me?”
Source: Information Security Magazine