I'm paranoid. But in my line of work, that's a good thing. Last night I came home from work at about 21:30 CST and started thinking. This led me to empty out my shredder and shred one document. One document, just one. A credit card statement. I then spent the next 13 hours and 10 minutes re-assembling my cross-cut shredding just to see how hard it would be...granted I was working with one known document in isolation. But 13 hours and 10 minutes says a lot.
When I was a kid, Oliver North was being hoisted up before the public as part of the Iran-Contra scandal. I watched those hearings then and even to this day joke about my shredder being my "Uncle Ollie machine." I also call it "Little Enron" for those who enjoy my sick humor. Nonetheless I shred almost everything. I shred more documents than a mob accountant. But I go one step further. I never throw out the shreddings. I burn them. Paranoid enough for you? Well...I was starting to think maybe it was a bit much. Then I spent the night re-assembling a credit card statement in 13 hours and 10 minutes, proving that maybe I'm just paranoid enough to survive.
I'm writing this for a couple reasons: First, I want people to think first and not just stop at the shredder. Just because you buy a tool, don't think you shouldn't ask how the tool works or if it does enough without at least some critical thinking. Second, I want to remind people that criminals think outside the box. The people making information security recommendations are often NOT criminals. At best they've attended some classes and learned to check boxes for your information security "protection." But real security comes from asking yourself "If I were going to be a crook, how would I do it?" Then go play.
I love puzzles. Jigsaw puzzles are fun. So are cryptographic ones. Some of you might read this and think I am a bit strange to have stayed up all night re-assembling a credit card statement. But it really was just a bigger and more fun jigsaw puzzle. It's also a very scary one. Go look at your next credit card statement. In the case of this particular card, they actually had my card number on the statement. Absurd, right? But it's there. And a lot of people have that same card. So consider the criminal motivation to re-assemble that card. It's real.
Let's assume that a card has a limit of $5K. Now let's assume that the statement for this account contains the credit card number. In my little exercise, I was able to reassemble the statement and read the card number (albeit the statement looked like Frankenstein with Scotch tape holding together confetti). Were I a criminal, I could now sell that card number to the black market and make a decent amount of money to cover the time I put into its reassembly. Absurd? Not too much. Anyone who has ever looked at the lengths government intelligence agencies or law enforcement will go to in order to recover shredded forensic data knows this is really possible.
So where does this leave us? Well first of all, to return to those "information security" folks out there...uh...well...they failed. The card in question is issued by a rather large (read that "too big to fail") financial institution that has an information security department. How in the hell did they not catch such an obvious security issue? Better yet, how do I respond to this incompetence?
Here's what I've done so far: I called the credit card issuer. I told them the card is compromised and had them issue a new card. Then I called in again and (for my own little test) asked them to please provide me the new card number because I need to update my online accounts. Call this a social engineering attack on myself...fun stuff. To their credit, they wouldn't give me my new card number. That's when I asked why, since my card statements all have the old number printed in plain text. Heh. That confused the Customer Service Representative. Eventually I got to a supervisor who explained that she was unaware that the card statements contain the credit card number. She said she would look into the matter.
So where does this leave me? Well...I'll probably close that credit card account. I will definitely not carry that card on my person, and I will most certainly continue shredding my documents and burning the shreddings. After all, I'm from Texas and you just have got to have something to start the old BBQ pit with.
[Update: This article was originally written several months ago. But in the interest of good practice, I decided not to post it anywhere until I heard back from the credit card company. They have since fixed the issue and no longer print credit card numbers on their statements. I still shred-and-burn. But I am a little less dissatisfied with the aforesaid financial institution. On a more interesting note, the fraud specialist with whom I spoke actually asked what made me think to do this exercise. That led me to ask why they had not...I'm thinking it has to do with their lack of knowledge of how the other side thinks.]