You must be thinking: how can a mail room locker be a topic for a cyber security professional? And a snail mail box at that, not the ones that are cluttering your inbox right now on this computer. I have a real story to tell, about a piece of snail mail which could expose you to hackers online. Yeah, you read that right...
Relocation is painful!
We moved into my apartment a few months back, in a great locality down here in the Bay Area, thriving with active people and a great neighborhood. As in any apartment complex, there was a separate mail room with lockers for the different apartments, filled with everything from genuine communication from a bank to advertisement papers screaming at you to buy some stuff at a neighborhood daily at a discounted price, coupons and what not.
Boring visits to the mail room
I make it a point to head out to the mail room twice a week, open the locker, throw the marketing stuff in the trash and take the other (important) stuff along with me. Today was an interesting day for me, as my mailbox (locker) was overflowing with junk and some bank communication. I took all of it out, threw away the junk and took some of the envelopes with me.
Curiosity is the mother of invention
I came home, relaxed on the couch, threw all the letters in front of me and opened each envelope one by one to further filter what else should go in the trash. As I was doing this, one particular postcard caught my eye, as it had some text in red letters written all over it, and it said “You have been summoned by Jury Service”. Now that caught my eye: confusion and obvious fear, with an "oh no! what is this, what kind of problem did I get into" expression on my face. I turned the postcard around to see whom it was addressed to.
First step: Know your target
The letter was obviously addressed to a different name, but the apartment number was the same. I realized this must be the previous tenant. The postcard said to respond immediately and had a web link on it, and the curious security guy in me wanted to see what exactly this could be (any hacker would have probably done this too, except that I’m writing a blog on this).
Second step: Know more about your target!
I pulled up Safari on my iPad Pro and typed in the link, which took me to the local county's court website. It prompted for a Juror ID, Group and last name, all information that I had on the postcard in my hand.
The problem (or another security layer the website presented) was that it also asked for a date of birth, which I didn’t know for that person. Now you guessed it right: there is a great tool called Google, and with the right search parameters it can pull up information even from the Mars rover.
Yeah! I put in some specific search patterns on that person’s name, and even typed DoB to complete the sentence. Bingo, it led me to a marriage invitation portal where the person whose name is mentioned is standing with her bridegroom and smiling at the camera, and the marriage date shows 2 months down the line.
The name clearly matched the name of the person on the court notice that came into my mailbox, and scrolling further down the website showed me why Google listed this on top of the search results. Someone had commented about the lady and her childhood and mentioned “I cannot believe you are all grown up”, only to be followed up by several comments which led to someone asking “hey what’s your birthday” and the lady proudly typing some numbers on the screen, which would be considered juicy information for hackers.
What could have happened?
The next steps would be that the hacker gets back to the court website, puts in the date of birth and sees all her personal records, probably stalks her, and makes criminal money off it. I can only assume that so many wrongly addressed postcards lie like this in so many mailboxes around the world, only to allow hackers to get into your digital world, invade your privacy and probably what not.
What should you do?
So be careful. Make sure you change your address for all major communications when you move out; you never know who is considering peeping into your old mailbox and mail room. Criminal behavior is everywhere, and whether you will be affected or not depends on what measures you take and your personal behavior.
True end to the story: I contacted our apartment office and handed over the notice to them and hopefully it will find its true owner.