A Hacker’s Bucket List

As a technologist and security enthusiast, part of the “fun” we have at work is tossing around attack scenarios and challenging each other with situational risk. This time it started out with:

If I steal credit card track data, I can make HUGE purchases (and perhaps return for cash).

If I steal PIN data, I can get cash directly.

If I steal health-related data in bulk from a doctor’s office, the most profitable thing I can do with it is…

While my inbox had dozens of responses, some of my favorites included:

  • Sell the data to marketing or pharmaceutical companies for targeted marketing.
  • With prescription information records, find out where the patient gets their meds called in, show up at the pharmacy acting as the patient, and purchase the meds to sell on the black market (or simply sell the data there).
  • Blackmail or extort the patient if they have some medical condition or history that’s potentially embarrassing or detrimental to their life (e.g., injury sustained while driving intoxicated, treatment for STD, etc.).
  • Post it to pastebin for the lulz.
  • Identify the accounts of minors and use their valid Social Security numbers (SSNs) and personal info to open credit cards, loans, etc., which likely won’t get caught until they turn 18 and apply for credit or financial aid.
  • Create fake identities with the information to sell to illegal immigrants.

Of course, if you can read the data, you can probably alter it. A devastating consequence?

  • Blackmail the physician with the threat of messing with patients’ plans of care and killing them from bad dosing to cause the physician a decade of malpractice suits and medical board inquiries.
  • Create an encrypted copy of all the data, destroy the original data, sell the provider the password to the encrypted archive (relies on being able to destroy the good backups or provider not having good backups).
  • Monitor for specific tests, screen for diseases or disorders and insert false positives that involve treatment with a drug sold by “evil” pharmaceutical company. After records indicate treatment, the next test is miraculously negative. The drug is lauded as wildly successful and becomes hugely profitable. The snake oil of the 21st century; cures what ails ya!

And this one just made me sad:

  • Look for people with conditions that indicate easy targets for scams (e.g., Alzheimer’s medication) or target-specific scams. For instance, imagine a cancer patient getting this phone call:

    “Hi, I’m calling from [well-known clinic/hospital]. Doctor Hibbert referred me to you as a potential candidate for a new drug study. Our research, with the team at [pharmaceutical company], has led to a new breakthrough drug, specifically designed to combat your type of cancer with a 90% success rate. We’ve reviewed your insurance policy with US Healthcare under policy #1234567. It looks like that policy does not cover experimental drugs. Do you have any other means of covering the $10,000 admittance fee for the study?

    …I mean, we’re gonna cure your cancer. Is $10,000 really that much?”

Insert enough credible information, tell them it’s some sort of “blind study” so they can’t tell their doctor… you never know who may bite.

…and that’s just what we good guys thought up.

Notes

  1. D.J. Vogel submitted this to 403labs