Tuesday, November 24, 2009

How would I steal IDs and passwords from people?

I've been asked a question by a former classmate (or rather he challenged me) to give a proposal to steal IDs and passwords from people with little danger for me and little required technical knowledge from me.
Here's my proposal, I don't know whether it's new at all, I guess it's not. It's purely virtual, I've not tested anything like this.
  1. I go to a place where people use laptops: train stations, a home apartment in a crowded city or a job place where the Internet access is not given to all employees.
  2. I create an unprotected wifi access point, open to all. And I keep listening when someone does connect. It may take time, but that's not part of the given problem so I'm assuming I've got time.
  3. I count on the fact that at least one service the victim will use is not secured via SSL or similar. So when that happens, I just take note of the login/password couple.
  4. Then I go and try the login/password in other applications such as Facebook, Gmail, MSN, online stores and so on. As most people use the same passwords for many applications, I think it could be a correct ratio of success.
EDIT 01/24/2011: A few clues against public wifi here.