Looking for Love in All the Wrong Places: A Security Case Study on Online Identity Theft

Information systems are only as strong as their weakest elements. A truly secure environment requires effective network security, secure application development guidelines, well written policies and procedures, and a strong user educational component to account for the many potential attacks that can occur on a given day. In this case, the authors cover failed aspects of networking security, Web development, policies and procedures, as well as inadequate user education to illustrate how easily an attacker can glean critical business data from an organization via simple techniques known to the hacking community. This case demonstrates that even with basic physical security in place, social engineering practices, combined with well-known hacking techniques, can thwart an organization’s security procedures and practices. In our discussion, we analyze threats to Web servers and Web services using a sample business: MrLuv’s Online Dating Service. We also provide a scenario analysis to forensically explain the break-in and discuss possible techniques used to acquire customer identity information. Ultimately, we find that although secure technical solutions must be implemented, organizations must also educate system users about potential threats. Throughout the case we provide an explanation of common attacks on Web servers and Web services, as well as include a detailed glossary of relevant security terms to explain the technical vocabulary businesses must understand in order to effectively protect their digital assets.