Posted on March 22, 2012 · Posted in Security

During South by Southwest this year, I RSVP’d to a number of events, and I’m pretty sure all of them were real except for one, which promised to be an after-after-party that never seemed to happen. I don’t think anything malicious happened; I simply believe they were unable to secure a venue and sponsors.

That got me thinking, though: what better way to gather authentic personal information than to create a bunch of fake events? Depending on what your fake event requires people to submit, you could conceivably steal a person’s identity.

Let me give you an example of what could happen. Suppose I go on Eventbrite (or, better yet, self-host the event RSVPs and have people create usernames and passwords, which are likely recycled from Facebook, Gmail, or bank sites) and create a bunch of super-secret after-parties based on the tour dates of a major act like Jay-Z, Radiohead, Kanye, etc. I would say that the venue is TBA and ask people to give authentic contact information so they can get the low-down on where the party will be.

I could ask for your name, email, and phone number (in case we need to send a text verification or venue announcement), your birthday (under the guise that the party is 21+), and, if I wanted to be really sneaky, I could ask you to make up a special code word for additional verification (that might be going a bit too far, but you see what I’m doing, right?).

Assume I got 1,000 RSVPs per party. If the performer is doing a 30-city tour, I could literally create a list of 30,000 identities, and I’d be willing to guess that 95% of the data would be correct. The scary thing is that people would fork over their information because they want to be on the guest list for an exclusive, super-VIP after-party and wouldn’t want their night ruined because of some technical error (as opposed to their credit score).

If I didn’t feel like identity theft, I could sell the emails and phone numbers to spammers and profit that way, and who knows, people might already be doing this. So to end this post, here is the how-to-protect-yourself section:

– Double-check the information if you are wary of RSVPing to an event. Is the venue real? How about the promotion company? Are there previous events? Does the event make sense? (Radiohead won’t DJ at Pure and provide free bottles of Grey Goose.)
– Never use a personal email when RSVPing; always use a junk account you have access to.
– If you are required to provide more information than your name and email, that should be a red flag, and you should really consider whether you are comfortable with a third party holding your information.
– If an event requires you to agree to any kind of TOS agreement, it probably means your information is being sold.