A dumpster diving attack is a type of cyber attack made possible by searching through the victim’s trash.

While you might be imagining a messy and filthy scenario where a person dives into a dumpster, the reality is less unsanitary. In a dumpster diving attack, threat actors could be in and out of the dumpster in a matter of minutes. But they may already have their hands on a box full of confidential documents, storage devices, and workstations.

In a dumpster diving attack, threat actors take the adage “One man’s garbage is another man’s treasure” to a whole new level. They could obtain sensitive information that allows them to infiltrate a network or copy a person’s identity.

What Data Can Dumpster Divers Obtain?

You would be surprised at the amount of information about you, your life, or your company in your trash. Think about the last time you threw away your credit card statement. Did you shred it? How about the medical laboratory result from your previous visit to the doctor?

Among the data that dumpster divers can get from searching through your trash are:

  • Phone numbers of family members, friends, customers, and business associates
  • Access codes and passwords written on an innocent notepad
  • Credit card and bank account numbers
  • Blueprints of product designs
  • Printed drafts of business plans
  • Calendars and to-do lists for previous days
  • CDs, DVDs, and other portable storage devices

More can be added to the list, but you get the point by now. Any of the above information can be used to gain access to your home or work network. Notepads that contain passwords and access codes are the most valuable. However, most of us have learned to discard these items without a thought for security.

A list of clients would be useful for a competitor. However, some of the data, such as calendars and phone numbers, may seem harmless. Keep in mind that they could be used in social engineering or masquerade attacks where threat actors imitate you or any of your contacts.

Real-Life Dumpster Divers

Jerry Schneider

One of the most infamous examples of dumpster divers is Jerry Schneider, who started a wholesale telephone equipment company while in high school in 1968. The idea came from the dumpster, specifically Pacific Telephone’s trash, which included order and delivery system documents, manuals, and invoices.

Needless to say, Schneider got in trouble and served 40 days in a security facility. He then founded a security consulting company.

Matt Malone

Matt Malone is known as a professional dumpster diver, making thousands of dollars a year. He would get into a dumpster and come out after a few minutes with valuable items, such as electronic devices, power tools, and furniture.

While he is now making money by selling the items he finds in dumpsters, he started as a zero-knowledge attacker. He was hired to break into a company’s system but didn’t know how. One of his first moves was to dig through the target’s trash. After a few weeks, he found several documents that contained the sensitive information of thousands of customers.

How to Protect Yourself from Dumpster Diving Attacks

The success of dumpster diving attacks can be traced back to a lack of security knowledge. If people knew how an attacker could use the data on a piece of paper, they wouldn’t throw it away without shredding it.

Therefore, the most effective way to protect yourself and your organization from dumpster diving attacks is education. Learn to distinguish between confidential and public records.

For organizations, including disposal management in your overall security policy could provide clear guidelines on how sensitive data from your trash can stay protected. For example, the policy may dictate that all papers should be shredded before disposal. Storage devices, on the other hand, have to be cleaned of all data.

A dumpster diving attack does not just occur in ’90s spy movies. It remains an effective method of obtaining valuable information about a competitor, an opponent, or a target victim.