Dumpster Diving is investigating a person or business’s trash to find information that can be used to attack a computer network.
Dumpster divers locate financial statements, government records, medical bills, résumés, and the like simply through exploring the victim’s rubbish. Once in hand, the information is used to piece together identity profiles, making social engineering more likely to succeed.
Sometimes sufficient information for account takeover (ATO) is found directly in the trash, as are full, useful credential sets. Simple countermeasures such as being diligent with document destruction can defend against dumpster diving. Often, an enterprise’s trash-removal policies such as the mandated use of a cross-cut shredder are specifically tied to dumpster-diving prevention or legal compliance to do so. Factory resetting and the proper disposal of devices is also important for preventing dumpster diving since smartphones, laptops, and security tokens may also be helpful for attackers capable of recovering data.
“Dumpster diving may seem like the punchline to a bad joke. However, a person snooping through your trashcan could find everything they need to assemble a complex enough profile on you to commit identity theft.”