Security Encyclopedia

Dumpster Diving

Dumpster diving is the practice of searching through a person’s or business’s trash for information that can be used to attack a computer network.

Dumpster divers locate financial statements, government records, medical bills, résumés, and the like simply through exploring the victim’s rubbish. Once in hand, the information is used to piece together identity profiles, making social engineering more likely to succeed.

Sometimes enough information for account takeover (ATO) is found directly in the trash. Even when full credentials are not discarded in recoverable form, simple countermeasures such as diligent document destruction are helpful. An enterprise’s trash-removal policies, such as the mandated use of a cross-cut shredder, are often tied specifically to dumpster-diving prevention or to legal compliance obligations to prevent it. Factory resetting and properly disposing of devices are also important for preventing dumpster diving, since smartphones, laptops, and security tokens may also be useful to attackers capable of recovering data.

Example:

“Dumpster diving may seem like the punchline to a bad joke. However, a person snooping through your trashcan could find everything they need to assemble a complex enough profile on you to commit identity theft.”