Never underestimate the lengths hackers will go to in order to steal from you. Too much confidence in our everyday, seemingly unrelated service providers can leave us open and vulnerable to carefully calculated cyber-attacks. Social engineering – the ability of a threat actor to convince you or someone in a position of control to take actions contrary to your best interests – is one of the oldest forms of criminal behavior, yet remains one of the hardest to protect against. The incident depicted below shows how easily this trust can be exploited.
The incident starts with a well-planned attack. The threat actor called the victim’s local telephone company and convinced the customer support representative to forward the victim’s phone number to a number under the attacker’s control. The attacker then called the victim’s bank, spun an elaborate tale about having recently moved and lost their credit card in the process, and requested that a new card be issued to the new address. Since the attacker didn’t know the account passcode (he professed to have forgotten it), the bank’s security policy was to call the telephone number on file and verify the customer’s identity. Because the home phone number had already been compromised through the call to the telephone company, whose own security procedures were far less stringent, the bank’s verification call reached the attacker, and the bank took this as positive identity verification. Having successfully authenticated, the attacker then proceeded to change passwords and access the bank account, spending thousands of dollars before being discovered.
When the victim realized his credit card had been fraudulently replaced, he began questioning the bank and subsequently the phone company. Unfortunately, this was not the first time the victim’s landline had been subject to unauthorized forwarding. Despite his requests that all forwarding be disabled and prevented, the telephone company ignored them, thus putting the victim at risk.
In these types of account takeover schemes, attackers can often guess the answers to those ‘secret questions’ you’re asked to generate. Unfortunately, the answers to questions such as “where did you go to college” or “what’s the birthday of your oldest sibling” can often be found with simple research, made much easier since we are prone to sharing much of our personal lives on social media. The best practice here is to create nonsense but memorable answers to those questions, such as “What did you study in college? Beer and Pizza!”. Alternatively, consider deliberately misspelling your answers to the questions.
Unfortunately, we cannot rely on businesses or vendors to keep our information safe, especially when there are human representatives with access and power over your finances or identity. There will always be room for a social engineer (we used to call them con artists) to worm their way into your protected accounts. Talk to the institutions that hold your finances and discuss with them how they keep your information safe, then make changes where you see gaps in their security.
With over 20 years of experience, Impact Business Technology has an entire suite of comprehensive protection measures to protect you and your business by filling in these security gaps.