This is a scourge. And of course most employees who get a call from someone purporting to be part of the company have a reasonable fear of creating problems at work and so often seem to err on the side of giving out more information.
The sad thing is that as we open up more and more ways to "do" things remotely (like move all your checking account funds from your account) the more danger involved. In many ways this makes the whole requirement that you authorize at a specific terminal in a secure space make much more sense.
For 4 years I was the systems security officer for a college. At least 2 students per week fell for a phishing scam. It didn't matter how much we warned about it; emails, orientation lectures for firstyears, one-on-one talks, big alerts on the Blackboard system, you name it.
They'd get an email claiming to be from the help desk and BAM owned. My sensors would pick it up and cut their access off and they'd have to come to my desk for restoration. I was unfailingly polite and respectful. Didn't make anyone feel dumb, no berating, just a calm explanation of exactly what happened and how to avoid it in the future. No student ever had it happen to them a second time.
One staff member fell for phishes at least 5 times, though. The president of the college had to talk to that individual eventually.
Yeah exactly, who is the audience here? For the average semi-computer literate office drone there's hardly any questions the jolly IT guy could ask that would seem out of place. You have to have a lot of domain knowledge to know that what's being asked isn't kosher.
Probably the biggest clue is that the IT guy is "jolly." The IT guy generally isn't jolly. You know some shit is up :)
"Any sufficiently advanced technology is indistinguishable from magic."
IT is magic to most - magic in the fact that they don't know how the trick is done or what is required for it. "hey, can you give me the serial number on your computer so I can configure the flux capacitor" seems like a reasonable request because you don't know what a flux capacitor is or what is needed for it to run. All you know is you need your internet and email to do your job and IT does all the magic to make that happen.
Having been at two of his talks, I can assure you that the man is no joke.
Sure, Social Engineering can look a bit voodoo-y but it's a tool that no one should underestimate, human error is the biggest and easiest to exploit breach one could hope for.
This is absolutely the case (source: I'm a former pentester in charge of the social engineering).
SE had two guarantees for every organization we were hired to pentest.
* We would get the information/access we wanted
* It would be easy
Chris is a pioneer in this branch of the industry and has done a great job of highlighting the importance of social engineering through his research, books, and the CTF at Defcon (which is awesome to watch if you get the chance).
Additionally to posing as an authority and creating some pressure, they also seem to add a general awkwardness to the conversation that may make the user want to get it over with.
Not sure how it is in USA/Europe - but in Australia, some of the biggest banks/telcos still ring up customers (from private numbers) and ask for all your personal details to confirm your identity before proceeding with the call. Some even ask for plaintext passwords over the phone. At the same time they have big warnings on their webpages about phishing and how they'll never ask for personal details over email.
More than once I've explained that providing all my details in this fashion directly contradicts the security policy of the banks, but it takes some convincing to get the phone operators to give you a number you can confirm is legitimate and call them back. Its clearly not on the call center script and they dont understand why I am being so pedantic.
Whenever I'm asked for some identifying piece of information via phone, I give a wrong answer.
If they say, "hm, that's not what I have here," I can be at least somewhat certain that they already have that information, and are probably legitimate. If they blindly accept it, then I know they ain't on the level.
If they ask for your password, an attacker can simply try to log in with it and then if it fails say "looks like that's not correct, could you try again Mr. Smith?"
Comcast now requires the last 4 digits of your social security number to do anything. Even though it's not the whole thing, I'm extremely uncomfortable whenever I have to call them.
Are you actually required to give them your real social security number? Or can you give them a random string of digits that you would like to be identified by?
They require social for credit check when signing up, then they're now using the last 4 digits for account verification. It seems really awkward and forced. They then also have you provide address, name, phone number when speaking to the CSR, which seems redundant. If I have someone's social, I probably know where they live. And I certainly wouldn't be calling Comcast on their behalf.
They probably don't require your Social Security Number. I've avoided giving mine out by paying a deposit to my cable internet company, my electric company, and I use prepaid (which is cheaper than post-paid for the same service) to avoid giving it to a phone company. I also leave it blank on my doctor's forms and other forms. No one has ever hassled me about it.
They run a credit check on you beforehand, that's what the SSN is for. I'm sure you can ask to opt out of the credit check as long as you are willing to give them a hefty down payment.
Many times you can avoid the SSN by asking and being willing to jump though a couple extra hoops.
Interesting when I worked for the big telecom in the UK 20 years ago where give very strict instructions that NI numbers (uk' ss no) where NEVER to be used for any customer id purpose.
On pain of having the IB (Bt Security) jump up and down on you with size 9 boots - think the auditors in the laundry files but worse.
Just a few days ago I had someone from Cox call me up out of the blue to ask me how I liked their service and to tell me about some of their other services. But first they wanted to verify they were speaking to the correct person.
I refused, told the woman flat out she called me, I didn't call her, therefore she was getting no information from me. I also told her I was happy with my Cox account and had no interest in whatever it was she was trying to sell. To her credit, she thanked me and ended the call amicably which is exactly what should have happened imo.
I understand the need for it from the company's perspective, but for me it was strange, uncommon, and I'm just too damned cynical. Even if I were interested I would have insisted on calling back through Cox's number before speaking with someone.
There was a time when it was relatively safe to speak with someone who calls you like that, but it's been years since I've felt comfortable doing so.
Please keep it up, I can't even write a coherent reply to this discussion because of how furious these policies make me. Its not just banks, its telcos, energy companies, government agencies, pretty much everywhere. They all think that knowing my D.O.B and address confirms my identity.
On the banks, I've never had westpac attempt this (I think,) but they do still have this bizarre 6 letter character limit to my online banking password where they just ignore any letters after 6 characters so it seems like you are secure but in fact are not very secure at all.
He mentions putting a color swatch on the company intranet that changes daily as a form of authentication.
I wonder how well it would work to call people up and say, "Hi, this is Paul from IT, we're having some trouble with our intranet security color swatch generator this morning. You should be seeing pink. Is that right?"
I think that was just an example; it just needs to be some daily changing token. When a bad guy calls up your company, he should have no idea whether you use a color scheme, mythical animals, sports teams or flightless birds.
If it's a former disgruntled employee then they shouldn't know what the daily token is, since they should at that point be gone and no longer have access to such details.
If they do, however, know the token, then you have another problem altogether.
"Hi, this is Paul from IT. We're having some trouble with the random color generator today, could you pop open a browser and check for me? It should be pink, but we've gotten a couple of calls saying it was a different color. What color are you seeing at your location?"
I think the daily token should be thought of as changing the default SSH port, a simple protection scheme that cuts out casual script kiddie attackers 99% yet does not deter someone who views you/your company as a specific target.
The problem with the token would be if it was the sole level of protection (just like simply changing your ssh port is not enough).
His social engineering contest at defcon is always awesome to watch. It's incredible to see the big companies give out such internal information. The social engineer is inside of a glass protected booth and the crowd can watch and listen in. They have a points system where the harder to get info gets you a higher score. Ex: a high score was given if you could get them to hit social-engineer.org from their browser. One guy told the person on the other side of the phone that it was a social network for engineers. Also: Make sure To check out the contest on Friday/thurs as they can't really do the live over the phone hacking on Saturday/sun as most businesses are closed on the weekends.
They are very strict inside of the room to ban all forms of recording or picture taking. Probably for legal reasoning (my guess) so I don't think you'll find any.
"LinkedIn: I have everywhere you’ve worked. Everywhere you went to college. Facebook: I have your family, your wife, your kids, your boyfriend, your girlfriend, your last vacation. Twitter: I have everything you’re doing throughout the day. If you’re on Foursquare, I can geolocate where you do it."
This is so true lol. Many people don't realize all the valuable info they put up on social media. Great article btw.
If anyone from IT calls you, you should be able to call them back at their extension. Or that's a red flag.
We used to have fun with William the "Windows Tech team agent" (from India) . He (They) would call us at least once a week. I think they might have had a successful attempt otherwise why would they keep calling.
>WSJ: Hold up. How can I get a free plane upgrade?
> MR. HADNAGY: Airports are always stressful. These ladies are always getting yelled at. If we make someone happy before we can ask for a free upgrade, that could work.
So now the question is: how do you make the agent happy enough to give you an upgrade? Just be polite?
45 comments
[ 3.7 ms ] story [ 111 ms ] threadThe sad thing is that as we open up more and more ways to "do" things remotely (like move all your checking account funds from your account) the more danger involved. In many ways this makes the whole requirement that you authorize at a specific terminal in a secure space make much more sense.
They'd get an email claiming to be from the help desk and BAM owned. My sensors would pick it up and cut their access off and they'd have to come to my desk for restoration. I was unfailingly polite and respectful. Didn't make anyone feel dumb, no berating, just a calm explanation of exactly what happened and how to avoid it in the future. No student ever had it happen to them a second time.
One staff member fell for phishes at least 5 times, though. The president of the college had to talk to that individual eventually.
That's an everyday occurrence in some offices.
Probably the biggest clue is that the IT guy is "jolly." The IT guy generally isn't jolly. You know some shit is up :)
IT is magic to most - magic in the fact that they don't know how the trick is done or what is required for it. "hey, can you give me the serial number on your computer so I can configure the flux capacitor" seems like a reasonable request because you don't know what a flux capacitor is or what is needed for it to run. All you know is you need your internet and email to do your job and IT does all the magic to make that happen.
Sure, Social Engineering can look a bit voodoo-y but it's a tool that no one should underestimate, human error is the biggest and easiest to exploit breach one could hope for.
SE had two guarantees for every organization we were hired to pentest.
* We would get the information/access we wanted
* It would be easy
Chris is a pioneer in this branch of the industry and has done a great job of highlighting the importance of social engineering through his research, books, and the CTF at Defcon (which is awesome to watch if you get the chance).
https://www.youtube.com/watch?v=DB6ywr9fngU#t=4m23s
Additionally to posing as an authority and creating some pressure, they also seem to add a general awkwardness to the conversation that may make the user want to get it over with.
More than once I've explained that providing all my details in this fashion directly contradicts the security policy of the banks, but it takes some convincing to get the phone operators to give you a number you can confirm is legitimate and call them back. Its clearly not on the call center script and they dont understand why I am being so pedantic.
If they say, "hm, that's not what I have here," I can be at least somewhat certain that they already have that information, and are probably legitimate. If they blindly accept it, then I know they ain't on the level.
Many times you can avoid the SSN by asking and being willing to jump though a couple extra hoops.
On pain of having the IB (Bt Security) jump up and down on you with size 9 boots - think the auditors in the laundry files but worse.
I refused, told the woman flat out she called me, I didn't call her, therefore she was getting no information from me. I also told her I was happy with my Cox account and had no interest in whatever it was she was trying to sell. To her credit, she thanked me and ended the call amicably which is exactly what should have happened imo.
I understand the need for it from the company's perspective, but for me it was strange, uncommon, and I'm just too damned cynical. Even if I were interested I would have insisted on calling back through Cox's number before speaking with someone.
There was a time when it was relatively safe to speak with someone who calls you like that, but it's been years since I've felt comfortable doing so.
I'm not so sure about that, I think it existed for all my life, just wasn't very common until now.
I remember over 20 years ago getting a phishing call trying to get personal information about me.
On the banks, I've never had westpac attempt this (I think,) but they do still have this bizarre 6 letter character limit to my online banking password where they just ignore any letters after 6 characters so it seems like you are secure but in fact are not very secure at all.
I wonder how well it would work to call people up and say, "Hi, this is Paul from IT, we're having some trouble with our intranet security color swatch generator this morning. You should be seeing pink. Is that right?"
If they do, however, know the token, then you have another problem altogether.
The problem with the token would be if it was the sole level of protection (just like simply changing your ssh port is not enough).
This is so true lol. Many people don't realize all the valuable info they put up on social media. Great article btw.
We used to have fun with William the "Windows Tech team agent" (from India) . He (They) would call us at least once a week. I think they might have had a successful attempt otherwise why would they keep calling.
> MR. HADNAGY: Airports are always stressful. These ladies are always getting yelled at. If we make someone happy before we can ask for a free upgrade, that could work.
So now the question is: how do you make the agent happy enough to give you an upgrade? Just be polite?