Social Engineering from Both Sides: Thinking + Caution = Safety
Thank you, now I know your social security number!
“Social Engineering” happens when you are manipulated into revealing sensitive or private information to someone who should not have it. The person performing the manipulation seeks information that can be used for fraud, identity theft, computer access, and other nefarious actions.
Recently, I have run across a few situations that were not actually social engineering attacks, but could easily have been. They serve to illustrate the danger.
Case 1: A phone call to the bank
My colleague, call him Joe, calls his bank to update his account. The attendant asks for his social security number — a typical question. Joe doesn’t want to give it out for obvious reasons, so he just makes one up. The attendant types away and then says, “No, Joe, that appears to be the social security number of Fred.”
Joe is blown away — she just gave him someone else’s social security number!
The attendant goes on to say, “Well, we can try to verify you by your address…” So, Joe gives his actual address (which is not really a very private piece of information). The attendant then says, “No, that is not what we have listed for Fred … the address should be …” and she goes on to read out Fred’s address.
So, now Joe has Fred’s name, social security number, and address. That’s about all he needs to steal Fred’s identity! The thing is, Joe was not even trying to get this information. His responses were not manipulative; they were more “flippant”. However, his purpose could just as easily have been malicious.
The bank attendant should have been aware of what information she was giving out, and should have made sure that private information is only disclosed after the caller’s identity has been properly verified. It’s not just laypeople who can be caught out — technical support staff, and anyone else who deals with people, can be too.
Case 2: What’s the answer to your secret question?
This situation was encountered by LuxSci Technical Support just today.
We use secret questions and answers on customer accounts as one factor in verifying a user’s identity, for example if they have lost their password. Our support representative called the customer to assist him, but first needed to verify that he was talking to the proper person (you never know who answers a phone). He asked the customer to answer the secret question we had on file.
The customer refused to answer the question. He was unsure that it was really LuxSci calling and/or was not expecting us to contact him. As a result, support was delayed. However, he had exactly the right idea!
If someone calls you out of the blue and asks you to provide sensitive information — why should you do it? You don’t have to. Think before responding. Once you are sure the person contacting you is legitimate, then proceed. If you are at all unsure — err on the side of caution!
Case 3: The fraudulent request
Have you ever gotten a letter or email from someone claiming to work for a company that you do business with and asking you to do certain things, like sign up to a new web site, talk about your accounts, etc.?
In some cases, these requests are from fraudsters trying to impersonate a business partner in order to glean personal information or passwords from you. This happens all the time.
If you are not expecting the contact and do not recognize the person, you should either (a) ignore the request, or (b) verify it by contacting the company they claim to be associated with, using contact details you already have or can look up independently, and checking whether the request is genuine. Until you have done so, don’t take their word for it, don’t use the email address or web site they give you, and don’t call the phone numbers they supply — every one of them may be fraudulent or otherwise malicious.
It all comes down to the old adage of “think before you speak” and to not trusting strangers when it comes to business, financial, or personal information. Unfortunately, that’s the world we live in.