Entries tagged with “Social Engineering”.

The cautionary tales abound regarding the protection of payment data – credit and debit cards, and ACH (or banking) information.  Bad guys are seemingly around every corner looking for ways to steal data.  It’d easy to believe that stealing payment information requires a great deal of technical knowledge and a lot of time. One is almost tempted to envision the old Spy vs. Spy cartoons in Mad Magazine. (The picture to the left is The White and Black Spy, from Antonio ProhiasMad Magazine comic strip.) Unfortunately, sometimes the low-tech scams still work the best.

Social engineering is still one of the most effective ways of stealing sensitive data.  According to Wikipedia, “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. In other words, worm your way into someone’s confidence and you can convince them give up critical information.  In the context of payments, this may take the form of someone telling you that they are calling to help you with your merchant account and can quickly troubleshoot an issue (that you may or may not be experiencing) if only you’ll provide your merchant ID and password.  The thief now can access your merchant account at will and doesn’t have to resort to any technical wizardry to do so.  They can process stored cards for payments to your merchant account, which would result in angry customers and multiple chargebacks.

Another common scam is the “skimmer.” In this scenario, someone that has access to the card terminal or card swipe device replaces the card reader with a “skimmer” which duplicates the information and can be downloaded or sent to another individual.  The information can then be sold or even used to make counterfeit cards.  Skimming is most commonly seen in restaurant environments, where servers have access to cards and are often able to take those cards out of the line of sight in order to process the payment.  Here is an example of a skimming ring that was fairly successful.

These are just a couple of the methods used by data thieves to misappropriate financial data.  Of course, the most reliable way to ensure that you don’t fall victim to a data thief intent on gathering your customers’ financial data is simply not to store it.

When the discussion of identity theft arises, most people would naturally assume that the phenomenon is one that primarily impacts consumers.  However, the unfortunate fact of the matter is that merchant (or business) identity theft is a very real threat that often gets overlooked.  One reason for the lack of attention provided to business identity theft is that it is a relatively new trend.  According to the state of Colorado, which has established a Business Identity Theft Resource Guide, ” Business identity theft (also known as corporate or commercial identity theft) is a new development in the criminal enterprise of identity theft. In the case of a business, a criminal will hijack a business’s identity and use that identity to establish lines of credit with banks or retailers. ”  The thieves have the same goal in mind as those that target individuals, but can often get away with more from businesses.  Businesses typically have larger lines of credit and are sometimes less fastidious about checking statements.

Lisa Lee of Atlanta provides illustration of just what a thief can accomplish through the misuse of corporate credentials.  According to news reports, Ms.Lee would scour the state databases of corporations (which are public) and would select corporations that were inactive or otherwise defunct.  She would then bring these entities “back to life” by filing corporate documents, opening bank accounts and establishing email and other contact information.  Once that was accomplished, she would apply for business lines of credit in the companies’ names.  During the course of crimes, Ms. Lee applied for and received over $1 million in loans and credit.  Fortunately, Ms. Lee was caught and convicted and has been sentenced to 10 years in prison.

In 2010, 35 businesses in Colorado were victimized by a scam in which corporate identities were stolen and used to make purchases at big box retailers.  In that instance,  more than $750,000 in fraudulent purchases were made at just one store.  There were half a dozen stores at which fraudulent purchases were made, so one can just imagine what the ultimate tally might be.

The focus on consumer protection has certainly succeeded in making individuals more cautious about their information and more conscientious about checking their financial statements.  Unfortunately, businesses have not benefited from the same level of focus and education.  That leaves many businesses, particularly small businesses, vulnerable to predators and scams.  There are steps that companies can take to protect themselves, though.

Protect your business records – Business records contain a great deal of sensitive information.  This may include EIN or Tax ID numbers, Insurance information, financial account information and other sensitive data that can be used to establish or alter lines of credit or financial accounts belonging to the business.  It is important that these documents are stored securely, in a locked cabinet, drawer or file cabinet.  Documents that are no longer needed should be shredded.

Hide your merchant ID – It is very common for small merchants to have their merchant ID on a sticker that has been affixed to their PINpad or terminal.  Unfortunately, these devices are almost always in view of the customer.  That means that anyone that goes to the counter or desk can easily gain access to the merchant ID number and the name of the merchant service provider through which the company processes payment transactions.  From there, it is a short hop to compromising a merchant account, though social engineering or other means.   Imagine if you received a call from someone purporting to be from the merchant services company and was able to provide your merchant ID as proof.  You’d probably be inclined to believe it was a legitimate call and provide more sensitive information.  Your merchant ID should be considered as sensitive as any other financial account information and protected accordingly.

Check your corporate records – Often, thieves will try to alter the corporate records of existing entities.  Many states have public online databases of corporate entities, complete with filings, name reservations documents, corporate officers.  Identity thieves may try to alter the address of record or change the names of the corporate officers.  While most states will take some action to verify these changes, it is a good idea to periodically check your corporate records with the secretary of state in your state of incorporation.  If anything appears out of order notify the secretary of state at once.

Review financial accounts - Just as with your personal financial statements, it is helpful to review business account statements to identity any anomalous behavior.  Quickly identifying potential identity theft can significantly reduce the potential damage to the company.

Restrict access to “need to know”- In small businesses it is often tempting to keep everyone in the loop with respect to every aspect of the business.  While that may be laudable, the unfortunate fact is that the more people that know, the more that can disclose.  It is important to ensure that only those employees that have a need to know things like bank accounts and EINs have access to that information. Not only does that limit the number of people that can (intentionally or unintentionally) disclose or misuse data, it also provides a chain of accountability in the even that business identity information is misused.

Certainly this is not an exhaustive list of protective measures, but it does represent some good, commonsense steps that small businesses can take to protect against identity theft.   Most states have a webpage that offer more information and localized resources or tips on the prevention of identity theft.  If you suspect that your business has been the victim of identity theft, it is important to notify the secretary of state and appropriate law enforcement agencies as soon as possible.

Dr. Heather Mark, PhD; SVP Market Strategy

Many people today that consider themselves to be internet savvy might believe that they are too clever to fall for an online scam.  They know that they should not respond to pleas for help from Nigerian princes that need to move furniture for their long-deceased, well-meaning philanthropist great uncle.  They know that any job posting that requires respondents to send their bank routing information is likely not legitimate.  They know that a bank will never send an email asking their account holders to “verify their passwords” by clicking on a link.  But do they know that they shouldn’t click on that link that promises a sneak peak of the iPhone 5?

According to a recent survey by the Ponemon Institute (in collaboration with PC Tools), the answer is “no.”  The temptation is just too much, even for seemingly savvy internet users.  “Almost half (47%) of US respondents identified an online survey with a prize as either a scam or an attempt to get you to buy something later. However, when presented with the test scenarios, more than half (55%) of US respondents indicated they would be likely to provide their personal information to redeem a prize after completing an online survey,” said Richard Clooke, Online Security Expert, PC Tools.

A recent article on CNet emphasizes point made by the survey. Last spring, a number of Facebook users were scammed by a link that offered a look at the new iPhone 5.   According to Elinor Mills, the author of the article, “People who normally ignore all the other scams involving purported free software or naked celebrity photos clicked that fake news link and even completed a captcha on a second site, which reposted the scam to their own Facebook stream. That probably says more about how fanatical people are about Apple products than anything else. But it did raise the question–what does it take to lure someone to click on something that seems fishy?” It would certainly appear that the old cliche “everyone has their price” is analogous to this situation. If scammers can target the right prey with the right bait, people seem to disregard their concerns about fraud.  Target techies and Jobs-o-philes with a promised look at a future Apple product and they’ll likely click away.

The moral of the story – “think before you click.”  Many people associate internet scams with malware and Trojans, but sometimes scammers are looking for more specific information about users so that they can launch more targeted and sophisticated attacks later on.   For example, in the scam listed above,  scammers could perhaps garner email addresses.  Those addresses could then be used in phishing attacks later on to get more sensitive data from individuals.  It’s important to remember not to let your guard down when it comes to cyberscams.

Dr. Heather Mark, Ph.D.

SVP of Market Strategy

We’ve written on here quite a bit about the dangers of social engineering, in which thieves talk people into giving up credentials to online accounts and resources.  No hacking necessary – the thieves can, figuratively, walk right in the front door.  IT professionals are fond of saying that “people are the weak link in data security.”  So imagine the surprise when Sabina Datcu, a researcher from Bitdefender presented the findings of her study in which 75% of her sample pool (all IT professionals and hackers) gave up their passwords and credentials to the wiles of a woman.

According to Datcu, the anonymity of the online environment provides a false sense of security, even to those who make their living on it. “No matter what ’side of the fence’ they are on, people will behave the same: as though the virtual environment creates a second life, entirely different from the real one — they are willing not only to accept unknown persons inside their group just based on a nice profile, but also to reveal sensitive information (about their company, themselves and other persons) after a short online conversation.”  Dactu created fake online profiles and inserted herself in online forums frequented by hackers.  In addition, she placed her profile on forums for IT professionals.  In both instances, she found there was little effort involved in convincing these individuals to turn over sensitive information.   So, if the hackers and security professionals can be duped, what can we do to protect ourselves?

The first and most important thing is to remain a little suspicious.  For most of us, if someone walked up to us on the street and asked us for our SSN and our online banking credentials, we’d be a tad skeptical ( I hope more than a tad skeptical).  Why should that change because the question is being asked online rather than face to face?  My suspicion is that many of the targets of this study felt that they “knew better,” and that they wouldn’t get taken because they recognized the signs of a scam.  They were overconfident in their experience and that may have been their downfall.

Consider skydiving as an example.  According “Skydiving Risk” there were an average of 33 skydiving fatalities in the US for each year between 1991-2000.  Most of these accidents involve experienced skydivers.  Why would that be?  In some instances, it may be an issue of complacency.  The jumper has so many jumps under his or her belt that preparation is taken for granted.  Or, as is identified in the article, the jumper may be “exceeding their own limits.”  In other words, they’ve become overconfident in their abilities and perform stunts that are beyond their capabilities.  The same might be said of the IT professionals in this study – they became complacent and overconfident in their abilities.

As for how we address social engineering, I suggest we take a page from the novice skydiver.  Now, I’m not about to go hurling myself from a perfectly good plane anytime soon, but you can bet that if I did, I would be checking, double-checking, researching and practicing to make sure that I was doing everything right.  I would ask questions of the instructor and not be embarrassed about it.   It’s my life on the line, after all.

The same philosophy holds true with social networking.  If someone asks you for information strike you as even a little odd, ask questions.  Probe their intentions.  Research the scam (there is almost always a Wikipedia entry on a similar scam).Maintain your vigilance.  Don’t let down your guard because you think you know this person.  Don’t be embarrassed about doing your homework.  It’s your identity on the line, after all.

Dr. Heather Mark, PhD; SVP Market Strategy

A recent article on MSNBC detailed a “security issue” at two major banks.  The vulnerability in question related specifically to the use of the banks’ phone system.  Generally, when a caller uses the automated account system via telephone, the system verifies the number from which the person is calling.  If the number matches the number on the account, the verification process is streamlined.  That means that instead of entering an entire account number, the caller can simply enter the last four digits of the number.  They would then be able to access the limited information available through the automated phone system.  Typically, that would include information such as credit limit, account balance, date and amount of the last payment and similar information.  The caller would not be able to access other accounts or to retrieve the account number.  The article expressed concern that someone could easily obtain a consumers phone number and the last four digits of the card number.  By “spoofing” the consumer’s number and entering the last four digits, an ill-intentioned individual could “hack” the system.

The author expresses outrage that such a vulnerability could exist.  Other banks, he insists, require that users enter a complete account number.  He makes no argument about the increased security that may offer to the transaction.  The article goes on to detail exactly how one could hack the system, then call the consumer posing as the bank to use that ill-gotten information to coax more information out of the user that could be used to facilitate identity theft, or even to blackmail users based on their transaction history.

Data security and privacy should be top priorities for any companies that deal with consumer information.  However, those businesses must also maintain operations.  Convenience and security will always be at odds and companies are tasked with striking just the right balance – making their services easy to access while still protecting consumers and their data.  Most companies seek to achieve this balance with the judicious use of risk analyses.  During the risk analysis, the company identifies the potential vulnerability and analyzes what the impact would be if that vulnerability were exploited.  High impact events, whether that impact is in terms of frequency or in monetary damage, are addressed and steps taken to mitigate the risk.  While this author has no direct knowledge of the businesses practices of the banks in questions, it is unlikely that the bank would have adopted such a practice if the impact to its customers or to the bank was intolerable.

In security, one must balance the theoretical with the practical.  In theory, data is never safe.  There is no way to categorically prevent data theft.  The risk can be transferred (as with insurance policies or third-party service providers) or it can be mitigated by implementing increasingly strong protections, but it cannot be entirely removed.  Security professionals must be able to recognize when a theoretical threat becomes a real one and how to most efficiently allocate resources to address the nature of threat.

Dr. Heather Mark, PhD; SVP of Market Strategy