Did you know the most common tool used by scam artists and hackers attempting to gain access to your system or credit card data has nothing to do with a computer? In fact, it has nothing to do with the internet, and it actually older than civilization.
This technique goes by the glamorous name of Social Engineering. What this means is someone will attempt to gain your trust in some way in order to get you to perform an action for them. Generally, this method is used to bypass security systems, encryption schemes and passwords. Sounds very powerful, doesn’t it? Must be pretty complex?
Actually it’s incredibly simple. One of my co-workers is in charge of the phone system. It’s his job to examine the phone bills. One day he was looking through a bill which seemed unusually large and found some very suspicious charges. He investigated and determined that someone had called the receptionist saying, “I am from the phone company and we are testing some equipment. Can you please press …”. The receptionist was obedient and did so – and gave the guy access to outgoing phone lines – he was able to rack up over $50,000 in a month in free international calls.
Another example involved America Online. One day my kid came up to me and asked if I could enter my credit card information for him. I asked why, and he told me he had received an email from AOL asking him to visit a website to “validate his identity” so his account would not be canceled. Naturally my kid did exactly what was asked, and if he had had his own credit card I’m sure the entire remaining balance would have disappeared. This is a very common way to fraudulently gain credit card, passwords and account numbers.
I’ve been told by some friends of mine that they recently found a hole in their company security. What had happened was someone called an accounting clerk, claiming to be from MIS. This guy called just before the Year 2000, and claimed he was making sure the computer would work properly after the new year. He wanted to send a floppy disk to the clerk overnight. Would the clerk be so kind as to insert it immediately upon receipt so his hardware would be tested? Naturally the clerk agreed and actually did as he was instructed. The result? A hacker gained access to the entire network at this company, requiring a full security audit to determine exactly what was done.
I even heard of a security manager who discovered that someone had left business cards with all of the users at his company (hundreds of them). These cards claimed to be from a warranty group and left a phone number to call for support. Each time a machine broke down a user obediently called the phone number on the card, and each time someone dialed into his system and fixed the problem. While the person was dialed in, he installed a set of tools to allow him to gain access to normally secure databases, including payroll, legal and accounting information.
As you can see the concept is very simple. A person contacts you somehow (via email, in person, on the phone) and talks you into doing something for him. There is no reason not to assume the person is legitimate, so naturally you just do what he says. He always sounds very friendly and helpful. Sometimes he will sound like he’s in a hurry or asks for your help to complete some task. The main thing is he is normally someone you would trust, because he seems to be doing the correct tasks.
So what can you do about it? What I’ve done in the past is given short classes to groups of people where I work. In these classes I demonstrate exactly how social engineering works and why it is often successful. Education does wonders for preventing these kinds of things from happening.
I’ve also run “fire drills”, where I (or one of my co-workers) will call our own company and attempt some social engineering of our own. If we can get the person on the other end of the phone to do something, we make sure he spends some time in training to learn what not to do next time.
You must be aware that social engineering exists, is very common, and often works very well. When you receive a communication asking you to do something look it over and determine if it “feels right”. Look over phone numbers, addresses and website URLs. Are they actually the company’s or a clever modification. A good example was the America Online scam which I mentioned earlier. In this scam, we were told to go to a website which had nothing to do with AOL although it did include the word AOL in the URL. It was pretty obvious to me that AOL didn’t need me to enter my credit card data at a GeoCities site, since AOL has it’s own servers and it’s own domain.
Something I’ve found useful is to validate it with a third party. For example, one day I received a notice from my ISP asking me to proceed to a web site and change my password. This is a classic tactic used by social engineers all over the internet. It seemed legitimate, but I wanted to be absolutely sure. So I called my ISP directly and asked their technical support people to help me with the instructions (playing stupid, like I need help). As it turned out, the letter was fake and did not come from my ISP.
If someone comes to your door or desk and asks to get access to your computer, check it out. I always ask for (and keep) business cards and identification. I may even call their company asking about them (but be sure NOT to use their business card for the phone number – get it from someone else that you do trust.)
The important point here is simply to validate the credentials of anyone who is attempting to get you to do something or to gain access to your computer system. You don’t need to be paranoid, just cautious. You wouldn’t hand your car keys to someone you don’t know, so why would you open up your computer to a complete stranger without checking him out first?