Trust But Verify
Our world is becoming increasingly digitized. Doctors carry laptops or tablets from one exam room to another as paper files disappear. Elementary students have their report cards emailed home to their parents. Paychecks are directly deposited (at least that one isn’t new). Video conferencing and virtual offices allow a business to employ dozens of workers who have never met and with no physical office necessary. Social media accounts include our date of birth, and county auditors’ websites list our full name and home address. We have practically reached the point where youth learn to communicate through emoticons, memes, and text at about the same age they are learning to speak, and then the OPM breach handed the background-investigation records of 21.5 million individuals, nearly the equivalent of their digital lives, to an attacker. I recently had to laugh when someone lecturing on cybersecurity commented that they had four organizations currently monitoring (for free) their credit and identity due to various data breaches. We were laughing but cringing at the same time. Breaches will happen. But life does go on, and we have to learn to adjust our lifestyles to include the daily possibility that someone is going to try to defraud us, or our organization, using ill-gotten data. Criminologists call this situational crime prevention, and many security awareness campaigns are built on its elements (Leukfeldt, p. 231). So what does that life look like?
A user says, “what?”
What can a social engineering criminal do with the data collected in the OPM hack? The answer, my friend, is just about anything. For example, the holder of that information could call you up pretending to be with your place of employment (spoofing the caller ID to look like an internal extension) and ask to set up a time to discuss your retirement plans. They know when you started with your employer, the number of dependents you have and their full names, your social security number, and other relevant details. You agree to a meeting and they arrive at your office to discuss said retirement. In the course of that conversation, you hand over the login credentials for your online retirement account. The discussion goes well and you forget about it, until you realize you can’t log on to your account. The password has been changed and your retirement money is gone. Sound too far-fetched? Unfortunately, it’s not.
In a world where crimes are easily committed half a globe away, we must not lose sight of the scams happening right in front of us, run by people we can see or hear. It isn’t enough anymore to assume that because someone sounds like they belong, looks like they belong, and (now) has “insider-only” information on us, they are in fact who they claim to be. Nothing in the OPM data is secret anymore, so knowing it proves nothing. This brings us to the age-old tenet frequently used by politicians: “Trust but verify.”
We need to be able to move through our daily lives without a constant sense of paranoia. No one needs an ulcer for each time their information is compromised in a breach. But we also need to get comfortable with, and build into our vocabulary, politely questioning someone in order to verify who they are and the request they are making.
Call center employees can be very good at sticking to the script when it comes to verifying identity. “I’m sorry, ma’am, but without the PIN I just texted to the phone number on record, I can’t reset your password,” is courteous and respectful without compromising information. Note the important detail: the code goes to the number already on file, not to whatever number the caller offers. The same standards can be built into our daily lives (another new habit to form, sorry, but increasingly necessary). “I’d be happy to schedule a time to discuss my retirement account, John Doe. Next Thursday at ten? Perfect.” Then you hang up the phone, pull up your organizational directory, dial the appropriate office yourself, and ask to speak to John Doe to confirm your appointment time. No John Doe on staff? They aren’t scheduling personalized visits with anyone? Your next call should be to security, who will be happy to meet John Doe at your office next Thursday at ten. Some investigators are now of the mindset that any criminal case involving financial loss should include a look into whether phishing was involved, simply because criminals who specialize in fraud also diversify into phishing (Leukfeldt, p. 245).
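The call-center script above turns on one design decision: the verification code is delivered to the contact channel already on record, and the caller is never allowed to redirect it. The following Python example is added here to show that check in code; it is not code from the original post or from any real call-center system, and the account record, the `send_sms` delivery hook, and the time limits are all constructed assumptions for illustration.

```python
"""Out-of-band verification that refuses caller-supplied channels.

Added example (not from the original post). The account table, the SMS
delivery hook and the limits below are constructed assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: a code is good for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses burn the code

# Constructed sample "account on record"; the phone number is not real.
ACCOUNTS = {
    "cust-1001": {"phone_on_record": "+15550100123"},
}


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OutOfBandVerifier:
    def __init__(self, send_sms, clock=time.time):
        # send_sms(phone, message) is a hypothetical delivery hook; clock is
        # injectable so expiry can be exercised without sleeping.
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}

    def start(self, account_id, caller_supplied_phone=None):
        """Issue a fresh code to the number on record and return that number.

        The caller_supplied_phone argument exists only to make the point
        explicit: it is accepted and ignored. A caller who can choose where
        the code is sent can verify as anyone.
        """
        record = ACCOUNTS[account_id]
        destination = record["phone_on_record"]
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, six digits
        self._pending[account_id] = PendingCode(code=code, issued_at=self._clock())
        self._send_sms(destination, f"Your verification code is {code}")
        return destination

    def verify(self, account_id, offered_code):
        """Return True only for a live, unexpired, not-yet-used code."""
        pending = self._pending.get(account_id)
        if pending is None:
            return False
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[account_id]      # expired: require a new code
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.code, str(offered_code))
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[account_id]      # single use, and lockout after guesses
        return ok


def reset_password(verifier, account_id, offered_code):
    """The agent's script: no valid code, no reset. Returns the outcome text."""
    if not verifier.verify(account_id, offered_code):
        return "I'm sorry, but without the PIN sent to the phone number on record, I can't reset your password."
    return "Verified. Password reset issued."


if __name__ == "__main__":
    v = OutOfBandVerifier(send_sms=lambda phone, msg: print(f"[sms to {phone}] {msg}"))
    # The caller offers a different number; the code still goes to the one on file.
    v.start("cust-1001", caller_supplied_phone="+15550199999")
    print(reset_password(v, "cust-1001", "000000"))
```

The script enforces three properties a practitioner would expect: the delivery channel comes from the record and not the caller, the code is compared in constant time and dies after one successful use, and a handful of wrong guesses or a lapse of the time limit forces a new code rather than letting a caller keep guessing.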
Believe it or not
Let’s try another example. A representative of Credit Reports R Us calls (or emails) and says they have been contracted by [insert name of recently hacked company here] to monitor your credit and identity free of charge. They even have a number of details about you and your employment with said organization, but they just need to fill in those last couple of teeny-tiny blanks to provide the service. Compared to the details they already have, the information they are asking for seems harmless, so you conclude the request must be legitimate. User security awareness campaigns should make the point that criminals may only need that seemingly insignificant detail, such as a transaction code, even if they never ask for the bank account number itself (Leukfeldt, p. 244).
The above example might seem completely transparent when you read it here, but in real life such obvious red flags are much like the user agreements we see when we download a new app: we ignore the details and simply “agree.” Before handing over that information, stop and verify. We always encourage users to get off the call if it seems phishy and to call a known number for the organization. This buys you time to check out the claim. Have you received a letter or email from the organization that was compromised stating that you will receive such services and naming the company providing them? Can you call the organization to check? If you find out the caller was a scam, that organization might be happy to hear the call-back phone number you wrote down.
Other uses
Scamming people out of money isn’t the only possible use of the information gained from OPM. Most of us don’t consider ourselves important enough for a foreign government to take interest in little old me among the millions of people whose data was stolen. But there is another use for that data: compromising someone lower on the food chain, which lets an attacker keep gathering information that is then used to gain the trust of the attacker’s key targets. Ordinary call center employees are sometimes exactly who criminal recruiters go looking for, because these individuals know the system and have access to account information (Leukfeldt, p. 237). Do you have access to phone directories, or intranet privileges that outline your organization’s protocols for account management? Then you aren’t too small a fish to go after, because that information can be used to build the next attack.
A 2014 case study of a phishing campaign in the Netherlands found that attackers recruited actual bank employees to retrieve information, which the criminals then used in phone conversations to convince bank customers that they were trusted employees of the bank (Leukfeldt, pp. 238, 242). The way they got the bank employees to cooperate was to approach them in real life with some small excuse, such as a delinquent ex behind on payments, to find out whether the individual could access the needed data. Information stolen in the OPM breach would certainly allow a criminal to identify the friends of key individuals with access to the systems they need, and to engineer opportunities to meet them.
Once the criminals in this case study knew they could get an individual to give them some information, more requests, with a financial incentive, quickly followed. The bank employees’ willingness to stay involved goes back to the principles of commitment and consistency, which essentially boil down to our tendency to continue a line of behavior (even one we suspect is wrong) simply because we have already started down it. To stop after the initial action would be to admit that it was a mistake in the first place. This makes it even more important to shut attackers down at the outset, by questioning both their motives and our own.
Summary
Social engineers have evolved right along with technology, and they continue to exploit the trust of the human networks in place. Human beings are social creatures and we want to trust one another. The majority of our lives are now digitized and accessible via computer. All of these things combine to create our current environment. Millions of Americans were affected by this latest breach, and it gives some bad guy out there more than a credit card or a social security number: they will know who your closest friends are, where you lived and went to school, and other day-to-day details. Social engineering attacks are going to follow from that information being out there. It’s time to buckle down and focus a bit more on critical thinking, on trusting but verifying, and on the skills necessary to keep ourselves and our organizations as safe as possible.
Written by Tamara “BlackWidow” Kaufman
Sources:
Leukfeldt, E. R. (2014). Cybercrime and social ties: Phishing in Amsterdam. Trends in Organized Crime, 17(4), 231–249. https://www.researchgate.net/publication/280014116_Leukfeldt_ER_2014_Cybercrime_and_social_ties_Phishing_in_Amsterdam_In_Trends_in_Organized_Crime_174_231-249
OPM Data Breach (Cont’d): What We Know Now and What Questions Remain. The National Law Review. https://www.natlawreview.com/article/opm-data-breach-cont-d-what-we-know-now-and-what-questions-remain
Article 29 Working Party still not happy with Windows 10 privacy controls. SC Magazine. https://www.scmagazine.com/home/security-news/privacy-compliance/article-29-working-party-still-not-happy-with-windows-10-privacy-controls/426621/
Commitment & Consistency. The Social Engineering Framework, Social-Engineer.org. https://www.social-engineer.org/framework/influencing-others/influence-tactics/commitment-consistency/