Tuesday, November 5, 2013

Oh, The Humanity! Another Pretexting Success Story.

Welcome back to our social engineering success story series, "Oh, The Humanity!" Storytelling can be a very effective tool in the fight to raise awareness about information security and to make training stick, and our firsthand experience with pretexting, phishing, proximity attacks, and more has provided us with ample ammunition. And now, on to our next story...

A while back, a large and fairly well-known financial institution (name withheld to protect the innocent) hired us to measure whether its call center was properly safeguarding the sensitive information in its customer accounts.

Here were the ground rules:

Rule #1: We only called about test accounts: fake customers the company had placed in its system for penetration-testing purposes. This precaution was for everyone's protection, real customers included.

Rule #2: We were given only the most basic information about each fake customer: name and address. That is roughly what a social engineer can find about any target from public sources on the Internet.

Starting Like a Social Engineer

With the rules in place, we got started, and after a few calls to the call center we had learned its verification procedure. Representatives used a standard multi-tiered system: first the account's security questions (first car, first pet, first whatever), then personal identifiers (birthday, SSN, mother's maiden name, and so on).

As I said, we were flying blind. We never knew the answers to the first-tier questions, so we always tanked them, and our calls were always escalated to the next tier.

So on we went, call after call, until I reached one particular young lady. I fed her a heartbreaking story (as usual): my daughter had been checked into the hospital and I desperately needed to check my balance.

Of course, we rolled around to the inevitable SSN and birthday questions. I tanked them both.

So she kept trying, asking personal question after question, until I miraculously managed to guess enough close-enough answers to be validated by the company’s authentication procedures.

Suspicious, But Not Supported

Now, let me give this young lady some credit. She was clearly suspicious. I mean, who doesn’t know their birthday?

And she didn't make it easy on me. After I missed the first two questions, she put me on hold for what felt like forever. Then she came back on the line, asked me more questions, and put me on hold again, for just as long. She was trying to do the right thing.

But when she came back the third time, she not only gave me the information I was asking for, she also apologized for the system error (the mismatch was treated as a data-entry problem, not as a failed authentication) and updated the record with my fake birthday and fake social security number.

Was she new? Clueless? Untrained? Nope. She was just following orders.

After reviewing the call, we discovered that both times she put us on hold, she was reviewing the call with a supervisor: first her manager and then the security group.

And in both cases, even after she voiced her suspicions, they asked her just one question:

“Did they pass authentication procedures? Yes? OK…then give him what he wants.”

Pretexting: The Takeaway

You can't pay lip service to policies that let employees escalate situations when they feel suspicious or uncomfortable. Yes, everyone has to give good customer service and communicate respectfully, but if an employee is suspicious enough to escalate to two different people, that alone justifies handling the call and the account with great care. At minimum it calls for a review of the account, and it certainly does not justify changing a customer's social security number and birthday on the word of a caller who could not produce them.

Bottom line: your authentication procedures are not foolproof. A passing score should not be allowed to override the judgment of the person who flagged the call. Sometimes you need to go the extra mile.
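What that takeaway looks like when written down as rules a call-center system could enforce, as an added example that is not part of the original post and not the institution's actual procedure: the permissive policy the supervisors applied ("did they pass? then give him what he wants") beside a hardened one in which escalation forces a review, public facts earn no credit, and identity fields never change on a call that missed them. The test account, the questions, the "close enough" tolerance and the thresholds are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed test account for illustration (Rule #1: never a real customer).
TEST_ACCOUNT = {
    "tier1": {"first_car": "civic", "first_pet": "rex", "first_school": "lincoln"},
    "tier2": {"dob": "1975-03-14", "ssn_last4": "4321",
              "mothers_maiden": "jones", "zip": "60601"},
}
HARD_FACTS = {"dob", "ssn_last4"}   # identity facts a real customer knows cold
PUBLIC_FACTS = {"zip"}              # answerable from name + address alone (Rule #2)

# The pretext call from the story, constructed: tier 1 tanked, SSN tanked,
# birthday off by a year, the rest lucky guesses or public data.
PRETEXT_CALL = {
    "first_car": "ford", "first_pet": "max", "first_school": "lincoln",
    "dob": "1976-03-14", "ssn_last4": "1234", "mothers_maiden": "jones",
    "zip": "60601",
}
# A genuine customer who flubs one tier-1 question, for comparison.
GENUINE_CALL = {**TEST_ACCOUNT["tier1"], **TEST_ACCOUNT["tier2"], "first_pet": "rexy"}


def normalize(s):
    return "".join(ch for ch in s.lower() if ch.isalnum())


def close_enough(expected, given):
    """The permissive comparator: same length, at most one character off."""
    a, b = normalize(expected), normalize(given)
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 1


@dataclass
class CallRecord:
    exact: set = field(default_factory=set)
    close: set = field(default_factory=set)   # credited only by the permissive policy
    wrong: set = field(default_factory=set)
    escalations: int = 0   # holds to consult a supervisor, as the rep in the story did


def run_questions(account, given, escalate_after=2):
    """Walk both tiers; every `escalate_after` mismatches the rep escalates once."""
    rec, misses = CallRecord(), 0
    for tier in ("tier1", "tier2"):
        for q, expected in account[tier].items():
            ans = given.get(q, "")
            if normalize(expected) == normalize(ans):
                rec.exact.add(q)
                continue
            (rec.close if close_enough(expected, ans) else rec.wrong).add(q)
            misses += 1
            if misses % escalate_after == 0:
                rec.escalations += 1
    return rec


def permissive_policy(rec, required=3):
    """The policy the supervisors applied: enough answers landed, so the caller
    passes, and mismatched identity facts are treated as data errors to fix."""
    passed = len(rec.exact | rec.close) >= required
    return {"decision": "pass" if passed else "deny",
            "disclose_balance": passed,
            "may_update_identity": passed}


def hardened_policy(rec, required=3, max_misses=2):
    """Escalation wins over score; public facts earn nothing; 'close' is wrong."""
    counted = rec.exact - PUBLIC_FACTS
    misses = rec.close | rec.wrong
    if rec.escalations or len(misses) > max_misses:
        decision = "review"   # freeze the account, call back on the number on file
    elif misses & HARD_FACTS:
        decision = "deny"     # a customer knows their own birthday and SSN
    elif len(counted) >= required:
        decision = "pass"
    else:
        decision = "deny"
    return {"decision": decision,
            "disclose_balance": decision == "pass",
            # identity fields never change on a call that missed anything
            "may_update_identity": decision == "pass" and not misses}


if __name__ == "__main__":
    for name, call in (("pretext", PRETEXT_CALL), ("genuine", GENUINE_CALL)):
        rec = run_questions(TEST_ACCOUNT, call)
        print(name, "escalations:", rec.escalations,
              "permissive:", permissive_policy(rec), "hardened:", hardened_policy(rec))
```

With the constructed inputs, the pretext call escalates twice, exactly as in the story, and the permissive policy still passes it and permits the SSN and birthday to be "corrected"; the hardened policy sends the same call to review with nothing disclosed. The genuine customer who misremembers one pet name still gets the balance under the hardened rules, but cannot change identity fields on that call.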
