
14 Nov 2008

Teaching people to get phished

No, this isn't a write-up on Twitterank, the latest example of 15 seconds of hype-fueled hysteria that the Internets whipped into a minor frenzy before moving on to the next sensationalistic headline.

(Yes, Twitterank asks you for your Twitter username and password but — wake up people! — so does every other Twitter app that needs access to authenticated features because the Twitter API only supports HTTP Basic Authentication. This is a limitation of Twitter, not Twitterank or other legitimate applications. The problem, of course, is that you cannot tell whether an application is legitimate or not, so Twitter, in this instance, is responsible for teaching people to get phished.)

No, this isn't a write-up on Twitterank (believe me yet?).

It's not even about tech companies or web applications.

No, it's about old-school, real-world companies and how some of them are using an old-school, real-world technology to teach people how to get socially engineered, or phished. The technology in question is none other than the trusty telephone.

Yesterday, I got a call, supposedly from my health insurance provider. The call went something like this:

Voice on phone: Hello, I'm calling from Company X, before I continue, I need to verify some security information with you...

Me: OK, the problem with that is that I have no way of knowing that you are really who you say you are. Can you give me a number and a reference code so that I can call you back?

The sad thing is that it really was my insurance company calling, not a scam artist trying to phish my security questions from me so she could steal my identity.

What's worrying is that this appears to be a widespread practice. Clive Flint on Twitter reports that he has experienced the same thing with AMEX, and James McCarthy reports the same with AMEX and his bank:

'We need to talk to you but need to confirm it's you' And how I'm supposed to know it's them? No security there. (Clive's tweet)

I've recently had the same from Amex and Halifax too. Banks really should know better. (James's tweet)

There really needs to be a law against this practice. Does anyone know where we would start trying to get more visibility on this issue in the UK with a view towards getting legislation passed?

Quite plainly, these companies are teaching people to get phished and that needs to stop.

Instead of calling you up to ask you your security questions, they should be asking you to call them. Something along the lines of:

"Hello, I'm calling on behalf of Company X. I know that you cannot verify that what I'm telling you is true, so, for security reasons, can you please call us back on the phone number on the back of your health insurance card and quote reference XYZ. We need to speak to you about your account."
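The call-back flow proposed above, modelled as an added example; this is not code from the original post or from any real insurer or bank. The class and function names, the one-day validity window, the 8-character reference format and the constructed account ids are all assumptions. The point it shows is that the reference the outbound agent reads out carries no secret: it is bound to one account, expires, and can be redeemed once, and only by someone who has already rung the published number and passed the normal inbound identity check.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumptions for this example: a reference is valid for one day and is
# drawn from an alphabet without 0/O and 1/I so it survives being read aloud.
REFERENCE_TTL_SECONDS = 24 * 60 * 60
REFERENCE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class CallbackReference:
    customer_id: str   # account the outbound call concerned
    reason: str        # what the inbound agent needs to discuss
    created: float     # issue time, seconds since epoch
    used: bool = False


class CallbackDesk:
    """Outbound-call workflow in which the company never asks for security
    answers on a call it placed. It issues a reference, asks the customer to
    ring the number printed on their card, and validates the reference when
    the customer calls in. The clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._refs: dict[str, CallbackReference] = {}

    def issue_reference(self, customer_id: str, reason: str) -> str:
        # Random, unguessable and unique among outstanding references.
        while True:
            code = "".join(secrets.choice(REFERENCE_ALPHABET) for _ in range(8))
            if code not in self._refs:
                break
        self._refs[code] = CallbackReference(customer_id, reason, self._clock())
        return code

    @staticmethod
    def outbound_script(company: str, code: str) -> str:
        # What the outbound agent reads: no questions, only a reference and
        # an instruction to call back on a number the customer already trusts.
        spoken = f"{code[:4]}-{code[4:]}"
        return (
            f"Hello, I'm calling on behalf of {company}. I know that you cannot "
            f"verify that what I'm telling you is true, so, for security reasons, "
            f"please call us back on the phone number on the back of your card "
            f"and quote reference {spoken}. We need to speak to you about your account."
        )

    def redeem(self, code: str, customer_id: str) -> tuple[bool, str]:
        """Called by the inbound agent after the caller has been identified
        through the normal inbound process. Returns (accepted, detail)."""
        normalised = code.upper().replace("-", "").replace(" ", "")
        ref = self._refs.get(normalised)
        if ref is None:
            return False, "unknown reference"
        if ref.used:
            return False, "reference already used"
        if self._clock() - ref.created > REFERENCE_TTL_SECONDS:
            return False, "reference expired"
        # A reference issued for another account is useless to whoever overheard it.
        if not hmac.compare_digest(ref.customer_id, customer_id):
            return False, "reference not issued for this account"
        ref.used = True
        return True, ref.reason


if __name__ == "__main__":
    desk = CallbackDesk()
    ref = desk.issue_reference("acct-42", "unusual transaction on your account")  # constructed
    print(desk.outbound_script("Company X", ref))
    print(desk.redeem(ref, "acct-42"))
```

Binding the reference to the account and marking it used means that reading it out over an untrusted channel costs nothing; the only secret material ever exchanged is on the call the customer placed to a number they obtained independently of the caller.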

And, beyond this, how cool would it be if we had the telephone equivalent of SSL, so that your Caller ID not only told you the number that was calling but whether or not it was a verifiable entity with a valid security certificate?

Have your say!

As in all things, my approach to blog posts is that they should evolve over time and your feedback is invaluable in achieving this by helping me fix factual errors, fill in details, and expand the original post.

Have you received similar calls? Did you give your security information over? Have you been phished in this way by a malicious caller? Do you know of efforts to educate companies about the dangers of this practice or to pass legislation to stop it? Leave me a comment and let us know!

Photo credit: Kenneth Lu.


Teaching people to get phished, old skool style!

  1. HSBC have done the same to me. I told them my concerns and they said I could call them back. They said OK and hung up. This was shortly after someone in the office got scammed by someone claiming to be from O2… I bet there is more phone phishing than internet phishing.

    Rob
  2. I’ve had the same from Barclays and Orange. I just don’t answer anymore.

    Olly Hodgson
  3. Completely agree. I’ve recently been fielding a lot of these calls from companies since I had to reset a bunch of direct debits (long story), and just about every operator I’ve spoken to has got the “How do I know you’re an employee of ‘company X’?” Almost all of them have agreed that there’s no way, and that they’re sick of getting asked that too.

    An interesting variant was a company asking me for any three characters of my choosing from my password. This is starting to get towards a solution, as I can be quite sure they’re not just sitting there at my bank’s login screen asking me for the same “first, second and last character” that the login screen is, but still, I’m giving details away to an unknown third party. Screw that.

    Most companies have eventually caved and asked me to pop into a branch, or have offered to send a letter. All of these companies offer secure online messaging through their website accounts – WHY DO NONE OF THEM USE THAT?

    Final tidbit – the UK Police have a similar problem. If the cops call you (or, in my case, a colleague) about an incident to arrange an interview, they ask you to phone them back on the number listed in the phone book, or to ring 999 and ask for their office by its ID (which they give you). This is a great scheme, but it relies (here’s the key) on a trusted, incorruptible broker (999 is unlikely to get hijacked, and neither is the phone book). Asking you to ring back on the number on your bank’s website sucks, because my bank’s website could easily have been the victim of a DNS poisoning attack.

    I don’t know what the solution is, but I agree that the focus being so heavy on “The Perils of Teh Interwebs” is leaving the door wide open for social engineering in other areas.

    Jonathan
  4. I think my bank’s approach to this issue is quite good & straightforward.

    The bank sends you a default PIN code (8 digits) by (secured) snail-mail. You are encouraged to change that PIN code using their website.
    When being contacted on the phone or when contacting them on the phone, they ask you for 3 random digits out of that PIN code (e.g. please give me the 2nd, 3rd and 8th digit).
    They can confirm that you really are who you claim to be, and you don’t have to worry about giving out that information since the PIN is only partially transmitted.

    bart
  5. @bart see above. Who’s to say I’m not sitting at a computer ringing you and asking you for *exactly* the same information that your bank’s login page (or phone banking!) is asking me for?

    Jonathan
  6. @jonathan I guess bart would have to lie about one of the digits to make sure the person on the other side of the phone really has his code.

    Joey
  7. @Joey I like that, but the impression I get is that the call centres have effectively EXACTLY the same interface as the online one: they get asked for 3 characters, and only get through if they’re right. That’s certainly how I’d want it to work. So all bart would have done there is verify that they know when the characters are wrong. Again, I can do that.

    Jonathan
  8. I definitely understand the need for security, but this comment thread has entered a realm where nobody can communicate except by being face to face. Unfortunately, having top security and convenience are mutually exclusive. For every security measure put in place, it’s easy to think of two or three what-ifs. It’s all a balancing act, and if you don’t like the way your bank or credit card provider is handling it, make suggestions or switch.

    Robert
  9. You could also do this 3 random digits game the other way around to make sure the person on the other side is who he claims to be – they should give you the 3rd, 5th and 8th number in the PIN you got mailed. How about reading each other each consecutive digit: “you say one, I say two, you say three, I say four…”

    Mario Klingemann
  10. Robert: not so. There are plenty of ways to communicate securely. Public-key encrypted e-mail, or instant message.

    If my bank wants to communicate with me, well, I’ve got an e-mail address and a GPG public key. That they can’t use that is their problem, not mine.

    The security thing that irritates me is that phones are inherently insecure because they require you to be in a secure area. Most people aren’t when they use their phones – they are in public areas. I’ve had to explain to people over the phone that there’s no way I’m giving them my details over the phone because I’m on a bus or standing on a railway platform. I was on the train yesterday and a man across the aisle from me gave his full address, postcode and phone number over the phone. I’m betting people would absent-mindedly do the same thing with credit card numbers.

    To paraphrase Linus Torvalds: if your security doesn’t include a web of trust, it’s not security, it’s masturbation. This applies very much to pre-shared keys – if you give someone access to something that you can’t revoke without changing the key for everybody, I would consider that a failed security model.

    (Also, what’s with all the damn at signs in comments? This is not Twitter.)

    Tom Morris
  11. @Tom: which at signs? :)

    Aral
  12. @jonathan:

    The bank’s website would require all 8 digits to log in. That’s a secure connection, which you can check by the https protocol and the genuine URL of the bank. On the phone, you don’t have those checks, so you don’t give out your full PIN code. Or put it like this: if my colleague at work were to overhear me saying those 8 digits on the phone, then he could fish up my account number via my last invoice and log into my bank account online. So basically: online you always need the full 8 digits; on the phone you can never give out the full PIN. Still seems solid to me.

    bart
  13. Another one here from Barclays UK. Once I asked them how I could be sure they were calling from Barclays. The guy on the phone gave up after 5 minutes because I was refusing to “identify” myself.

    On another call I asked them again if _they_ could identify themselves and the girl asked me: “What do you want to know from me? I’ve your date of birth, date when you opened your account, visa number, or I can give you any piece of your data so you can verify this is an honest call”.

    Zarate
  14. @bart – not my bank. My secure login page requires a unique key (not “password” fielded so everyone could read it off my screen), and then my date of birth, and THEN 3 characters from my X-digit secure password. The idea is that even if someone has a keylogger installed on the machine, they still can’t snag my full password.

    The point is that phones are just a bad way to do this. There’s no convenient way to do security checks over the phone, so why do banks insist on using them for people like us, for whom plenty of secure channels already exist?

    A great example is Egg – I’ve never received a call from them, because all comms go through their website’s secure messaging system. I get email, but all it says is “go log in”. Yes, that’s open to phishing, but it’s better than some random scammer phoning me up and asking me straight out for my details.

    Jonathan