Nowadays we hear of many scams in the news where people are being conned out of money. One of the oldest scams is perhaps those unsolicited emails that always end up in your junk mail folder (Gmail filters them all the time, but Yahoo and Hotmail don't seem to do the job as well).
So email is one way these scams come to you: a message says that some fella has passed away and his cousin/son/relative cannot inherit the funds in a Swiss bank due to legal or tax reasons. The way around that is to transfer/remit the funds overseas to avoid the huge amount of tax and such. You have been referred or recommended to assist him, or rather, you are the lucky one he picked to contact. The catch is, you need to first transfer some money, say a few thousand, to his account, so that he can use the funds to work things out and also so that he can believe you are trustworthy. So basically, many people fall into the trap for a very simple reason -- greed.
There are many more different scams over email, but that won't last long, as the majority of email users are educated to identify such scams over time. The next channel these scammers try is to call you directly, on your fixed line or mobile line.
This is how it works, from one actual case in Malaysia: someone was called and told that his son had been kidnapped, and the caller commanded the parent on the phone to quickly go to the bank and transfer a big sum of money to the scammer's account. While on the phone, the father couldn't make another call out to verify this, or if he was able to do so, his son's line might already have been engaged by the scammer, probably talking about the same thing about his parents. And the scammer actually warned the party on the other end of the phone not to make a police report or try to be funny.
This is rather a mind-twisting game; it challenges the victim on the urgency of the matter. To make it more realistic, the scammer might already have done some prior social engineering to figure out the household information. Such social engineering is pretty simple through telemarketing tactics. You might receive a call saying that you are invited to an exclusive showcase of some product as part of a company's new launch in the area, or you might get calls saying you won a lucky draw that you never put your name into.
I've received such calls before, and they are quite "high-tech" I would say. I was called and told that the handphone company wanted to launch their product here and was now calling to survey. And they happened to have a talk/show on the coming Saturday, at Johor Ah Fook Street, and I was one of the VIPs invited. Of course, I wasn't going to attend that, but well, the operator was polite and said that's fine, she'd keep me informed of the updates.
So one week later, she called again. I was told that I had won a lucky draw on the day itself, but because I was not able to attend, the prize wasn't given to me. But well, they reserved the prize for me. And next, she tried to lure me to another talk/show and such, and demanded more of my information in order to verify and check my details so that the prize could be sent over to me. So that really alerted and annoyed me, as it seemed like it was purely a cold call, where all the operator knew initially was only my number, not even my name and age. So of course, I refused to give more details and said I was not interested after all. And then the sales tactic came in: I was questioned on why, since she did not even sell me a product, but just that I had won a prize! I really felt pissed off and she got off the line with a bit of anger, saying I'm weird and stupid.
Just the day before, I received a similar call again and this time round, I managed to record this really boring or funny conversation.
So, what do all these things tell us? --- TO BE ALERT ALL THE TIME!
Social engineering has proven to be the weakest link in any security channel. No matter how secure your system or procedure is, there is always a way to social engineer through it and break in with full trust.
With today's technology, there are ways to fake the incoming call number, so the first line of defence, checking the incoming call number, is no longer a very trustworthy indicator of authenticity. We really have to rely on our gut feeling and experience, plus alertness.
When you receive a call today that says it is from the bank and needs to verify your details and mother's maiden name before carrying on, you had better stop there and ask if you can call the bank back via their main line and ask to be redirected to the same operator. This is a real-life 2-way handshake protocol with which you can establish the authenticity of the connecting party! (TCP, the major network protocol all your web surfing runs on, is based on a handshake for the same purpose.) If not, you had better challenge the banker rather than having only the banker challenging you to authenticate yourself over the air.
I think the banks will start to get crazy about this very soon, as scammers tap advanced technology to fool users. And who knows, the next call you receive from "the bank" may require you to tell him your second-factor authentication code, which takes you a minute or so to dig out of your bag, press the little button on the token and read out. Beware! Never do so, for now at least, since the bank hasn't publicly instructed so; it could just be yet another scammer holding your credit card or bank username and password, who just needs your authentication code to access your account.
In the future there will need to be a way to authenticate both parties on the line, and this will not come cheap nor very soon. The bottom line is, we ourselves need to do the things that technology can't do for us, especially in security.
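The difference between the one-way check the bank does today ("read me your code") and the two-way handshake the post asks for can be shown in a few lines. The following is an added example written for this page, not code from the post: it models the customer's token as a shared secret (an assumption; a real token seed is never exposed like this), and uses an HMAC challenge-response in both directions as one possible way to authenticate both parties, which the post calls for but does not specify. In the one-way flow, any caller, bank or impersonator, walks away with a valid code; in the mutual flow the customer verifies the caller first and reveals nothing to an impersonator who does not hold the key.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class Customer:
    """The person answering the phone. Holds the secret shared with the real
    bank (think of the seed inside the little token) and a token counter."""

    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key
        self.counter = 0
        self.nonce_c = b""

    def read_token_code(self) -> str:
        """One-way flow: produce the 6-digit code the token would show
        (simplified HOTP-style derivation, an assumption of this example) and
        hand it to whoever asked, without learning anything about them."""
        digest = mac(self.key, b"otp", self.counter.to_bytes(8, "big"))
        self.counter += 1
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def start(self) -> bytes:
        """Mutual flow, step 1: the customer issues a fresh challenge."""
        self.nonce_c = secrets.token_bytes(16)
        return self.nonce_c

    def check_caller(self, nonce_b: bytes, caller_proof: bytes):
        """Mutual flow, step 3: verify the caller's proof before revealing
        anything. Returns the customer's own proof, or None if the caller failed."""
        expected = mac(self.key, b"bank->customer", self.nonce_c, nonce_b)
        if not hmac.compare_digest(expected, caller_proof):
            return None
        return mac(self.key, b"customer->bank", nonce_b, self.nonce_c)


class Caller:
    """Whoever is on the other end: the real bank (knows the shared key) or an
    impersonator (holds some other key)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.nonce_b = b""

    def respond(self, nonce_c: bytes) -> tuple[bytes, bytes]:
        """Mutual flow, step 2: answer the customer's challenge, issue our own."""
        self.nonce_b = secrets.token_bytes(16)
        return self.nonce_b, mac(self.key, b"bank->customer", nonce_c, self.nonce_b)

    def check_customer(self, nonce_c: bytes, customer_proof: bytes) -> bool:
        """Mutual flow, step 4: verify the customer."""
        expected = mac(self.key, b"customer->bank", self.nonce_b, nonce_c)
        return hmac.compare_digest(expected, customer_proof)


def one_way_session(customer: Customer, caller: Caller) -> str:
    """Today's flow: the caller asks, the customer reads out the code.
    The caller's identity never enters the protocol, so anyone gets a code."""
    del caller
    return customer.read_token_code()


def mutual_session(customer: Customer, caller: Caller) -> tuple[bool, bool]:
    """Returns (customer_verified_caller, caller_verified_customer)."""
    nonce_c = customer.start()
    nonce_b, caller_proof = caller.respond(nonce_c)
    customer_proof = customer.check_caller(nonce_b, caller_proof)
    if customer_proof is None:
        return False, False  # customer hangs up; nothing was revealed
    return True, caller.check_customer(nonce_c, customer_proof)


# Constructed demo keys, not real token seeds.
BANK_KEY = bytes.fromhex("00" * 16 + "ff" * 16)
IMPERSONATOR_KEY = secrets.token_bytes(32)

if __name__ == "__main__":
    print("one-way, real bank   :", one_way_session(Customer(BANK_KEY), Caller(BANK_KEY)))
    print("one-way, impersonator:", one_way_session(Customer(BANK_KEY), Caller(IMPERSONATOR_KEY)))
    print("mutual,  real bank   :", mutual_session(Customer(BANK_KEY), Caller(BANK_KEY)))
    print("mutual,  impersonator:", mutual_session(Customer(BANK_KEY), Caller(IMPERSONATOR_KEY)))
```

The calling back via the bank's published main line that the post recommends is the human version of the same idea: the customer, not the caller, chooses the channel, so the caller has to prove something only the real bank can. The nonces on both sides keep a proof from being replayed in a later call, and the customer's proof is only computed after the caller's has been checked.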
Thursday, March 06, 2008