Schneier on Security
A blog covering security and security technology.
November 15, 2011
Identity Theft Call Center
There's a group who charges to make social engineering calls to obtain missing personal information for identity theft.
This doesn't surprise me at all. Fraud is a business, too.
Posted on November 15, 2011 at 5:26 AM
Time to update security awareness tips :-/
I've also heard of call centers where they have a dedicated team of googlers supporting the guys on the phone by providing realtime responses to identity verification questions.
I wonder how long of a pause before responding would be acceptable to the bank. Honestly the googlers might get a quicker response than the average guy's brain on something like an anniversary or kid's b-day.
... and this is why posting your whole private life on Facebook is a huge WTF.
@Captain Obvious, depends on the bank. I recall when back in 2005 I tried to tell my bank that I was going to be travelling in South America for a few months, so not to block my card if they saw transactions from Ecuador. The person on the other end of the phone wanted to verify my identity by asking very specific questions about transactions I'd made on the order of three months previously and if she heard the rustling of paper she discarded the question and came up with another one. It took me about twenty minutes to satisfy her that I was the account holder.
The focus on identity theft never ceases to amaze me. Maybe the reason there is so much "identity theft" - stealing personal identifiers - is the unfettered access to accounts and credit by people the lenders don't personally know. The risk of getting caught committing "identity fraud" is unacceptably low. As long as the costs are transferable to consumers and taxpayers this is not likely to change.
Social engineering? Didn't this used to be called "grifting" or "conning"?
"Social Engineering" covers a lot more. Pursing your lips and showing some cleavage to convince the bouncer to allow you past the velvet rope and into a night club is an example of "social engineering", but isn't a grift.
"Pursing your lips and showing some cleavage to convince the bouncer to allow you past the velvet rope and into a night club is an example of social engineering"
Depends. If I tried that, it would probably earn me a serious beating.
"It took me about twenty minutes to satisfy her that I was the account holder."
The process could have been simplified by just going over to your bank and sorting it out with the counter clerk. If your bank doesn't have a branch office close to where you live or is unable to provide you with a trusted account manager who knows your face and voice, move your money to one that does.
This goes for pretty much every company you deal with and in my opinion is basic customer service. Removing the man in the middle and assuming that no serious company will ever ask you for personal information over the phone or by email is the best way to stop this type of operation dead in its tracks.
I wish my bank would be that thorough. I've often gotten "customer survey" calls that go like this:
Caller: What products do you have with us?
me: I'm sorry; I can't help you.
me: I don't know who you are, therefore I can't help you. You may not really be calling from my bank.
Caller: Can't you use caller ID?
me: Nope. Caller ID can be faked.
Caller: ... [click]
And yes, these really are from my bank. I once called back to confirm.
Might have mentioned this story, but one Sunday afternoon I got a call on my cell from someone purporting to be with the IRS. First she had to "verify" my identity and began asking for detailed personal info (SSN, DOB, MMN, etc.).
I told her I had no way to verify who she was, and to my astonishment, she agreed. We spent about 10 minutes negotiating an acceptable way to cross verify each other (reading alternate digits of SSN, DOB to each other).
I was just delighted to have a real, thinking human on the other end of the line. In the end, she was calling to tell me of an audit. I should have hung up.
These identity theft guys could very easily have your full SSN and DOB (in fact, that even follows from most SSNs, including the US one).
Always, always, call back. Ask who they are, ask their name, call into the company on their main switchboard number and then ask to be put through to them. This is not perfect; your call may still be intercepted; but it does mean that the attack has to have happened in or close to your telephone provider rather than anywhere in the phone network in the whole world.
I have been most amazed by the criminal phone people when we had someone call up from "Microsoft" with a need to do a computer "update". This is a whole call centre with a full structure of supervisors and everything. They are better than many corporate IT providers. There is, of course, no chance your own phone operator will be able to trace these people.
P.S. There are some passport agencies that do the callback thing in the other direction. Once you have done a double callback you just have to accept that as good enough.
The people who do this stuff have lots of resources and are very creative. This week, some idiot included the address of a mailing list I administer when they did a forward-to-all of a purported "game" where you send the answers to a series of questions to the person who sent the quiz to you, and to everyone else in your address book. The questions were things commonly used for security questions like "What is your mother's maiden name?" and "What was your first pet's name?" and "What's your favorite color?" Unless he's crazy like a fox, he's the first victim: he sent HIS answers to the list address, the list admin address, and about a hundred other addresses. I blocked the one sent to the list, but received the copy sent to the list admin account. One of the other addresses he copied probably goes to the fraudster who is going to break into his bank account.
In early 2010 I noticed that my health insurance company started insisting on verifying my identity when they called me. In this case I knew that it was legitimate, but I still refused to provide my details.
I was surprised though, they didn't see anything wrong (and judging by their reaction to my refusal, didn't see other people do this) with cold calling and without any form of identity verification on their part, expecting people to answer the same security verification questions they ask when you call them. At the time it did occur to me that this would be a really neat way of stealing personal information.
I'm also of the opinion that dealing directly with the people in the workplace is the best solution. I refuse to do anything on the phone; I'll take those extra 30 minutes, drive down to the bank (or whatever other service provider) and talk to someone who I can show my papers to. The hell with security questions on the phone, which I can never remember anyway, or which just leave me so startled that it looks like I'm faking it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.