Social engineering is the art of obtaining details, perhaps only in part, from a target subject in order to impersonate them or gain access to critical information that facilitates fraudulent activity.
The stuff of cybercrime books and films? Think again. Let's run through an example.
Your phone rings one evening from a withheld or unknown number.
Good evening Sir/Madam, this is Chris from , may I confirm your details before we proceed?
In the UK at least, the above question is fairly common if you receive a phone call from a utility or phone provider. Under the Data Protection Act, the company in question needs to be sure it is talking to the correct person before discussing account information.
Flip this around, though: if this person is not from the company in question and is attempting to gain further details from you, how can you confirm they are who they say they are? It is surprisingly trivial to gain the information needed to place this phone call to you. They need 2 pieces of information: your phone number and the name of your provider.
We'll get to how anyone can get this information later. Suffice to say, most people would happily give the information without a second thought.
May I take your date of birth?
Fairly harmless you think. No problem.
Can you confirm your security password?
Again, many companies ask you to provide some default account password precisely to facilitate this phone authentication. Usually it's from a set of predefined questions such as "Place of birth" or "Mother's maiden name". The answer is usually something that can be reverse engineered quite easily, e.g. if the reply is "Potter" it's fairly obvious which question was answered, versus a reply of "Bristol".
So suddenly, without much effort, a potential fraudster has additional information about you that they would not otherwise have had: your date of birth and your security question answer. Not bad for 20 seconds' work?
With the above in mind, and the fact that you are now "authenticated", it's not hard to imagine that your credit card or bank details could be obtained, at least in part. A new deal, perhaps? Or some arrears on your account that need to be cleared? A sweeping statement perhaps, but I'm sure everyone reading this (with the best thoughts at heart) knows at least one person who would fall for this.
How could the fraudster get hold of your phone number and provider name? Well, the answer is a load of rubbish... literally. Think about how much paper you throw away. Do you have a shredder? Do you religiously shred everything you receive?
Of course, shredding paper alone won't make you secure. Loose lips could cost you as well. Have you ever talked about utility suppliers in passing over a glass of wine or a beer? Ever given someone your phone number? Ever left a business card lying around by mistake?