Threat Management

Social engineering, Part 2: No school like old school: Crushing your pretext calling risks

I say this so you understand – I've been on the other side of pretext calling before it was made illegal and learned from the best. I know what your company's attackers will say to get past your people

CIOs: Work with HR to harden the target

Customer records are the identity-rich information resources that every cybercriminal between the Pecos River and the River Danube would love to sift. Employment records are also at risk – juicy information such as HIPAA-protected medical insurance information of interest to to lower level fraudsters looking to score medical identity theft. Putting together medical coverage plans with subscriber numbers could mean a mess for employees once combined with personally identifiable information such as social security numbers.

The threat value statement comes again from the 2001-4 OCC Advisory letter:

Pretext calling is also difficult to detect. While information brokers and private investigators routinely advertise on the Internet and elsewhere their ability to locate and provide specific information about individual bank accounts, banks and their customers are likely to be unaware that they have been the victims of pretexting (i.e., the use of some form of pretext to obtain customer information). Unless the pretexting ultimately leads to identity theft, it may go undetected altogether.

Think your corporate fortress is secure?

As Kevin Mitnick and even Dark Dante himself (Wired Magazine's Kevin Poulsen) would tell you, social engineering is just a phone call away. Lock down your phones and harden your target against those who want to black-hat research your company's competitive edge through outbound call records, or worse, those who target your business banking information.

Here are my top three ways to block Pretext Dirty Tricks:

1. Every fortress needs a password for entry. Recommend your incoming phone-based users establish a verbal password. Aside from the normal ZIP Code, phone number, mother's maiden name, for phone-based access, call centers targeted by pretexting should always have their clients use specific verbal passwords.

a. Here's another opportunity to create dissociative passwords which cybercriminals can't hack past simply by compromising someone's Facebook account.

b. Insist on the same requirement for your accounting staff – password protect your company's many business accounts (phone, utilities, bank) to prevent unscrupulous competitors as well as bank fraudsters.

2. Stop using Caller ID as a valid identifier: trojan horse theory is not just for malware. Gut check on Caller ID: If Paris Hilton can spoof Caller ID, it's use as an identifier is over. What previously required tech-savvy in the form of an Orange Box is now website-simple to pay a nominal amount to display spoofed Caller ID anytime, anywhere. This is just about to become illegal with HR 1258.

3. Have procedures in place for reporting pretext attempts and follow up on your internal investigation of attempts. Train call center employees, receptionists, Human Resources and virtually anyone with access to records of interest and a phone line. Get a good employee education program running and complete your fortress. Limit your external extensions via paper phone directories. The military treats their base phone directories as critical to protect. Consider doing the same.

As for investigators who may still do pretexts – be warned that Action Research Group and HP bore the brunt of multiple hundreds of thousands of dollars in fines when the FTC took them down a couple years back. The FTC made ARG give the money back. Every cent, nearly half a million bucks worth.

Oh, and parents, keep paying your teen's cell phone bills and you'll never need a pretext to get the records should you need them.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.