Tag Archives: social engineering

An Attack Backdoor

I was interviewed by the local affiliate of a national TV network earlier today about a hack where a young lady got her bank account emptied out in a matter of seconds after she provided a caller a single 6 digit number. Hopefully this lady will eventually get her money back, but not without a lot of pain. Here is how the story unfolded.

The victim received a phone call from someone claiming to be from Venmo asking if she made a particular $450 transaction. This person was not from Venmo and there was no such transaction.

She said that she did not make such a transaction and the fake Venmo rep said that he was going to send a code to her phone to validate that he was talking to her and he needed her to tell him what the code was. She did and he said it was all good. Except that it wasn’t. She hung up.

Here is what happened next.

The hacker was actually trying to log on to her Venmo account. When she later looked in her spam folder, she saw a number of emails from Venmo saying that someone was trying to log in to her Venmo account and failed.

TIP #1 – Make sure that security alerts from financial service vendors make it into your inbox and not into spam.

What the hacker did while she was on the phone is tell Venmo that he forgot the password to her account. They sent her a one time password to her phone and she gave that code to the hacker. The hacker then entered that code into the forgot my password screen and Venmo let him reset her password. He now “owned” her Venmo account. This is called social engineering in that the attacker doesn’t actually break into the account but rather asks the victim to let him into it. The style of attack is called a man in the middle attack because the hacker is in the middle between the victim and the web site the he wants access to.

TIP #2 – If you get a call like this from a financial institution (or Twitter or other social media company), listen to what they tell you and if they ask for any information, hang up and call back to a known good number (say from the bank’s web site). DO NOT negotiate that with the caller – they understand they have lost the war if you do that and they will give you many reasons why you should not do that.

TIP #3 – If a supposed rep CALLS YOU and asks you to give him or her a code, HANG UP IMMEDIATELY. Refer to Tip #2. Occasionally, companies that YOU CALL may ask you to do that to verify your identity. It is a VERY bad practice but companies sometimes do that. If you are confident that you called the right number, then even though I think this is a horrible security practice, it may be required. You should tell the person that you think this is a horrible security practice and see if there is a different option.

The laws that protect CONSUMER (very different than businesses) financial accounts are pretty strong. Your liability for fraudulent use of your checking or savings account or credit card is pretty limited. Less so for debit cards (which is why I recommend that people never select the DEBIT option at stores and gas stations. Businesses want you to do that because it saves them a little bit on the transaction fee. If you think that you do not want to run up a big credit card bill to have to pay at the end of the month, if you are using a debit card, there is NO DIFFERENCE in terms of what happens whether you select credit or debit. In both cases, the money will be removed from the account that the card is linked to in a few minutes to maybe 24 hours.

TIP#4 – Always select credit and not debit when you are using you debit card in a store or gas pump. If you use your debit card as a debit card and enter your PIN, if the card reader has been hacked, the hacker can clone your card and use it at an ATM. From there, they can empty your bank account. They cannot do that if you use it as a credit card because they won’t have your PIN.

TIP#5 – Banks always set a DAILY CASH LIMIT and DAILY TRANSACTION LIMIT on your debit card (and probably also on your credit card, although that is likely looser). The cash limit restricts the amount of cash you or a hacker pretending to be you can withdraw from your bank account in any given day. The transaction limit is the total amount you can spend in any given day. You should talk to your bank about what these numbers are and set them as low as you can while not inconveniencing yourself too much. This is a risk- benefit trade-off. The higher the limit, the less likely you will be blocked from doing something and the more money a bad guy can get away with before being detected.

In this case, whether the victim will get her money back is less clear than if she was dealing with the bank directly. Venmo is considered a “non-bank money transmitter” so it is not required to comply with all of the banking laws and you are not protected in the same way as if you were dealing with a bank. It is required to comply with “Reg E” under certain circumstances, which does protect you to a degree. This is a risk you accept if you choose to use Venmo or any similar service. My guess is that her bank will work with Venmo and get her money back, but it is a much more slippery slope than the same situation with a bank. See this article for details on this situation.

TIP #6 – DO NOT use “accounts” at sites like Venmo and Paypal where they act like a bank and store money for you. Those accounts are not protected under federal banking laws. If you tie those accounts to an actual bank account, you have more protection under federal law.

TIP #7 – If you are more paranoid than some or just risk averse, but you want to use services like this, tie them to a separate bank account that is not linked to any of your other bank accounts. That way, if the account is compromised, your liability is absolutely limited to what is in the account. I have one of these and I never keep more than $200 in that account. Even though the account is not linked to any of my other accounts, I can transfer money in out of the account online.

TIP #8 – Always use two factor authentication for financial accounts and if possible use an app for that second factor. These apps are way more secure than text messages. Free apps to do this include Google Authenticator, Microsoft Authenticator and Authy, among others. The web site has to be set up to use one or more of these apps.

Hopefully this person will get her money back, but you can use her pain to improve your security.

Last tip – TIP #9 – All banks offer the ability to receive an email or preferably a text message any time a charge or credit to your account happens. This includes checks, debit card transactions, credit card transactions and even ATM transactions. You will receive text messages within seconds of the charge happening. Recently one of my cards was compromised and as SOON AS I got the first text message, I was on the phone with my bank’s fraud department (call the number on the back of your credit or debit card and ask for the fraud department). Banks are very motivated to stop this fraud because they eat the losses. In my case, as I was talking to the fraud department, the card was being used in three different stores. They immediately shut down the account, credited those charges and sent me a new card. If you think it is annoying getting text messages about the use of your account, think about how annoying it is if a hacker empties that account.

If you need more assistance, please contact us.

T-Mobile Sued For Lack of Security

I am always skeptical about these lawsuits.  One issue is usually “standing”, but in this case, I don’t think this will be an issue.  Often, if the party being sued thinks they are going to lose, they tend to settle, quietly, with no precedent from a court decision.  In this case, I predict this one may be settled quietly by T-Mobile.  UNLESS, the person filing the lawsuit is more interested in creating a precedent.  We shall see.

OK, here is the story.

Carlos Tapang is suing T-Mobile because someone was able to take over his phone account, transfer it to another carrier and use that new account to compromise his cryptocurrency account to the tune of $20,000 plus.  The good news (not really) is that this occurred when Bitcoin was selling for about $7,000, not the high price of $20,000.

The reason T-Mobile will likely lose if this goes to trial is that T-Mobile said that they would put a PIN on his account, BUT DID NOT.  Ooops.

Also, the hacker socially engineered T-Mobile customer service until one customer service person believed the hacker’s story and allowed him into the account without knowing the proper information.

THIS HAPPENS ALL THE TIME – CUSTOMER SERVICE PEOPLE ARE TRAINED TO KEEP CUSTOMERS HAPPY, NOT SECURE.

If this goes to trial and T-Mobile loses – big if – then it could cause the carrier to improve security.  That is part of what they say they want T-Mobile to do.

Tapang was able to recover his phone number – actually, he is lucky.  Many people lose their number permanently.  But it was too late.

While the article doesn’t say, what probably happened is this.

The attacker somehow figured out that he had a cyptocurrency account.  He either knew or guessed that it was tied to his phone number.  This is the typical “two factor” authentication which uses your phone number and a text message .

Using a text message as the second factor is relatively unsecure because if someone is able to get control of your phone number, they can receive the necessary information for a PASSWORD RESET and the TWO FACTOR text message code.  That is probably exactly what the hacker did.  Then  he emptied Tapang’s cryptocurrency wallet.

And, as we see all the time. the cell phone carriers are horrible when it comes to security.  It is hard to train call center employees, especially with the high employee turnover (for some call centers it is more than 100% turnover per year).  And, if security is good and they won’t hand over information, they wind up with upset customers.  On the other hand, if you do turn over the information without proper authentication, you wind up getting sued.  It is a challenge for the carriers because people want convenience over security.  Until is costs them $20,000.

Well, what can you do?

Number one – do set up a PIN on your cellular account and be a pain in the rear until they actually do it. TEST IT!  With Sprint they seem to be very good about the PIN, but if you don’t know it, they will sometimes let you answer other questions – which is bad security.  More than once I had to go into a Sprint retail store and show them my government issued photo ID to get a PIN reset.  THAT will deter most hackers.  Not all, but most.

Second, DO turn on two factor authentication for any account that that you would be upset about if you lost control of and hackers were able to “empty it out” – such as a bank account, brokerage account or cryptocurrency account.

IF YOU DO NOT CARE WHETHER HACKERS ARE ABLE TO EMPTY YOUR BANK ACCOUNT, SET YOUR PASSWORD TO 123456 AND DON’T WORRY.  IT WILL GET EMPTIED.

Second, if at all possible, do not use a text message as the second factor.  Use an app on your phone such as Microsoft authenticator, Google authenticator or Authy.  These apps are tied to your device once they are set up and NOT tied to your phone number.  If you phone number is stolen it will not help a hacker steal your money.

But this is up to you.  If you figure that it won’t happen to you, choose convenience.  If you think that it might happen to you and you would be upset if your account was emptied out, then use two factor.  Even though it is less convenient.  Google says that less than 10% of GMail users use two factor.

Information for this post came from The Verge.

Phishing Still Works

CSO Magazine has a great piece on social engineering/phishing scams.  The article quotes both vendors that we resell – Wombat and KnowBe4.

Bottom line – the Verizon 2016 data breach report says that 30 percent of the phishing emails were opened compared to 23 percent last year.  12 percent clicked on the link.

If 12 percent of the folks in your company clicked on a malicious link, YOU. ARE. TOAST!

Stu Sjouwerman, CEO and Founder of KnowBe4, an anti-phishing and security education provider says that “a handful of competing cyber mafias are casting their nets wider and wider.”  What this means is that the bad guys have launched an all out assault and situations like the ones that I wrote about the last two days – one company closed its doors, the other lost north of $40 million  – are likely the tip of the iceberg.

One cyber mafia alone netted close to $100 million during the first half of 2016.  That’s a pretty good incentive to hack since it is all tax free.

McAfee recorded 1.3 million new ransomware samples in the first half of this year.

The most commonly successful phishes?

  1. It looked official. – Wombat, a competitor to KnowBe4, says that users are better at detecting personal phishing attacks but do poorly with work related ones.  I guess that is how the hack of Leoni worked.  Send an email from the CFO to accounting, asking them to wire $40 mil to the Czech Republic and DONE!
  2. You missed a voicemail.  Attachments that are designed to look like voicemail messages get people to click,.  And get their computers infected.  You click on it and they own your computer.
  3. Free stuff. People cannot resist free stuff.  Even stuff that they down’t want and won’t use.  if it is free, they want it.  Of course the hackers attach an extra prize to the free stuff.  Once that piece of malware is installed after you click, things won’t seem so free any more.
  4. Fake social media invitations.  LinkedIn, Facebook.  Whatever.  If YOU don’t have a FB or LI account then a scammer can create one using your name.  Then invite your friends.  Or maybe the fake account belongs to the CEO.  Who wouldn’t accept his invitation.  Now they can steal your information or get you to click on a malicious link.
  5. Social Media at Work.  If your company allows you to use twitter, etc.  Wombat says that employees missed an average of 31 percent of the social media question on their tests.  Since most organizations allow employees to use social media at work but a third of the time users cannot detect malicious activities, what does that say about keeping the bad guys out?

Part of it is that the bad guys are getting better.  Much better.  I look at some of the malware and it is very impressive.

What is an organization to do?

If you are not actively phishing your employees on a regular basis (at least once a month, if not more) with very realistic phishing emails, you are missing a training opportunity.  And the cost is very reasonable.  Contact us for details.

Information for this post came from CSO Magazine.