

The Man Who Hacks Your Employees - softdev12
http://www.wsj.com/articles/the-man-who-hacks-your-people-1429499479

======
AlexDanger
Not sure how it is in USA/Europe - but in Australia, some of the biggest
banks/telcos still ring up customers (from private numbers) and ask for _all_
your personal details to confirm your identity before proceeding with the
call. Some even ask for plaintext passwords over the phone. At the same time
they have big warnings on their webpages about phishing and how they'll never
ask for personal details over email.

More than once I've explained that providing all my details in this fashion
directly contradicts the security policy of the banks, but it takes some
convincing to get the phone operators to give you a number you can confirm is
legitimate and call them back. It's clearly not on the call center script and
they don't understand why I am being so pedantic.

~~~
_asummers
Comcast now requires the last 4 digits of your social security number to do
anything. Even though it's not the whole thing, I'm extremely uncomfortable
whenever I have to call them.

~~~
pavel_lishin
Are you actually required to give them your real social security number? Or
can you give them a random string of digits that you would like to be
identified by?

~~~
_asummers
They require social for credit check when signing up, then they're now using
the last 4 digits for account verification. It seems really awkward and
forced. They then also have you provide address, name, phone number when
speaking to the CSR, which seems redundant. If I have someone's social, I
probably know where they live. And I certainly wouldn't be calling Comcast on
their behalf.

~~~
Casseres
They probably don't require your Social Security Number. I've avoided giving
mine out by paying a deposit to my cable internet company, my electric
company, and I use prepaid (which is cheaper than post-paid for the same
service) to avoid giving it to a phone company. I also leave it blank on my
doctor's forms and other forms. No one has ever hassled me about it.

------
Zikes
> Let’s say the jolly IT guy calls you and he starts to ask you things that
> don't make sense. That’s when a red flag should go up.

That's an everyday occurrence in some offices.

~~~
Consultant32452
Yeah exactly, who is the audience here? For the average semi-computer literate
office drone there's hardly any questions the jolly IT guy could ask that
would seem out of place. You have to have a lot of domain knowledge to know
that what's being asked isn't kosher.

Probably the biggest clue is that the IT guy is "jolly." The IT guy generally
isn't jolly. You know some shit is up :)

~~~
hn_
"Any sufficiently advanced technology is indistinguishable from magic."

IT is magic to most - magic in the fact that they don't know how the trick is
done or what is required for it. "hey, can you give me the serial number on
your computer so I can configure the flux capacitor" seems like a reasonable
request because you don't know what a flux capacitor is or what is needed for
it to run. All you know is you need your internet and email to do your job and
IT does all the magic to make that happen.

------
Scramblejams
He mentions putting a color swatch on the company intranet that changes daily
as a form of authentication.

I wonder how well it would work to call people up and say, "Hi, this is Paul
from IT, we're having some trouble with our intranet security color swatch
generator this morning. You should be seeing pink. Is that right?"

~~~
pavel_lishin
I think that was just an example; it just needs to be some daily changing
token. When a bad guy calls up your company, he should have no idea whether
you use a color scheme, mythical animals, sports teams or flightless birds.

~~~
antsar
Your definition of "bad guy" strangely seems to exclude disgruntled former
employees.

~~~
pavel_lishin
You're right, I didn't think about that.

~~~
frost_knight
If it's a former disgruntled employee then they shouldn't know what the daily
token is, since they should at that point be gone and no longer have access to
such details.

If they do, however, know the token, then you have another problem altogether.

~~~
pavel_lishin
But they'll know the general scheme, which would help them extract the current
day's code.

~~~
wingerlang
Unless the color is random each day, which would make more sense wouldn't it?

~~~
LyndsySimon
"Hi, this is Paul from IT. We're having some trouble with the random color
generator today, could you pop open a browser and check for me? It should be
pink, but we've gotten a couple of calls saying it was a different color. What
color are you seeing at your location?"
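
One way to make the "daily changing token" the thread is picking at concrete
(added example; not from the article, from Hadnagy, or from anyone in this
thread): derive the token from a secret key and the date with HMAC instead of
publishing a random list, so that someone who knows the scheme and the palette
but not the key (the disgruntled former employee above) cannot compute it, and
rotating the key is what actually revokes that knowledge. The palette, the
word-plus-digits format, the sample key and the sample date are all
assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Illustrative palette (assumption). Any list of memorable words works:
# colors, mythical animals, sports teams, flightless birds.
PALETTE = ["pink", "teal", "amber", "violet", "olive", "coral", "navy", "slate"]

# Constructed sample inputs for the demonstration below (not real values).
SAMPLE_KEY = bytes.fromhex("0f" * 32)
SAMPLE_DAY = date(2015, 4, 20)


def daily_token(master_key: bytes, day: date, palette=PALETTE) -> str:
    """Derive the day's token as HMAC-SHA256(master_key, ISO date).

    Only holders of master_key can compute it. Knowing the scheme and the
    palette without the key gives no advantage over a blind guess, and the
    six-digit suffix makes a blind guess succeed with probability
    1 / (len(palette) * 10**6) rather than 1 / len(palette).
    """
    mac = hmac.new(master_key, day.isoformat().encode(), hashlib.sha256).digest()
    word = palette[int.from_bytes(mac[:4], "big") % len(palette)]
    digits = int.from_bytes(mac[4:8], "big") % 1_000_000
    return f"{word}-{digits:06d}"


def verify_caller(claim: str, master_key: bytes, day: date) -> bool:
    """Callee-side check: the caller states the token, the callee answers only
    pass/fail. Constant-time comparison; the real token is never returned or
    echoed, so a failed attempt teaches the caller nothing about it.
    """
    expected = daily_token(master_key, day)
    return hmac.compare_digest(claim.encode(), expected.encode())


def rotate_master_key() -> bytes:
    """Issue a fresh 256-bit key. Rotating on staff departures is what revokes
    a former employee's ability to compute future tokens; the tokens they
    already saw while employed were only ever valid for their own day.
    """
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = rotate_master_key()
    today = date.today()
    # Legitimate IT staff hold the key, state today's token, and pass.
    print("IT staff:", verify_caller(daily_token(key, today), key, today))
    # A former employee knows the palette and the scheme but not the key.
    print("ex-employee guess:", verify_caller("pink-000000", key, today))
    # After rotation a token computed from the old key is useless.
    new_key = rotate_master_key()
    print("old key after rotation:", verify_caller(daily_token(key, today), new_key, today))
```

Note what this does and does not defend against. Proof only runs in one
direction: the caller states the token and the callee checks it. The "the
generator is broken, what color are you seeing?" call above inverts that
direction and no token design fixes it; the only defense there is the script
the employee follows, which is that they never read the token out and, as
ibrad says further down, call IT back on a known extension instead.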

------
eyeareque
His social engineering contest at defcon is always awesome to watch. It's
incredible to see the big companies give out such internal information. The
social engineer is inside of a glass protected booth and the crowd can watch
and listen in. They have a points system where the harder to get info gets you
a higher score. Ex: a high score was given if you could get them to hit
social-engineer.org from their browser. One guy told the person on the other
side of the phone that it was a social network for engineers. Also: make sure
to check out the contest on Friday/Thursday as they can't really do the live
over-the-phone hacking on Saturday/Sunday as most businesses are closed on the
weekends.

~~~
Estragon
Are there videos of this contest? I had trouble finding any.

~~~
eyeareque
They are very strict inside of the room to ban all forms of recording or
picture taking. Probably for legal reasons (my guess) so I don't think
you'll find any.

------
ChuckMcM
This is a scourge. And of course most employees who get a call from someone
purporting to be part of the company have a reasonable fear of creating
problems at work and so often seem to err on the side of giving out more
information.

The sad thing is that as we open up more and more ways to "do" things remotely
(like move all your checking account funds from your account) the more danger
involved. In many ways this makes the whole requirement that you authorize at
a specific terminal in a secure space make much more sense.

~~~
frost_knight
For 4 years I was the systems security officer for a college. At least 2
students per week fell for a phishing scam. It didn't matter how much we
warned about it; emails, orientation lectures for first-years, one-on-one
talks, big alerts on the Blackboard system, you name it.

They'd get an email claiming to be from the help desk and BAM owned. My
sensors would pick it up and cut their access off and they'd have to come to
my desk for restoration. I was unfailingly polite and respectful. Didn't make
anyone feel dumb, no berating, just a calm explanation of exactly what
happened and how to avoid it in the future. No student ever had it happen to
them a second time.

One staff member fell for phishes at least 5 times, though. The president of
the college had to talk to that individual eventually.

------
ibrad
If anyone from IT calls you, you should be able to call them back at their
extension. Or that's a red flag.

We used to have fun with William the "Windows Tech team agent" (from India).
He (They) would call us at least once a week. I think they might have had a
successful attempt otherwise why would they keep calling.

------
jmckib
> WSJ: Hold up. How can I get a free plane upgrade?

> MR. HADNAGY: Airports are always stressful. These ladies are always getting
> yelled at. If we make someone happy before we can ask for a free upgrade,
> that could work.

So now the question is: how do you make the agent happy enough to give you an
upgrade? Just be polite?

------
iizarc
"LinkedIn: I have everywhere you’ve worked. Everywhere you went to college.
Facebook: I have your family, your wife, your kids, your boyfriend, your
girlfriend, your last vacation. Twitter: I have everything you’re doing
throughout the day. If you’re on Foursquare, I can geolocate where you do it."

This is so true lol. Many people don't realize all the valuable info they put
up on social media. Great article btw.

