Occasionally I will be called by someone from some company or government department because they want to notify me of something. Let's say, for example, I forgot to pay my insurance bill.
At some point in the call they will ask me, "I just need to verify your identity with some security questions," and ask me for something like my date of birth or my home address.
The only correct answer to this is "I can't give you that information. You called me. I have no idea who you are."
I'm always met with complete incredulity at this concept. About 50% of callers don't understand at all what I'm trying to get at. Most of the rest just don't have any idea how to continue.
What I tell them at this point is that the correct way to handle this is for them to give me an extension number for them personally; I will then find the external number of their company/dept myself on their website and call them back.
Unfortunately a lot of these callers either can't (due to not having a personal extension number) or won't (it's off protocol, I guess?).
The problem is, I feel like an asshole for taking a stand on things like this ("Why is this guy trying to make my job difficult"), but more people need to understand that it's all too easy to be socially engineered!
> The only correct answer to this is "I can't give you that information. You called me. I have no idea who you are."
This ties in with a scam in the UK that exploits a feature / bug of the POTS.
The scammer calls, and claims to be from your bank, and that you've been the victim of crime, and that they need to sort it out.
Some people express doubt about the validity of the caller.
The scammer says something like "Have a look on the Internet at your bank's phone number, and give them a call, and ask for Mr Jones in the Fraud Response Unit on extension 537. I'll hang up while you look. But it's really important that you do this quickly, to prevent more of your money being stolen".
The person being called hangs up the phone, but the scammer does not. Since the scammer initiated the phone call they're keeping that line open.
When the victim picks up their phone to make a call the scammer plays a fake dial tone while the victim "dials a number". An assistant of the scammer then pretends to be a bank phone answerer and connects the victim back to the scammer.
This little bit of social engineering appears to be very strong. There are stories of people who were initially suspicious, but who then lost all suspicion because of this trick, and who lost tens of thousands of pounds.
And since the victim handed out the money the banks tend to refuse to give the money back. The victims really lose real money.
It's very sad.
Is that some UK-specific thing? Because in Moscow hanging up the phone breaks the connection from either side. Pretty sure that it has been this way since Soviet times.
Of course scammers can easily physically connect to your wire so analogue connections are totally insecure for communicating with bank anyway.
It's a tradition!
I must guess this kind of primitive social engineering can work in around 1 out of 100 cases and still be practical. As far as I've seen, though, the real threat is phishing. Really easy to set up, and for most people it works.
Just the other day I was playing around on an unprotected server of a phisher who had just sent me an email, and there were plenty of people who had fallen for their trick. It could be seen in a text file where they were lousily saving all these details. Scary stuff.
Two factor authentication and even one-time cards (some banks issue this) can protect from this; but as always people that worry about security are already secure. It's the unaware that will fall for the trick.
But in the heat of the moment we often forget these sorts of things; I got a scam voice mail allegedly from the US Internal Revenue Service (IRS) saying I owed money and was about to get sued.
I KNEW it wasn't legit; I KNEW it was a scam, but I still had that adrenaline surge and a desire to clear it the hell up, right now, using the method they wanted me to use. Which of course would have cost me a lot of money. My cooler head prevailed thankfully, but the fact my emotions rose so high, so quickly, scared me. Still does.
The related audio and video on this link show the extent of, and distress caused by, this scam: http://www.bbc.co.uk/news/uk-34660329
18 pensioners, £600,000 (roughly $45,000 each): http://www.bbc.co.uk/news/uk-35064360
"Hello is XXX there ?"
"Who is calling ?"
"I can't give out that information"
"Mrs XXX here."
"I am going to need you to verify your identity."
"BUT YOU CALLED ME !@*!"
Companies need to actively distinguish their communications from SPAM, SLAM & phishing attempts.
As a programmer I can't understand how we are more secure by bunching people into large tight groups in security lines to protect people on the other side of security lines.
If terrorists want to kill the traveling public, one grenade and a few guns could take out dozens if not hundreds of people in a security line. And it requires no security to reach it. It really just seems a textbook case of security theater to me.
Some people DO get very pissed off, but it was never someone worth interacting with in the first place, so...
Also, it's probably more "Hi, this is Mr XXX, who am I talking to?".
Maybe they should be, but they clearly are not.
They said "if the text says it's from us it definitely is". I was not overly impressed by this.
Now, allow me to take this article about irreducible complexity and reduce its complexity: the question is not even about which shade of security gray to go with. It's an ongoing psychological battle between security and security theater, which is an unrelated set of activities that is almost, but not entirely, exactly unlike actual security.
Security theater operates on the level of what feels right, instead of what is logically right. That makes it powerful. It offers an appearance and feeling of safety, and there's value in that. Of course, if you ask someone "do you want a phone that feels safe or is actually safe," they'll pick the latter, but actually, they want and need both.
That's the problem with this issue. The general public doesn't feel the difference between these two domains clearly enough to know how dangerous the government's plan for the iPhone is - they don't understand that it shifts the balance wholly from security to security theater, when what you actually want is a blend of both. You need The Great Tagliatelle and the locked cockpit door. You need laminated paper and you need to have pilots with secret codes. Without security, an iPhone will still FEEL safe - it just won't be.
The problem is, feeling safe is good enough for most. That's why we mostly have metal locks and not giant flaming Doberman-launching turrets on our lawns. Until the public gets the need for a balance, this debate will go nowhere fast, and the government - which is very used to getting its way - will skillfully play on our desire to feel safe in order to get what it needs.
I was recently asked to sign a receipt at a store when I'd used Apple Pay. My phone uses a fingerprint reader to authorize a one-time-use token for payment that's transmitted in a cryptographically secure way. But that signature - that's the real unfakeable proof.
It's a small part of a package of evidence that proves intent to deceive. If I use someone else's credit card I can lie and say it was an accident. If I use someone else's credit card and sign their name, not my name, on the slip, it's harder for me to make the same lie.
Apparently signatures are still used as a method of determining liability for fraudulent charges, who knew?
This term is onerous and as such needs to be agreed to, which the signature does.
While this doesn't protect against a completely insane pilot (he/she could kill the flight attendant), it does eliminate scenarios where the cockpit only has one person present.
The person plotting to commandeer the cockpit always has the upper hand, because they'll be the first to act. It's hard to defend against a sucker punch or a knife from first-class.
You could even argue that the two-in-the-cockpit rule is less secure, because it introduces one additional person who could pull off a Germanwings scenario into the impenetrable control room. This is the same concern raised by the pilot quoted in this article (http://www.smh.com.au/business/aviation/germanwings-australi...):
"It exposes the cockpit to more security risks than the isolated case of a homicidal pilot," he said. "I think flight crew are a better judge of fellow pilots' mental state. Now I have to judge the cabin crew member's mental state too before leaving them in the cockpit with access to things like the crash axe."
Originally I had a long aside in the article to deal with this point, but I axed it because I don't think it changes the core argument. Unfortunately Medium seems to have removed footnoting capabilities. But it's still a valid note. Thanks.
Also, the argument about now having to judge other cabin crew members' mental state falls a little flat, since the pilot who left the cockpit clearly wasn't even able to judge the guy he was with. It's sort of like arguing that now you have to read two minds instead of one.
I'm not a psychologist though, so not qualified to weigh in on questions of sanity. For the same reason, I also agree with your point about crew judging each other's mental states. The part that resonated with me was more that there's now one more person in the cockpit who could potentially pull this off.
The fact that he waited for the pilot to leave doesn't prove that he wasn't prepared to pull off the same attack if the pilot didn't leave. He'd still choose to do it this way given the option. We'll never know, but regardless, it remains a possible vector in the future, yet the cockpit security remains in place (for good reason).
Or, maybe the user is "kicking the tires" to see how robustly it was coded, concerned that poor data verification practices reflect weaknesses elsewhere in the code as well.
EDIT: s/inadequacies/weaknesses for clarity
The article is about software security and how it compares (or doesn't compare) to real-world security, and what this means for the Apple case.
What drew me in is mostly that the beginning is written in a very light-hearted style, so it's a pretty easy read at first.
Usually I go in the other direction and redefine bland, e.g. https://medium.com/@blakeross/don-t-outsource-your-thinking-.... Had a little Friday fun with this one.
Either way, I identified with some of the points being made and easily picked up on the things I'd not considered from this angle thanks to the funny examples.
I still see unease with some of my friends and family about the topic, and although perhaps some of them have realized the ultimate question of should the cockpit or the cabin control things, I don't think they have a good understanding of why that is, or how this phone security compares to other things that are called "security," whether a door lock or the airport security line.
Very vivid writing that explains this for everyone. And I dig this type of humor.
For example, who is "you" in the following two bullet points:
* It is not 'secure' as the Coke recipe is secure. Coca Cola has the key to its vault, but you don't have the key to yours.
* It is not "secure" as the Pentagon is secure. Those blueprints are closely guarded, but your plans — even much of your security code — are known to all.
The metal detector makes the airplane neither more nor less safe than the security theater porno scanner machine, and the precheck also doesn’t accomplish anything. The only reason most of the people need to be diverted through the porno scanner machine is that the federal government spent a few billion on them in a handout to some senator’s friends, and to scrap them now would make the tremendous waste of money obvious to everyone.
But at the same time, business travelers don’t want to go through the new machines, so we let them pay a nominal fee (easily amortized down to trivial if you fly a few dozen times per year) to go through the old metal detectors instead. Bonus: they now get to take a shortcut in the security line that they didn’t used to get. If someone without a real precheck manages to sneak through the metal detector line by counterfeiting some paper token, it isn’t a real security risk.
I agree that it's generally theater all the way down.
* Potential damage is roughly symmetric. A bad/evil driver might kill others but very likely also kill himself.
* Threat is local. There is no way for a bad/evil driver to kill all the drivers.
* The road system as a whole does not have a single point of failure.
I think the claim in the article is dangerously wrong. We should never be given a binary choice on such a big issue.
The question, "should the security of any model of personal computing device be subject to the whims of every court in every nation" seems binary to me.
No matter how much defense you put up, if you are accessible, you are at risk for unauthorized use of data.
Employing only people you trust and showing them you trust them is a great alternative to security restrictions.