The Digital Rag
Real World Information in a Virtual World
Wednesday, March 10 2010 @ 07:15 PM PST


You are the Last Line of Defence - Personally

General News

Over the weekend I received a phone call from someone purporting to be from a major credit card company offering me a great deal on balance transfers, etc.

Sometimes I brush these calls off, but sometimes I let them ramble, both to learn how they do what they do and, in some cases, to teach them how at least I (and hopefully you too) view their methods and their expectations of what we will and won't give them in the way of information.

In this case I was mildly surprised - but not much - at what this person knew about me - name, company name, address, phone number (they used the business line, not the home one) etc.


It got down to the point where I was willing to say "yes" to this person (I'm fairly certain they were who they said they were - mostly from things I heard in the background of the conversation - did you know that today's telephone is VERY sensitive!) - and they blew it. They asked for my birthdate to "verify that they were talking to the real Richard Pitt" and I said right back - "OK - but I'll only answer that question after I have dialed you back via a phone number I can find and verify independently belongs to your bank - what is your local?"

Silence - then a repeat of the request and the reason for it - as if I'd never even asked to call them back. I repeated my requirement - and got "ok - call this number 1-888......", to which I said - "sorry - I need to find that number myself, you giving it to me defeats the purpose..."

While I was talking I had done a search both for the phone number they had given me, and for the bank's main web site. I found both, and after telling them to "hold on for a second", dialed the number on one of my other lines. The voice system asked for my account number and other than that, told me to go to the web site - nothing to allow me to either get to a human operator or enter a local, even though I still had not been told one.

I got back on the original line and told the rep what I had done - and that so far they had failed to give me what I needed to authenticate THEM before I would give up my information. At this point the rep asked me to hold while they got a supervisor. After a couple of minutes on hold, the supervisor came on and I repeated my story and requirement. At least she understood, and eventually offered up the information that in fact they were a call center in India only on contract to the bank, not actually a part of it, and that there was no way for me to dial back to them using information I could find anywhere.

At this point she suggested that she would have one of their management people call me to discuss the problem some time this week. I'll let you know how that goes.

In the meantime, this morning I received a post on one of the mailing lists I subscribe to describing a whole new problem that affects this type of "offline" authentication of who is calling you and asking for your personal information. Quite a coincidence it seems, but the crooks and other bad-uglies out there are not stupid - they are sneaky and highly motivated by the millions they are stealing daily.

It turns out that the crooks are taking advantage of VOIP (voice over IP) technology and one of the unintended consequences of telephone deregulation: the opening up of the previously closely guarded (by the old-boys club of telecoms) SS7 system that gives you the caller ID information when someone calls you. As I've known for some time (I've been working with VOIP for a number of years now), the caller ID info can be generated completely independently of the actual number that is calling you - so I could set my VOIP system to show that I'm calling you from your bank, for instance - and when the call enters the traditional telephone system via a gateway this bogus information is just passed along, since it is pretty much unverifiable by your local phone company.
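An added example, not from the original post, of the check a VOIP-to-PSTN gateway could do so that the bogus caller ID is not "just passed along": it forwards a SIP INVITE only if the caller ID the call asks to present is one the authenticated trunk is contracted to use. The trunk name, numbers and INVITE are constructed, assumed values.

```python
import re
from typing import Optional

# Constructed: which caller IDs each authenticated SIP trunk may present
# (assumed trunk name and numbers, not from the original post).
TRUNK_ALLOWED_CALLER_IDS = {
    "trunk-acme-office": {"+16045550100", "+16045550101"},
}

# Matches the digits of a sip:/sips:/tel: URI; display names are ignored
# because nothing in the network ever verifies them.
_NUMBER_RE = re.compile(r"sips?:\+?(\d+)@|tel:\+?(\d+)")

def presented_caller_id(invite: str) -> Optional[str]:
    """Return the number this INVITE asks the gateway to present as caller ID.
    P-Asserted-Identity takes precedence over From, as it does at a gateway."""
    headers = {}
    for line in invite.splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    for name in ("p-asserted-identity", "from"):
        m = _NUMBER_RE.search(headers.get(name, ""))
        if m:
            return "+" + (m.group(1) or m.group(2))
    return None

def gateway_decision(trunk_id: str, invite: str) -> str:
    """'forward' only when the trunk is authorised to present that caller ID;
    otherwise the call is rejected instead of passed along to the PSTN."""
    number = presented_caller_id(invite)
    if number is None:
        return "reject: no parsable caller ID"
    if number in TRUNK_ALLOWED_CALLER_IDS.get(trunk_id, set()):
        return "forward"
    return f"reject: {trunk_id} is not authorised to present {number}"

# Constructed INVITE from the office trunk whose From header claims a
# bank's toll-free number (a made-up number, not a real bank's).
SPOOFED_INVITE = "\r\n".join([
    "INVITE sip:+16045550199@pstn-gw.example SIP/2.0",
    'From: "Your Bank" <sip:+18885550123@voip.example>;tag=1',
    "To: <sip:+16045550199@pstn-gw.example>",
    "Call-ID: abc123@voip.example",
])

if __name__ == "__main__":
    print(gateway_decision("trunk-acme-office", SPOOFED_INVITE))
```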

Along with this, the crooks are creating authentic-looking web sites (the same sites they are creating for PHISHING) with bogus phone numbers in them - then manipulating the search engines to make these bogus sites come up in the top 10 when you search!!!

As SANS says:

"Some of the best practices against Vhishing attacks suggest the victim to:

  1. Verify that the number she is calling to belongs to the "calling" company, typically through the company Web page or other printed material, but unfortunately, a lot of users are used to checking in search engines.
  2. Directly call the company number instead of trusting a received call ensuring XYZ is calling you with a very important or juicy request, even if the caller ID is the right one."

They also point to an example of a Vhishing attack that includes making fake entries for telephone numbers for "authentication" just so you know what I'm talking about is real.

As usual, the bottom line is that it all comes down to YOU - the person on the receiving end of any unexpected correspondence - whether it is e-mail, telephone, courier, snail-mail, or a visitor to your home or office door - be skeptical. Do not assume they are who they say they are - and do not assume that just checking Google or Yahoo for a pointer to allow you to authenticate them is OK - it is proving not to be.

Only you can do the "sniff test" of legitimacy - and only you can ensure that those who wish to deal with you in your personal information, money, etc. have in place the facilities necessary for YOU to check them out when they contact you unannounced.

The problem is similar to the parent telling their child not to talk to strangers - in fact, we all talk to strangers all the time, but we mostly initiate the conversations. Statistically speaking, when we choose someone at random on the street there is a high probability that they will be like us, since the vast majority of the population is law abiding and generally altruistic in dealing with strangers. It is when the stranger starts the conversation that we have a higher probability that they have some ulterior motive that is not what we expect. The contradiction in this (to the stranger, we are a stranger initiating the conversation) is dealt with by the circumstances - a child generally poses no threat to an adult they start talking to - and asking for help is different from asking for personal information. Similarly, walking up to a teller in a bank who is otherwise a stranger is legitimized by their surroundings; unless a whole gang has taken over or duplicated the bank premises, we are fairly assured of the business we are dealing with.

The stranger calling us, sending us e-mail or snail mail, or walking into our office must somehow prove they are who they say they are - and we have a right and a duty to ask them to do so. Never forget this - and ensure they know it too.
