FIGHTING COMPUTER FRAUD….ADVICE FROM AN EXPERT….Über-hacker Kevin Mitnick writes in the LA Times today about the real threat to computer security:
The greatest vulnerability for computer security doesn’t come from technological flaws in hardware and software but from the weakest link in the security chain: people. And not just dishonest employees. Trusted insiders can be duped or deceived into giving away the keys to the kingdom. The technique is called “social engineering,” and it’s a modern version of what I call the art of deception, which con men have been using for centuries.
An attacker, foreign or domestic, can easily take advantage of the trust we have in fellow employees and the respect we have for people in authority. For example: A caller tells you that there has been an ongoing problem with your server and you’re in danger of losing all your data. He needs to put you on another server; you’ll have to change your password and stick with it until the problem is resolved. He gives you a new password to use and waits while you make the change and verify that it works. You hang up, a little annoyed at the interruption but maybe feeling good that the people in information technology are taking such good care of you.
But was that really a man from IT, or a hacker who now has access to your computer system?
….The hacker who uses social engineering tactics steals your trust in much the same way. Consider: Your phone rings and on the other end of the line is a man from the phone company. He says you have an overdue balance of $63.14, and if it isn’t paid by 5 p.m., your phone will be disconnected and you’ll be required to make a $300 deposit before service is restored.
You insist that you paid on time. The caller says no payment was received and that a disconnect notice was mailed to you. In the spirit of good service, the man offers to search the records to see if he can locate the payment. This drags on for some minutes while you hear him clicking keys and making occasional comments. He still can’t find anything, so he asks you to get out your checkbook and give him the details of your bank, check number and amount of payment. Still nothing. He asks you to read off the numbers printed at the bottom of your checks.
You have just given him your checking account number….