Phishing Is Not Just About Passwords


According to a local news source, March 10, 2020 is Middle Name Pride Day. To celebrate it, the outlet decided it would be fun to have its readers and Facebook followers complete the sentence, "My middle name is ______". In public. For all to see. To most people this would appear harmless and innocent. Even fun. Who wouldn't be proud of their heritage, right? The problem is that personal information such as our middle name is often used for identity verification online or over the phone. In other words, this was a data security breach for those who participated. Any malicious actor who was monitoring the revelation of middle names would now have a copy.

How is this potentially dangerous? With enough of our personal information, malicious actors can impersonate us online or on the phone. Let me give an example of a security threat that happens every day, yet almost no one pays attention to it. Many of us have received that telemarketing phone call. They know who you are. They introduce themselves as representatives of a bank, credit card company, ISP, or telco. They offer some sort of product or service. But to avail of that service, they have to verify your identity. They ask the usual: birthday and mother's maiden name.

Birthday and mother’s maiden name. The very same identity challenges you face when you call your service provider’s customer support. But in this case, they called you. How sure are you that the incoming caller was really who they claimed to be? You really have no way of verifying them. Oftentimes, the phone number shown on caller ID is some random landline or, worse, a mobile number that can’t be verified with an online search. This is a massive information security vulnerability for ordinary consumers.

It’s not difficult for threat actors to acquire our birthdays. We post our birthdays on social media. Even if we don’t, our friends greet us on our birthday. That reveals the month and day to the public. All that is needed to obtain the year is for someone to mention how old you are. Our birthdays are also on many forms we fill out. Government, bank, or telco forms might comply strictly with data privacy and security policies. But many other forms that collect personal information are less strict. Your loyalty card or gym membership forms contain your birthday, for example.

Your mother’s maiden name would be much harder to obtain. Unless your mother is on social media and uses her maiden name publicly, it is the one piece a potential attacker still lacks. That is why an incoming phone call asking to verify your identity is dangerous.

Those caught up in the excitement of receiving a special, exclusive, pre-approved offer willingly give away personal identity information. Threat actors are then fully equipped to impersonate you.

For those up to date on the recent spate of email phishing attempts on bank customers, this is the voice predecessor of phishing: pretexting. Pretexting is when a threat actor portrays themselves as a person their target can trust. With trust established, the threat actor can then draw out the target’s private information. Instead of passwords or credit card CVVs, the answers to identity challenges are phished.

Most hacking is done via social engineering, not by brute-forcing into systems as typically depicted in TV shows and movies. For the curious, good, fairly realistic portrayals of hacking and social engineering are the 1992 Robert Redford movie Sneakers and the Rami Malek TV series Mr. Robot, which began in 2015.

Unfortunately, customer service providers would be hard-pressed to come up with a more secure process to verify identity. The most obvious option, and one already in use, is a one-time password sent via SMS. But SMS has its own set of known, serious security concerns. Other measures may demand some effort from the consumer. Cybersecurity is a balance and compromise between secrecy and convenience, and consumers will not react well to inconvenient measures.

Until service providers employ a more secure process, consumers should not give away any information to incoming phone calls. Consumers should only reveal verification information on phone calls to customer support that they make themselves.

In the meantime, the safe response to telemarketing offers is, “Thank you for your call. I am interested, however, I would like to visit my branch in person to avail of the offer.”