With the evolution of security technologies such as intrusion prevention systems and firewalls, individuals seeking to obtain confidential information have begun using interpersonal tactics rather than technical means to solicit information.
This “social engineering” is a collection of techniques used to manipulate people into performing actions or divulging confidential information. This information is typically used for financial gain and can be acquired through techniques such as phishing schemes, spoofed emails or pretexting.
The Weakest Link
As security technologies have become increasingly difficult to breach, social engineers have begun to target the weakest link in the information security chain — human nature. Social engineers exploit the characteristics bank employees display every day in providing quality customer service: helpfulness, trust, knowledge of internal processes, authority and technology.
Social engineers are often charming and charismatic, which allows them to establish a rapport with their targets. These individuals fly below the radar collecting small pieces of information from numerous bank employees. By combining several pieces of information, the social engineer may be able to get a virtual, or actual, foot into the door of your bank.
Phishing schemes involve websites used to steal sensitive information such as usernames, passwords, account numbers, Social Security numbers and other financial data. These websites often mimic trusted sites consumers visit regularly. Social engineers typically lure users to phishing sites through spoofed emails.
Social engineers often use spoofed emails to trick recipients into releasing sensitive information. Spoofed emails are messages that appear to have originated from one source but have actually been sent from another undisclosed source.
These emails often advise you to click on a hyperlink to be directed to a website. At this site, users are asked to disclose pieces of sensitive information such as name, date of birth, account number, or Social Security number. Spoofed emails may also request usernames and passwords from employees by posing as the bank’s network administrator.
Recently, many consumers responded to spoofed emails directing them to a phishing site supposedly sponsored by the Internal Revenue Service. Email recipients were advised that a mistake had been made and they were entitled to an income tax refund.
The spoofed email included a link to a phishing website where victims were asked to enter their bank account numbers so that refund checks could be disbursed. Social engineers used this information to access bank accounts and steal thousands of dollars.
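The two indicators described above, a From: address that does not match the address the message was actually sent from and a hyperlink whose visible text names one site while it leads to another, can both be checked mechanically before a message reaches an employee's inbox. The following is an added example (not code from the article or its author) of those two heuristics in Python, using only the standard library; every address, domain and message in it is constructed for illustration, and the example generalizes the IRS refund case to any message with an HTML body.

```python
"""Heuristic spoofing checks: (1) the displayed From: domain differs from the
Return-Path (envelope sender) domain, and (2) an <a> tag's visible text names a
host other than the one in its href. Added example, not the article's code; all
domains below are constructed placeholders, not real infrastructure."""

from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a spoofed "tax refund" message of the kind described above.
SAMPLE_SPOOFED = b"""Return-Path: <bounce@mail-relay.example.net>
From: "Internal Revenue Service" <refunds@irs.example.gov>
To: customer@bank.example.com
Subject: Tax refund notice
Content-Type: text/html; charset=us-ascii

<html><body>
<p>A mistake was made on your return. Click below to receive your refund.</p>
<a href="http://login.example-refund.net/irs">https://www.irs.example.gov/refund</a>
</body></html>
"""

# Constructed sample: a legitimate notice whose headers and link are consistent.
SAMPLE_LEGIT = b"""Return-Path: <alerts@bank.example.com>
From: Bank Alerts <alerts@bank.example.com>
To: customer@bank.example.com
Subject: Statement ready
Content-Type: text/html; charset=us-ascii

<html><body>
<a href="https://online.bank.example.com/statements">https://online.bank.example.com/statements</a>
</body></html>
"""


def address_domain(header_value):
    """Lower-cased domain of an RFC 5322 address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def sender_mismatch(msg):
    """True when the From: domain differs from the Return-Path domain.
    Legitimate bulk mailers can also trip this, so treat it as a signal, not proof."""
    from_dom = address_domain(msg.get("From"))
    rp_dom = address_domain(msg.get("Return-Path"))
    return bool(from_dom and rp_dom and from_dom != rp_dom)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL-looking string; '' when the text is not a URL."""
    if not text or any(ch.isspace() for ch in text):
        return ""
    parsed = urlparse(text if "://" in text else "http://" + text)
    host = (parsed.hostname or "").lower()
    return host if "." in host else ""


def deceptive_links(html):
    """(shown host, actual host) pairs where the link text names a different site."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href or "")
        if shown and actual and shown != actual:
            findings.append((shown, actual))
    return findings


def analyze(raw_bytes):
    """Run both checks over a raw message and return the findings."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "sender_mismatch": sender_mismatch(msg),
        "deceptive_links": deceptive_links(html),
    }


if __name__ == "__main__":
    print("spoofed:", analyze(SAMPLE_SPOOFED))
    print("legit:  ", analyze(SAMPLE_LEGIT))
```

Neither check is conclusive on its own: forwarding services and mailing-list software routinely rewrite the envelope sender, and a link whose text is a plain word such as "Click here" names no host at all and is deliberately skipped. Used as a scoring input alongside the awareness training the article recommends, though, a message that trips both checks is a strong candidate for quarantine or a warning banner.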
Another dangerous social engineering scheme targeted at banks is pretexting. Pretexting schemes involve social engineers calling the bank, posing as a customer or someone authorized to have the customer’s information and using an invented scenario (the pretext) to persuade bank employees to disclose confidential information.
The caller has usually conducted research and knows the name, date of birth and Social Security number of a bank customer. If the pretexting attempt is successful, the social engineer will be given the customer’s account numbers and other personal information.
Quid Pro Quo
As technology grows and changes, computer users require technical support. Social engineers exploit this need by calling banks and pretending to be technical support representatives. The social engineers either dial numerous extensions or ask to be transferred from employee to employee until they finally find someone who has a legitimate support issue.
After the bank employee explains the technical difficulty, the social engineer prompts the employee to turn on a specific computer and perform a series of tasks. These tasks can create a vulnerability that allows the social engineer to penetrate the technology and controls that protect even the strongest security infrastructure.
One threat you may not have considered is the presence of USB ports on employees’ workstations. USB thumb drives are popular door prizes and giveaways at conferences and events. Recently, USB thumb drives were coded with malicious software and given to unsuspecting bank employees. When the employees plugged the devices into the bank’s computers, the program transmitted customer information to social engineers.
To protect your bank from this new social engineering scheme, warn your employees not to use USB thumb drives that have come from unknown sources.
While your bank likely uses the best security technologies available and trains employees to diligently lock up confidential information, social engineering schemes continue to be a threat. Strong information security policies and security awareness training are your best defenses.
Matt Durbin is the information security coordinator for Computer Services Inc. in Paducah, Ky. Contact Durbin at www.esiweb.com.
Copyright © July 2008 BankNews Publications