Devious Tactic Snags Phone Data

Old security auditors would be proud. Social Engineering is still a significant security risk for wire-line and cell phone users.

2 Responses to “Devious Tactic Snags Phone Data”

  1. Mark says:

    I’m not entirely sure what you mean by “Social Engineering”. I do agree that good security auditors would be fascinated and perhaps appalled.

    The technique of calling thousands of times to collect pieces of information is particularly disturbing to me. I can only assume the practice has thus far been worth the effort expended. Perhaps I’m too lazy. I’m too ethical to engage in falsehood to acquire someone else’s personal information that is not in the public domain.

    It strikes me that the directory owners, RBOCs and wireless carriers, could implement some controls to limit access to their data. Someone calling and claiming to be a co-worker strikes me as insufficient to give access.

    Given the current climate in the national legislative and executive branches of government, it is unlikely that any fair and effective privacy legislation is likely to be passed into law. As such, we must do what we can to protect what little privacy we may possess, if we wish to minimize the interaction with telemarketers, other marketers, and criminals that gaining access to our information provides them.

    The only step I’ve not taken thus far that I’m aware is available is to switch from my mailbox to a post office box. Cheapness on my part is the primary impediment.

    The FCC “Do Not Call List” received my phone numbers while it was still being contested by telemarketers as a violation of their free speech.

  2. EvilT says:

    Social Engineering is at least partially capitalizing on human nature to bypass security controls. One example would be carrying a large box at a security badge keyed door so some nice person would use their badge to open the door for you (as your hands are obviously full). The effectiveness of the example can be amplified if the Social Engineer is female and the potential door opener is male, bonus points for an attractive female, extra bonus for tight clothes or visible cleavage…

    The example in the article was calling someone on the inside and convincing them that you are somehow entitled to the information and getting them to give you information they would not give you if they knew your real identity.

    I know the RBOCs (wireline carriers/the phone company) have specific governmental restrictions that preclude them from divulging customer information. I do not know of any such restriction on cellular operators.
