Security 101

I don’t pretend to be a security guru, but over the last few years I have had some specialist training in this area. I’ve also read a number of books on various security topics and have developed a bit of an interest in the subject. As a result, I tend to look at things a bit differently now – and sometime what I see really gets me wound up.

This morning, I received a telephone call from someone that said he worked for the credit card fraud section of one of the main UK banks. Our company does have an account with them (we actually use several banks) and we get company credit cards through this particular bank. These are used for a number of things – minor expenses, making travel arrangements, increasingly to buy things on-line. It makes life easier, and the credit control staff in our accounts department can track the charges much more easily than though petty cash arrangements.

The person that phoned explained that he wanted to query a particular payment – not a problem. But then he said that he needed to go through some security checks to make sure that I am the right person to talk to. He asked for the card number, my date of birth, account password plus some other items – effectively everything that a crook would be able to use to pretend to be me. At that point I refused point blank – he has phoned me, and I have no way of knowing if he is in fact anything to do with the bank.

I tried to explain this to him – but clearly he was reading from a script and couldn’t deviate from the process. So I insisted that I wouldn’t discuss anything further and hung up. I then phoned their helpline (the number was on the back of the card) and was put into an automated system. Eventually, I got through a nice young lady who explained that she couldn’t put me through to that department; they only work via outgoing calls and will not accept an incoming calls “for security reasons”.

As it happens, she was able to check the required details and I was able to confirm that the transaction was OK. But I have to say that there is something fundamentally wrong with the way that this bank are working. I tried to get put through to someone to discuss this – they refused point blank. In fact it appears that the only way I can register my concerns is in writing – a letter is going to go off to them tonight and I’ll update this blog to let you know what they say.

To indicate why I’m so uptight about this, I should explain that a while ago a I bought a copy of the book “The art of deception” by Kevin Mitnick. I was a bit ambivalent about this to begin with, as I don’t think it is right to reward someone for bad behaviour; but I wanted to understand how he achieved the various expolits that he got away with. Although some of the descriptions of his activities are now out of date or only relate to things in the US, the majority of the principles are actually very relevant today.

In the book, he described how he managed to obtain information by talking to several people, using one piece of information obtained from one person to persuade someone else to reveal another and so on until he got just what he needed. In this way, he gained access to a lot of really sensitive information, and if he had wanted could have caused a lot of trouble. What is so disturbing is how easy he found it all.

In my case, I refused to pass over the information and then took steps to verify the person was who he said he was – but it appears that the bank don’t want to work that way and in fact try to prevent a fairly sensible set of precautions. Worse they are propagating a method of verification that is open to abuse, and it is likely that if the average person sees that the bank do it a specific way, they will assume it is OK and not question someone else that telephones them, potentially leaving them open for a security breach.

Social engineering is a fact not a theory – and that is why so many people still fall victim to scams and the quantity and quality of spam we get is testament to the amount of money that is involved, and the number of people that regularly fall prey to these crooks. The risks are well known and I would expect those people that are involved in areas of security to understand this. If they don’t follow good procedure, how are the rest of us going to enforce it at our level?