Social engineering – Don’t be a victim.

Don’t be a victim of social engineering

Social engineering – Reputable companies should be implementing far better security for your accounts. Unfortunately, they still aren’t accepting the blame when they are quite clearly in the wrong. Until multi-factor authentication is implemented and the practice of accepting the last four card digits as proof of identity is retracted, you are simply going to have to watch your back and be savvy about security.

Here is a recent example:

A previous owner of a Twitter account with a highly coveted handle has fallen victim to hackers, who were able to gain access to his banking details simply by using social engineering tactics.
Naoki Hiroshima, a software developer and previous owner of the Twitter account @N, now owner of @N_is_stolen, recalled in a blog post the horror of being blackmailed into giving up his @N account.
Naoki claims that, prior to the attack, he had been offered sums of up to $50,000 for his Twitter name due to the rarity of its single character, and that he would often receive emails alerting him that a password reset had been requested for his Twitter account.

One day, however, an attacker was able to get hold of it, supposedly with the unwitting help of both the international e-commerce business PayPal and the internet domain registrar GoDaddy.
Hiroshima states that, after he surrendered his Twitter account to the attacker following a series of threats to take down all of his websites, the attacker told him how he had gained access to his personal information.
The hacker stated the following in an email: “I called PayPal and used some very simple engineering tactics to obtain the last four digits of your card. I called GoDaddy and told them I had lost the card but I remembered the last four digits; the agent then allowed me to try a range of numbers (00-09 in your case).”

Naoki commented that he didn’t know what to be more dumbfounded by: the fact that PayPal had given the attacker the last four digits of his bank card, or that GoDaddy had accepted just those four digits as authentication. It comes to light that, in this case, even two-factor authentication couldn’t secure Hiroshima’s accounts. When the attacker claimed that he had lost Hiroshima’s bank card, yet could still remember the last four digits, GoDaddy allowed him to repeatedly guess the first two digits of the card number over the phone until he got them right!

Although PayPal deny giving out any information to the attacker, they have failed to produce the recording of the conversation as evidence of this, which seems rather peculiar when the recording is available to them. GoDaddy, however, admit that the agent who took the attacker’s call was manipulated by social engineering tactics into giving out Hiroshima’s card details, which the attacker could not have obtained without the last four digits of his card, supposedly gained from a member of PayPal’s customer service.
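As an added illustration that is not part of the original post, here is a defender-side check a company could run over its own phone-verification log: it flags accounts where a caller was allowed to keep guessing a card-number fragment, the failure mode GoDaddy admitted to above, and refuses to count card fragments alone as proof of identity. The log format, account ids and agent ids are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): one line per agent-assisted identity check.
# Format: timestamp,account_id,agent_id,factor,result
SAMPLE_LOG = """\
2014-01-20T10:01:00,acct-1001,agent-7,card_last4,pass
2014-01-20T10:01:30,acct-1001,agent-7,card_first2,fail
2014-01-20T10:01:45,acct-1001,agent-7,card_first2,fail
2014-01-20T10:02:00,acct-1001,agent-7,card_first2,fail
2014-01-20T10:02:20,acct-1001,agent-7,card_first2,pass
2014-01-20T11:15:00,acct-2002,agent-3,card_last4,pass
2014-01-20T11:15:10,acct-2002,agent-3,email_code,pass
"""

MAX_FAILED_GUESSES = 2          # more failures than this inside WINDOW is treated as guessing
WINDOW = timedelta(minutes=10)
# Facts that another company's helpdesk may leak (as PayPal allegedly did) must never stand alone.
WEAK_FACTORS = {"card_last4", "card_first2"}


def parse_log(text):
    """Parse the CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, acct, agent, factor, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "acct": acct,
                       "agent": agent, "factor": factor, "result": result})
    return events


def flag_guessing(events, max_failed=MAX_FAILED_GUESSES, window=WINDOW):
    """Return the set of account ids whose failed checks within `window` exceed
    `max_failed`, i.e. where an agent let the caller keep trying instead of locking out."""
    fails = defaultdict(list)
    flagged = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "fail":
            continue
        recent = [t for t in fails[e["acct"]] if e["ts"] - t <= window]
        recent.append(e["ts"])
        fails[e["acct"]] = recent
        if len(recent) > max_failed:
            flagged.add(e["acct"])
    return flagged


def verified_with_strong_factor(events, acct):
    """True only if the account passed at least one factor that is not a card fragment."""
    return any(e["acct"] == acct and e["result"] == "pass"
               and e["factor"] not in WEAK_FACTORS for e in events)
```

In the constructed log, acct-1001 is flagged for repeated guessing and never passes a strong factor, while acct-2002 passes an emailed code and is not flagged.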


Conclusion

The problem appears to be that companies such as PayPal and GoDaddy do not put in place security measures good enough to protect your information; therefore you must be very careful when using online services, and your own protective measures should include the following:

  • Not entering any addresses or telephone numbers on social media, so that hackers don’t have access to information that may help them obtain your details more easily from the likes of PayPal.
  • Contacting any online companies that hold your bank details and asking that card details never be handed over by phone.
  • Ensuring that Amazon and PayPal do not remember your card details; enter them anew every time you use their services.