Identity Theft Attacks

Sat, 07 Feb 2009 13:19:09 GMT
by pdp

"Work with the system rather than against it." I have always been a big fan of this approach, as it has proved successful every time it was put into practice.

So you receive one of these phone calls. The girl on the other end introduces herself as Jessica Smith. The company has something to do with financing. The conversation goes as usual. She explains that she is calling in regards to a recent well-known court case in the UK in which major banks were made to return to their customers various service charges they had collected over the years, plus 8% interest, for up to £1000. She will send you the forms, which you have to fill in and send back. The background noise from her side hints at a busy call center. It feels legitimate. In fact, it feels like you are getting a call from your bank. All that you have to do is give away just your address and full name, and this is only because of the Data Protection Act, as you are kindly informed on the phone.

Most people will happily give away all the information. A reasonable person should ask for confirmation that the person on the other end is in fact entitled to receive personal information. Unfortunately, most of the time you cannot get such confirmation, because in order to confirm anything they first need your details to unlock your record, even though the organization that is calling you is completely legitimate and already has your details. Complicated! So you end up in a very awkward, twisted situation where there is no way out.

The best way to deal with it is to ask the person on the other end to give you their details. Then you have to do some research, and if all looks good you can pretty much trust them to a degree, depending on your liking. It is not very convenient, is it?

The problem here is in the process. Situations like the one described above happen every day, and this is the problem: we get used to the process in the system. Obviously the system is flawed, and as such it can be used for illegitimate purposes quite easily. I imagine a typical identity theft attack may unfold like this:

  1. Ring a random number. Simulate background noise from a call center. Tell the victim a whole lot of crap about the Data Protection Act and how you really care about it, but unfortunately you have to get their name and address.
  2. Send them mail. This stage softens the next cold call.
  3. Ring them again. Get more information.
  4. Repeat all steps until you are satisfied!

Nigerian scammers are way behind similar attacks, which in my opinion should be a lot more successful.

Archived Comments

David Kierznowski
There is currently a targeted scam in the UK where the chaps phoning you already have your address and part of your bank details. It's so much easier to fall into this trap if the guys on the phone already know a fair bit about you before you even start the conversation.
Perhaps ask the caller to send a digitally signed email. Another option could be to provide you with a piece of your information that no one else would know. A simple right or wrong scenario. The caller would ask if your first three SSNs are ###? If they are not, hang up. If they are, proceed. Personally I like the digitally signed email better.
Shoaib Yousuf
Recently I was investigating a case in which a scammer sent out a PayPal phishing email to a user. The user was fooled and gave out all his details except his credit card numbers. The scammer rang the user, as he had all the details from the phishing email, pretending to be calling from PayPal. He mentioned, "we sent you an email but unfortunately you didn't provide a valid credit card number"; the user thought this was a legitimate call and gave his credit card details. After one month, he noticed 3k in fraudulent charges on this credit card, plus he lost his identity. Shoaib
I concur that the problem is in the process, but perhaps the best defense is to avoid the temptation of giving personal information on the phone unless you can verify the legitimacy of the person at the other end.
Sometimes credit card DBs get compromised, but the PANs are split across different DBs as a defense-in-depth mechanism. This is why in some carding forums you can only buy partial credit card #s. The reason why scammers buy them is that it allows them to perform targeted attacks where the victim feels the attacker is a legitimate entity because some info is previously known (even if that info is not complete). Think of customized phishing over email and phone.
Abhinav Vaid
As a rule of thumb, I think one should never ever disclose any personal information over the phone, irrespective of what the caller says/claims. The only exception could be if you've identified the number (caller ID), and hence know the caller. Although giving SSNs or credit card numbers (especially the latter one) is like giving a blank cheque to a professional cheat.