Tag Archives: scott aurnou

‘Phone Spoofing’ – Yes, It Can Happen to You

Not so long ago, a senior executive at Insurance Thought Leadership received a phone call on his smartphone in which the caller claimed to be returning a call.  The ITL executive politely let the caller know that he hadn’t called. Then came another “returned” call… and another. Each caller said he had received a call from the ITL executive’s mobile number and that the caller hadn’t left a message. All told, the ITL executive received about a call a day for about a week.

Naturally, he called his mobile provider to find out what was going on. The provider said it sounded like “phone spoofing.”

How It Works

Spoofing is effectively falsifying a piece of identifying information, like a return email address. “Phone spoofing” relates to the number that shows up on caller ID — someone appears to be calling from that number but doesn’t own that number and is really calling from somewhere else.  Spoofing is used to trick people into picking up calls they otherwise wouldn’t (and get around the National Do Not Call Registry). For a shady caller from outside the area – and often the country – a local number is less likely to raise suspicion.

The real target of the scam is the person on the receiving end of the spoofed call. In the past year, attorneys general in Arkansas, Ohio, Pennsylvania and Rhode Island (among others) have all issued warnings related to phone spoofing scams.

If the recipients do answer the calls, they’re treated to a lovely conversation with ethically challenged telemarketers, debt collectors or scammers. And, as with most sketchy callers, they don’t leave a message if the target doesn’t answer. If the recipients are curious about who called, all they have to go on is the spoofed (false) number that appeared in their caller ID. The result: numerous angry “return” calls to the wrong person. In effect, the real owner of the spoofed number is collateral damage.

Spoofing technology is unfortunately cheap and widely available. As a result, anyone with a smartphone can be a victim — though the scam works just as well on landlines.

What to Do to Protect Yourself

The Truth in Caller ID Act of 2009 prohibits anyone in the U.S. from “knowingly transmit[ting] misleading or inaccurate caller identification information with the intent to defraud, cause harm or wrongfully obtain anything of value….” The act also includes penalties of as much as $10,000 per violation, and related FCC rules note that telemarketers are supposed to display an accurate phone number that can be called during regular business hours.

That all sounds good, but… there are a couple of problems with this scenario as it plays out in the real world. The nature of phone spoofing can make it tricky to figure out who actually made the call in the first place. Moreover, many of the perpetrators are based outside the U.S., effectively placing them beyond the reach of the law. While there has been an attempt to enact an updated version that expands the law’s reach to include calls made to recipients in the U.S. from outside the U.S., it’s naturally moving at the speed of Congress. And, of course, enforcement of that law against telemarketers, etc. based overseas will present an additional hurdle.

Another issue to consider: The FCC tends to view the recipient of the call as the primary victim of a phone spoofing scam. Consequently, “the intent to defraud, cause harm, or wrongfully obtain anything of value” noted in the Truth in Caller ID Act focuses on actions taken against the recipient of the call (as opposed to real owner of the number in question).

In a somewhat related matter, in late 2013 the Federal Trade Commission (FTC) decided not to amend its Telemarketing Sales Rule to address caller ID spoofing because it didn’t believe that the proposed changes would have any effect on the problem.

As you may have guessed by now, stopping this isn’t easy. It’s fairly difficult – if not impossible – to completely eliminate the risk of having your number used in a caller ID spoofing scam. One step you can take to decrease the likelihood is to reduce the number of places in which your phone number can be found online. In effect, don’t give out your number unless you have to. This includes web contests and other online forms. And if it is required for an online purchase, don’t save that information for next time. That way it – and your credit card details – won’t be there to steal if an intruder subsequently breaks into the retailer’s network.

What to Do if It Does Happen to You?

For starters, you can file a complaint with the FCC.

But, although it’s unlikely that the information on your smartphone itself has been compromised (unless there is an additional, unrelated intrusion), your realistic options are unfortunately somewhat limited once your number is used as part of a spoofing scam.

1) You can block incoming calls, leave a message explaining what happened and, in effect, hope it stops before too long; or

2) You can change your number. Of course, that also means notifying friends, family and professional contacts (and perhaps changing your business cards, too).

If you don’t feel safe, you can also take the extra step of changing your passwords (which is never a bad idea).

And if you would like more information, you can check out the FCC’s Caller ID and Spoofing page.

The silver lining here is that phone spoofing doesn’t equate to your phone – or the data on it – being accessed by someone else. Of course, that doesn’t make it any less annoying or disconcerting if it happens to you.

Happy Ending

In the case of the spoofing against the ITL executive, the system worked as well as possible. The authorities, working with the carrier, tracked the spoofing back to a scam artist in Germany, and an arrest was made.

How Stolen Credit-Card Data Is Used

Reports of high-profile data breaches have been hard to miss over the past year. Most recently, it was a breach involving 56 million customers’ personal and credit card information at Home Depot.

This is just the latest volley in a wave of sophisticated electronic thefts including Target, Neiman Marcus, Michael’s, P.F. Chang’s and Supervalu. Much like in the other attacks, the suspected culprit in the Home Depot data breach is a type of malware called a RAM scraper that effectively steals card data while it’s briefly unencrypted at the point of sale (POS) to authorize a transaction.  Reports of this type of attack have become increasingly common in the months since the Target breach.

Whether the cause is a RAM scraper or an “older” threat like a physical skimmer placed directly on a POS machine used to swipe a credit or debit card, a phishing attack, or customers’ card information being stored insecurely, the result is the same: Credit card data for millions of people winds up in the hands of criminals eager to sell it for profit. How does that process unfold? And how can you – or people you know – get sucked into it?

The Basic Process: The journey from initial credit card data theft to fraudulent use of that data to steal goods from other retailers involves multiple layers of transactions. The actual thief taking the card numbers from the victim business’ POS or database doesn’t use them himself or herself.

First, a hacker – or a team of them – steals the credit card data electronically. Most of these schemes begin in Russia or other parts of Eastern Europe, and much of what you might call the “carding trade” is centered there.

Next, brokers (also referred to as “re-sellers”) buy the stolen card numbers and related information in bulk and trade them in online carding forums. A hacker may also sell the card data directly to keep more of the profits, though that’s riskier and more time-consuming than using a broker. These exchanges are found on the dark net (aka the dark web). That’s a part of the Internet you won’t find through Google, where all manner of illegal and unsavory things can take place. Online prices vary depending on:

  • The type of card,
  • Credit limit (if known),
  • How much additional data is available (CVV codes from the backs of cards and associated Zip codes make stolen cards more valuable),
  • The card owner’s geographic location (a fake card used in the vicinity of the legitimate card holder is less likely to raise suspicion), and
  • How recently the cards began appearing in the carding forums (which relates to the likelihood of card cancellation).

Prices for the individual cards have come down significantly in the past few years because of the sheer amount of records available, though brokers can still do quite well from bulk sales of card data. Despite being on the dark web, many of the brokers conduct themselves like regular online businesses and will provide replacements or the equivalent of store credit if cards purchased from them don’t work.

The people who buy the card data from the brokers are called “carders.” Once the carders have the stolen card data, there are at least two distinct variations on the scam:

1) Physical, in-store purchases using fake credit cards.

2) Stolen card numbers used to charge pre-paid credit cards that are, in turn, used to purchase store-specific gift cards (which are less suspicious than general gift cards). Purchases are made online.

Variant 1 (“Mystery Shopper”): This variation starts with carders printing up the fake credit cards for use in stores. Once they have the stolen card data, the equipment needed to make the fake cards isn’t that expensive. The carder then usually works with one or more recruiters to find people to use the fake cards (though a carder may do the recruiting himself). The enticement to get people to use the fake cards will generally be in the form of email spam and ads in Craigslist or similar sites offering easy money to be a “mystery shopper” or “secret shopper” as part of a “marketing study” or some other semi-plausible justification.

Not surprisingly, the items purchased tend to have high resale value. After the physical purchases are made, the “mystery shopper” can either send items to the recruiter/carder (generally via a secure drop site like a vacant office) or directly to someone who has “purchased” an item via an auction site in response to a posting from the recruiter/carder. If sent straight to the carder, she then auctions the items directly on eBay, Craigslist or an underground forum on the dark web.

The people who actually make the purchases with the fake cards may have no clue what they’re involved in (though sometimes they’re active participants in the scheme or simply low-level criminals looking to use the cards for themselves). They are effectively the “drug mules” of the credit card scam, taking the most risk and getting paid the least.

You’ve probably seen one step retailers take to try to stop in-person card fraud. On a counterfeit credit card, the numbers on the magnetic stripe and the front of the card generally don’t match — it’s too expensive to create individual fakes. Some retailers have their personnel type the last four digits on the physical card into the register after the card is swiped. If the numbers don’t match, the card is rejected as a fake.

Variant 2 (“Re-shipping”): Rather than making physical cards, in this variation carders use the stolen card data to purchase pre-paid credit cards that are then used to buy store-specific gift cards (Amazon, Best Buy, etc.). As with the “mystery shopper” scheme, recruiters typically use ads and spam emails to entice people, though this time it’s people (especially in the U.S.) seeing “work from home” promises. Sometimes, the recruiters will employ a more personalized approach, even going so far as to start a fake “relationship” with the intended target. Then — wait, there’s more — the gift cards are used to purchase items online, and those items are shipped to the people responding to the ads, spam or “relationship” overtures. That’s where the “work from home” angle comes in.

The people initially receiving the packages directly from an online retailer are called “re-shippers.” People in the U.S. are used because U.S.-based addresses raise fewer red flags with the retailers. Like the “mystery shoppers,” the re-shippers are the drug mules here (and they are sometimes referred to as  “money mules” or “shipping mules”). And, as with the “mystery shopper” scheme, re-shippers can either send items to the recruiter/carder or directly to someone who has “purchased” the item through an auction site.

While this may sound a little convoluted, the shell game-like nature of using one card to buy another and then another makes it more difficult for stores to catch onto this scheme before the purchase has already been made and shipped out.  After that, it’s generally too late.

Cyber Risk: Are You the Weak Link?

In 2012, a young scam artist based in Asia posing as a private investigator simply purchased the personal information for more than 200 million users directly from credit reporting giant Experian and then posted it for sale online. The only reason we know about the incident is that the U.S. Secret Service caught it.  Experian didn’t.

Cyber criminals know that the weakest link in most computer networks is the people using them. Verizon’s highly respected Data Breach Investigations Report has repeatedly noted that most attacks start with employees. Attackers use “social engineering” to trick their victims into allowing unauthorized system access, data theft and even specialized stealthy attacks used to quietly steal massive amounts of sensitive data over time. These attacks frequently exploit our natural tendency to want to help others. They can be in person, electronic or over the telephone, and there are a variety of ways they can be used to take advantage of you:

“Phishing” attacks are designed to steal your personal, financial or log-in information through an email, text message (referred to as “smishing”) or even an automated phone call (“vishing”). The attacks often appear to come from well-known and trusted companies like banks, airlines or industry groups and contain attachments or links to websites that look legitimate but are really there to steal account log-in information or host malware ready to attack the recipient’s computer as soon as he clicks on any of the links. These emails and messages can also be used to lure victims into contact with scam artists posing as potential clients or officials offering to release substantial funds if only the target would be so kind as to hand over detailed personal information or a sum up front.

A spear phishing email is a personalized version of a phishing attack looking for the weak link in an otherwise strong network. It will be aimed at a specific target (rather than a general phishing email intended to ensnare whoever falls for it) and typically includes personal or professional information to make the recipient trust the sender. These details can come from online sources like LinkedIn, Facebook and other social networks, from information available via business-related websites, and from particulars obtained directly from coworkers via social engineering.

Spear phishing emails often appear to come from a familiar source like a friend, family member, colleague or a business you deal with regularly. This is because of a process known as “spoofing,” in which the actual sender hides his identity, and the “from” field in the email shows the fake sender’s name, not the real one.

The data breach at Forbes earlier this year began with an early morning spear phishing attack against a senior executive.

Whaling is an attack that deliberately goes after senior executives, partners and other high-profile targets within a business. The idea behind this approach is that these targets are “big fish” who have wide access within the network yet may not take the precautions needed to keep their own accounts secure.

Pretexting is effectively in-person phishing to gain information or access to a restricted area. The term “pretexting” refers to the setup used to convince the target that there is a justifiable reason (or pretext) to divulge the information or access the person is after. These attacks can take a wide variety of forms, often revolving around someone (or a team) creating a distraction or masquerading as someone who could have legitimate access to the system they’re targeting. It could be someone who claims to be from “corporate,” a fake contractor, fake IT personnel or something as random as a “fire inspector” allegedly checking the office for imagined safety hazards while an assistant/accomplice surreptitiously places devices to monitor or siphon sensitive data from the victim network.

Another in-person bit of trickery is “tailgating.” That’s when someone who claims to have forgotten their company ID, etc. asks you to hold the door behind you, allowing him into a restricted area. The same term is also sometimes used to describe someone asking to briefly borrow your phone, tablet or laptop to check something quickly and actually downloading malware instead.

Live social engineering attacks can also come by phone, such as fake “technical support” calls offering to fix imaginary problems with your computer if you will just allow the caller to briefly take control of it remotely.

Baiting is a type of attack in which a piece of portable electronic storage media like a CD-ROM, laptop or USB stick drive is left at or close to the target’s workplace to tempt the curious victim into seeing what’s on it. These will often include an official-looking logo or markings to make them especially tempting. How curious would you be to look at something labeled “Senior Executive Compensation – 2014” (with your company’s logo on it)? Of course, once the disc, laptop or stick drive is connected, it will quietly download malware onto the network.

And, yes, this initial intrusion into the network will likely be traceable back to you.

What can you do to avoid being the weakest link? The one thing these attacks all have in common is that they rely on you to go along with the story they’re selling. The single best thing you can do whenever you receive an unsolicited electronic message or call from a business or someone you don’t know personally is to assume that it’s fake. Never click on links, open attachments, call phone numbers or use any other method of contact contained in any unsolicited emails, texts or calls. If you think the email, etc. could be legitimate, contact the alleged sender via phone or their official website.

If an email that appears to be from someone you know seems out of character, unexpected or strange in any way, give the sender a call to see if it really came from her.

When someone asks you to help her access something – or someplace – restricted, ask yourself why she needs your help. Also, it never hurts to take a moment to check out the story you’re given. A quick phone call (not using a number she gives you) can derail a social engineering attack before it starts.

Tempting though it may be, opening that conveniently abandoned stick drive, etc.  yourself is a bad idea. Take it to your company security or IT personnel.

Speaking of which, an IT department can (and should) take steps to help protect a network from electronic intruders, including the installation of network security software, but don’t forget that the first line of defense against a social engineering attack is you.

3 Ways to Protect Sensitive Messages

“Delete this email if you are not the intended recipient.”

That and similar language theoretically sounds imposing but essentially does nothing to protect sensitive data from any nefarious actors who view it (though they may get a good chuckle before reading the email).

Yet almost 90% of attorneys surveyed by LexisNexis for a study it published in May 2014 on law firm security acknowledged using email to communicate with clients and privileged third parties. The vast majority of attorneys surveyed also acknowledged the increasingly important role of various file sharing services and the inherent risk that someone other than a client or privileged third party could gain access to shared documents. Yet only 22% use encrypted email, and 13% use secure file sharing sites, while 77% of firms rely on the effectively worthless “confidentiality statements” within the body of emails.

Technology Basics

To explain the right approach, I need to start with some technology basics.

How does email actually work?

By its nature, email is not a terribly secure way to share information. When you send an email, it goes through a powerful, centralized computer called a server on its way to a corresponding email server associated with the recipient’s computer or mobile device. The email passes through any number of servers along the way, like a flat stone skipping across a pond. If that email isn’t encrypted, anyone with access to any one of those servers can read it.

What is encryption?

Encryption is the use of an algorithm to scramble normal data into an indecipherable mishmash of letters, numbers and symbols (referred to as “ciphertext”). An encryption key (essentially a long string of characters) is used to scramble the text, pictures, videos, etc. into the ciphertext. Depending on how the encryption is set up, either the same key (symmetrical encryption) or a different key (asymmetrical encryption) is used to decrypt the data back into its original state (called “plaintext”). Under most privacy and data breach notification laws, encrypted data is considered secure and typically doesn’t have to be reported as a data breach if it’s lost or stolen (so long as the decryption key isn’t taken, as well).

Three Methods to Secure Email

1) Encrypted email. Properly encrypted email messages should be converted to ciphertext before leaving the sender’s computer or mobile device and stay encrypted until they are delivered to the recipient (remaining indecipherable as they pass through each server along the way). This approach is referred to as end-to-end encryption.

Until fairly recently, email encryption has been a somewhat technical and cumbersome process, often requiring both sender and recipient to use matching encryption programs and carefully manage their own encryption keys. Now, there are plenty of encrypted email offerings from larger commercial companies, as well as a number of new and interesting email encryption services that have become available in the wake of disclosures made by Edward Snowden.

When choosing one, be mindful of where the service you use is located (including where the servers handling the emails on the system actually are). Snowden used a well-regarded U.S.-based encrypted email provider called Lavabit. Not long after Snowden’s revelations came to light, federal law enforcement forced Lavabit to secretly turn over the encryption keys safeguarding its users’ private communications. Lavabit’s founder tried to resist but was overwhelmed in federal court.  As a result, he shut down the service. Another well-regarded service called Silent Mail followed suit shortly thereafter as it felt it could no longer ensure its customers’ privacy. Both have since relocated to Switzerland and are planning to introduce a new encrypted email service called Dark Mail.

Larger companies offering encrypted email services typically control the encryption keys and will decrypt data before turning it over in response to a warrant or subpoena (including one coupled with a gag order). In addition, email service providers can legally read any email using their systems under Title II of the Electronic Communications Privacy Act, referred to as the Stored Communications Act. Moreover, emails remaining on a third-party server for more than 180 days are considered abandoned. Any American law enforcement agency can gain access to them with a simple subpoena.

Accordingly, if you choose to use a service based in the U.S. or another jurisdiction with similar privacy protections, be mindful of who controls the encryption keys.
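To make the “end-to-end” and “who controls the keys” points concrete, here is a small added illustration (my own example, not code from any of the services mentioned): the sender scrambles the message with a fresh symmetric key, wraps that key to the recipient’s public key, and a relaying server in the middle is left with nothing it can read. Key sizes, the RSA-OAEP/AES-GCM pairing and the sample message are my assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is everything a relaying mail server gets to see: the message key
// encrypted to the recipient's public key, the AES-GCM nonce and the
// ciphertext. Neither the plaintext nor a usable decryption key is in it.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal is the sender-side step of end-to-end encryption. A fresh random key
// scrambles the message (symmetrical encryption, AES-256-GCM), and that key is
// then encrypted to the recipient's public key (asymmetrical encryption,
// RSA-OAEP), so only the holder of the matching private key can recover it.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open is the recipient-side step: unwrap the message key with the private key,
// then decrypt. GCM's authentication tag makes any tampering in transit fail
// here instead of silently yielding garbled plaintext. Whoever holds the
// private key can run this, which is why a provider that keeps the keys can
// decrypt on demand.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RelayCanRead models a server along the hop-by-hop path that has no private
// key: all it can do is inspect the bytes it is relaying.
func RelayCanRead(env *Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext) || bytes.Contains(env.WrappedKey, plaintext)
}

func main() {
	// Constructed sample: the recipient's key pair, generated on the recipient's
	// own device so that nobody else ever holds the private half.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("Privileged: draft settlement terms attached") // constructed message
	env, err := Seal(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("relay sees plaintext:", RelayCanRead(env, msg))
	got, err := Open(priv, env)
	fmt.Printf("recipient reads: %q (err=%v)\n", got, err)
}
```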

2) Secure cloud storage. Another way to securely communicate or share files with a client or privileged third party is to place communication and files in encrypted cloud storage and allow the client or third party to have password-protected access to them. Rather than a direct email with possible attachments, the client or third party would receive a link to the securely stored data. The cloud service you select should be designed for security. Before you ask: Dropbox and Google Drive would not be suitable options. There are a number of services offering well-protected cloud storage, and it’s important to do your due diligence before selecting one. If it all seems a bit much to figure out, two services I would recommend looking into are Cubby and Porticor.

3) Secure Web portal. A third approach is to place communications and files in a secure portion of your firm’s network that selected clients and privileged third parties can access. As with the secure cloud storage option, the email sent to the client or third party would have a link back to the secure Web portal’s log-in page. An advantage to this approach is that the communications and files do not actually leave your computer network and should be easier to protect.

An additional consideration: A government snoop or competent hacker doesn’t necessarily have to target a message while it’s encrypted. A message that is protected by strong encryption when it’s sent or held in secure cloud storage can still be intercepted and read once it has been opened or accessed using a mobile device or computer that has been compromised. The same holds true for intercepting a message before it’s encrypted initially. What steps can you take to protect yourself? The software on any computer or other device that can potentially access confidential data should be kept as up-to-date as possible. Devices should be protected against possible data loss if they are lost or stolen. And all firm personnel should have regular security awareness training with respect to social engineering and other threats.

At the end of the day, there is no single silver bullet to provide perfect security. But there are genuinely helpful steps that you can take to better protect your electronic communications and keep your sensitive data confidential.

The 7 Keys to Strong Passwords

Creating a strong password may seem like a chore, but sometimes it can literally be the only thing standing between a cybercriminal and your personal and financial information or access to your company’s network and intellectual property. Here are some tips for creating a strong password (that you can actually remember):

1) The most important factor in creating a secure password is length. A longer sequence of characters (letters, numbers and possibly punctuation marks) means more possible combinations to help thwart an attacker. The absolute minimum should be 12 characters. If a password has eight characters, for example, modern password cracking software will break it in a matter of hours. A difference of four characters in a password may not seem like much, but there is a huge increase in the number of possible combinations it will yield (and hence attempts that the cracking software will have to make before it can break the password in question). Even if only letters and numbers are allowed, there are 14 million times as many combinations with a 12-character password vs. an eight-character one. If punctuation marks are included, the 12-character password is 81 million times as hard to break. Simply put, longer passwords are always better.
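Where the two ratios above come from, worked out here as an added note (my assumptions: 62 symbols for letters and digits, 95 for the printable ASCII set once punctuation is allowed). Going from 8 to 12 characters multiplies the search space by the alphabet size raised to the four extra positions, whatever the alphabet:

$$\frac{62^{12}}{62^{8}} = 62^{4} = 14{,}776{,}336 \approx 14.8\text{ million}, \qquad \frac{95^{12}}{95^{8}} = 95^{4} = 81{,}450{,}625 \approx 81\text{ million}.$$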

2) Use a nonsensical (or completely personal) passphrase. You can pick a password that is both easy for you to remember and hard for an attacker to figure out. If you really want to, you can mix in random characters like $, @, etc., though hackers are well aware that people try this trick. Truth be told, it’s really the length that makes a passphrase difficult to crack, so the special characters will essentially make the password more difficult to remember while not making it any harder to break.

When creating your phrase, make sure it really is unique to you (or genuinely random). Avoid famous literary quotes and song lyrics – hackers can check for those. A good nonsensical passphrase might be something like: CyanStapleWashingtonBanana44 (don’t use this exact one – or any other suggestion you see online. Hackers can find those, too). A personal phrase can be effective because it relates to something that’s memorable to you. Just make sure it isn’t a widely known event. Perhaps you can use that time you were surprised at the aquarium: “BlueLobstersAreReal!” It’s long enough that a machine won’t break it anytime soon; no one is going to guess it; and you will remember it.

3) Don’t use the same password for multiple sites. Reusing passwords is known as “daisy-chaining.” If one account gets compromised, it will instantly expose others with the same (or a similar) password to attacks.

4) Don’t have a file or email called “passwords” anywhere on your computer (or saved in an email). These are easy for a hacker to find.

5) Change passwords regularly – perhaps every few months. If a database storing a site’s passwords has been compromised (which is often not discovered right away), changing a given password makes it effectively useless to an attacker even if it’s stolen and eventually cracked.

6) Use “multi-factor authentication” whenever it’s available. Additional “authentication factors” are just ways to ensure you are who you say you are. This can mean something like a fingerprint scanner or a code sent to your phone via text message that is then entered in addition to your password. If an attacker only has your password, she still won’t be able to get access. If you’re curious to see what this looks like in practice, Google has a good explanatory video on the subject.

7) Avoid using security questions, if you can. Frequently, these questions are used as a way around the dreaded “I forgot my password” problem. The questions may sound helpful, but they almost always focus on information that can be found elsewhere online (where you went to school, pet’s name, favorite color, etc.). Any hacker will know to look for this information and can use it to get into your account – and potentially lock you out. Unfortunately, some sites require you to use the questions. If possible, try to select questions that don’t have just a few or even a single answer that a hacker can find (your mother’s maiden name, for example).

Remember that there is no such thing as an impervious system, but that doesn’t mean you should make it easy for attackers. If you’re a difficult target, they may well move on to an easier one.