    Cyber-Attackers Find It’s Easy to Trick Bank Workers to Divulge Passwords

    By Fahmida Y. Rashid - August 19, 2011
      While cyber-attackers can probe Websites to find application flaws and network holes, employees at many financial institutions are just as vulnerable to social engineering tricks.

      Why hack a Website when all it takes is a phone call to get into a customer bank account? That is the question Jim Stickley, CTO of TraceSecurity, asks when auditing the security measures in place at banks and credit unions around the country. The audits cover both physical thefts and what Stickley called “virtual thefts,” where thieves use emails and phone calls to get the passwords they need to remotely penetrate sensitive systems.

      TraceSecurity’s auditors employ the mindset of a cyber-criminal to determine what would be targeted, and what techniques would be used, Stickley told eWEEK.

      “Most of the time, it’s bank accounts,” Stickley said.

      The first step is to identify new employees, Stickley said. Finding out who just started working at the targeted institution, such as a mid-sized credit union or regional bank, is very easy in this day of social networking, as all the attacker has to do is search the targeted institution on LinkedIn.

      Once the attacker has a list of employees with a recent start date, the next step is to masquerade as a senior manager.

      “New employees are gullible. They don’t want to annoy their managers, so they just do what they are told to do,” Stickley said, adding they are less likely to question suspicious incidents when a superior is involved.

      Attackers can call the credit union’s general number directly to find out the name of a manager. The trick works best if the targeted institution is big enough to have multiple branches or offices, because then the attacker can find out the name and phone number of a manager in a different branch, Stickley said.

      “New employees are less likely to know what that manager sounds like,” Stickley said.

      With the phone number and name of the manager in hand, the attacker calls the employee directly. Software that lets people spoof their phone numbers is readily available online. With it, the attacker modifies the caller ID information so that the employee, looking at the phone display, sees a number that matches the pattern the company uses and assumes it’s a legitimate call. Since the employee already believes the attacker is a remote manager, a sense of trust is already present, Stickley said.

      The supposed manager can claim that the branch’s network is down; IT is working on the manager’s computer; or a myriad of other reasonable scenarios as to why the manager can’t log in to the network and access a customer account. “Don’t make it a big deal, just mention it and move on to the actual request,” Stickley said.

      By asking the employee what account login is being used or reading information to supposedly verify some details, the attacker has obtained sensitive information to compromise the account. The fake manager can also convince the employee to change the password to something else “for security purposes” and then promise to call back after a specified time interval to change the password back, Stickley said.

      “That’s 45 minutes for the attacker to do whatever is necessary,” Stickley said. Some attackers may even continue the masquerade by calling back and saying they were done.

      New employees don’t want to push back, so it’s important for financial institutions to “empower” them to ask questions and feel comfortable pushing back right from the start, Stickley said. Employees need to hear that it’s OK to tell managers, “No!” or all the rules go out the window, he said.

      It’s one thing to teach employees policies, but better to teach them what to do when they are asked to violate policy, especially if it’s by a senior executive or the company president. “The policy might be, ‘Don’t give out private information over the phone,’ which is good, but the reality is, when the manager asks, you don’t say no,” Stickley said. Employees need to be told to say they can’t do that, and to offer to transfer the call to a senior manager. Attackers will often hang up at this point, since the manager might know the person they are pretending to be and expose the scam.

      Another common social engineering tactic relies on email. Many institutions have a corporate directory available on the phone system. Attackers call the phone number late at night to go through the phone directory. Many systems have a quirk where if the caller doesn’t punch in the “first three letters of the person’s name,” it lists all the names matching whatever was entered.

      “So press number ‘2’ and wait a few minutes. The system will time out and then give you every name that begins with the letters A, B, and C,” Stickley said.

      The attacker can get all the names of the employees relatively fast in this way. The attacker then picks up a free email account from any email provider and sends the employees a spam message. Some companies make this step easy because they publish email addresses online, making it easy to guess what pattern the company follows, whether it’s firstname.lastname, first initial followed by the last name, or some other variation, Stickley said. If the attacker can’t figure it out, then it’s just a matter of entering every possible combination into the message’s BCC field.

      While most of the combinations will fail, at least one of the addresses won’t bounce back, Stickley said. With the list of valid email addresses, the attacker can send out messages with links to malicious Websites, downloaders or infected attachments to try to compromise at least one user. The malicious links can claim to be e-cards sent by a “secret admirer,” or messages from industry regulators or professional organizations, Stickley said.

      Another method is to pretend to be another employee sending an internal email. It’s easy to create domain names that look similar to the legitimate name, such as replacing the o in .com with a 0 to create .C0M, or dropping an “i” in the company name. At first glance, people will not notice the slightly different domain, Stickley said.
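      The look-alike domain trick described above lends itself to a simple inbound-mail check. As an added example, not code from the article or from TraceSecurity, the Python below folds common homoglyphs and flags sender domains within one edit of the institution's real domain; the domain examplecu.com and the sample From: headers are constructed.

```python
"""Flag look-alike sender domains (e.g. .c0m, or a dropped letter) on inbound mail.
Added example: the legitimate domain and sample headers below are constructed."""
import re

# Common visual substitutions (assumption: a small table suffices to illustrate the check)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize(domain: str) -> str:
    """Lower-case the domain and fold common homoglyphs back to the letter they mimic."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Jane Doe <jane@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", from_header)
    return m.group(1).lower() if m else ""


def classify_sender(from_header: str, legit_domain: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header."""
    dom, legit = sender_domain(from_header), legit_domain.lower()
    if not dom:
        return "external"
    if dom == legit:
        return "internal"
    # Homoglyph swap (examplecu.c0m) or one dropped/added/changed character (examplcu.com).
    # Short legitimate domains produce more false positives with a threshold of 1.
    if normalize(dom) == normalize(legit) or edit_distance(dom, legit) <= 1:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers for a fictional credit union
    for hdr in ["Jane Doe <jane.doe@examplecu.com>", "IT Support <it@examplecu.c0m>",
                "HR <hr@examplcu.com>", "Regulator <news@regulator.example.org>"]:
        print(f"{classify_sender(hdr, 'examplecu.com'):9s} {hdr}")
```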

      Financial institutions need to restrict Internet usage by employees, Stickley said. Most employees generally need to access a handful of sites, and don’t need to be able to go to so many places on the Web during the course of their workday, he said.

      “Lock down the sites and 90 percent of the risks go away,” Stickley said. When users can’t go anywhere other than approved sites, the only threat with this kind of social engineering attack is the malicious attachment, and most organizations are “smart enough to strip out the malicious payload,” said Stickley.

      Most organizations can afford to run two networks and tell users that if they want to access the general Web, they should use the system dedicated to Web surfing, Stickley said. The Web surfing machines should not have any access to internal systems or sensitive data. It’s similar to how the intelligence and defense industries have a classified and an unclassified network, he said.

      “The risk is too great that you can’t just let users go anywhere they want,” Stickley said.
