Make Your Data Worthless to Defend Against Social Engineering

Ben Rafferty – Global Solutions Director

Companies today are investing more and more in defending their IT estates

According to the SANS Institute, about 9 percent of IT budgets will be allocated to security in 2016, up from 4 percent in 2014. As companies invest in measures to quickly identify and remedy holes that hackers could potentially exploit, criminals constantly have to find new ways to attack and infiltrate networks.

However, security involves far more than just technology. It also involves people and processes. We, as individuals, are the most obvious weakness, and cyber criminals are already well aware of our human flaws. Through social engineering tactics such as phishing, people are convinced and tricked into potentially installing malware and ransomware on their computers, and even cell phones, every-day. We are learning to cope and train ourselves to identify these targeted social engineering tactics, but there’s one tactic still flying well below the radar.

Today, we are far less likely to actually use our credit and debit cards at the point-of-sale

Digital disruption in the financial industry has led to a rise in third-party payment systems. Tools such as the Amazon Store Card, Apple Pay, and Google Wallet have become our new best friends and the physical use of cards could feasibly become obsolete.

Mobile payments and digital wallets are certainly convenient, but when our bank information reaches the contact centres that facilitate these interactions, it can be a gold mine for fraudsters and cyber criminals.

When callers or online visitors provide a contact centre with accurate information, (or at least what the contact centre agent is presented as accurate information!), it’s often all they need to pass through the Identification and Verification process as the legitimate owner of a bank account. Unfortunately, legitimate personally identifiable information (PII) is increasingly easy to come by, given the rise of data breaches exposing PII. This type of socially engineered attack on a contact centre is so effective that criminal groups have begun to systematise these intelligent attacks.

For example, Voice Phishing (Vishing) calls involve a series of phone calls to a contact centre to slowly gain incremental access to an account or turn off alerting by warning of an impending “trip out of town”, or update (or plant!) PII to incorrect but known information to the “vishers”, potentially locking out genuine account holders!  In just about two or three phone calls, criminals are able to escalate privileges into user accounts and commit fraud. This type of attack is incredibly difficult to identify and defend against. One contact centre could have many thousands of agents and it’s highly unlikely that an attack series would reach the same agent twice.

The latest advice from NIST’s most recent documentation on Digital Authentication Guidelines, challenges Knowledge Based Authentication – KBA – (or pre-sharing secret information like “Mothers Maiden Name?”) to access accounts, so this is an evolving challenge in the market, which has yet to be properly addressed without looking to implement costly to enrol identification programs or dongle based dual factor authentication, which most non-banking companies feel is over the top for their organization and gets in the way of doing business.

Unfortunately for US businesses and consumers, things are likely to get harder before they get easier. A recent countrywide move to chip card technology has the potential to grow the threat of these attacks. While the transition is intended to help reduce overall fraud rates — its introduction in the UK reduced card-present fraud by 32.5 percent in seven years — the reality is that it is more likely to simply shift the ways fraud occurs. Fraud that leverages a contact centre environment is exactly where most new fraud attempts will occur, a trend already seen in the UK, according the UK Payments Administration.

Humans have always been, and always will be, the weakest link in the security chain

Contact centres must do everything to try to ensure that criminals are not socially engineering their employees. Measures can be put in place to prevent the stealing of payment card and personal information, even if humans fail to detect the attacks. Simply leaving data in some format unusable by the criminals is one of them. For example, tokenization can be used to replace sensitive data with a unique and meaningless equivalent that has no exploitable value, known as a token. This token is then stored by a tokenization system and acts as an empty stand-in and director to the sensitive information.

Despite advances in technology, the human element is always going to be a potential security threat. Acknowledging and preparing for the eventuality of a breach is the only true way an organization can combat social engineering and protect its data.

For more from Ben on social engineering take a look at his article in Business Solutions