adityasnv asked:
Security Compliance regulations and guidelines require a Telephone engineers to create an Information Security Program designed to protect confidential information, including Non-Public Personal Information (NPPI). Failure of employees to follow the security policies and procedures of the organization is a major vulnerability to an Information Security Program.
Social Engineering by Phone
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.
Social Engineering by Phone
The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense. Here’s a classic PBX trick, care of the Computer Security Institute: “’Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me.’” And here’s an even better one: “They’ll call you in the middle of the night: ‘Have you been calling Egypt for the last six hours?’ ‘No.’ And they’ll say, ‘well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2,000 worth of charges from somebody using your card. You’re responsible for the $2,000, you have to pay that…’ They’ll say, ‘I’m putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I’ll get rid of the charge for you.’ People fall for it.” .
Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to gain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole.
The facilitator of a live Computer Security Institute demonstration, neatly illustrated the vulnerability of help desks when he “dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?…Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant.
A variation on the phone theme is the pay phone or ATM. Hackers really do shoulder surf and obtain credit card numbers and PINs this way. (It happened to a friend of mine in a large US airport.) People always stand around phone booths at airports, so this is a place to be extra cautious.
IVR or phone phishing
This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate sounding copy of a bank or other institution’s IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the “bank” via a (ideally toll free) number provided in order to “verify” information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning. One could even record the typical commands (”Press one to change your password, press two to speak to customer service” …) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
What is IVRS
An Interactive Voice Response (IVR) system I a computerized system that allows a person,typically a telephone caller, to select an option froma voice menu and perform transactions with a computer system. This can be as simple as obtaining account balances or as complex as performing sophisticated transactions. An IVR system plays a pre-recorded voice prompt and the caller presses a number on a telephone keypad to select the option, or speaks simple answers such as “yes”, “no”, or numbers in response to the voice prompts. Database Systems Corp. (DSC) is a leading provider of computer telephony integration products including automated call answering services and IVR phone systems. DSC turnkey IVR systems are composed of Intel processors with embedded Windows OS from Microsoft Corporation. These systems also include Dialogic computer telephony boards. DSC also provides complete Windows IVR software that lets you develop your own call answering applications. DSC can likewise perform custom ivr application development for you. From simple to complex phone applications, DSC personnel can design, develop, test and implement your phone campaign quickly and have your phone program in place with a minimal amount of time IVR Voice Messaging
Website content
Security Compliance regulations and guidelines require a Telephone engineers to create an Information Security Program designed to protect confidential information, including Non-Public Personal Information (NPPI). Failure of employees to follow the security policies and procedures of the organization is a major vulnerability to an Information Security Program.
Social Engineering by Phone
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.
Social Engineering by Phone
The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense. Here’s a classic PBX trick, care of the Computer Security Institute: “’Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me.’” And here’s an even better one: “They’ll call you in the middle of the night: ‘Have you been calling Egypt for the last six hours?’ ‘No.’ And they’ll say, ‘well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2,000 worth of charges from somebody using your card. You’re responsible for the $2,000, you have to pay that…’ They’ll say, ‘I’m putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I’ll get rid of the charge for you.’ People fall for it.” .
Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to gain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole.
The facilitator of a live Computer Security Institute demonstration, neatly illustrated the vulnerability of help desks when he “dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?…Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant.
A variation on the phone theme is the pay phone or ATM. Hackers really do shoulder surf and obtain credit card numbers and PINs this way. (It happened to a friend of mine in a large US airport.) People always stand around phone booths at airports, so this is a place to be extra cautious.
IVR or phone phishing
This technique uses a rogue Interactive voice response (IVR) system to recreate a legitimate sounding copy of a bank or other institution’s IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the “bank” via a (ideally toll free) number provided in order to “verify” information. A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker posing as a customer service agent for further questioning. One could even record the typical commands (”Press one to change your password, press two to speak to customer service” …) and play back the direction manually in real time, giving the appearance of being an IVR without the expense.
What is IVRS
An Interactive Voice Response (IVR) system I a computerized system that allows a person,typically a telephone caller, to select an option froma voice menu and perform transactions with a computer system. This can be as simple as obtaining account balances or as complex as performing sophisticated transactions. An IVR system plays a pre-recorded voice prompt and the caller presses a number on a telephone keypad to select the option, or speaks simple answers such as “yes”, “no”, or numbers in response to the voice prompts. Database Systems Corp. (DSC) is a leading provider of computer telephony integration products including automated call answering services and IVR phone systems. DSC turnkey IVR systems are composed of Intel processors with embedded Windows OS from Microsoft Corporation. These systems also include Dialogic computer telephony boards. DSC also provides complete Windows IVR software that lets you develop your own call answering applications. DSC can likewise perform custom ivr application development for you. From simple to complex phone applications, DSC personnel can design, develop, test and implement your phone campaign quickly and have your phone program in place with a minimal amount of time IVR Voice Messaging
Website content
Blogsphere: TechnoratiFeedsterBloglines
Bookmark: Del.icio.usSpurlFurlSimpyBlinkDigg
RSS feed for comments on this post | TrackBack URI for this post
Leave a Reply
Resources
Blog Categories
Monthly Archives
By Month
- July 2010 (3)
- June 2010 (4)
- May 2010 (2)
- April 2010 (56)
- March 2010 (42)
- July 2009 (69)
- June 2009 (131)
- May 2009 (78)