Skip to main content

Credit Card Phone Policies, Social Engineering and You

I called my credit card company earlier this evening to either have my credit card discontinued or have my annual fee waived. Due to the problems I had with that company, it was not really my loss if they didn't waive my annual fee. Everything went smoothly and as the transaction completed, got home, started browsing, I came across this very nice article about cyber security (ironically) courtesy of Microsoft and (more ironically) released for free. 12.3MB downloadable here.


Then I thought, I think there's a bit of a security hole in those companies policies. I remember Kevin Mitnick and his book, The Art of Deception.


You see, banks asks about details which identity thieves could easily obtain. Take for example, I was asked for my credit card number and my full name. Credit card numbers could be easily listed down by some employee of a merchant you bought some goods on, so is your full name (its on the card Sherlock). Even that 3 digit CVV2 code behind the card. So make sure that you keep an eye on the person whom you hand your credit card to. But sometimes this is hard, take restaurants for example. When you ask for your bill, you drop your card on that black sleeve and wait for it to come back. You don't normally follow the waiter around to the cashier just to make sure that they don't do something funky with your card details.

Second, the card company normally asks for your mother's maiden name, your cellphone number and/or your home phone, and your birthday. Your phone number and birthday? Check your Facebook profile, you've might have given it away there. Home phone number? You might want to un-list yourself in next years Yellow Pages. Mother's maiden name? Someone pretending to be from a certain company calling your mothers secretary at her office could easily pry that information from that unsuspecting secretary. Heck, maybe even Google Search has those information about you.

But if you're pretending to be somebody else, even with those information, they could still trace your number! Sherlock, there's a thing called a payphone.

I don't know up to what extent one could exercise phone banking powers, in my phone conversation a while ago, just by saying yes to discontinue my credit card they would immediately process it. Now, use your imagination. What if someone who has a grudge on you, pretends to be you and calls your credit card company and right then and there terminated your card? Isn't that a pain in the ass?

Or what if that person, asks the bank on what current promos or bundled insurances they have? Then you'd just be surprised when you find out that you're already being charged for insurance payments which you never actually approved. The possibilities are endless.

I think banks and credit card companies should improve their identification or authentication techniques. If you watched the video with Leo Laporte and Kevin Mitnick, you'll be surprised on how easy it is for people to do those things.


The Art of Deception is available for purchase from Amazon or you could have it imported through your local book vendor.
Labels:

Comments

Post a Comment

Popular posts from this blog

Self Signed SSL Certificates

Ever wondered how to enable SSL or HTTPS on your site? If you dont want to pay for commercial SSL certificates, you could create self signed certificates for your site by following the instructions here: https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04 The instructions in the site above will make your default site HTTPS enabled. If you prefer having a commercial SSL, save your certificate files and key files in your server and edit the location on the /etc/apache2/sites-enabled/default to point to the directory where you stored those files.
Post a Comment
Read more

Moving to a New Linux Web Based Torrent Client

For years, I have been using TorrentFlux (url here) as my primary torrent client situated in my Ubuntu download server. But as time went on, the developers completely abandoned the development of TorrentFlux which led to several forks which I think is still insufficient for my needs. Main GUI of TorrentFlux Ive checked several options which runs on a GUI-less environment. Since my Ubuntu server is just running on command line to save precious memory, I needed something bare, simple and is packed with features. Installing uTorrent Server is pretty straight forward. Download. Uncompress. Run. This is better than the approach of TorrentFlux which you need to setup LAMP server and create a database. More often than not, it happens to me that some of the data in the DB gets corrupted. I normally just reinstall the whole thing again. Main GUI of uTorrent Server To further elaborate on the setup process, I've gotten an excerpt from this thread which, quite simply discusses ho
8 comments
Read more

Modernizing Qwtlys Database Part 1

Its been years since I have last updated Qwtly and I was given the opportunity to play around and modernize the database for my application. I wanted to try the cloud offering of MongoDB called Atlas being that its free for a small database.  With this in mind and considering that Qwtly doesn't get traffic after I have disabled the add, edit and delete quote function along with the login, I don't see the application getting to that limit of 5GB anyway. Well, that is considering if I can even get this to work.  The first order of business was to see if we can import the MySQL export painlessly to MongoDB Atlas. I have searched for MongoDB tools, external tools, scripts, only to find old abandoned projects which would not be ideal given my situation. I have considered writing a PHP script to do it but that too would cost time. I was looking for something that consists of using existing tools or features I am familiar with along with some manual eyballing and checking. Luckily, I
Post a Comment
Read more