Thursday, September 9, 2010

Credit Card Phone Policies, Social Engineering and You

I called my credit card company earlier this evening to either have my credit card discontinued or have my annual fee waived. Due to the problems I had with that company, it was not really my loss if they didn't waive my annual fee. Everything went smoothly, and after the transaction completed I got home, started browsing, and came across this very nice article about cyber security (ironically) courtesy of Microsoft and (more ironically) released for free. 12.3MB, downloadable here.


Then I thought: there's a bit of a security hole in those companies' policies. I remember Kevin Mitnick and his book, The Art of Deception.


You see, banks ask for details which identity thieves could easily obtain. Take for example: I was asked for my credit card number and my full name. Credit card numbers could easily be listed down by some employee of a merchant you bought goods from, and so could your full name (it's on the card, Sherlock). Even that 3-digit CVV2 code on the back of the card. So make sure that you keep an eye on the person you hand your credit card to. But sometimes this is hard; take restaurants, for example. When you ask for your bill, you drop your card in that black sleeve and wait for it to come back. You don't normally follow the waiter to the cashier just to make sure they don't do something funky with your card details.

Second, the card company normally asks for your mother's maiden name, your cellphone number and/or your home phone, and your birthday. Your phone number and birthday? Check your Facebook profile; you might have given them away there. Home phone number? You might want to un-list yourself in next year's Yellow Pages. Mother's maiden name? Someone pretending to be from a certain company and calling your mother's secretary at her office could easily pry that information from the unsuspecting secretary. Heck, maybe even a Google search has that information about you.

But if you're pretending to be somebody else, even with that information, they could still trace your number! Sherlock, there's a thing called a payphone.

I don't know to what extent one could exercise phone banking powers, but in my phone conversation a while ago, just by saying yes to discontinuing my credit card, they would immediately process it. Now, use your imagination. What if someone who has a grudge against you pretends to be you, calls your credit card company, and right then and there terminates your card? Isn't that a pain in the ass?

Or what if that person asks the bank what current promos or bundled insurance they have? Then you'd be surprised when you find out that you're already being charged for insurance payments which you never actually approved. The possibilities are endless.

I think banks and credit card companies should improve their identification or authentication techniques. If you watched the video with Leo Laporte and Kevin Mitnick, you'll be surprised at how easy it is for people to do those things.
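One way to make "improve their authentication" concrete, as an added example that is not from the original post: a small Python policy check in which every verification factor the post mentions is rated by how obtainable it is, and account-changing actions (closing the card, enrolling in insurance) require proof of possession of the registered phone rather than any pile of knowable facts. The factor catalogue, the action list and the rating of each factor are assumptions for illustration, not any bank's real policy.

```python
from enum import IntEnum

class Exposure(IntEnum):
    """How hard a factor is for an impostor to obtain (higher is harder)."""
    PUBLIC = 0       # printed on the card or findable online: name, card number, birthday
    SEMI_PUBLIC = 1  # one pretext call or a people-search away: maiden name, phone numbers
    POSSESSION = 2   # proves control of an enrolled channel: OTP or callback to the registered phone

# Constructed catalogue of factors a phone agent might accept, rated with the exposure the
# post argues each one really has (assumption: illustrative, not any bank's actual list).
FACTORS = {
    "card_number": Exposure.PUBLIC,
    "full_name": Exposure.PUBLIC,
    "cvv2": Exposure.PUBLIC,
    "birthday": Exposure.PUBLIC,
    "home_phone": Exposure.SEMI_PUBLIC,
    "cell_phone": Exposure.SEMI_PUBLIC,
    "mothers_maiden_name": Exposure.SEMI_PUBLIC,
    "otp_to_registered_phone": Exposure.POSSESSION,
    "callback_to_registered_phone": Exposure.POSSESSION,
}

# Minimum exposure level an action requires (assumption). Anything that changes the account,
# such as closing the card or adding a paid product, needs proof of possession, not knowledge.
ACTIONS = {
    "check_balance": Exposure.SEMI_PUBLIC,
    "cancel_card": Exposure.POSSESSION,
    "enroll_insurance": Exposure.POSSESSION,
}

def authorize(action: str, verified_factors: list[str]) -> tuple[bool, str]:
    """Return (allowed, reason). Only the strongest verified factor counts: stacking several
    public facts (card number + name + birthday) never adds up to a possession proof."""
    required = ACTIONS[action]
    known = [f for f in verified_factors if f in FACTORS]
    strongest = max((FACTORS[f] for f in known), default=None)
    if strongest is None or strongest < required:
        have = strongest.name if strongest is not None else "nothing"
        return False, f"step-up needed for {action}: requires {required.name}, caller proved {have}"
    return True, f"{action} allowed on {strongest.name}"

if __name__ == "__main__":
    # The grudge scenario from the post: everything the impostor knows, nothing they possess.
    print(authorize("cancel_card", ["card_number", "full_name", "birthday", "mothers_maiden_name"]))
    print(authorize("cancel_card", ["card_number", "otp_to_registered_phone"]))
```

The impostor with a payphone and a Facebook profile is refused, while the real cardholder who can answer a one-time code on the enrolled phone is served.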


The Art of Deception is available for purchase from Amazon or you could have it imported through your local book vendor.
