Skip to main content

Credit Card Phone Policies, Social Engineering and You

I called my credit card company earlier this evening to either have my credit card discontinued or have my annual fee waived. Due to the problems I had with that company, it was not really my loss if they didn't waive my annual fee. Everything went smoothly and as the transaction completed, got home, started browsing, I came across this very nice article about cyber security (ironically) courtesy of Microsoft and (more ironically) released for free. 12.3MB downloadable here.


Then I thought, I think there's a bit of a security hole in those companies policies. I remember Kevin Mitnick and his book, The Art of Deception.


You see, banks asks about details which identity thieves could easily obtain. Take for example, I was asked for my credit card number and my full name. Credit card numbers could be easily listed down by some employee of a merchant you bought some goods on, so is your full name (its on the card Sherlock). Even that 3 digit CVV2 code behind the card. So make sure that you keep an eye on the person whom you hand your credit card to. But sometimes this is hard, take restaurants for example. When you ask for your bill, you drop your card on that black sleeve and wait for it to come back. You don't normally follow the waiter around to the cashier just to make sure that they don't do something funky with your card details.

Second, the card company normally asks for your mother's maiden name, your cellphone number and/or your home phone, and your birthday. Your phone number and birthday? Check your Facebook profile, you've might have given it away there. Home phone number? You might want to un-list yourself in next years Yellow Pages. Mother's maiden name? Someone pretending to be from a certain company calling your mothers secretary at her office could easily pry that information from that unsuspecting secretary. Heck, maybe even Google Search has those information about you.

But if you're pretending to be somebody else, even with those information, they could still trace your number! Sherlock, there's a thing called a payphone.

I don't know up to what extent one could exercise phone banking powers, in my phone conversation a while ago, just by saying yes to discontinue my credit card they would immediately process it. Now, use your imagination. What if someone who has a grudge on you, pretends to be you and calls your credit card company and right then and there terminated your card? Isn't that a pain in the ass?

Or what if that person, asks the bank on what current promos or bundled insurances they have? Then you'd just be surprised when you find out that you're already being charged for insurance payments which you never actually approved. The possibilities are endless.

I think banks and credit card companies should improve their identification or authentication techniques. If you watched the video with Leo Laporte and Kevin Mitnick, you'll be surprised on how easy it is for people to do those things.


The Art of Deception is available for purchase from Amazon or you could have it imported through your local book vendor.
Labels:

Comments

Post a Comment

Popular posts from this blog

Self Signed SSL Certificates

Ever wondered how to enable SSL or HTTPS on your site? If you dont want to pay for commercial SSL certificates, you could create self signed certificates for your site by following the instructions here: https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-12-04 The instructions in the site above will make your default site HTTPS enabled. If you prefer having a commercial SSL, save your certificate files and key files in your server and edit the location on the /etc/apache2/sites-enabled/default to point to the directory where you stored those files.
Post a Comment
Read more

Moving to a New Linux Web Based Torrent Client

For years, I have been using TorrentFlux (url here) as my primary torrent client situated in my Ubuntu download server. But as time went on, the developers completely abandoned the development of TorrentFlux which led to several forks which I think is still insufficient for my needs. Main GUI of TorrentFlux Ive checked several options which runs on a GUI-less environment. Since my Ubuntu server is just running on command line to save precious memory, I needed something bare, simple and is packed with features. Installing uTorrent Server is pretty straight forward. Download. Uncompress. Run. This is better than the approach of TorrentFlux which you need to setup LAMP server and create a database. More often than not, it happens to me that some of the data in the DB gets corrupted. I normally just reinstall the whole thing again. Main GUI of uTorrent Server To further elaborate on the setup process, I've gotten an excerpt from this thread which, quite simply discusses ho
8 comments
Read more

iPhone 4 Carrier Unlock Finally Here

The wonderful people of iPhone-dev Team (or I think they're called just DevTeam now) has realeased their iPhone 4 carrier unlock. What this means is you can unlock the iPhone 4 s you've purchased from any locked countries like the U.S.(with baseband 1.59 ).  iPhone 3G and 3Gs also benefits from this release which unlocks phones with basebands 04.26.08 , 05.11.07 , 05.12.01 and 05.13.04 As an excerpt from their blog post : Version 1.0-1 of ultrasn0w works for: iPhone4 baseband 01.59 3G/3GS basebands 04.26.08, 05.11.07, 05.12.01 and 05.13.04 (If ultrasn0w doesn’t show when you search Cydia, add the repo:  repo666.ultrasn0w.com) Quickest solution to unlock your phones is to visit www.jailbreakme.com which uses an exploit to jailbreak your device, and once you get the Cydia app, download (or add the repository if you havent) ultrasn0w. Restart and enjoy carrier freedom. Perhaps another implication of this with the iPhone 4 market now is that those people selling iPhone 4
2 comments
Read more