
Credit Card Phone Policies, Social Engineering and You

I called my credit card company earlier this evening to either have my credit card discontinued or have my annual fee waived. Due to the problems I had with that company, it was not really my loss if they didn't waive my annual fee. Everything went smoothly, and after the transaction completed I got home, started browsing, and came across this very nice article about cyber security (ironically) courtesy of Microsoft and (more ironically) released for free. It's a 12.3MB download, available here.


Then it occurred to me that there's a bit of a security hole in those companies' policies, and I remembered Kevin Mitnick and his book, The Art of Deception.


You see, banks ask for details which identity thieves could easily obtain. For example, I was asked for my credit card number and my full name. Credit card numbers can easily be copied down by an employee of a merchant you bought goods from, and so can your full name (it's on the card, Sherlock). Even the 3-digit CVV2 code on the back of the card. Everything on that list is something anyone who has held your card for a minute already knows. So make sure you keep an eye on the person you hand your credit card to. But sometimes this is hard; take restaurants, for example. When you ask for your bill, you drop your card in that black sleeve and wait for it to come back. You don't normally follow the waiter to the cashier just to make sure they don't do something funky with your card details.

Second, the card company normally asks for your mother's maiden name, your cellphone number and/or your home phone, and your birthday. Your phone number and birthday? Check your Facebook profile; you might have given them away there. Home phone number? You might want to un-list yourself in next year's Yellow Pages. Mother's maiden name? Someone pretending to be from a certain company and calling your mother's secretary at her office could easily pry that information from the unsuspecting secretary. Heck, maybe even a Google search turns up that information about you.

But if you're pretending to be somebody else, even with all that information, couldn't they still trace your number? Sherlock, there's a thing called a payphone.

I don't know to what extent one can exercise phone banking powers, but in my phone conversation a while ago, just by saying yes to discontinuing my credit card, they would immediately process it. Now use your imagination. What if someone who has a grudge against you pretends to be you, calls your credit card company, and has your card terminated right then and there? Isn't that a pain in the ass?

Or what if that person asks the bank what current promos or bundled insurance products they have, and signs you up? Then you'd be surprised to find out that you're already being charged for insurance premiums you never actually approved. The possibilities are endless.

I think banks and credit card companies should improve their identification and authentication techniques. If you watch the video with Leo Laporte and Kevin Mitnick, you'll be surprised at how easy it is for people to do those things.
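The point of the post is that everything the bank asks for is something a caller can know, and nothing they ask for proves the caller holds something only the real customer has. The sketch below is an added example written for this page (not the author's code, and not any bank's actual system) of how a phone-banking agent desk could enforce that distinction: knowledge answers only ever earn a low assurance level, and irreversible or billable actions such as cancelling the card or enrolling in insurance require a one-time code sent to the phone registered on the account. The action catalogue `ACTION_RISK`, the `Customer` and `CallSession` types, the attempt limit and the sample customer data are all assumptions made up for the example; the one-time code is standard HOTP from RFC 4226. Because the proof comes from a registered device rather than from caller ID, calling from a payphone gets the attacker nothing.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assurance levels. Knowledge factors (card number, full name, CVV2, birthday,
# mother's maiden name) can be read off the card or found online, so on their
# own they never reach more than LOW.
NONE, LOW, HIGH = 0, 1, 2
MAX_OTP_ATTEMPTS = 3  # assumption: lock the pending code after 3 wrong tries

# Hypothetical action catalogue: anything irreversible or billable needs HIGH,
# i.e. proof that the caller holds the device registered on the account.
ACTION_RISK = {
    "balance_inquiry": LOW,
    "waive_annual_fee": LOW,
    "cancel_card": HIGH,
    "enroll_insurance": HIGH,
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def hash_answer(value: str) -> str:
    """Normalise and hash a knowledge answer so the bank stores no plaintext."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()

@dataclass
class Customer:
    card_number: str
    knowledge: dict          # question -> hash_answer(expected answer)
    otp_secret: bytes        # shared with the registered phone/app only
    otp_counter: int = 0     # next HOTP counter the bank expects

@dataclass
class CallSession:
    customer: Customer
    assurance: int = NONE
    otp_pending: bool = False
    otp_attempts: int = 0

def verify_knowledge(session: CallSession, card_number: str, answers: dict) -> bool:
    """Knowledge check, constant-time compared. Passing only yields LOW."""
    cust = session.customer
    ok = hmac.compare_digest(card_number, cust.card_number)
    for question, expected in cust.knowledge.items():
        ok &= hmac.compare_digest(hash_answer(answers.get(question, "")), expected)
    session.assurance = LOW if ok else NONE
    return ok

def issue_otp(session: CallSession) -> str:
    """Generate the next HOTP code. A real bank SENDS this to the registered
    device and never reads it back to the caller; it is returned here only so
    the flow can be exercised offline."""
    cust = session.customer
    session.otp_pending, session.otp_attempts = True, 0
    return hotp(cust.otp_secret, cust.otp_counter)

def verify_otp(session: CallSession, code: str, look_ahead: int = 3) -> bool:
    """Possession check: identify first (LOW), then accept the expected code
    or a few ahead (lost SMS) and move the counter past it to block replay."""
    cust = session.customer
    if session.assurance < LOW or not session.otp_pending:
        return False
    session.otp_attempts += 1
    if session.otp_attempts > MAX_OTP_ATTEMPTS:
        session.otp_pending = False          # caller must request a fresh code
        return False
    for i in range(look_ahead):
        if hmac.compare_digest(code, hotp(cust.otp_secret, cust.otp_counter + i)):
            cust.otp_counter += i + 1
            session.otp_pending = False
            session.assurance = HIGH
            return True
    return False

def authorize(session: CallSession, action: str) -> str:
    """Decision for the agent desk: allowed / step_up_required / denied."""
    required = ACTION_RISK.get(action)
    if required is None:
        return "denied"                      # unknown action: fail closed
    if session.assurance >= required:
        return "allowed"
    if session.assurance >= LOW:
        return "step_up_required"
    return "denied"
```

With this in place the grudge scenario above stops at `step_up_required`: the impostor can recite the card number, birthday and maiden name, but the code goes to the real customer's phone, and a used code cannot be replayed on a later call because the counter has moved on.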


The Art of Deception is available for purchase from Amazon, or you can have it imported through your local book vendor.
