When I was a kid, one of my favorite books was Bram Stoker’s Dracula; I loved reading about the ways the small band of vampire hunters went about systematically hunting down Dracula’s lairs in London while he did his best to avoid detection while creating new victims. Something that always stuck with me while I was reading and re-reading the book was the point Stoker made over and over: Dracula couldn’t actually enter a residence or building unless he had been invited in first. He was forced to seek out a victim and employ his various methods, including charm, to encourage them to invite him into the place he wanted to be. The victims he chose tended to be a means to an end rather than the end themselves: a way for him to thrive undetected in London, since Transylvania was on to him. Once he was in, though, he was in, and the victims didn’t really stand a chance.
We may have made incredible advances in technology over the last one hundred and thirty years since Dracula was stalking the citizens of London, but I’m always struck anew when I read about a new data breach that started with a social engineering component that exploited a person rather than technology. I’ve read about two relatively recent cases where this happened:
- Bogus Discount Clubs: The FTC recently charged operators of bogus discount clubs that took more than $40 million from consumers’ bank accounts in the form of remotely created checks (RCCs). The scam involved members of the criminal ring “cold calling” victims and offering payday or cash advance loans. The only thing the victims needed to do to qualify for those loans was provide the caller with their bank account information. The scammers then enrolled the victims in an online coupon service that charged an initial fee along with a monthly fee that the victims weren’t aware of, and used the victims’ bank account information to create RCCs to pay the coupon service fees. Unfortunately, the victims had actually participated in their own fraud by handing the scammers the keys to the kingdom: their bank account information.
- Equifax TALX Payroll Division Breach (aka The Other Equifax Hack): In March of 2017, Equifax reported to the attorneys general of several states that it had experienced a large data breach possibly impacting thousands of employees of the companies that used Equifax’s TALX payroll services. Users of TALX (employees of the companies that used TALX payroll services to view payroll information) were only required to use a username and PIN to log in to the website. Attackers exploited that through the “Regenerate my Pin” link, which allowed users who had forgotten their PINs to answer a small number of KBA (knowledge-based answer) security questions and have a new PIN sent via e-mail, in this case to dummy accounts the attackers controlled. The attackers then used the regenerated PINs to log in to the victims’ TALX accounts and pull payroll and W-2 information to file fraudulent tax refund claims. The attackers were able to guess the answers to the security questions because users tended to choose questions whose answers could be gathered from unsecured social media accounts and other public information sources.
While the victims of the Bogus Discount Clubs ring were more directly involved in their own exploitation, the victims of the Equifax TALX breach also played a part in their data loss. This topic is something I’ve touched on before, but I don’t believe it can be said too often that the largest risk to any organization comes from its people rather than its technology. The hardest perimeter defenses are only as strong as the least risk-savvy employee, so it’s in an organization’s best interest to ensure that enough training and information have been provided to prevent that person from unintentionally inviting an attacker in.
What does that mean? It means IT security training practices need to be adapted to the new threats, with specific examples and scenario walk-throughs that teach employees how to recognize a scam and respond appropriately. Continuous training is essential, but consider other types of social engineering approaches beyond phishing e-mails, and how training can help employees avoid falling for those traps. For example: if employees regularly log in to third-party applications that use KBA security questions as a secondary security control, encourage them to choose the more obscure questions, whose answers aren’t readily available via social media or public resources. The bottom line is: you need to spend as much time training your people on social engineering and how to avoid it as you do fine-tuning your cybersecurity tools. Otherwise, no matter how secure you think you are, someone in your organization may have already let the attacker in.
Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.