Privacy Ref Blog

Social Engineering is a Massive Problem

Recently, a large number of YouTubers and other celebrities have been “hacked” or lost control of their accounts. The truth of the matter is that they aren’t being hacked at all; instead, the person taking control of these accounts is simply getting others to do it for them. The people and groups helping them are not who you would think. They are not hackers, black market data dealers, or even criminals, but customer service representatives and other professionals whose job is to protect your data.

Social Engineering: Laying Blueprints for Mayhem

Social engineering is the act of manipulating others into acting in a certain way. In the most basic example, you pretend to be something you are not in order to gain access to something you would not normally be able to reach. In the case discussed in the introduction to this post, the weak point is the phone provider. The bad guys start by calling the cell phone service provider of their target. They then claim to be either the person they are targeting or another employee of the provider. They are then given the access they wanted, either through a password reset or through access to the target’s SIM card. The target’s information is now exposed. This means things like phone calls, texts, and possibly emails are now in the hands of someone who means to do harm.

Let the Games Begin!

Once our so-called hackers have this information, they gain access to accounts, changing passwords and ownership of these accounts over to themselves.  Sometimes it is as harmless as renaming every video on a YouTube channel, simply showing off or bragging about their deeds.  Other times they are not so innocent, taking money from financial accounts, deleting entire accounts, or using the account to spread links to malware or other malicious sites.  Even if you are not a YouTube celebrity, this can still affect you or your business.

Protection = Awareness!

So how do you stop this?  How do you protect yourself or your customers from these kinds of attacks?  The answer is very simple and you most likely already do some of these things.

First, you need to make sure employees verify everything when dealing with someone who is not there in person. If the caller claims to be another employee, ask for the name of their manager, an employee badge number, or any of the pieces of personal information that every one of your employees would know about themselves. It might take a few seconds to complete this verification, but a data breach will take far longer to contain.

Next, if you use knowledge-based questions, make sure they are good questions whose answers are not openly known. Asking for a mother’s maiden name, the name of a pet, or the school someone attended may seem smart, but many of these facts can easily be found through social media. Facebook is a treasure trove of information when you need to answer a security question.

Use questions that are obscure but easy for a customer to remember.  Being creative here is only going to help you in the long run. A good practice is to have each employee create their own questions and answers. If it is a customer that is involved, ask them about a recent transaction.

Finally, train your employees on these policies at least annually.  It doesn’t take long to make sure they refresh themselves on the basics of protecting customer information or how to verify who they are communicating with.  It is also good to train them on what schemes they may have to deal with, understanding the privacy metagame.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on July 25, 2016 by Ben Siegel



