Recently, a large number of YouTubers and other celebrities have been “hacked” or lost control of their accounts. The truth of the matter is that they aren’t being hacked, but instead the person taking control of these accounts is just having others do it for them. The people and groups helping them are not who you think. They are not hackers, black market data dealers, or even criminals, but they are customer service representatives and other professionals who are meant to protect your data.
Social Engineering: Laying Blueprints for Mayhem
Social engineering is the act of manipulating others to act in a certain way. In the most basic example, you pretend to be something you are not to gain access to something you would not normally be able to. In the case discussed in the introduction to this blog, it is phone providers. The bad guys start by calling the cell phone service provider of their target. They then state that they are the person they are targeting or another employee of the provider. They are then provided the access they needed, either through a reset password or access a SIM card. The target’s information is now available. This means things like phone calls, texts, and possibly emails are now in the hands of someone who means to do harm.
Let the Games Begin!
Once our so-called hackers have this information, they gain access to accounts, changing passwords and ownership of these accounts over to themselves. Sometimes it is as harmless as renaming every video on a YouTube channel, simply showing off or bragging about their deeds. Other times they are not so innocent, taking money from financial accounts, deleting entire accounts, or using the account to spread links to malware or other malicious sites. Even if you are not a YouTube celebrity, this can still affect you or your business.
Protection = Awareness!
So how do you stop this? How do you protect yourself or your customers from these kinds of attacks? The answer is very simple and you most likely already do some of these things.
First, you need to make sure employees verify everything when working with someone who is not in person. If the hacker claims to be another employee, ask for the name of their manager, an employee badge number, or any number of pieces of personal information all of your employees would know about themselves. It might take a few seconds to complete this verification, but a data breach will take a much longer time to control.
Next you want to make sure that if you use knowledge based questions, they are good questions that are not openly known. Asking for a mother’s maiden name, the name of a pet, or the school they attended may seem smart, but many of these facts can easily be found through social media. Facebook is a treasure trove of information when you need to answer a security question.
Use questions that are obscure but easy for a customer to remember. Being creative here is only going to help you in the long run. A good practice is to have each employee create their own questions and answers. If it is a customer that is involved, ask them about a recent transaction.
Finally, train your employees on these policies at least annually. It doesn’t take long to make sure they refresh themselves on the basics of protecting customer information or how to verify who they are communicating with. It is also good to train them on what schemes they may have to deal with, understanding the privacy metagame.