Guest Column | August 22, 2016

Fight Social Engineering — Make Your Priceless Data Completely Worthless


By Ben Rafferty, Global Solutions Director, Semafone

When a new wall goes up, criminals will always search for a door in or a way around. It’s in their nature, and it’s ultimately what fuels them. This is the transition we are witnessing in the cybersecurity space today.

Companies are investing more in defending their security perimeters and are using penetration testing daily to identify and remedy holes that a hacker could potentially exploit. According to the SANS Institute, about 9 percent of IT budgets will be allocated to security in 2016, up from 4 percent in 2014. So-called next-generation endpoint products are surging to a predicted level of nearly $4 billion by 2020. Cyber criminals are watching a substantial wall being built between them and their targets. The skill set required to obtain the same valuable information is increasing and ever changing. Or is it? Some of the direct methods criminals have used in the past to get what they want will no longer be available to them, but unfortunately, there is always another way.

Security involves people and processes, in addition to technology. The most logical weakness is you and me, the human component. Hackers caught on to this years ago, and we’ve become incredibly familiar with the weak spots that social engineering attacks exploit to trick people into breaking normal security procedures. Phishing emails hit our inboxes on a daily basis, trying to convince us to approve wire transfers from our “boss,” or to click a link to “save” our sick Aunt Nancy, potentially installing malware or, more recently, ransomware.

But there’s one similar tactic flying below the radar and, if we’re not careful, it could soon become our worst enemy.

Digital disruption in the financial industry has led to a rise in third-party payment systems. The Amazon Store Card, Apple Pay, and Google Wallet are just a few examples. And with them, we’re far less likely to actually use our credit and debit cards at the point-of-sale. In fact, our physical use of cards is arguably becoming obsolete.

This trend isn’t going anywhere, and with it we will continue to deliver more of our personal and account information over the phone, email, and web to banks and retailers without thinking twice. But when this information reaches the contact centers that facilitate these interactions, it can be a gold mine for fraudsters and criminals — especially with the rise of massive data breaches exposing huge amounts of personally identifiable information (PII).

Most organizations don't have the time to carefully vet every phone and digital interaction in order to ensure they are not being social engineered. If a caller provides accurate information, it’s often all they need to pass through the gates. And I’m not just talking about one crafty individual pretending to be someone that they are not. Criminal groups have systematized these intelligent attacks.

Exactly one year ago this seemingly simple tactic wounded one of the tech industry’s biggest players, Apple. A flurry of fraudsters took advantage of the Apple Pay authentication process by convincing contact center employees to activate Apple Pay accounts with stolen credit card information. The actual Apple Pay activation was then initiated between Apple and the bank, and Apple passed the bank the stolen credit card information to open the account, including the details backing the fraudsters’ iCloud accounts.

Vishing, or voice phishing, involves a series of phone calls to a contact center, each of which takes a minor action to slowly gain incremental access to an account, or to turn off alerting by warning of an impending “trip out of town.” Essentially, in about two or three phone calls, criminals are able to escalate privileges into user accounts and commit fraud. In this particular instance, fraudsters loaded iPhones with stolen, card-not-present card information and turned that data into physical cards via Apple Pay. This type of attack is very difficult to identify and defend against, because any given contact center could have many thousands of agents, and it’s highly unlikely that an attack series would reach the same agent twice.

What does all this mean? And how can we stop it?

Social engineering in the contact center environment is something U.S. organizations have to address, and fast. But unfortunately, things are likely to get harder before they get easier.

A U.S.-wide move to chip card technology has the potential to grow the threat of these attacks. While the transition is intended to help reduce overall fraud rates (its introduction in the U.K. reduced card-present fraud by 32.5 percent in seven years), in reality it is more likely to simply shift the ways fraud occurs. Fraud that leverages a contact center environment is likely to be exactly where most new fraud attempts will occur, a trend already seen in the U.K., according to the U.K. Payments Administration.

Humans have always been, and always will be, the weakest link in the security chain. Contact centers must do everything they can to ensure that criminals are not socially engineering their employees, because more cyber criminals will turn to contact centers as a potential target.

The most effective means of stopping this — and many other types of fraud — is to ensure that, even if the human element is misled, other measures are in place to prevent the looting of payment card and personal information. Many would agree that an effective means of protecting against social engineering is to simply leave the data in a format that is unusable by criminals. For example, tokenization can be used to replace sensitive data with a unique and meaningless equivalent that has no exploitable value, known as a token. The mapping from token to sensitive data is held only inside the tokenization system, so the token acts as an empty stand-in and pointer to the sensitive information everywhere else. Many organizations use this to increase the security of critical data and keep it out of reach of cyber criminals.
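As an added illustration (example code written for this page, not Semafone’s product or the author’s own code), here is a minimal tokenization vault of the kind the paragraph describes: tokens are random, keep only the card’s last four digits so an agent can still confirm “the card ending in 1111” with a caller, deliberately fail the Luhn check so they can never be used as a card number, and can only be reversed by a payment-processor role. The role names, the vault interface and the card numbers are all constructed for the demonstration.

```python
import secrets

# Constructed demonstration of a tokenization vault; the card numbers used
# with it are well-known test values, not real accounts.


def luhn_valid(number: str) -> bool:
    """Standard Luhn check that every real card number (PAN) passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Holds the only mapping between tokens and PANs.

    Everything outside the vault (CRM, call recordings, agent screens) sees
    just the token, so a social-engineered agent or a breached CRM yields
    nothing a fraudster can charge."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:           # same card -> same token, so
            return self._token_by_pan[pan]      # transactions stay linkable
        while True:
            # Random digits independent of the PAN; keep the last four for display.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token that fails Luhn cannot be mistaken for, or used as, a card.
            if token not in self._pan_by_token and not luhn_valid(token):
                self._pan_by_token[token] = pan
                self._token_by_pan[pan] = token
                return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment path may recover the PAN; agent roles never can."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._pan_by_token[token]        # KeyError for unknown tokens
```

The point to take from it is that the agent-facing systems never store anything a fraudster could use, so successfully deceiving an agent no longer exposes card data.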

Technologies will improve, but humans will always be duped. Acknowledging and preparing for that eventuality is the only true way we can combat social engineering.