Be aware of the wolf in sheep’s clothing. Social engineering is the new method of choice for hackers. Here’s how it works.
Is your name and your phone number all it takes for a hacker to take over your cell phone account?
Latest, investigation has found that just a few pieces of personal information could leave you and your accounts vulnerable.
It happened to Erynn Tomlinson. The former cryptocurrency executive lost about $30,000 in cryptocurrency after hackers used a few of her personal details during interactions with Rogers customer service representatives to ultimately gain access to her account.
“I don’t know how to describe it. I was sort of in shock at the whole thing,” said Tomlinson about realizing hackers stole savings she was planning on using for a mortgage.
Tomlinson is a victim of the latest type of hack plaguing the telecommunications industry: it’s called a SIM swap, and hackers use what’s known as social engineering to make it happen.
Social engineering fraud typically happens through email, phone, or text — or in Tomlinson’s case, through online chat windows. Hackers use charm and persuasion to convince a customer service representative they are actually the account holder.
If at first you don’t succeed, hack again
The hackers might have a few pieces of publicly available personal information: a person’s name, email address, birthdate, postal code or phone number.
Hackers use some of those details to try to sweet talk a representative into handing over more information and ultimately gain access to an account.
“The attackers are very sophisticated. In this case, Rogers didn’t provide any friction for them and made it far too easy,” Tomlinson said of her experience.
As far as Tomlinson can tell, the hackers had only her name and her phone number. Over a series of eight different online chats, the hackers managed to obtain her date of birth, email address, account number, the last four digits of her credit card, and other details about her account.
Armed with this information, the hacker convinced a Rogers rep to activate a new SIM card linked to Tomlinson’s account, which could then be placed into a phone in their possession. A SIM card is a chip used to identify and authenticate a subscriber to a service provider.
Once the hackers had executed the SIM swap, they were able to use their own phone to gain access to a number of Tomlinson’s sensitive accounts, including those tied to her finances.
Tomlinson used two-factor authentication on her sensitive accounts, an extra security step that sends a message to your cell phone before granting access. Tomlinson believes the SIM swap allowed the hackers to divert those incoming messages to a new device, effectively bypassing her security measures.
She first became aware something was wrong when her cellphone stopped working. After stopping by a nearby café to use the Wi-Fi, she realized one of her financial accounts was at zero. She rushed home and logged onto her other accounts, and also saw them being drained.
In total, the hackers managed to steal the equivalent of $30,000 in cryptocurrency.
“I hope this is a bit more of an extreme case,” she said. “But I think … every Canadian is at risk right now.”
Social engineering on the rise
Tomlinson’s losses may sound extreme, but companies around the world say social engineering attacks are on the rise.
Canada’s federal privacy commissioner now requires all companies to report any security or privacy breaches. Since November 2018, there have been more than a dozen reports of social-engineering breaches in this country’s telecommunications sector alone.
In an email, the Office of the Privacy Commissioner told Marketplace the trend “clearly raises concerns.”
The emergence of social engineering fraud comes as no surprise to ethical hacker and cybersecurity expert Joshua Crumbaugh.
“Social engineering’s been a popular thing, I mean, since the beginning of time — we just gave it a new term. It’s the same thing that grifters and con men have been doing forever … they’re just exploiting basic human weaknesses or vulnerabilities.”
It’s human nature to want to help and avoid conflict, which is why Crumbaugh says the key to a successful social engineering hack depends on who picks up the other line.
Chances are if one person is not willing to help, the next person likely is, he says.
“It’s just psychology. So if you understand how somebody’s going to react to something, you can easily manipulate somebody into giving you information or access to things that maybe they shouldn’t.”
To see how Rogers would respond to a social engineering attack, Marketplace asked Crumbaugh to try to hack into Marketplace host Charlsie Agro’s personal account, providing him only with her name and phone number.
On the first attempt, Crumbaugh called the company’s customer service line, posing as Agro’s personal assistant. The call ended quickly, with the rep refusing Crumbaugh’s access to the account unless Agro phoned and added him as user.
He called back minutes later and, with a different rep on the phone, instead posed as Agro herself. He did not disguise his voice. This time, the agent requested Agro’s birthdate and email address as verification, which Crumbaugh was able to provide after some quick searches online.
The agent also asked Crumbaugh to provide the PIN and postal code attached to the account. Crumbaugh guessed at a PIN number and, after another online search, provided a postal code. Both were off by a single digit but the agent still allowed Crumbaugh to access the account, which could have ultimately locked Agro out.
Crumbaugh believes companies need to better educate their customer service representatives on how to identify and prevent social engineering hacks.
“We have got to do more in making our people aware that these things happen,” he said.
Marketplace asked the Canadian Wireless and Telecommunications Association — the wireless industry’s main lobby group, representing Bell, Rogers and Videotron, among others — what it is doing to help protect consumers from social engineering attacks.
CWTA president Robert Ghiz said each of its members is responsible for their own security, but that the companies have measures in place to keep customers’ data safe, including PINs, passwords, security questions and voice identification.
He also said many telecommunications companies are undertaking training for their staff, and that he believes protecting consumers against social engineering attacks is a top priority for CWTA members.
“It’s got to be about educating those front-line services and training those front-line services — and it needs to continue to be vigilant into the future,” Ghiz said.
When Marketplace pointed out that an incorrect PIN and postal code didn’t keep our ethical hacker out of Agro’s account, Ghiz said he believes the security measures in place are largely working, noting there are millions of calls coming in every week.
“There’s always going to be some human error that’s going to exist,” he said.
In an email, Rogers said it takes its customers’ privacy and security very seriously and the company is continually strengthening its security measures and verification processes. It reinforces those measures with “ongoing training in authentication best practices for front-line team members.”
When provided with the results of Marketplace‘s ethical hacking test, Rogers admitted its authentication steps were not followed and said action was taken to reinforce proper protocols with the agent involved.
As for Tomlinson, she says she was not happy with the solutions Rogers offered following her experience: she was initially offered three months of free service, then a year of free service.
She is now pursuing legal action against the company.
Although Rogers would not comment on Tomlinson’s case, as it is before the courts, the company argues it is not responsible for what happened to her.
“What I really want to see is, not just that they give platitudes, and say, ‘Oh, we’re sorry this happened’ from a customer service point of view, but that they make real changes to their policies and their training … so that this can’t happen,” said Tomlinson.
Kevin Mitnick, an infamous hacker turned do gooder, agrees customer service reps need better training. “The companies need to have policies put into place to come up with a way to have a very high confidence that they’re dealing with the consumer,” he said.
Mitnick has hacked into more than 40 companies, from a McDonald’s drive-thru to Motorola, and was once one of the FBI’s most wanted — eventually serving five years in prison for computer and phone hacking. Today he runs a business that points out security flaws to the corporations he once targeted.
Social engineering attacks are happening every day, Mitnick says, and it is often the first technique hackers turn to, because “calling somebody on the phone is so much easier than doing the technical magic you need to break into a computer.”
Mitnick is adamant: Consumers need to demand more from their vendors. If you aren’t satisfied with the steps your provider is taking to protect your account, vote with your wallet, he says.
“It’s really up to the organizations that need to verify their customers’ information. They’re the ones that are in control … they’re the ones that could affect change,” he said. “The consumer can only demand change — and if they’re unwilling to do it, you go to a different vendor.”
Consumers can help themselves
Crumbaugh says there are some ways consumers can help themselves.
First, if possible, set a PIN on your account. Choose four digits at random; connecting them to an easy-to-guess birthdate or address is a bad idea.
He also suggests creating fake answers to common security questions like “What is your mother’s maiden name.” For example, don’t use your dog’s real name and if you do, don’t make that information public.
Social media is one of the first places hackers look to for clues about your passwords and answers to common security questions, such as your birthdate and where you went on your honeymoon.
“So many people will use their children’s names or birth dates or their animals’ names as passwords, and then you go onto their social media, and they’ve posted a million pictures of the same dog with the name of their dog, and they’re basically putting their passwords out there for everyone to see,” said Crumbaugh.
Crumbaugh also suggests using security questions that require an answer only you know but is not a personal detail like a birthdate.