Can the Tsunami of Phone-Based Social Engineering be Contained?
As soft target telephone scams become more sophisticated, people are turning to protocols like biometric verification for enhanced protection. But implementation is key.
In the world of cybersecurity, it’s called a window of opportunity. That’s the limited time when hackers can exploit a system weakness or design flaw to steal sensitive personal information.
But what to do when that window means a return to attacks using old school technologies and approaches that successfully exploit human nature?
As digital security through online portals continually improves and people become more wary of phishing emails, hackers have turned to old fashioned telephone calls to elicit key pieces of personal information they can use for profit. It takes little technical skill—just the ability to sound convincing to vulnerable people over the phone. These scams target both individuals and businesses and in 2018 were one of the top three types of consumer fraud identified by the Federal Trade Commission in its annual report.
Talking ‘Bout the Man-in-the-Middle
The most common form of this type of scam is a variation on the classic “man-in-the-middle” attack. In this con, the hacker places a phone call to an individual pretending to be a representative from an entity with which the individual has a preexisting relationship—say a bank or e-commerce site. The hacker then works to extract sensitive data—like a password—from the individual. With that information, plus gathering someone’s date of birth and address through platforms like Facebook, the hacker has all he needs. He can clean out bank accounts, establish false credit cards and steal the individual’s identity.
Beyond its obvious utility for the thief, who can now drain this person’s bank account, this personal information also has value on the dark web. Passwords are frequently sold to the highest bidder, whether a nefarious actor wants to take free Uber rides or your dime or take down your employer’s systems.
Another common goal is account takeover (ATO). While on the call, the hacker claims to need immediate access to the person’s computer to remove a virus or resolve another (fake) issue. If the person agrees and provides the necessary info, then the hacker immediately locks them out of their computer and takes control of all their accounts. Meanwhile, they often extort the individual for money to “fix” the problem.
Old school scams like these, which exploit human nature, are also used against businesses. In one scenario, helpful members of a company’s staff are conned into giving the hacker pieces of identifying information about the victim of the fraud with whom the business has a relationship. That information, in turn, is used with other readily available information on social platforms to take over an individual’s bank or other accounts and steal their identity.
Apart from being non-secure, these verification methods are expensive, kludgy and inefficient. It also takes significant time and resources to ask personal questions and go through verification with an employee over the phone.
A Possible Solution to Hacker Phone Calls
To counter this rise, some companies are migrating to biometric verification. Typically, this verification includes three-point facial recognition or fingerprints. Smartphone-based biometric sensors like TouchID and FaceID are the most universally available sensors these days, so no additional investment in hardware is needed.
Here’s an example of how it can work:
- A customer calls in.
- An agent clicks a button on his screen.
- The user gets a push notification on his smartphone.
- The user taps the notification to open the mobile app They present a fingerprint or FaceID for biometric match.
- The user is authenticated with the agent.
This technology is a part of a seamless omnichannel authentication experience, using one device to log in to a mobile app, web portal, phone and other accounts. And instead of simply needing a few key pieces of personal information about an individual, the hacker would need that individual’s facial identification data or fingerprint. It’s nearly impossible to falsify. But, as with many technologies, the implementation must be structured carefully to avoid another level of exposure to theft and fraud.
Beware of Remote Server Storage
Biometric authentication technologies that warehouse facial identifiers or fingerprints on centralized databases must be avoided. Such implementations create hacking targets that are potential goldmines for hackers since a single successful data-breach attempt can lead to compromise of biometric information of every single user on the system. The loss of these identifiers to hackers would be a huge problem for the victim—the victim can change his passwords, but he can’t change his fingerprint.
More recent technological changes have helped to solve this dilemma by marrying biometric authentication with a means of keeping that data safe. The inclusion of biometric sensors on nearly all smartphones and many other mobile devices makes it feasible to contain these biometric authenticators on the individual’s personal device at scale, allowing individuals and businesses to use it for ongoing verification.
Technologies that allow decentralized biometric authentication only on the user’s phone or other mobile devices provide greater security without sacrificing convenience. An individual’s personal data never leaves their phone. It is never transmitted over the air and it is never stored on a remote server. A business could simply initiate a biometric verification request, send it to the individual’s phone and conduct that verification without ever possessing the individual’s data.
For a hacker to get access to this information, they would first physically need to get access to the person’s device and then go through the laborious process of cracking Apple or Google security protocols just to steal a single user's credentials. This task is so difficult that it's not worth a hacker’s time.
It’s certain that hacking, whether through a phone call or with the most advanced technology, will never be eliminated. Biometric authentication – done right – could be the tool we need to close the current window of opportunity for hackers to exploit our weaknesses. But, nothing is a replacement for good judgment. If a phone call sounds phishy, hang up.