Data Compromise and Social Engineering

It is being heavily reported today that a data compromise at Talk Talk has led to direct fraud attempts against customers. Although the telecoms firm has reiterated that no sensitive payment details, i.e. bank accounts, were lost, it appears that fraudsters do have sufficient details to convince customers that they are genuine Talk Talk employees.

In a story reported in the Guardian, Mr Smith was defrauded by a sophisticated team who used their exact knowledge of his Talk Talk account details to persuade him that they were trying to protect his account from being hacked. To assist them he downloaded software to his computer. To make up for the inconvenience he was passed to another team who would pay him £250. They asked him to choose his bank's logo in the downloaded software, and to allow the refund to be made he was asked to read out the One Time Passcode (OTP) texted by his bank to his mobile.

Of course, that’s just not how it works, and you will be shocked to the core to find out that in fact Mr Smith had authorised a payment to the fraudsters of £2,800. He had seen that amount in the text, but in a moment of theatrical genius he had been persuaded that the refund was going through from India in rupees, and that it would be converted to pounds sterling once it landed in his bank account. I’m amazed that they did not offer to cover the foreign exchange commission as well.

It would be easy to have a pop at the customer, asking why he wasn’t suspicious during the call: why would he get an OTP to receive a payment? Rupees, really? Download software, honestly? But the fact is, once a fraudster has enough data to convince you that they are ringing from your service provider, they are free to try any explanation they like to get you to make a payment. This is textbook social engineering: you are put in a difficult situation which you might have heard of, but will have no experience of. Your service provider is telling you that your computer, or cash, or family are at risk and they can help you fix it. If you guess what’s going on they hang up, with a slim chance of being caught.

Although we can try to educate people about the risk of scams, whether online or over the phone, we can’t teach them that their service provider will never ring up to fix a security breach, because that is exactly what service providers and banks, to their credit, do all the time. What we need to do is to change the standard whereby knowledge of a customer’s personal and account details is the best way for firms to identify customers, and vice versa. If you have any ideas on how we can improve this, let us know on Twitter @ACFEUK or on our Facebook page:

Steve Hyndman

Member of the Board, ACFE UK Chapter