Interesting article by Brian Krebs (here) about a social engineering fraud which obviously exploits the “human as the weakest link”, but which also has some aspects of “using security to defeat security”.
In very few words, the scammer calls the victim by phone and asks the victim to prove to be the rightful owner of her/his bank account by providing the username and a code that she/he will receive as a second-factor authentication code. What the scammer is actually doing with the username and the 2FA code is resetting the password of the victim’s bank account and then transferring money out of it.
What goes wrong here is, first, that the victim should identify the caller, not vice versa, and, second, that the victim should never divulge a 2FA code to another person. Thus, by abusing the human weakest link and a “secure” password reset process, the scammer manages to perform the fraud.
On the technical side, one should be very careful when evaluating the security risks associated with a self-service password reset process, including social engineering attacks like this one.
From the APWG press release: “The Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than at any other time in history” (here is the full report).
This is hardly surprising, but it puts numbers on the latest news about online frauds, such as “CEO Fraud” and “Business Email Compromise” (e.g. see this FBI announcement).
The take-over of the RSA Conference website (see Krebs here for a nice summary) reminds us (as if it were needed) that the weakest link is not technology (and even less cryptography as such), but us, humans. Two points should be stressed:
- if systems are too complex (as in this case, the relations between content providers of online information), we are not up to the task of managing their complexity and we fail to adopt the needed security measures;
- technology and technical security are best and most easily circumvented by exploiting the human factor: why deploy expensive and technologically complex malware when you can send a well-formed email asking employees to provide their usernames and passwords for access even to mission-critical systems? Much easier, faster, less expensive, and you are sure to get an obliging answer!
The DNS provider Web.com has been subject to a social engineering attack which allowed a pro-Palestine hacking gang to successfully reset the passwords of a few important customers and use the new passwords to change the resolution of their domain names to other sites. See for example here for a description of the attack.
Again and again, as of today the technical side does not look to be the weak side of ICT security. In particular, cryptography is sound and reliable, and many technical ICT security products deliver what they promise.
On the other side, username + password show once again how inappropriate they are for supporting our current security needs. But what can we use instead?
The general problem lies mostly in our ability to make a system “secure” by combining logical, physical and procedural measures to give 360-degree protection. Indeed, the security level of a system is that of its weakest point, which for most systems means that they are really insecure.