Recent reports indicate a rise in text message phishing. Phishing, for those not in the know, means sending messages that claim to be from banks or other financial institutions and which use fear and urgency (”Your account will be closed immediately unless you respond”) to try to trick victims into giving up their sensitive information. Cell phone text messaging had already become an avenue for spam messages, which are annoying but not particularly dangerous from an identity theft perspective. Now, the combination of spam texts and illegal intent has led to a rise in text messages that try to provoke a response. The response that the phishers want contains your Social Security number, bank account number or other private information. It’s the same old thieves wearing a newer, cooler costume.

The most recent major text-message phishing scam was reported nationwide just a few weeks ago. In this particular effort, phishers sent untold numbers of bogus text messages, claiming to represent U.S. Bank. The messages said, “Dear US Bank member, your account with us is closed due to unusual activity, call us at [number withheld].” The recipients represented customers of various cell phone providers and were not necessarily U.S. Bank customers. Like many email phishing schemes, this one had a broad scope in the hopes of getting a few victims to nibble at the bait. It’s difficult to know how many people fell for the scam, but the three return phone numbers that were known to be used in the phishing texts have been shut down by the state.

Banks, meanwhile, must now work to make sure that customers who benefit from their mobile banking services aren’t burned by the same technology. U.S. Bank issued a statement shortly after the phishing attempts were reported, reminding account holders that U.S. Bank does not request sensitive information via email, phone call or text message. CIBC, the Canadian Imperial Bank of Commerce, is one of many financial institutions providing additional information online about phishing, including ways to check for an email’s legitimacy and ways to report fraudulent communications. Most banking websites include safety and security information for consumers, even if consumers don’t always read or heed the warnings.

The advice, of course, has been heard before: treat suspicious texts the same way you treat suspicious emails. Don’t reply, don’t call any phone numbers listed, and don’t go to any websites suggested in the message. If you do receive a message claiming to be from your bank, call your local bank office or a trusted customer service representative (using a number you already know to be valid) to investigate the issue. Remember, no bank is immune to being used as text-phishing bait (Oregon-based Bank of the Cascades was used as a phishing front several months ago, for example, so scammers aren’t limiting their phishing efforts to national banks), and no cell-phone-toting consumer is immune from the potential attack.

If you still have doubts about mobile banking, you can elect to discontinue it entirely. As IdentityTheft.com noted, mobile banking has many pros (including ease of use, free updates and no account numbers sent in text messages), but it also has many cons (including potential lack of encryption, lack of security and lack of anti-virus software in some phones). The site notes that the technology is still fairly new and untested and suggests asking both the bank and the cell phone provider about the security of the systems used before signing on for mobile banking, just in case. When in doubt, consumers can just skip the mobile updates and do their banking the old-fashioned way (well, as old-fashioned as “online” can be). That way, ANY text messages that claim to represent the bank can be known as fraudulent the minute they arrive on one’s phone.

Sources for this article: Minneapolis Star Tribune, CIBC, IdentityTheft.com, ConsumerAffairs.com

Mitnick described how easily a hacker might call a company, ask for some seemingly-harmless information, and use it to get more sensitive information out of the company’s computers. He spoke about how smooth-talking tactics from someone who claims to be part of the company are sometimes all that’s needed to get to the important data, and that the criminals play on the fact that we as humans have an inherent desire to help others, even when we don’t know them personally. Mitnick painted a picture of a hacker (he used to be one of the best) who could simply use the staff directory information posted on a company’s website to call the right people, say the right things, and hang up with the keys to the kingdom. He made it sound both simple and widespread. The presentation left me and my fellow listeners a little stunned, and more than a little paranoid.

The main issue at the heart of social engineering tactics, Mitnick said, is that we as humans are trusting, helpful people. We don’t really believe someone could steal our identities until it actually happens to us. We don’t think to question it when “Bob from Accounting” calls for some simple information, even if we’ve never met Bob personally. And the helpfulness and trust don’t stop at work; Mitnick mentioned how nine out of ten people in London were willing to tell a stranger their password in exchange for a cheap pen, and how others will happily disclose their pet’s name or the school they attended, forgetting that those questions are the same ones used to verify accounts online (Privacy Council posted an article about protecting those security questions in September).  Psychological manipulation, he noted, is easier than breaking into a computer system.

Phishing is one form of social engineering attack, since it tries to trick the victim into clicking a link in an email and giving away sensitive information. Phishing works because it often attempts to use fear and urgency as motivators, sometimes by saying “your account will be closed if you don’t click immediately.” More recent phishing attacks contain a phone number for victims to call to “verify” their information, but instead of calling the bank or other organization, the victim is calling the hacker. This combination of deception and manipulation can lead to disaster for those who trust it.

Mitnick did touch on some newer technology threats in his talk; for example, USB drives left lying around can contain malware that lets a hacker see and manipulate the computer desktop of whoever plugs the drive in. He also rehashed old-school hacking techniques, such as Dumpster diving (it’s amazing in this day and age that many companies still don’t shred sensitive documents before putting them in the trash). He handed out business cards that double as lockpick sets, and he played with Caller ID spoofing technology that allows a caller to fabricate the number on a victim’s Caller ID. He told tales of past hacks, both his own and those of other notorious hackers, and he engaged and entertained the crowd for nearly two hours. But everything he said and did served to bring home an important lesson: To have an adequate security system, companies and individuals have to have not just technology, but also people and processes that are prepared to handle all kinds of high- and low-tech attacks.

So how can you protect yourself and your company against social engineering? Don’t share your information unless you REALLY know who’s asking for it, and train your staff to do the same. Test your staff by calling and pretending to be someone else who needs data, and see how they respond. Also, don’t ever write down passwords and put them on Post-It notes on your computer screen or under the keyboard. Shred everything that contains information about you or your company, from credit card offers to company directories. Adopt a “less is more” approach to information-sharing. Don’t use your mother’s maiden name, Social Security number, or birthdate as the security answers on any sensitive accounts (SS numbers, birthdates, addresses and even mother’s maiden names are part of the public record in many states and can be accessed for a fee). Play your cards close to your chest, and you have a chance of protecting what’s yours.

There’s no way to avoid EVERY attack, and a talented hacker might still use a combination of technology and manipulation to gain information. But you can still try to be ready for the worst; if anything, think like a hacker, and don’t share your information unless you’re sure!

For more information about Kevin Mitnick’s services and books, visit Mitnick Security.

Part of the appeal of this conference (and its follow-up, the hacker conference DEFCON) is that the people who make a living protecting computers from malicious assault can indulge their less-than-heroic urges. In an effort to point out potential weaknesses in the current software and systems in use, the pros unveil their own codes and tricks that circumvent security and leave sensitive data vulnerable to attack.  Of course, the focus is on improved security to foil these attacks, but the real fun is in playing the bad guy (the “black hat”). This is why Black Hat declares itself positioned at the “intersection of network security and hacker ingenuity.”

Despite the creative efforts of security experts, one truth that routinely emerges from these conferences is that, no matter how good the mousetrap, someone will build a better mouse. This year’s Black Hat briefings indicate that the flaws and problems with our current systems are growing almost faster than security professionals can adapt to fix them. For example, web-based software (software that runs in a browser) has inherent weaknesses that are difficult to anticipate and correct, especially at the speed at which applications are being developed. 

Meanwhile, identity theft cases worth billions of dollars continue to come to light, usually with little response from those in the business. When the news broke during the conference that 11 people had been indicted for stealing 41 million credit and debit card numbers from a variety of retail systems (making it the largest hacking and identity theft case in history), the general consensus was not one of shock. Gathered professionals agreed that such crime will continue to persist, largely because it has been so successful and profitable for hackers. As one cyber crime expert for the Department of Defense told an AP reporter, “These guys were just persistent and lucky. And they got caught.” 

The reality is enough to make the average web merchant a little bit paranoid. Are our Internet security measures nothing more than Swiss cheese bricks just waiting for a clever hacker to slip through? Not necessarily. And the other important factor to keep in mind is that, as the need for security increases, the need to preserve privacy must also be considered. The Electronic Frontier Foundation (EFF) chose the Black Hat conference as the place to announce their new Coders’ Rights Project, which is an initiative designed to protect programmers and developers from legal threats that could interfere with their research. Above-board programmers shouldn’t have to worry that their latest, greatest development will lead to a lawsuit down the road; such a worry would have a serious chilling effect on technological advancement.

In the end, a persistent plea at Black Hat was one of collaboration. Working together, some claim, is the best way to thwart the hackers and protect our information. Rod Beckstrom, Director of the National Cyber Security Center in the U.S. Department of Homeland Security, gave a keynote address at Black Hat that walked participants back through history and drew parallels between historic events and the current situation with Internet security. While some of his analogies were elaborate, his message was simple: together, the developers and security professionals are more powerful than on their own. Whether that message will resonate remains to be seen. In the meantime, the best thing the average user or web merchant can do is be cognizant of what COULD happen, and vigilant in watching out for it.

Above all, resist the urge to turn to the “other side”… There may be lots of money to be had in stealing identities, but as Black Hat attendees prove, the efforts to reinforce the mousetrap are tireless and, in many cases, effective. There may never be complete and total security, but hackers don’t stand much of a chance when the guys working against them wear the black hat themselves on occasion.  

Sources for this article: NetworkWorld, Black Hat, PC World, Yahoo! News, InformationWeek

The scam artist sends an email that appears to be from a bank, online auction site, or other online merchant. The email says that the recipient’s account information has been compromised (or needs to be confirmed or verified), and that the recipient must click a link and enter all of his or her account information to update the records. The email might suggest that an account will be disabled or frozen if the recipient doesn’t respond. The email appears to be legitimate and official (complete with artwork and logos from the company’s actual site), and if the recipient clicks the link, the account information page appears to be legit, as well. The well-known logos or brands lend credibility to the email. The problem is, the page is a fake, and any information entered into the system becomes a way for someone to steal the recipient’s identity.

Phishing scams have been around long enough for many people to recognize them when they show up in an email inbox. The scammers are becoming increasingly sophisticated, though, and as new users (many of whom are elderly or unfamiliar with the pitfalls of the web) sign up for internet service, the potential continues for the scams to work on at least a few hapless individuals. It is important to know what to look for in scam emails and how to protect oneself from phishing attempts. 

Microsoft offers some examples of phrases that suggest an email is fraudulent:

“Verify your account.” – Banks and businesses don’t ask for this information by email.

“If you don’t respond within 48 hours, your account wil be closed.” – This statement sounds urgent, which makes people click on it without questioning it.

“Dear Valued Customer” – The lack of a name means the email was sent in bulk, not specifically to the recipient.

“Click the link below to access your account” – Links don’t always lead where they appear to lead. Consider the link that looks like this: Click here to visit Wells Fargo but actually leads elsewhere (if you click this link, it leads to Google, not Wells Fargo). This is called “masking” the link. Resting (but not clicking) the cursor over the link will show where the link ACTUALLY goes. Sometimes, the scammers will use URLs that look similar to the real thing, but are just a tiny bit off. For example, a link that claims to go to bankofamerica.com might actually go to “bankoffamerica.com” or “account-bankofamerica.com,” neither of which is an authentic banking site.

The criminals conducting phishing scams are prolific; the antiphishing.org website notes that in January 2008, 29,284 unique phishing reports were made, with 131 brands hijacked by phishing scams in that month alone. You might receive the next phishing scam in your inbox, or your brand may be the next one hijacked. 

The Federal Trade Commission (FTC) recommends these steps to protect yourself from a phishing scam:

1. Do not reply to emails that ask for personal or financial information. Legit companies will never ask for this information via email. Don’t click on links in these emails, either. Call a genuine customer service number if you are concerned about your account.

2. Don’t call numbers that are in these questionable emails, since area codes can be misleading, and the helpful service rep you reach might be a scammer. Call the number on the back of your financial statement instead.

3. Use anti-virus and anti-spyware software and a firewall, and keep them updated.

4. Don’t send personal or financial information via email, even if you’re sending it somewhere legitimate. Email is not a secure method of sending information, and emails can be intercepted by criminals.

5. Review your credit card and bank statements as soon as you receive them. Check for any unauthorized charges.

6. Be careful about opening email attachments or downloading files from emails, and NEVER open attachments from a sender you don’t recognize.

7. Forward phishing emails to spam@uce.gov and report the scam to the company being impersonated, if possible (some companies have a means to report scams on their websites).

8. Check your credit report periodically to see if anyone is opening new lines of credit in your name.

Please be sure to share these tips with any friends or family members who may fall victim to phishing, especially anyone who is new to email. If you think you’ve been scammed, the FTC recommends filing a complaint at ftc.gov, then visiting their identity theft website at www.consumer.gov/idtheft.

If you have a business and you are concerned that your pages and logos could be “spoofed” in a phishing scam, be prepared. Create a page on your site where customers can report phishing scams that involve your company, and pass along any reports you receive to the FTC. Request details from customers such as copies of the text from the phishing email and links to the spoof sites. Be understanding and supportive when speaking with customers who have fallen victim to this scam, as they will probably be extremely frustrated and angry. Maintain the highest possible level of security with your own website so that the sensitive data you hold will remain safe and customers will be confident in that safety.

Sources: www.ftc.gov, www.antiphishing.org, www.microsoft.com