May 2019 Security Newsletter
Welcome to a new month, same problems. Last month, it became public knowledge that the city of Chicago had paid over $1,000,000 to a currently unnamed person or persons. How? The city was tricked by a phishing email that asked them to change the account of one of their approved vendors over to a new bank. Which leads me to this month's topic, and it's one that we've introduced but never tackled head-on.
You Are The Weakest Link In Your Internet Security
I'm not picking on anyone in particular; this is true of all individuals. Humans are social by nature, and part of a functional society is an inherent level of trust that is hard to overcome. For most people, our first impulse when given information is to assume that the information is correct, as long as it doesn't directly conflict with what we know about the world. Knowing this, malicious people take advantage of us by presenting what seems to be a plausible scenario where we would share information we wouldn't otherwise.
This can take all kinds of forms: phishing websites or emails that ask us to fill out a form and change a piece of account information; ads that tell us our computer is infected with malware or is running too slowly; phone calls that tell us we have job offers and just need to confirm some information before they can give them to us; USB drives containing malware left in the open for us to find.
This kind of hacking is less about hacking computers and more about hacking people, and it makes for some of the most effective attacks.
And there's only one real defense against it: a healthy level of suspicion. That's a hard balance to find, because more and more, healthy suspicion looks like paranoia from a few years ago. And more and more, there aren't any concrete rules you can live your life by because these kinds of attacks are getting more common, more convincing, and more clever.
Don't believe me? Just watch how quickly this reporter from Real Future has his mobile phone account completely taken over by a stranger.
There are some things you can do, but even these can't always protect you.
1. Never take anything at face value, especially from sources you don't immediately recognize.
We've talked about this before, but if you receive a call about something that you did not directly request, ask for a case or ticket number, find the main phone number for the business (find it yourself, don't ask the person to give it to you), call the number and verify with the business that they have a case or a ticket for you with that number. If you end up talking to the same representative, push for concrete details and verify their identity with things you know for certain.
Stay calm about the situation, and keep control of the conversation. Be suspicious if the representative you are talking to gets frustrated with your desire to verify the information they are telling you. While it's true that everyone has bad days, most people who are trying to take advantage of you are looking for easy money; if you push them through a few hoops first, they will get frustrated.
2. Pay attention to how they want to be paid.
If anyone asks you to pay via gift cards, they are trying to launder the payment so that your bank can't return the money if fraud is discovered. If you are paying for a service, paying with a card, a check, or a major payment service like PayPal or Square gives you at least some fraud protection. Gift cards only protect the person receiving the payment.
If a business uses a payment service you are unfamiliar with, ask if they will accept a method you know. If they won't, consider doing some research into that service before you use it. Go to the service's website, see which websites they claim use the service, and see whether you can verify that.
And most importantly, we live in an age of heavy competition in most business areas, so if you are uncomfortable paying a company, look into competitors. Sometimes a little extra peace of mind is worth a price increase.
3. Remember that convenience is a service, and all services have a cost.
This one is a little harder to identify, but try to remember that things that are easy and trustworthy cost money. You can find services that cost less, but you'll be sacrificing either convenience or trustworthiness. Even free services fall into this. Facebook is convenient, but Facebook is not trustworthy. If you don't agree with me, that's fine, but I'm sure that everyone has seen exactly how much the social media network has been in the news lately for behavior it has been exhibiting for years.
Always, always ask yourself: is this a fair price for what I'm supposed to be getting? Is it a fair price for the amount of effort I need to put in? Many service scams will attempt to give you what seems like a reasonable price to fix the problems they've just told you about, but isn't it convenient that the same person who told you about the problem is now offering you the solution? This isn't to say that never happens legitimately. I know for a fact that our salesmen frequently do site audits before approaching a potential new client so that we can give concrete information about how we can help. But it does mean that you don't have to take their word for it. Verify the existence of a problem before paying to solve it, and do everyone involved a favor and verify it with someone who doesn't have a vested interest in there being or not being a problem.
4. Remember that these techniques work because, for the most part, people don't take advantage of each other.
This, this is the hardest one. Most people aren't out to take advantage of you. Most people present you with the information they have without any hidden motivations. Salesmen want to sell to you. Your insurance company wants you to pay your premiums. But they have no real reason to knowingly lie to you for either of those things to happen.
But that is exactly why social engineering is so effective: you have to start suspecting everything and everyone, and even then you have to plan on eventually being caught out and taken advantage of.
What's hard is that you have to find a way to maintain that healthy suspicion without throwing the baby out with the bathwater. You have to treat even the situations you are suspicious of politely, and try to avoid getting angry at those who don't deserve it.
Hopefully, we'll get a handle on these problems as society goes on, but since these social engineering tricks existed long before computing did, maybe we won't. If nothing else, remember that people are the most vulnerable part of any system, and you should have plans for when any one of those people gets compromised, yourself included. We already consult with a number of our clients on suspicious emails and services, and have seen tangible results from our efforts. If navigating all of this is too much for you, why not reach out? Talk to one of our consultants and see if you can put us to work for you.