Pub. 5 2016 Issue 1

The CommunityBanker

21st Century Heist
By Barry Thompson, Thompson Consulting Group, LLC

“Social engineering” is a technique employed by penetration companies, consultants, and criminals to compromise financial institutions. You might recall Frank Abagnale, whose story was made into the movie Catch Me If You Can. He was nothing more than a social engineer of the 1960s. Abagnale eventually got caught, but the best social engineers today don’t.

Social engineering enables criminals to compromise victims without their knowledge, yet with their help. We used to call this “confidence games”, but confidence games are conducted a bit differently in the twenty-first century. For example, there are two ways to break into a computer system: by breaking through firewalls, virus protection, or physically compromising the computer system; or by just asking people to give you their passwords, which is much easier. The amazing thing is, people are all too willing to do the latter if you give them a reason to trust you.

One type of attack using this technique, that has been particularly successful recently, is a scenario in which a caller tells the person at the other end of the line that they’re a Microsoft technician and that the computer owner’s system has sent a notice to Microsoft indicating that their PC has been compromised. If the computer owner believes the caller, he/she will hand over access to the PC, right down to the required passwords.

Another example, one that targets entire financial institutions, depends on the social engineer knowing two things: when an institution has more than five branches or locations, it’s rare for all staff members to know each other personally; and that every bank has its own slang when it comes to discussing the general ledger, loan department or operational procedures.

Imagine, for the purposes of this example, that a social engineer has discovered the crucial piece of information that a bank refers to its general ledger as the “yellow book” -- because before the ledger was converted to an automated system, reports were actually kept in a yellow book. The social engineer then uses this information to make telephone calls to departments within the bank and is able to talk to staff using its own vernacular. The goal? To discover the procedure the bank employs to make wire transfers. But whom to call first? Typically, a branch or the call center. Here’s how the call would go:

XYZ Bank: “How may I direct your call?”

Social engineer: “I need to talk to someone about making a wire transfer.”

While the social engineer is waiting to be connected, he listens carefully to the on-hold advertising announcement that describes the services the bank offers -- the first and easiest step to discovering more information about a bank.

XYZ: “This is Karen. How may I help you?”

SE: “Karen, I may have to wire money to my son at college. How do I do this?”

XYZ: “The money will need to be in collected funds in your savings account so we can wire it to his bank. You’ll need to have the bank’s routing number and your son’s account number. Before we can wire the funds, you need to sign our wire transfer agreement in person at one of our locations.”

SE: “Can I do that online?”

XYZ: “I’m sorry, but because of our security procedures, you’ll need to come in to the branch to sign the agreement.”

SE: “OK. Will I need to do anything else?”

XYZ: “The bank will call you at the time of the transfer to verify your intent to send the wire.”

Our social engineer knows that he needs to find a way around the agreement obstacle. Of course, he wants to avoid entering the bank for any reason. In fact, he may even be on another continent; so he needs some more information before deciding how he’ll conduct the attack and he’ll get it by talking to someone who knows how the wire transfer department works from the inside.

After downloading the Annual Report from the bank’s website, he discovers that someone named Maria is the officer in charge of wire transfers. He picks up his smart phone to make the call. The goal now is to make the call look like it’s coming from a bank employee. Using an application like “spoof call,” an app for smart
