Showing posts with label socialengineering. Show all posts

2019-09-25

Scams: Two Close Calls

Over on Twitter, Eric Mill tweeted:

My stories are a bit too long for Twitter, but let's unpack two scams that were pretty well done which I fell for -- at least partially -- recently. We'll also highlight some early telltale signs that something was wrong, which I embarrassingly either missed or shrugged off at first, so that perhaps you'll be able to spot these scams better.

Feel free to share your own "scammed" stories in the aforementioned Twitter thread, or here in the comments.

My bank's doppelganger phone number 

My debit card had been getting flaky in chip readers recently. In fact, the plastic around the embedded chip contacts was breaking. It was time for a new card. I turned the card over to find the customer service number, which was a bit difficult to read because it was inexplicably printed directly under the embossed credit card number. The conversation went like this:

Agent: Thank you for calling [my bank's name] Card Services, this is [name]. Who am I speaking with today?
Me: ... my real name ...
Agent: Good morning, [name]! How can we help you today?
Me: My card's pretty worn out and isn't working consistently. I need a replacement, please.
Agent: We can get your new card sent out right away! What's your card number?
Me: ... reads the card number ...
Agent: And the expiration date?
Me: ... reads the expiration date after a short pause ...
Agent: And for security purposes, the 3-digit CVV code.

I suspected something was fishy when the agent requested my expiration date, but a few things were going on in my head. *I* called them, not the other way around. Also, the agent was professional and friendly, and even answered the phone with my bank's name. But when I got asked for the CVV code, that's when I knew something was completely wrong. I took a very close look at the back of my card, and compared it to the phone number I was calling. One of the hardest-to-read digits of the phone number on the back of my card was an 8, instead of the 0 that I dialed. 

Having disclosed my first and last name, Primary Account Number and expiration date, I called my bank's real number and had my card disabled and ordered a replacement. My real bank didn't even need my whole card number to look my account up when I contacted them. That was the first red flag, and I had completely missed it.

The mobile phone carrier "Fraud Department"

I got a call unusually early on a Saturday morning from my mobile carrier's customer service number (It was in my contacts and it was the right number). The person on the line was from the fraud department, and explained that they'd seen unusual activity on my account. Someone had changed the address on my account and then mail-ordered a new iPhone X for a little over $1000. She explained that any time an address is changed right before a purchase, their system flags the transaction for review.

This sounds quite rational to me. But who had access to my account? My wife's caregiver had recently quit and moved out, and she had a phone on our account. When she quit, we made her leave the phone behind. Perhaps she was up to no good? I was confused and furious; I felt violated. I explained that our old roommate may be behind it.

"Do you recognize this address?" the agent asks, before rattling off some random address in The Bronx. There's no way our old roommate was in The Bronx. Her family is all in Texas and Oklahoma. I thought it was very strange that a fraud department representative would disclose this information to me. That was the first red flag. I chose to ignore it.

"Sir, we'll take care of this," she explains. "We never processed the transaction, because it was flagged for review. Let's get your account secured! I just sent you a one-time code to verify you're in possession of the phone tied to your account. Can you read it to me?" There's red flag #2. I was still far too flummoxed to see it.

I get an SMS message from my wireless carrier. In a rush, I don't even read the whole message. I rattle off the 8-digit number. But then something catches my eye as I bring the phone back up to my head. Right at the beginning of the text message, there's a big disclaimer along the lines of "For the security of your account, we will never contact you for this code."

Now the plot thickens, but I'm a bit sharpened up. I begin to suspect this is an elaborate ruse, and it worked pretty well.

"I am not comfortable with this call," I say, grabbing my laptop and trying to log in to my account. The password has already been changed, in under a minute. Even the temporary code I'd just been texted isn't working. "Is there a direct number I can call you back at?"

"I'm securing your account, sir. I assure you, I'm from the fraud department. We do this all the time. I understand you're angry. We're almost finished with the password reset," she says, quite professionally. Meanwhile, I'm issuing my own password reset through my carrier's website. I get the exact same text message this agent had "sent" me, with a different one-time code, obviously.

I tell her that something has come up and I'll have to call her back in a few minutes. I ask for her name again. "Jessica," she says.

"May I please have your direct phone number so I can call you back in a bit, Jessica?"

"Sure thing! Just call me back at the customer service number I'm calling from. I'm at extension 105."

I hang up, and finish resetting my password.

I call back while scrolling through my account to make sure nothing's been purchased or changed. I get my carrier's customer service, as expected. There is no way to dial an extension. I get a real human on the phone, and ask to be transferred to extension 105. There is no extension 105. There *IS* a fraud department, but they do not call subscribers directly. Customer service pulls up my account's history. They keep a record of every agent who's looked at my account. No one had opened my account since we added a line to the account for our recently-departed caregiver.

Attackers can easily spoof a call to make it look like it came from any phone number. Armed with only my carrier's customer service phone number, and a list of phone numbers assigned to my carrier, they can trawl through the list and perpetrate this scam over and over. Having a young woman with a southern twang make the calls, with obvious call-center background noise was icing on the cake.

2009-02-02

Rubber-hose cryptanalysis and how to not get a wrench to the head

From xkcd this morning:

In the security industry, we call this "rubber-hose cryptanalysis" -- a euphemism coined by Marcus Ranum for getting the target to give you access to the encrypted data via coercion. The name implies physical torture, but psychological coercion (threatening physical harm, litigation, etc.) is pretty much the same thing. I personally consider this a variety of Social Engineering since it relies on manipulating your mark rather than using technology to directly attack the assets.

When attacking many modern cryptosystems, a technological attack is often going to take a lot longer than simply bludgeoning it out of someone. Some technological attacks that don't directly involve breaking the crypto through brute force can sometimes get at decrypted data:

  • Dumping the contents of the target's RAM and swap file (can contain the crypto key, unencrypted data, evidence of encrypted data or metadata about the encrypted files)
  • Operating system "recently used" history (can store history data and reveal the structure of the encrypted volume)

When legally possible, you should never, ever relinquish your encrypted data. When faced with torture and/or the loss of your freedom, you still have a friend in your corner: deniable encryption.

Simply put, deniable encryption most often refers to encrypted data which can resolve to both the genuine data and decoy data, depending on the key used to decrypt the data. The decoy data should appear to be "secret" in nature, and it's best if the decoy data appears to be the same kind of data that you're really trying to protect. If you encrypted a bunch of proprietary documentation, your attacker may know what they're looking for. You'd be best to make the decoy data look like proprietary documentation while remaining innocuous, perhaps loaded with misleading facts. Using a video of Rick Astley's Never Gonna Give You Up might tip the attacker off that they need to keep looking (and torturing you) for the real goods.

While not the only tool available, one commodity piece of free, cross-platform software that handles this task quite nicely is TrueCrypt. It handles full-disk encryption, deniable encryption (which is called a "hidden volume" in TrueCrypt), and can even boot an operating system from a hidden volume. That's right, TrueCrypt can boot an entirely different operating environment based on which pre-boot passphrase you enter.
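To make the "one container, two keys" idea concrete, here is a toy hidden-volume container added as an example. It is not code from this post and it is not TrueCrypt's on-disk format; the keystream is a SHA-256 counter construction standing in for a real cipher, and every name in it (create_container, open_container, the 64-byte header layout, the region labels) is invented for the illustration. The container is filled with random bytes first, the decoy volume is written at the front under one key, and the real data is written at the back under a second key, inside what the decoy volume sees as unused space. Because ciphertext and random filler are indistinguishable, the same blob resolves to different contents depending on which key is supplied, and a wrong key resolves to nothing.

```python
import hashlib
import hmac
import os
import struct

# Toy layout (assumed for this example, not TrueCrypt's real format):
#   [0 : HEADER_SIZE]            outer header, sealed under the decoy key
#   [HEADER_SIZE : ...]          decoy data, then random filler
#   [... : CONTAINER_SIZE-64]    hidden data, sitting inside the "free" space
#   [CONTAINER_SIZE-64 : end]    hidden header, sealed under the real key
CONTAINER_SIZE = 4096
HEADER_SIZE = 64  # 32-byte tag + 8-byte offset + 8-byte length + 16-byte pad


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; a stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + label + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def _seal_header(key: bytes, offset: int, length: int) -> bytes:
    """Encrypt (offset, length) plus an HMAC tag so the right key can recognise itself."""
    body = struct.pack(">QQ", offset, length)
    tag = hmac.new(key, b"hdr" + body, hashlib.sha256).digest()
    plain = tag + body + bytes(HEADER_SIZE - len(tag) - len(body))
    return _xor(plain, _keystream(key, b"hdr", HEADER_SIZE))


def _open_header(key: bytes, blob: bytes):
    """Return (offset, length) if this key decrypts the header, else None."""
    plain = _xor(blob, _keystream(key, b"hdr", HEADER_SIZE))
    tag, body = plain[:32], plain[32:48]
    expected = hmac.new(key, b"hdr" + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">QQ", body)


def create_container(decoy_key: bytes, decoy_data: bytes,
                     real_key: bytes, real_data: bytes) -> bytes:
    """Build one blob that opens to decoy_data or real_data depending on the key."""
    if 2 * HEADER_SIZE + len(decoy_data) + len(real_data) > CONTAINER_SIZE:
        raise ValueError("data does not fit in the container")
    buf = bytearray(os.urandom(CONTAINER_SIZE))  # random filler everywhere

    # Outer (decoy) volume at the front of the container.
    buf[:HEADER_SIZE] = _seal_header(decoy_key, HEADER_SIZE, len(decoy_data))
    buf[HEADER_SIZE:HEADER_SIZE + len(decoy_data)] = _xor(
        decoy_data, _keystream(decoy_key, b"data", len(decoy_data)))

    # Hidden volume at the back, inside what the outer volume sees as free space.
    hdr_off = CONTAINER_SIZE - HEADER_SIZE
    data_off = hdr_off - len(real_data)
    buf[hdr_off:] = _seal_header(real_key, data_off, len(real_data))
    buf[data_off:hdr_off] = _xor(
        real_data, _keystream(real_key, b"data", len(real_data)))
    return bytes(buf)


def open_container(key: bytes, container: bytes):
    """Return whichever volume this key unlocks, or None if it unlocks neither."""
    for hdr_off in (0, CONTAINER_SIZE - HEADER_SIZE):
        parsed = _open_header(key, container[hdr_off:hdr_off + HEADER_SIZE])
        if parsed is not None:
            offset, length = parsed
            return _xor(container[offset:offset + length],
                        _keystream(key, b"data", length))
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    blob = create_container(b"decoy-pass", b"Q3 marketing plan (boring)",
                            b"real-pass", b"the actual trade secrets")
    print(open_container(b"decoy-pass", blob))
    print(open_container(b"real-pass", blob))
    print(open_container(b"wrong-pass", blob))
```

Handing over the decoy key yields a plausible-looking volume and no evidence that anything else is there. Note the weakness the toy shares with the real thing: the outer volume does not know the hidden region exists, so writing into the outer volume's "free space" can destroy the hidden data, which is why a real tool needs a way to protect the hidden region while the outer volume is mounted.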

I'll save the merits and woes of full-disk encryption for another day.

2008-10-28

The Geek 100 Pt. 1: Possessions and Lifestyle Skills

See the whole series: The Geek 100

This is a list of 100 basic things and skills every geek should have. I've broken this series up into five parts. Let's face it: a list of 100 things would be tedious to wade through. Over the rest of the week, look for twenty more skills to show up daily. I've listed possessions first. The rest of the series focuses on skills and knowledge. The skills assume you have done it in the past and can remember how to do it right now (or, like a good Geek, you've jotted it down in one of your notebooks). Having it in your personal notebook is okay. Scrambling to the Internet means you don't have the skill. Yet...

This is just a fun, arbitrary list I came up with mostly on my own but with some help just in case I was missing any skills I didn't even know I was missing. I'll give credit where due. Don't think I just took 100 things about myself and built up a geek paradigm from it. Most likely, you won't have all of these. I know I don't. The lucky ones will have a good chunk of these covered, though.

Possessions. Every geek should have:

  1. A citizen-band radio
  2. A computer that's incapable of running MS-DOS 6.0 natively
  3. A graphing calculator
  4. A notebook of tricks, tips, and things you don't want to forget how to do
  5. A weapon that fires (relatively) harmless foam projectiles
  6. An HTTP proxy
  7. Action figures
  8. An acoustic coupler, TDD, or acoustic modem
  9. An obsolete video game console
  10. Off-site backup storage

Lifestyle Skills. Every geek should be able to:

  1. Convincingly perform a magic trick or card trick
  2. Brew French-pressed coffee
  3. Play a musical instrument
  4. Point out discrepancies in movies that feature "hacking"
  5. Recite a significant number of lines from at least one Anime movie
  6. Scam free drinks from noobs at the bar (or at the lemonade stand if you're <21)
  7. Social engineer your way out of trouble
  8. Speak a foreign language
  9. Start a large, powerful bonfire
  10. Use wordplay

See the whole series: The Geek 100

2008-09-27

Social Engineering: Avoiding Storefront Solicitors

Social Engineering isn't always used for malice. In its purest form, "Social Engineering" is simply taking advantage of predictable social behavior and habits. More advanced social engineering exploits revolve around the human tendency to trust and help others whose plight sounds remotely convincing. Millions of people use some form of social engineering without knowing it. While that doesn't make them good social engineers, it does mean that pretty much anyone can do it.

A simple example is avoiding solicitors who position themselves between you and somewhere you wish to go. This can be people pushing samples on you at the grocery store, people trying to sell merchandise as you leave from concerts, and even charity fundraisers operating in front of businesses.

Your objective is simple: Get in. Get what you need. Get out. If you see someone waiting to pounce on you with a survey, goods for sale, or something else you really don't have the time for, just whip out your cell phone and act like you're having a conversation. It won't stop you from looking like a self-important jerk, but it will save you and your would-be solicitor a few seconds of your lives. Okay, the solicitor's not going to be saved any time, really, but maybe they'll find someone else to talk to who would be more responsive anyways.

Obviously, this works because in most advanced civilizations, we've been trained not to interrupt someone who is talking on their phone. In taking advantage of this habit, you can get in and out quickly (remember to whip out the phone again as you exit!) without the hassle of solicitors.

Having said that, there are some great charity organizations I believe in who position themselves in front of stores. There are also a lot of scumbag scalpers and shrewd salespeople who force their wares on you at social events. Pick your social engineering adventures wisely.

2008-08-15

You can't stop a social engineer

In Kansas City, we have two separate bus systems. One is a pretty well-designed intra-urban system on the Missouri side of the metro area managed by the Kansas City Area Transit Authority. The other is an anemic, under-funded system designed almost exclusively for the Nine-To-Five commuters from Johnson County, KS. I live in Johnson County, KS and thus have purchased a monthly bus pass for this bus system.

The benefits are that I can, if I must, use the Johnson County bus to get to downtown KC, MO and get a transfer from that Johnson County bus if my final destination is elsewhere in KCATA's system that my bus doesn't reach.

Last night, heading to the Cowtown Computer Congress, I decided to take a KCATA bus. Normally, the fare would be $1.25. I decided to ask one of the JC Bus drivers for a transfer. This worked once before. Hypothetically speaking, yesterday's events may have worked out like this:

Me: "Excuse me, could I get a favor? I really have to catch a Metro bus and I'm short on cash. I have this bus pass, though. Could you please print out a transfer for me?"

Bus Driver: "No?! You can't just walk up to the bus and get a transfer! You have to ride the bus."

Me: "Oh. I didn't know. (Feigning innocence and stupidity) How far south do you go before you leave Kansas City?"

Bus Driver: "Union Station, then Crown Center."

Me: "Oh, that'll be perfect! (Setting my bags down on a seat) Can I get a transfer?"

Bus Driver: "Sure."

After grabbing the transfer, I may or may not have just taken my bags and gotten the hell off the bus so I could catch a KCATA bus really quick. The bus driver may or may not have called me a few choice words.

Seriously, why would someone like a bus driver power-trip over this kind of thing? I'm going to get what I want one way or another. Worst case scenario, I would have ridden the bus for a few blocks after convincing another rider to get a transfer for me.

... like fish in a barrel, I tell ya ...

2008-07-28

HiR Reading Room: No Tech Hacking

Johnny Long has been around as an info-sec writer and presenter for a while. In No Tech Hacking, he takes the reader through some of his twisted adventures, flippantly poking fun at some of the "security" he's encountered along the way.

When it comes to penetration testing and security awareness in general, there's a pretty massive human element that's simply ripe for the picking. There's also a lot of low-tech stuff that can be leveraged to your advantage. For many, the obvious first move on taking over a network is enumerating your target with ping sweeps and port scanners. If you want to get into a building, you might brush up on your lock-picking skills or reach for a brick to throw into a window. While these techniques have some kind of merit (not always good), it's often more effective to go low-tech (or No Tech!) as much as you can.

Johnny covers his low-tech tricks in detail and often with photos and screen shots. It's more than just social engineering and tailgating to get your mark. It's about thinking through info-sec problems with a different mindset than you're probably used to. Profile your targets and pay attention to seemingly useless details.

From bypassing locks to using exposed information via the Internet, people watching to vehicle profiling: there's a lot of low-tech information contained in this book, and you're almost guaranteed to learn something you hadn't thought of before.

No Tech Hacking closes with some sage advice to would-be no-tech victims. It was an entertaining and informative read. I hope I can see Johnny speak one of these days. He won't be talking at DefCon this year, but maybe he'll be there.

2008-03-01

Lying kids are smart kids

What's this got to do with anything? Lying is, in essence, social engineering.

A child who is going to lie must recognize the truth, intellectually conceive of an alternate reality, and be able to convincingly sell that new reality to someone else. Therefore, lying demands both advanced cognitive development and social skills that honesty simply doesn't require.

Continue reading: Are Kids Copying Their Parents When They Lie? -- It's worth a read, especially for those of you with kids. Via [Schneier on Security]