<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; phishing</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/phishing/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Has PayPal lost its collective mind?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/#comments</comments>
		<pubDate>Tue, 21 Aug 2012 14:21:42 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[checking account]]></category>
		<category><![CDATA[checks]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password theft]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=964</guid>
		<description><![CDATA[I&#8217;m not much of a shopper.  I decide what it is I need/want to buy, assess the market place to determine quality and price and once I have a generally strong sense for both make a decision and move forward.  My wife on the other hand loves the constant trolling, scouring and scouting of just [...]]]></description>
				<content:encoded><![CDATA[<p>I&#8217;m not much of a shopper.  I decide what it is I need/want to buy, assess the marketplace to determine quality and price and once I have a generally strong sense for both make a decision and move forward.  My wife on the other hand loves the constant trolling, scouring and scouting of just about any market and any product therein to find bargains, deals and steals.  So for her eBay has been among the happiest distractions ever.  She&#8217;s a bit of a night owl and after spending the first few decades of life being handcuffed by traditional store hours has found both eBay and the Internet to be the great equalizer.  And it&#8217;s difficult to think of eBay without also thinking of its most important business partner PayPal, an online payment processor that has for all intents and purposes revolutionized the way we spend our money.</p>
<p>Our family has had a PayPal account almost since PayPal has offered them.  It&#8217;s remarkably convenient, it provides us great flexibility to shop online using a single payment source and I love that we&#8217;ve been able to change funding sources several times over the years.  It&#8217;s always conveyed a certain sense of security; I&#8217;ve just always felt safe using PayPal.  I&#8217;ve even gone so far as to suggest that at some point, if PayPal management grows things just right I could see a future state where paper currency and maybe even actual physical credit cards go away and are replaced by some version of their services.  When I discovered this past year that Home Depot already allows you to use PayPal to make in-store purchases I was convinced I was right.  Now I&#8217;m not so sure.</p>
<p>Over the past year or so I&#8217;ve been getting the occasional email ping from PayPal regarding our reaching a spending limit.  It&#8217;s a fairly high limit for most but considering that we&#8217;ve been using PayPal to make purchases going back nearly a decade maybe not as much.  But the message has been quite clear; if we didn&#8217;t verify our account before reaching this limit it would be &#8220;the maximum amount of money you can send or use for purchases before you need to become Verified&#8221;.   So how you become verified is quite simple &#8211; either give up your bank account information or apply for a privately owned credit card.  No, seriously, those are the only two options.</p>
<p>My first thought was that although I liked having the protective layer of a credit card product buffering my PayPal account from my actual money I was okay with providing bank account information.  It&#8217;s not like I don&#8217;t use that in other places to make payments and so there wouldn&#8217;t be any enhanced risk by doing so again.  I wasn&#8217;t going to apply for a PayPal-based credit card because I don&#8217;t want one or need one and I wasn&#8217;t looking for a new credit source anyway, I just wanted to continue using PayPal.  I clicked on the option to provide my bank account information and after the initial screen where they ask for the routing and account details and clicking on &#8220;Submit&#8221; I was presented with a screen that I still can&#8217;t believe exists.  Right there before my eyes was a screen from PayPal in which they ask me to provide my online banking user-id and password so they can verify a series of PayPal generated payments thus confirming my banking details.  Let me repeat that one more time; PayPal asked me to provide them with my online banking user-id and password.</p>
<p>Has PayPal lost its collective mind?  Seriously, have they?</p>
<p>I was stunned, almost to the point where I couldn&#8217;t get coherent words to flow.  I immediately fired off an email to PayPal customer support asking them how they could do something so outrageous.  Within minutes I received an automatically generated reply which I always find insulting, as though I&#8217;m not worth an actual intelligent and personal response.  It was a complete regurgitation of everything stated on their website and completely ignored the gist of my email.  I fired off a second email missive, this time way more specific.  Here&#8217;s what I wrote:</p>
<div><em>&#8220;How can you ask customers for their user-id and password for their online banking?  Surely this must be either a scam run by hackers and not a legitimate request by your company or a misunderstanding on my part.&#8221;</em></div>
<div>That was more than a week ago, they haven&#8217;t responded.</div>
<div>Let me just go right out there on that limb and state unequivocally that there is never any reason whatsoever to share something as sensitive as your online banking user-id and password with anyone, ever!  PayPal needs to immediately revisit their business model and eliminate such an egregious requirement.  Seriously, what&#8217;s the point of doing what it is that I and my fellow practitioners do to make sure that PII and NPPI are being properly protected by financial institutions when one of the largest payment processors in the world is collecting the most sensitive of information?  They don&#8217;t need it, you shouldn&#8217;t be required to provide it and they should be forced to stop asking for it!  Shouldn&#8217;t this sort of thing be regulated by somebody?  Anybody?</div>
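<p>The verification the post describes (a series of small PayPal-generated payments that the customer confirms from their own statement) needs no banking credentials at all.  As an added example, not PayPal&#8217;s code and not part of the original post, here is a minimal server-side version of that micro-deposit flow in Python.  The account token, server key and clock are hypothetical placeholders; the only thing the customer ever types in is the two amounts they read off their own bank statement.</p>

```python
"""Bank-account ownership check by micro-deposits, without the customer's login.

Added illustration for this post; it is not PayPal's code and does not describe
PayPal's implementation. Assumed flow: the service originates two small deposits
(1 to 99 cents each, chosen at random) to the routing/account number the customer
entered, and the customer later types the two amounts back from their own
statement. The service never needs the online-banking user-id or password.
The account_token, server key and clock are hypothetical placeholders.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3                 # only 4,950 unordered amount pairs exist, so guesses must be capped
EXPIRY_SECONDS = 7 * 24 * 3600   # deposits not confirmed within a week are abandoned


@dataclass
class PendingVerification:
    account_token: str      # opaque reference to the stored routing/account pair, not the numbers
    amount_mac: bytes       # keyed hash of the two amounts; the amounts themselves are not kept
    created_at: float
    attempts: int = 0
    verified: bool = False


class MicroDepositVerifier:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._pending = {}

    def _mac(self, amounts) -> bytes:
        # Order-independent: a customer reading "$0.23 and $0.61" off a statement
        # should not be penalised for entering them the other way round.
        msg = ",".join(str(int(a)) for a in sorted(amounts)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, account_token: str):
        """Pick two random amounts in cents and record only their keyed hash.

        The returned amounts go to the payment-origination side; they are never
        shown to the customer, who must read them from their own bank.
        """
        amounts = (secrets.randbelow(99) + 1, secrets.randbelow(99) + 1)
        self._pending[account_token] = PendingVerification(
            account_token, self._mac(amounts), self._clock())
        return amounts

    def confirm(self, account_token: str, claimed) -> str:
        """Check the amounts the customer typed in.

        Returns 'invalid', 'verified', 'expired', 'locked' or 'mismatch'.
        """
        pv = self._pending.get(account_token)
        if pv is None:
            return "invalid"
        if pv.verified:
            return "verified"
        if self._clock() - pv.created_at > EXPIRY_SECONDS:
            return "expired"
        if pv.attempts >= MAX_ATTEMPTS:
            return "locked"
        pv.attempts += 1
        try:
            ok = len(claimed) == 2 and hmac.compare_digest(self._mac(claimed), pv.amount_mac)
        except (TypeError, ValueError):
            ok = False
        if ok:
            pv.verified = True
            return "verified"
        return "mismatch" if pv.attempts < MAX_ATTEMPTS else "locked"
```

<p>The attempt cap is the part that matters: with amounts of 1 to 99 cents there are only 4,950 unordered pairs, so an unlimited confirmation form could be brute-forced by someone who knows a victim&#8217;s account number but cannot see the statement.  Three tries gives a random guesser well under a 0.1% chance, and nothing in the flow ever touches the customer&#8217;s banking login.</p>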
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Vishing, Smishing and Phishing: No end in sight.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/vishing-smishing-and-phishing-no-end-in-sight/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/vishing-smishing-and-phishing-no-end-in-sight/#comments</comments>
		<pubDate>Fri, 11 Nov 2011 19:41:18 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[red flags]]></category>
		<category><![CDATA[red flags identity theft]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[smish]]></category>
		<category><![CDATA[smishing]]></category>
		<category><![CDATA[vish]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=828</guid>
		<description><![CDATA[This is something akin to my annual public service announcement (PSA) for anyone who has cash-on-hand, a bank account, an investment account or perhaps even a piggy bank:  As long as you have money there's someone out there right now scheming to try and take it away from you.]]></description>
				<content:encoded><![CDATA[<p>This is something akin to my annual public service announcement (PSA) for anyone who has cash-on-hand, a bank account, an investment account or perhaps even a piggy bank:  As long as you have money there&#8217;s someone out there right now scheming to try and take it away from you.</p>
<p>I&#8217;m having that kind of month right now where I&#8217;ve learned of one scheme after another to separate people I know personally from their hard earned money.  And much to my chagrin, the schemers are enjoying some measure of success.</p>
<p>Last week I was regaled by a tale of how a senior citizen was stopped on her way to the bank to have a cashier&#8217;s check drawn for $500.  She needed it because someone contacted her with an offer that was impossible to ignore or turn down.  If she paid for the modest bank fees for a large international wire transfer she could keep a small percentage as a &#8220;thank you&#8221; gift, a mere $2M (yeah, that&#8217;s two million).  The people who contacted her did so because she was recommended as a trusting resource who would be flexible and work with them.  And so the combination of the compliment and the chance to net a nifty seven-figure profit for a simple enough favor was just good enough to make her want to do it.  Fortunately she ran into a friend who happened to ask her where she was off to and when she answered honestly was more or less forcibly snapped back to reality.</p>
<p>Now to be honest with you I was stunned to learn that this scam ever works.  I&#8217;ve long advocated to friends and family that they should respond to electronic offers exactly the same way as though they received it in the mail.  But while we throw out junk mail automatically we&#8217;ll read sometimes very cleverly worded emails because they look authentic.  But if you filter all electronic email through the same logic that has taught us to toss mass marketing materials you can cut out much of the clutter.  But what if that email finds someone who is perhaps a little lonely or a little desperate?  What if that email finds someone who is willing to roll the dice that just once what appears to be a scam might be the real thing?  I wouldn&#8217;t have thought it possible until last week but sometimes it works.  And when you think about it just a little bit more it&#8217;s the perfect scam.  Once a senior citizen falls prey to the trap and comes to realize they&#8217;ve been had many will keep it to themselves both because they&#8217;re embarrassed and as I&#8217;ve come to learn more recently, out of fear that they&#8217;ll be labeled as losing their faculties.  And while not all seniors are wealthy a sizable enough percentage have access to $500 easily enough.</p>
<p>Then this week a story was shared with me about how someone&#8217;s identity was stolen but with a twist.  They didn&#8217;t try and completely take over the identity but rather borrow it.  The man-in-the-middle attack worked as such: Person A routinely communicates with Person B via email and instant messenger because they&#8217;re on opposite sides of the world with a language barrier and about twelve hours separating them.  The electronic communications reduce the impact of the language barriers and allow them to keep in touch outside of the boundaries of a shared work day.  This has proven successful for both Person A and Person B for several years.  Recently Person B asked for special handling of a payment that while unusual within the designs of their business relationship was not otherwise out of the ordinary when dealing with others in the same country &#8211; Person A agreed to the request.  After several back-and-forth communications to arrange for the payment which spanned several days Person A sent an email asking Person B to confirm that they finally received the payment.  Person B responded by asking &#8220;what payment?&#8221;.</p>
<p>Someone had hacked into Person B&#8217;s account and was intercepting emails and instant messages and assuming that identity.  They still allowed most communications to pass through but successfully filtered out anything having to do with the payment from Person A.  So Person B had no idea there was something amiss and Person A saw very little outside of normal communications.  But apparently that one time the hacker must have been off their game and not paying attention and so the two legitimate parties were made aware of the situation.  A long painful phone call ensued and some amateur detective work confirmed their suspicions.  And so a new version of phishing comes into play, one in which the scam is not so apparent or easy to detect.</p>
<p>That&#8217;s the thing, while there may be rules to how the scams are being run today those rules are ever changing.  You can&#8217;t simply look for one telltale sign that something is amiss because once a trend emerges the hackers change things up.  And while financial institutions and a multitude of agencies are always trying to educate the masses about the perils lurking about it seldom penetrates into people&#8217;s way of thinking.  The popular adage about suckers has never been truer only now there are two to the power of X ready to take them.  There are increasing measures available to counter attack some of these scams (e.g. Red Flags &#8211; Identity Theft) but by and large they go undetected or unreported.</p>
<p>So here&#8217;s the sum total of my PSA: If it seems too good to be true it is.  And if any financial dealing is presented where something is out of the ordinary apply the old audit mantra &#8211; trust but verify.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/vishing-smishing-and-phishing-no-end-in-sight/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online identity theft: One victim&#8217;s story</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/identify-theft-one-victims-story/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/identify-theft-one-victims-story/#comments</comments>
		<pubDate>Thu, 08 Apr 2010 14:24:58 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[cyber security]]></category>
		<category><![CDATA[id theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password theft]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security awareness]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=329</guid>
		<description><![CDATA[Because whether it be the result of a successful phishing attempt, poor judgement or sloppy controls (e.g. post-it notes under the keyboard/phone/stapler, etc.) the number one entry point used by hackers to gain access to sensitive information remains password sharing.]]></description>
				<content:encoded><![CDATA[<p>Last month I blogged about a phishing attempt that landed in my inbox.  The email account belonged to someone named Rebecca Keen who I had never heard of before (or so I believed at the time).  As I was finishing writing that post, I received a follow-up email from the same person indicating that all was well, that her account was hacked and asked that no one respond to the original phishing email.  As it turned out, Rebecca Keen was actually someone in my extended network, courtesy of a PTA email thread that I was part of.  Because she used Yahoo mail and went with their default settings, all of her outbound email addresses were added to her address book and so I was one of her contacts.</p>
<p>Ms. Keen was kind enough to share her story with me so that I in turn could share it with you.</p>
<p>Her bad day started with the most basic error in judgement: She responded to a Yahoo-branded email requesting that she confirm her account information or else her account would be closed.  She said that &#8220;despite my initial instincts, I fell for it.&#8221;  It&#8217;s not hard to understand why.  Like most parents with school-age children, she has too much going on, depends on email to keep things moving and if she is anything like my wife, is of a mind to address things as they arise; she was a perfect target for a hacker.</p>
<p>Ms. Keen first became aware that she was about to have a bad day when she received an early morning phone call from a friend indicating they&#8217;d received an email from her asking for help.  She attempted to sign on to her Yahoo account to see what was going on but the hackers had changed her password and she was locked out.  She explained what happened next:</p>
<p>&#8220;<em>I had to wait for Yahoo to open at 9:00am to resolve the issue and regain access to my account.  Yahoo was extremely helpful and we were able to take the account back quite easily.  The representative I spoke with knew to advise me to confirm if any of my personal information had been changed, which it had.  An alternate email address had been added by the hacker as a way to retain control of my account even after I had gotten back in.  And my understanding is this is how they would continue to log in and check to see if anyone was actually trying to send me money.  If I did not know to delete this alternate email, the hackers could continue to monitor the account and target anyone asking me where to send the money</em>.&#8221;</p>
<p>I asked her if anyone actually attempted to send money or respond favorably to the hacker&#8217;s phishing attempt and fortunately no one had.  While she did receive a few calls and/or emails trying to confirm if the request was legitimate, because as Ms. Keen explained, &#8220;<em>They did indeed want to help me if I really needed it,&#8221;</em> no one actually took further action.  Apparently the majority of people who received the phishing attempt knew it was a hoax and ignored it (score one for security awareness in the private sector).</p>
<p>Was there a lesson learned from all of this for Ms. Keen to share?</p>
<p>&#8220;<em>Do not respond to emails requesting personal account information, no matter how reputable they may seem,&#8221; </em>she said.  &#8220;<em>As Yahoo explained, they would never request that sort of account information from me (they already have it and there is no need for it to be confirmed).&#8221;</em></p>
<p>To which I would add that you could easily replace the Yahoo name with literally any reputable business with which you have an online account.  I would also recommend that you print Rebecca Keen&#8217;s advice and tape it to your monitors and keyboards at both work and home for all to see.  Because whether it be the result of a successful phishing attempt, poor judgment or sloppy controls (e.g. sticky notes under the keyboard/phone/stapler, etc.) the number one entry point used by hackers to gain access to sensitive information remains password sharing.</p>
<p>Check back here next week. I have an interesting (if not scary) story to share about how some financial institutions are (mis)managing regulatory requirements.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/identify-theft-one-victims-story/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Something smells phishy</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/something-smells-phishy/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/something-smells-phishy/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 20:18:30 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[email]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[scammer]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[theft]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=305</guid>
		<description><![CDATA[P.T. Barnum was often credited with having said that "There's a sucker born every minute" and apparently online there are somewhere between two and too many scammers waiting to take 'em.]]></description>
				<content:encoded><![CDATA[<p>I received an email from Rebecca Keen this morning asking for help.  You see, Rebecca took an unexpected trip to the UK and while there lost her wallet and all of her financial resources and was hoping I could help.  She asked if I could float her a temporary loan of $1,540 so she could settle her hotel bill and make it back home safely.  It turns out that all of her other possible avenues for assistance have failed her and I&#8217;m something of a last resort.</p>
<p>Of course I don&#8217;t know anyone by the name Rebecca Keen and knew instantly that it was a phishing scam. It&#8217;s not the email by itself that made this a blog-worthy item.  What made Rebecca&#8217;s email this week&#8217;s topic was the reaction of someone close to me and their attitude about how to handle it.</p>
<p>At the risk of embarrassing anyone, I won&#8217;t go into specifics as to who the person is, but when I told them about the email as a way of educating them on how to identify and manage phishing attempts, they asked me how I knew it wasn&#8217;t legitimate.  Beyond the obvious fact that I don&#8217;t know now and have never known anyone by that name I&#8217;m not sure what else I&#8217;d need as proof this was a scam.</p>
<p>Here was the ensuing exchange:</p>
<p>&#8220;That may be true but what if they sent you the email by accident?  What if they misspelled the email address?&#8221;</p>
<p>To which I replied, &#8220;Still not my problem and I won&#8217;t respond because that establishes a dialogue which will only encourage the person further.&#8221;</p>
<p>&#8220;But shouldn&#8217;t you at least let the person know they reached the wrong person,&#8221; I was asked with a tinge of real concern.</p>
<p>&#8220;If I reply, that will send the message that they reached the right person. They&#8217;ll think I care, which will only open me up to additional pressures from the scammer&#8221;.</p>
<p>&#8220;People are so mistrusting these days.  I&#8217;d at least want to make sure this wasn&#8217;t someone who needed my help&#8221;.</p>
<p>And therein lies the problem: Despite this being a very obvious phishing attempt, it was only obvious to me. Despite the endless stories about people being exploited and robbed by an endless array of online and email scams, there are still people who respond favorably to these sort of things because of their basic decency. The person to whom I was talking wasn&#8217;t lacking in intelligence and isn&#8217;t typically naive, but when presented with these situations uses a different set of rules.</p>
<p>To make matters worse, the email from Rebecca Keen was properly formatted without spelling errors and actually looked like something I might receive from a legitimate source.  As a matter of fact, it presented itself so well that I actually opened it, which is a step further along than these things usually get.  But of course I knew instantly that it was just the latest example of how people are using the Internet to try and steal money.  And while the scam was obvious to me, there is at least one person I know who might actually have taken action upon receiving something similar.</p>
<p>You know what occurred to me today?  The reason that scammers continue to send out phishing emails is because they still generate the desired results.  Despite the endless marketing campaigns by a wide range of financial institutions to educate online users, there are still a large enough number of people who are victims waiting to happen.   And as long as even one person responds favorably to a phishing campaign, it&#8217;s considered a success.</p>
<p>I&#8217;m thinking that as a former New Yawker I should create a program for the FDIC based on my experiences growing up in New York City.</p>
<ul>
<li>Do not engage in any dialogue with anyone you don&#8217;t know about money in an unusual or inappropriate setting e.g. street corners, subway platforms, etc.</li>
<li>If someone is selling something, offering to buy something or trying to distract you somehow when in an unusual or inappropriate setting (e.g. stopping you on the street, walking up to your table at a restaurant, etc.) immediately disengage and continue on your way or return to what you were doing without allowing the conversation to develop and/or continue.</li>
<li>And if at any time your instincts tell you that something is wrong, amiss, out of place or odd err on the side of caution and do everything and anything to remove yourself from that situation.</li>
</ul>
<p>P.T. Barnum was often credited with having said that &#8220;There&#8217;s a sucker born every minute&#8221; and apparently online there are somewhere between two and too many scammers waiting to take &#8216;em.</p>
<p>P.S. As I was about to publish this post I received an email update from Rebecca Keen letting me know that someone temporarily stole her email account and that there&#8217;s no emergency whatsoever.   Glad to hear it but I still have no clue who she is.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/something-smells-phishy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How security aware is your organization?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/how-security-aware-is-your-organization/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/how-security-aware-is-your-organization/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 03:57:03 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security testing]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=270</guid>
		<description><![CDATA[It's February 2010, do you know when was the last time your organization conducted a social engineering exercise?]]></description>
				<content:encoded><![CDATA[<p>Consider this post to be something of a (banking) community service announcement.</p>
<p>It&#8217;s February 2010, do you know when the last time was that your organization conducted a social engineering exercise?</p>
<p>I come across instances almost all of the time where financial institutions have obvious issues with regards to their staff and how they handle sensitive information.  I almost always find non-public personal information (NPPI) left unsecured on desktops, in printer/fax queues and displayed on computer monitors.  I can recall at least a half-dozen instances during the past year where I personally witnessed person-to-person exchanges where proper protocol was not followed in handling situations that are now supposed to be governed by the <a href="http://searchfinancialsecurity.techtarget.com/sDefinition/0,,sid185_gci1374703,00.html" target="_blank">Red Flags rule</a>.</p>
<p>It&#8217;s not hard to understand why these things happen; it involves human nature and that&#8217;s a wild card element that can&#8217;t be easily managed or controlled.  People are busy, people are inherently trusting and in their haste to help a customer or get their work completed, they lower their guard.  But it&#8217;s in those moments when good judgement is pushed to the side that an institution is most vulnerable.</p>
<p>A password is shared, a sensitive document is left exposed or a file loaded with account information is carted off on a USB storage device.  Ultimately, how it happens is never really the big story though, at least not for those impacted by the breach.  For the affected, it&#8217;s all about the damage, both potential and realized, that they&#8217;re confronted with.  And of course it then also becomes about the tarnished reputation of the institution connected to the breach.</p>
<p>Do something about it.</p>
<p>Schedule a social engineering exercise; it&#8217;s easy, it&#8217;s affordable and it works.  It tests the effectiveness of your security awareness program(s), illuminates what&#8217;s working and what&#8217;s broken, and allows you to adjust your training accordingly.  And you can vary the angles taken from year to year.  Start by seeing what happens when someone places calls to your staff trying to get them to share sensitive information.  Follow that up by doing the same with emails.  When you conduct your next internal vulnerability assessment, have the project include having the testing resources access secured facilities.  You can also mix in dumpster diving (a favorite of mine), fax phishing and eavesdropping (don&#8217;t laugh, it&#8217;s a great way to skim NPPI and impossible to trace).</p>
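<p>The email leg of such an exercise is only useful if you can tell afterwards who clicked, and if nobody can doctor the results.  As an added example, not something from the original post or any particular testing vendor, the Python below signs a per-recipient token into each test link with a keyed hash, rejects forged or out-of-campaign tokens when the click log comes back, and rolls the clicks up by department for the training follow-up.  The staff roster, campaign id and landing URL are constructed placeholders.</p>

```python
"""Per-recipient tracking tokens for the e-mail leg of a social engineering test.

Added illustration for this post, not a tool the author describes. Each link in
a test e-mail carries a token bound to the recipient and the campaign with a
keyed hash, so the click log can be attributed to a person without guessable
sequential ids and without anyone being able to forge a "click" for a colleague.
The roster, campaign id and landing URL below are constructed placeholders.
"""
import base64
import binascii
import hashlib
import hmac
from collections import Counter

# Constructed roster for the exercise (hypothetical staff and departments).
ROSTER = {
    "e101": {"name": "A. Teller", "dept": "branch"},
    "e102": {"name": "B. Lender", "dept": "loans"},
    "e103": {"name": "C. Officer", "dept": "compliance"},
    "e104": {"name": "D. Teller", "dept": "branch"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(key: bytes, employee_id: str, campaign_id: str) -> str:
    """'campaign:employee' authenticated with a truncated HMAC-SHA256 tag."""
    payload = f"{campaign_id}:{employee_id}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    return _b64(payload) + "." + _b64(tag)


def parse_token(key: bytes, token: str):
    """Return (campaign_id, employee_id), or None for a malformed or forged token."""
    try:
        enc_payload, enc_tag = token.split(".")
        payload, tag = _unb64(enc_payload), _unb64(enc_tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    campaign_id, _, employee_id = payload.decode().partition(":")
    return campaign_id, employee_id


def landing_url(key: bytes, employee_id: str, campaign_id: str,
                base: str = "https://training.example/landing") -> str:
    """The link placed in the test e-mail (hypothetical landing page)."""
    return f"{base}?t={make_token(key, employee_id, campaign_id)}"


def tally(key: bytes, campaign_id: str, clicked_tokens, roster=ROSTER):
    """Turn the raw click log into per-department click rates.

    Forged tokens, tokens from another campaign and unknown employees are
    counted as rejected; a person who clicks twice is counted once.
    """
    clicked, rejected = set(), 0
    for token in clicked_tokens:
        parsed = parse_token(key, token)
        if parsed is None or parsed[0] != campaign_id or parsed[1] not in roster:
            rejected += 1
            continue
        clicked.add(parsed[1])
    headcount = Counter(roster[e]["dept"] for e in roster)
    hits = Counter(roster[e]["dept"] for e in clicked)
    return {
        "clicked": sorted(clicked),
        "rejected": rejected,
        "rate_by_dept": {d: hits[d] / headcount[d] for d in headcount},
    }
```

<p>Keep the signing key on the reporting side only; the landing page needs it to validate tokens but the mail template does not.  Report the rates by department rather than by name when the results go into training material, which is also why the roster carries a department field.</p>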
<p>The results will prove to be revealing &#8211; both good and bad &#8211; and will serve as remarkably effective fodder for your next round of training.  And the testing itself becomes an important tool because once people are aware that these tests are occurring, they begin to pay greater attention to their actions. No one wants to be tagged as being on the wrong side of the testing &#8211; trust me on this, I&#8217;ve seen this dynamic in play and it&#8217;s real.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/how-security-aware-is-your-organization/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Test what makes sense, not headlines</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/test-what-makes-sense-not-headlines/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/test-what-makes-sense-not-headlines/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 04:16:24 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=188</guid>
		<description><![CDATA[The recent news about a social engineering exercise gone awry serves as a lesson on how not to conduct these kinds of tests. An information security firm had sent a credit union NCUA-branded media to install in order to test if the employees would react appropriately and first attempt to validate that the request was [...]]]></description>
				<content:encoded><![CDATA[<p class="MsoNormal">The recent news about a social engineering exercise gone awry serves as a lesson on how not to conduct these kinds of tests. An information security firm had sent a credit union NCUA-branded media to install in order to test if the employees would react appropriately and first attempt to validate that the request was legitimate. The problem was that no one notified the NCUA about its role in the exercise, and so when they were contacted by the institution, they assumed this was a legitimate threat and issued a warning to all of their credit union members.</p>
<p class="MsoNormal">At first blush, this story might appear amusing. Beyond some embarrassed people at the security firm conducting the social engineering exercise and some likely annoyed folks at the NCUA (a federal security alert is not a common or simple occurrence), it would appear you could chalk this up to “no harm, no foul.” From certain vantage points you might even consider this a wildly successful test. After all, the client reacted appropriately by contacting the NCUA, and the NCUA reacted appropriately by identifying the actions as unsanctioned and potentially harmful and alerting their member institutions. But for those of us who practice in the industry, this is far from amusing and actually somewhat disturbing.</p>
<p class="MsoNormal">When one of our member practitioners or firms does something that brings negative attention to the industry or conducts themselves in a way that results in a black eye, it’s always extended to a certain degree to all of us. At some point in the process, I would have thought that someone working for the offending firm would have reviewed a draft of the plan and flagged the part about including an uninvolved third party as unnecessary or inappropriate (and quite possibly illegal). And besides, grand and elaborate schemes aren’t really necessary. Most breaches that occur aren’t of the James Bond variety, so subtle tactics work best.</p>
<p class="MsoNormal">I&#8217;ve managed and conducted social engineering tests many times in the past and so I speak from experience. On one project, I had a renegade auditor who wanted to test data center physical security by trying to either force or talk his way into the facility. He was told in no uncertain terms that doing so was not authorized or acceptable and that if he did it and was arrested (a very likely scenario), we would not bail him out and he would be fired immediately. It was just a bad idea and not even remotely necessary to test the related controls. And then I was reminded of a story in which a well-known national security firm had their practitioners dress up in firefighting gear and arrive at a bank branch claiming there was a possible fire/smoke condition to see if they would be allowed access to private/protected areas of the bank. Of course they were granted the access and as a result were written up in an industry magazine and considered to be innovative and imaginative.</p>
<p class="MsoNormal">Social engineering is intended to examine how the human element reacts to a variety of scenarios designed to gain access to sensitive information or secured areas. There are many, many simpler and less obvious techniques available to poke and prod and test the effectiveness of related controls. So why was this test even necessary?</p>
<p class="MsoNormal">The short answer is that it wasn’t. It was a bad idea in design and execution.</p>
<p class="MsoNormal">At a basic level, I don’t understand how this test was even conducted. A common element when executing any form of security work is to inform the key stakeholders of the plan so that things like this don’t happen. When the appropriate party was notified about the suspicious material received from the NCUA, they should have known what to do (beyond escalating to the NCUA). We inform the primary security contact of our activities so that they know not to escalate outside of their own institution. We provide specific start and end times, all key details, and status updates along the way.</p>
<p class="MsoNormal">The wrong messages are sent as a result of these wayward tests. I’m thinking that credit unions will now require all sorts of crazy validation before trusting anything from the NCUA. I’m also concerned that the bank involved in the firemen scenario may not properly evacuate the facility in the event of a real fire because they’ll wait for confirmation that it isn’t another test. Is that really the desired outcome of these exercises? Last year, I managed an exercise involving a phone-based phishing test. Two days after we concluded the fieldwork, I received a message from our client sponsor asking if we were still executing the test. Turns out they were the target of a legitimate phishing attempt and because our activities had raised awareness, the situation was escalated appropriately. Doesn’t that make a bit more sense?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/test-what-makes-sense-not-headlines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT Security: Something has to give.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/it-security-something-has-to-give/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/it-security-something-has-to-give/#comments</comments>
		<pubDate>Wed, 20 May 2009 19:31:05 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=113</guid>
		<description><![CDATA[My practice has been busy lately helping a number of clients catch up on required tasks before their scheduled exams (it&#8217;s a case of the old &#8220;if it wasn&#8217;t for the last minute nothing would ever happen&#8221; philosophy).  And in authoring some of our reports we&#8217;re identifying issues and gaps that are in some cases [...]]]></description>
				<content:encoded><![CDATA[<p>My practice has been busy lately helping a number of clients catch up on required tasks before their scheduled exams (it&#8217;s a case of the old &#8220;if it wasn&#8217;t for the last minute nothing would ever happen&#8221; philosophy).  And in authoring some of our reports we&#8217;re identifying issues and gaps that are in some cases minor but in others are big enough to drive a car through.  This is nothing new.</p>
<p>What is new is the ambivalence we&#8217;re experiencing from management.  It seems that a little known byproduct of our currently sad economic state is that keeping the doors open seems to be the only goal that really matters.  Management is not particularly concerned with much else, or so it would seem.  Not that this by itself is a new phenomenon either but there&#8217;s almost a reckless undertone emerging.</p>
<p>We&#8217;ve encountered some glaring issues recently that underscore a fundamental problem that I&#8217;ve struggled with for a long time: The FDIC and NCUA examiners just don&#8217;t pay enough attention to IT-based risks.  In some instances they touch on high-level issues and in rare instances can get a bit more granular, but we&#8217;ve collected empirical evidence that an in-depth review hasn&#8217;t been conducted for the vast majority of institutions that we&#8217;ve worked with.</p>
<p>Forget about industry best practices and forget about the fact that financial institutions are required by law to implement and maintain certain basic safeguards.  We live in an age where identity theft and credit card fraud are rampant.  Every day we are presented with more stories, more guidance and more information about how the criminal element is finding newer and more insidious ways to get at our money and credit.  My senior citizen mother and my grade-school aged children are all aware of the term phishing, have all been coached as to which email is safe to open versus which isn&#8217;t and know not to share personal information.  If I can convince them of the threats out there in the great digital void you have to think it&#8217;s fairly obvious, right?</p>
<p>So why is it that the examiners aren&#8217;t paying more attention to the IT infrastructure?  I had a chance to ask someone from the NCUA office a few months back that very question and while I didn&#8217;t like his answer, it made sense particularly considering the more pressing issues banks and credit unions are currently dealing with.  It comes down to resource availability.  Only so many hours are allocated to an exam, based on the size of the institution.  And so for the smaller institutions, the examiners prioritize the work based on risk.  Can anyone argue that scrutinizing the books is less important than auditing the IT infrastructure?</p>
<p>Even so, some of the institutions we&#8217;ve worked with and which I&#8217;ve personally reviewed have had issues for what has to be several years.  How is it possible that in the past five years not one examiner has ever noticed the absence of a business continuity plan?  Or any form of security around the firewall (and an unusually permissive firewall at that)?  Or the lack of strong (or even reasonable) password controls?</p>
<p>Something has to give.  When you combine the lack of proper examiner supervision with a less than concerned management mindset the potential for serious issues becomes much greater (and likely).  Somehow the various entities that are responsible for providing oversight for those places we trust with our money need to figure out a way to provide reasonable assurances that at least the bare minimums are being met when it comes to IT controls.  With all the money being spent to keep the banking industry afloat can&#8217;t someone figure out a way to slice off a little bit in order to hire enough IT people to conduct the necessary examinations?  Congressman?  Senator?  Mr. President?  Anyone?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/it-security-something-has-to-give/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
