Social Engineering is a real problem that plagues call centers everywhere. When almost every company that handles customer data considers off-shoring or outsourcing, it is pertinent to understand the mechanics of how customer data can be manipulated. In this entry, I will describe how a number of social engineering attacks can be applied against call centers.
This information is to be used for legitimate, legal, and moral purposes. My intent in this is not to encourage you to “hack” into people’s accounts; rather, it is to encourage all people to learn the aspects of social engineering so they can adequately defend themselves. Knowledge is power, use it wisely.
What is Social Engineering?
Social Engineering is manipulation of another person by means of “social” vulnerabilities like emotion, retribution and cognitive thoughts/actions. Often, successful social engineering takes place over weak mediums like telephone, e-mail and Instant Message; however, the art of social engineering doesn’t preclude in-real-life (IRL) interactions. Legally, Social Engineering is known as pretexting and False Pretenses. (Which now carry felonies, by the way.)
The result of a successful social engineering (abbreviated “social,” as a verb) attack is information: information that can be used to access one’s private accounts, e-mail, and financial accounts, and even to obtain government identification. It’s all up to the attacker to determine their ultimate goal. Lately, social engineers perform attacks for humor and sport, rallying to one-up each other for the depth of information or steps their targets carry out.
Whether information can be socialed out of a target’s account ultimately depends on two factors: the person who submitted the information, who must make sure their account authorizations are limited and uncommon; and the company that is supposed to shield such information.
Social Engineering has been very effective in attacks against AOL, to compromise their internal customer information system; against T-Mobile, to compromise Paris Hilton’s illicit pictures and video on her cellular service; and against Lexis Nexis, to breach their information database. No company, no consumer is armed to prevent these types of attacks.
What is needed to “social” something or someone?
Social engineering may require some additional tools, but essentially a successful social engineer is one who is able to think on their feet, exhibit “game,” and maintain confidence. Some might say that a good social engineer is like being a good pimp.
The prerequisites for an attack are:
- Some prerequisite information on the subject. For starters, a name, address and phone number.
- Solid understanding of the target company’s security policies. If you spend a day or so asking general security questions (password resets, account updates), you will memorize the way to traverse it. It’s important to also get a feel for the limitations of employees (in call centers).
- A VoIP account, along with a good pair of headphones and a microphone. Skype is free to use for toll-free phone numbers. You may also opt for trying services like SpoofCard, a popular provider of Caller ID spoofing, call recording and a number of other features. Caller ID spoofing services let callers manipulate the Caller ID that is sent out in typical telephone call routing.
- A friend who is of the same gender as the subject.
- A notepad or recording software/hardware so you can take notes and/or replay the attack. (Optional)
Other than that, make sure you are in a reasonably quiet area and get comfortable. Again, you are the subject for the moments that you call the target company. Let’s hustle!
How to Social Engineer?
There isn’t a definitive tutorial on social engineering, but I will share some pointers on how to successfully exert your social engineering skills. I will hit on three methods of attack against call centers: emotion, mumbling and warm-transfers.
Social Engineering with Emotions
As I’ve already established, social engineering is all about manipulating people. One of the best ways to evoke emotions is to make reference to a negative/horrific event. One word of advice: many companies, such as AOL, have policies instructing how to take over an account in the event of death, so saying someone died will be handled properly, resulting in secure and legitimate account transfer.
Here are a couple hustles with emotion:
- “My husband/son is in Iraq, and he’s not able to call in. I just want to send him a letter…”
- “My wife/daughter is in the hospital with <disease>, I just want to let her friends know how she is doing…”
Now, these may or may not be as successful as they were a few years ago, but you get the idea. When presented with a crafted negative, though realistic, event, the target may divulge information pertinent to the takeover of the account.
Social Engineering with Mumbling
When using weak communication devices, um, phones, it’s important to always consider their mechanical limitations. Many companies deploy policies that ensure they are in compliance with the Americans with Disabilities Act; that leaves accounts open and companies free from potential litigation/bad press. When mumbling, you should have a reason and be consistent from the start to the end of the call.
Here are a few reasons to mumble:
- You’re back from the dentist and you are numbed out from the anesthesia…
- You have a speech impediment, and are protected under the Americans with Disabilities Act…
- You’re intoxicated or under the influence… (LOL!)
Again, don’t over-do it, otherwise the customer service agent will become suspicious. Be consistent, and don’t be afraid to feel depressed or volatile because of your “condition.” When you are carrying this out, feel free to go off on the customer service rep if they ask you if it’s a prank call or aren’t adequately meeting your demands.
Social Engineering with Warm Transfers
Have you ever been in a situation in customer service where two customer service agents speak to each other to transfer you? In the industry, this is known as a warm-transfer, as opposed to a cold-transfer. The weakness here is that in many companies, if an agent states the customer is verified (and provides a piece of verification info), the next agent will assume the caller is fully verified and can disclose information. When doing a warm transfer, it’s important to have someone to help you, otherwise it won’t work.
Think of realistic examples on how this can work. Here are a few examples that were successful in the past:
- (Tech to Billing) – “Hello, this is John in Tier 2, I have Mr. Smith on the line and he’s having trouble updating his address and I’m not able to. I’ve verified his current information and he’s pretty frustrated. I’m going to transfer him, OK?”
- (Billing to Tech) – “Hello, this is Stacey in Billing, Ms. Smith is on the line, she updated her account with just a moment ago. I had trouble accessing the system to reinstate her account. Can you put in an override and reactivate her service?”
- Tech to (Billing to Tech) – The trick in this is to be transferred twice to raise the variables; first to be transferred legitimately, then to be transferred back to tech for manipulation. “Hi, I’ve been on hold for 40 minutes, and have been going in circles here. Can you please just stay on the line and transfer me to Billing?” [Waits for warm-transfer] … “Hi, this is Tier 2 in Tech, my name is David, I have Ms. Smith on the line and we verified her information and need to have you update it. Our systems are down for processing account updates…”
It’s good to get some practice performing warm-transfers, since they are typically harder to pull off unless you know the exact company policy and lingo. The benefit from these, though, is that most customer service IVRs drop the ANI after the first or second transfer and will rely on the word-of-mouth from the customer or the “agent” in this trick. Warm transfers also raise the stakes, since customer service reps will trust each other over customers.
How to Prevent Social Engineering?
Employee and consumer education is the answer. It’s really that simple, but it’s costly, which is why a lot of companies fail to implement it. By educating employees to detect and react properly to a social engineering attempt, companies improve the overall customer service (and duty) they provide for customers. When consumers are educated, they will know the expected questions that customer service may ask, the alternate verification methods and frequent updates to contact/verification information.
Blanket legislation which prohibits tools that aid in social engineering won’t address the problem, other than fueling it to become untraceable overseas. I would however be open to limiting Caller ID manipulation to “good-faith purposes,” which is vague enough to let legitimate uses function and let illegitimate purposes be punishable when used in a crime.
The additional solution is to accept that Caller ID is not a security protocol. It’s a feature for general screening of phone calls. It should have as much consideration as the weather outside when verifying a customer’s information.
Some companies have responded to their exploits by letting customers request additional protections on the account such as an “account password” or a “universal verification question.” Make the password difficult, personal, but not based on anything about your identity. I know from my experience, AOL secures high-profile accounts such as celebrities within their Fraud department, effectively preventing all of customer service (except their Fraud department) from accessing the account. It would be nice if more folks would have access to enabling their form of fraud prevention.
Social Engineering is not something that should necessarily be viewed negatively. It should be viewed as a measurement of how well customer information is retained behind the walls of your employees. Repeated education and frequent regression testing should be done to maintain a high compliance. The best way employees can protect customer information is to note the date/time/ANI of the attacker in the customer records and advise they call back at another time; or advise they contact the company’s Fraud department separately for assistance.
I started my experience with social engineering when I was able to have a friend contact my ISP on my behalf and, despite him getting the information wrong, he was able to proceed with actions on my account. From there I decided to explore it on my own with my cellular provider, my ISPs and other places I retained accounts with. No, I won’t social engineer on your behalf; for one it’s not legal, it’s not guaranteed, and it’s not something I could monetize well.
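The controls from this section, sketched as an added example that is not code from the original post: verification never carries across a transfer, the ANI is logged but never counted as proof, a failed attempt is written to the customer record with date/time/ANI, and a fraud-hold account is handled only by the Fraud department. All names, department labels and return strings are hypothetical, and hashing the account password with PBKDF2 is an assumption of this sketch.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class CustomerRecord:
    salt: bytes
    password_hash: bytes               # the customer's "account password", hashed
    fraud_hold: bool = False           # True: only the Fraud department may act
    notes: list = field(default_factory=list)

@dataclass
class Call:
    ani: str                           # kept for the record, never accepted as proof
    verified_by: Optional[str] = None  # department that verified this caller itself

def new_record(password: str, fraud_hold: bool = False) -> CustomerRecord:
    salt = os.urandom(16)
    return CustomerRecord(salt, _hash(password, salt), fraud_hold)

def transfer(call: Call, to_dept: str) -> str:
    """Any transfer, warm or cold, clears verification: the receiving agent
    verifies the caller again regardless of what the sending agent says."""
    call.verified_by = None
    return to_dept

def verify(call: Call, record: CustomerRecord, dept: str,
           supplied: str, now: Optional[datetime] = None) -> str:
    """Return the action the agent in `dept` should take."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    if record.fraud_hold and dept != "fraud":
        record.notes.append(f"{stamp} ANI={call.ani} dept={dept} attempt on fraud-hold account")
        return "refer_to_fraud"
    if hmac.compare_digest(_hash(supplied, record.salt), record.password_hash):
        call.verified_by = dept
        return "verified"
    # Failed attempt: note date/time/ANI in the customer record.
    record.notes.append(f"{stamp} ANI={call.ani} dept={dept} failed verification")
    return "advise_callback_or_fraud"

def can_act(call: Call, dept: str) -> bool:
    """An agent may change the account only if their own department verified."""
    return call.verified_by == dept
```
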
Use this information wisely and secure yourselves, from yourselves.
[Image by jgrimm on Flickr]