“Hi, this is Phillipa from Citibank; I’m calling to confirm a few details.”
“Hi, this is Angela from Commonwealth Bank; I’m calling to confirm a few details.”
“Hi, this is Brad from ANZ; I’m calling to discuss your account.”
“Hi, this is Phil from American Express; I’m calling to discuss a recent transaction.”
The names of the callers have been changed, but I have taken a legitimate call that started in each of the above ways from each of the named financial institutions. (How do I know it’s legitimate? We’ll get to that in a moment.)
Consider, however, what social engineering is:
“Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer systems access; in most cases the attacker never comes face-to-face with the victims.”
Much fuss is made each year about people being tricked by email scams or link baiting into handing over the login details to their electronic banking accounts, but here’s the truth of the matter: financial institutions have spent decades training people to believe that an unrequested contact is legitimate.
The fact that social engineering attacks work so regularly must partly be blamed on financial institutions.
Whenever I get an unsolicited phone call from a financial institution, the conversation works like this:
Caller: This is Phillipa from Citibank; I’m calling to confirm a few details.
Caller: Right, I’d just like to start by confirming your date of birth.
Caller: For security purposes we need your date of birth to continue.
Me: For security purposes I’m not providing my date of birth.
Caller: I see … but you have to provide your date of birth to continue.
Me: No, here’s how it’s going to work. I have no proof you really are from Citibank. So, you tell me the phone number at Citibank that I can call back in on and the department I have to request in order to discuss whatever it is you want to discuss with me, and I’ll verify that’s a Citibank number and call in.
Caller: But I’m on the phone now.
Me: And I have no proof that you are who you say you are, because I’ve not requested a call from Citibank or made any recent inquiries.
At that point the conversation goes one of two ways – they incredulously refuse to give me the phone number, at which point I hang up, or they give me the phone number and department, I verify the number, and call back in. (For what it’s worth, it’s never actually been a social engineering attempt … a different call centre worker has called back at a different time and been more cooperative, or otherwise I’ve received a letter about the same topic within a few days.)
Nine times out of ten, when I call back in, I find that it’s for something totally irrelevant anyway. Citibank, for instance, is notorious for calling up to offer credit limit increases, insurance, other cards, loans and so on, all unsolicited. (All, I might add, contrary to explicit instructions I’ve insisted be placed on my account saying I’m not interested in any of that. I also suspect this is contrary to the current financial laws of Australia.)
If you get a call from a “financial institution” that you’ve not requested, I’d strongly urge you to, at minimum, follow that same security procedure (the paranoid amongst you might very well choose to be even more secure – such as insisting the request be sent out in writing, etc).
Back to the matter at hand though – we get financial institutions tut-tutting the general public for falling victim to social engineering attacks and link-baiting, and we also get the police tut-tutting the public for the same.
Yet, is there any evidence the financial institutions are doing anything to stop training customers into falling victim to these scams? Citibank, for instance, now requires me to provide a mobile phone number for its online banking access. When I attempt to perform particular actions with my account, it sends me a one-time code via SMS, valid for only a few minutes, which I must input to complete the operation. So they get the concept of security. They just don’t believe in it 100% of the time. Not when it’s inconvenient to them. They wave security in our faces when they’re required to, but when they want to sell us new things, market changes to our products or clean up their databases, they don’t give a damn, and they encourage you not to give a damn, either.
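The SMS step described above works only if the server side treats the code as short-lived and single-use, and stops guessing after a few tries. The following is an added example of that server-side logic; it is not code from this post or from any of the banks named, and the five-minute lifetime, three-attempt limit, account and action names, and the fake clock are all constructed for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime: the "few minutes" the post describes
MAX_ATTEMPTS = 3         # assumed guess limit before the code is discarded


class OneTimeCodeStore:
    """Issues and verifies short-lived, single-use confirmation codes.

    One pending code is kept per (account, action) pair so that a code
    issued for one operation cannot be replayed against another.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._pending = {}       # (account_id, action) -> {"code", "expires", "attempts"}

    def issue(self, account_id, action):
        # 6 random digits from the OS CSPRNG; zero-padded so leading zeros survive
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(account_id, action)] = {
            "code": code,
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # In a real deployment this value goes to the SMS gateway only; it must
        # never be echoed back into the web session that requested it.
        return code

    def verify(self, account_id, action, submitted):
        key = (account_id, action)
        rec = self._pending.get(key)
        if rec is None:
            return False, "no pending code"
        if self._now() > rec["expires"]:
            del self._pending[key]
            return False, "expired"
        rec["attempts"] += 1
        # Constant-time comparison so a mismatch does not leak which digit differed.
        if not hmac.compare_digest(rec["code"].encode(), str(submitted).encode()):
            if rec["attempts"] >= MAX_ATTEMPTS:
                del self._pending[key]
                return False, "too many attempts"
            return False, "mismatch"
        del self._pending[key]   # single use: a correct code is consumed immediately
        return True, "ok"


def demo():
    """Walks through the lifecycle with a fake clock; returns the observed outcomes."""
    clock = [1_000.0]
    store = OneTimeCodeStore(now=lambda: clock[0])

    code = store.issue("acct-demo", "transfer")
    wrong = "000000" if code != "000000" else "111111"
    outcomes = {
        "wrong_guess": store.verify("acct-demo", "transfer", wrong),
        "right_code": store.verify("acct-demo", "transfer", code),
        "replayed_code": store.verify("acct-demo", "transfer", code),
    }

    stale = store.issue("acct-demo", "transfer")
    clock[0] += CODE_TTL_SECONDS + 1          # let the window lapse
    outcomes["after_expiry"] = store.verify("acct-demo", "transfer", stale)

    store.issue("acct-demo", "transfer")
    for _ in range(MAX_ATTEMPTS):
        last = store.verify("acct-demo", "transfer", "999999" if stale != "999999" else "888888")
    outcomes["locked_out"] = last
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The expiry and attempt limit are what make a code sent over an unauthenticated channel like SMS tolerable: an intercepted or guessed value is only useful inside a short window, for one operation, and for a handful of tries.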
Financial institutions and law enforcement agencies can waffle on all they want about social engineering, but as long as financial institutions fail to consistently walk the talk, they’ll keep sending mixed messages to customers. In fact, it’s worse than a mixed message, it’s a downright stupid, dangerous message: “Hey, don’t believe that it’s us contacting you unless we tell you it’s us contacting you. But then don’t believe it unless it’s definitely us.”
How is that secure?
How does that train customers to expect intelligent, secure contact from their financial institutions?
If fingers must be pointed in social engineering, it’s time to stop just blaming the attackers and victims. It’s time to start pointing a finger squarely back at the financial institutions who expect, encourage and engender trust where none should be given.