22-11-2014, 09:53 PM
While cyber-attackers can probe Web sites for application weaknesses and network holes, employees at many financial institutions are just as vulnerable to social-engineering tricks.
Why hack a site when all it takes is a phone call to get into a bank account? That is the question Jim Stickey, CTO of TraceSecurity, asks when auditing the security measures in place at banks and credit unions across the country. The audits cover physical theft as well as what Stickey calls "virtual theft", where thieves use e-mail and phone calls to obtain the passwords needed to remotely penetrate sensitive systems.
LinkedIn is used to select the target
TraceSecurity's auditors think like cyber-criminals, working out what they would go after and which methods they would use. "Most of the time, it's bank accounts," said Stickey.
The first step is to identify new employees, said Stickey. Finding out who has just started working at the target institution, for example a medium-sized regional bank or credit union, is very easy in this age of social networking: all the attacker has to do is search for the target institution on LinkedIn.
Once the attacker has a list of recent hires, the next step is to pose as a senior manager.
"New staff tend to be gullible. They don't want to irritate their bosses, so they just do what they're told to do," said Stickey, adding that they are less likely to question a suspicious request that comes from above.
Attackers can simply call the credit union's main number to find out a manager's name. The trick works best if the target institution is large enough to have multiple branches or offices, because then the attacker can find out the name and phone number of a manager at a different branch, said Stickey.
"New employees are less likely to know who the manager is," said Stickey.
Phone spoofing
Armed with the manager's name and phone number, the attacker calls the new employee directly. Software that lets people spoof their phone numbers is easily available online. Using it, the attacker alters the caller ID information so that the employee, looking at the phone display, sees a number that matches the company's own and assumes the call is legitimate. The employee, already believing the attacker really is the remote manager, now has a sense of confidence, said Stickey.
The "manager" might claim that the branch office network is down, that the manager's computer is being worked on, or any of a host of other reasonable scenarios explaining why the manager cannot log on to the network and get at a customer's account. "Don't make it a big deal, just mention it and go on to the actual request," said Stickey.
Asking the employee to read out the account's login details, or to look up some details in the account, gives the attacker the confidential information needed to break into the account. The fake manager can also convince the staff member to change the password to something else "for security reasons", and then promise to call back after a set time so the password can be changed back, said Stickey.
"That's 45 minutes for the attacker to do what is necessary," said Stickey. Some attackers even keep up the masquerade, calling back to say they are done.
New employees are reluctant to push back, so it is very important that the financial organization "empowers" them to ask questions and to feel comfortable pushing back from the very beginning, said Stickey. Employees need to hear that it's OK to tell managers 'no!', or all the rules go out the window, he said.
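The "change the password, then change it back" sequence above leaves a trace in any system that audits credential changes: a password change made on one account by a different user, followed by a second change on the same account a short time later. The following is an added example, not TraceSecurity's tooling or code from the article, that runs that detection over a constructed audit log. The log line format, the account and actor names, and the `PASSWORD_CHANGE` event name are all assumptions; the 45-minute window is the figure Stickey quotes.

```python
"""Detect the credential-reset pattern from the article in constructed audit logs.

Two signals are checked:
  1. a password change on an account performed by someone other than the
     account owner (a reset done "on behalf of" a manager), and
  2. the same account having its password changed again within a short window
     (the "change it, then change it back" bounce).

Assumed log format (example code, not a real product's schema):
  '<ISO timestamp> <EVENT> key=value key=value ...'
"""
from datetime import datetime, timedelta

# 45 minutes is the window quoted in the article.
BOUNCE_WINDOW = timedelta(minutes=45)

# Constructed sample log: a manager's password is reset by a new hire, used,
# and reset again 40 minutes later; a normal self-service change is included
# for contrast. None of these names or addresses are real.
SAMPLE_LOG = """\
2014-11-22T14:02:10 PASSWORD_CHANGE account=mgr.jones by=new.hire.smith
2014-11-22T14:05:33 LOGIN account=mgr.jones src=203.0.113.7
2014-11-22T14:42:51 PASSWORD_CHANGE account=mgr.jones by=new.hire.smith
2014-11-22T15:10:00 PASSWORD_CHANGE account=teller.lee by=teller.lee
"""


def parse_line(line):
    """Parse one log line into (timestamp, event, fields); None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return ts, parts[1], fields


def find_suspicious_resets(log_text, window=BOUNCE_WINDOW):
    """Return a list of (kind, account, actor, timestamp) alerts.

    kind is 'reset_by_other_user' when the actor is not the account owner,
    and 'password_bounce' when the account was already changed within `window`.
    """
    alerts = []
    last_change = {}  # account -> timestamp of its previous PASSWORD_CHANGE
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, fields = parsed
        if event != "PASSWORD_CHANGE":
            continue
        account, actor = fields.get("account"), fields.get("by")
        if account is None or actor is None:
            continue
        if actor != account:
            alerts.append(("reset_by_other_user", account, actor, ts))
        prev = last_change.get(account)
        if prev is not None and ts - prev <= window:
            alerts.append(("password_bounce", account, actor, ts))
        last_change[account] = ts
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields three alerts, all on `mgr.jones`: the first reset by another user, the second reset by another user, and the bounce between them. The self-service change on `teller.lee` produces nothing, which is the point: the signal is not "a password changed" but "who changed it and how soon it changed again". In practice the second rule is worth tuning to the institution's own help-desk reset volume so that legitimate resets do not drown out the pattern.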
Pushing back
It is one thing to teach staff the policy, but it is better to teach them what to do when they are asked to violate the policy, especially when the request comes from a senior executive or the president of the company. "The policy can be 'don't give out information over the phone', which is good, but the reality is that when a manager asks, you don't say no," said Stickey. Employees should be told that they can say they are not able to do it and offer to transfer the call to a senior manager. Attackers often hang up at this point, and the manager can then be told that someone was impersonating them, exposing the scam.
Another common social-engineering tactic relies on e-mail. Many institutions make their corporate directory available through the phone system; attackers call late at night to go through the directory.