Teaching people to get phished, old skool style!

Teaching people to get phished

No, this isn't a write-up on Twitterank, the latest example of 15 seconds of hype-fueled hysteria that the Internets whipped into a minor frenzy before moving on to the next sensationalistic headline.

(Yes, Twitterank asks you for your Twitter username and password but — wake up people! — so does every other Twitter app that needs access to authenticated features, because the Twitter API only supports HTTP Basic Authentication. This is a limitation of Twitter, not of Twitterank or other legitimate applications. The problem, of course, is that you cannot tell whether or not an application is legitimate, so Twitter, in this instance, is responsible for teaching people to get phished.)

No, this isn't a write-up on Twitterank (believe me yet?)

It's not even about tech companies or web applications.

No, it's about old-school, real-world companies and how some of them are using an old-school, real-world technology to teach people how to get socially engineered, or phished. The technology in question is none other than the trusty telephone.

Yesterday, I got a call, supposedly from my health insurance provider. The call went something like this:

Voice on phone: Hello, I'm calling from Company X, before I continue, I need to verify some security information with you...

Me: OK, the problem with that is that I have no way of knowing that you are really who you say you are. Can you give me a number and a reference code so that I can call you back?

The sad thing is that it really was my insurance company calling, not a scam artist trying to phish my security questions from me so she could steal my identity.

What's worrying is that this appears to be a widespread practice. Clive Flint reports on Twitter that he has experienced the same thing with AMEX, and James McCarthy has experienced it with AMEX and his bank:

'We need to talk to you but need to confirm it's you' And how I'm supposed to know it's them? No security there. (Clive's tweet)

I've recently had the same from Amex and Halifax too. Banks really should know better. (James's tweet)

There really needs to be a law against this practice. Does anyone know where we would start trying to get more visibility on this issue in the UK with a view towards getting legislation passed?

Quite plainly, these companies are teaching people to get phished and that needs to stop.

Instead of calling you up to ask you your security questions, they should be asking you to call them. Something along the lines of:

"Hello, I'm calling on behalf of Company X. I know that you cannot verify that what I'm telling you is true, so, for security reasons, can you please call us back on the phone number on the back of your health insurance card and quote reference XYZ. We need to speak to you about your account."

And, beyond this, how cool would it be if we had the telephone equivalent of SSL, so that your Caller ID not only told you the number that was calling but also whether or not the caller was a verifiable entity with a valid security certificate?

Have your say!

As in all things, my approach to blog posts is that they should evolve over time and your feedback is invaluable in achieving this by helping me fix factual errors, fill in details, and expand the original post.

Have you received similar calls? Did you give your security information over? Have you been phished in this way by a malicious caller? Do you know of efforts to educate companies about the dangers of this practice or to pass legislation to stop it? Leave me a comment and let us know!

Photo credit: Kenneth Lu.