Defcon schedule 2019
1/18/2024

Here's how she described the way an attacker could use your Netflix account to access your banking information:

What happens is that many financial institutions have policies for when users forget their account number. So if you call and say, 'Hey, I'm traveling, I'm having some issues with my mortgage payment, can you please confirm the account number, I don't have it memorized', they then have a set of rules to follow on how to release that account number. And this will vary from institution to institution. But generally, in multiple cases, they'll ask first for the last four digits of your social security number, but a lot of times people don't know that, or you might be in a place where you don't want to disclose that. So, if the consumer doesn't have that and they don't have a credit card on them, they will go through a set of questions. Banking institutions will use publicly available information, like your birthday, your address, your full legal name, even where you opened the bank account, which is very easy to find out, especially if the user has not moved around a lot.

And if you just search Netflix on Twitter, you have a whole bunch of people who recently posted like, 'Hey, I just got a new Netflix subscription', and you're like, it's August 1, and they just bought a new Netflix subscription today. You can then calculate the day of the month that that Netflix subscription, or whatever subscription, will renew and use that piece of information with a banking institution to prove ownership of an account. So the vulnerability comes in when you call to get more information about an account, but not quite the account number: they won't verify as hard. So when you call first, you don't ask for the account number first; you're going to use the fact that you know the subscription services that were recently charged to the account to prove that you have knowledge of the account. And you'll say, 'Hey, so I got this weird text message, one of the short numbers, you know, and it said that my Netflix subscription renewed yesterday, that should be my most recent charge on this account, could you verify the balance?' And they'll be like, sure, here's your account balance, and you're like, great. So now you know the most recent charge (Netflix) and you know the account balance, two critical pieces of information. And then you can keep going: 'Can you just verify the prior few charges for me, I just want to be sure that there are no pending charges that are going to change the balance.' And a lot of times the person, to be helpful, will hand over all the seemingly inconsequential information very easily. And you, as the attacker, say 'Sweet, now I have the last few charges, and I have the account balance'. So you slowly use the first call to build your knowledge base around the account: you already have knowledge about what this user is spending on subscription services and other openly available information. So then you call back a second time and you're armed with all of these details and you say 'Hey, can I verify the account number? But I don't know my social security number', and they're like, okay, let me go through this checklist. And the checklist is pretty similar among multiple financial institutions, including: what is your most recent charge? Can you verify this pending request? Do you have credit cards on the account? So now with all this information, you can pretty much tap off your ID account folder and the financial institution will confirm the account number for you.

Although the hack is a multi-tiered attack involving several calls to the same financial institution, "the threat is that subscription services are usually a fixed amount and anyone who does research on the vendor can figure out what that fixed rate is." In addition, with all the information available after the Equifax and the Capital One breaches, attackers now have a really robust profile on a large portion of the American population. "And then it's important to remember that on the attacker side, these are entire criminal organizations, not just a single person, with lots of manpower and time to spend, already aggregating information on individuals," explained Murdock.

Finally, Murdock suggested asking your telephone company or your financial institution to set a verbal passphrase or verbal PIN (six digits or more) that anyone who calls for the account must know.
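The following is an added example and not code from the article or from Murdock's talk. It models the two-call flow described above against a toy account-number release policy: the knowledge-based checklist as described (public data plus the most recent charge) lets an attacker who was read the balance and charges on call one obtain the account number on call two, while the verbal passphrase Murdock suggests does not. It also adds two controls that are my own assumptions rather than anything the talk proposes: a rule that a fact the institution itself read out within a window no longer counts as proof of ownership, and a detection pass over a call log that routes an account-number request preceded by a balance or charges inquiry to manual review. The account data, passphrase, 30-day and 7-day windows, call types and the call log are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DISCLOSURE_WINDOW = timedelta(days=30)  # assumed: how long a fact an agent read out stays "burned"

@dataclass
class Account:
    ssn_last4: str
    dob: str
    address: str
    charges: list          # most recent first, as (merchant, amount)
    balance: float
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    passphrase_hash: bytes = b""
    disclosed: dict = field(default_factory=dict)  # fact name -> when an agent read it out

def set_passphrase(acct, passphrase):
    """Store only a salted PBKDF2 hash of the verbal passphrase or PIN (work factor assumed)."""
    acct.passphrase_hash = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), acct.salt, 100_000)

def check_passphrase(acct, attempt):
    if not acct.passphrase_hash:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), acct.salt, 100_000)
    return hmac.compare_digest(acct.passphrase_hash, candidate)

def read_out(acct, fact, when):
    """Call one: the agent reads a fact to the caller, so it is no longer a secret."""
    acct.disclosed[fact] = when
    return {"balance": acct.balance, "most_recent_charge": acct.charges[0]}[fact]

def weak_release(acct, claims, now):
    """The checklist as described: SSN last four, or public data plus the most recent charge."""
    if claims.get("ssn_last4") == acct.ssn_last4:
        return True
    return (claims.get("dob") == acct.dob and claims.get("address") == acct.address
            and claims.get("most_recent_charge") == acct.charges[0])

def kba_release(acct, claims, now):
    """Same checklist, but a charge the institution itself read out recently is not evidence."""
    if claims.get("ssn_last4") == acct.ssn_last4:
        return True
    burned = ("most_recent_charge" in acct.disclosed
              and now - acct.disclosed["most_recent_charge"] < DISCLOSURE_WINDOW)
    return not burned and weak_release(acct, claims, now)

def passphrase_release(acct, claims, now):
    """The talk's suggestion: nothing is released without the verbal passphrase."""
    return check_passphrase(acct, claims.get("passphrase", ""))

def demo_account():
    """Constructed sample account whose owner has set a passphrase."""
    acct = Account("1234", "1987-03-12", "12 Elm St", [("Netflix", 12.99), ("Shell", 41.20)], 2150.40)
    set_passphrase(acct, "correct horse battery staple")
    return acct

def simulate_two_call_attack(policy):
    """Call one extracts balance and last charge with public data only; call two asks for the number."""
    acct = demo_account()
    call_one = datetime(2019, 8, 1, 10, 0)
    claims = {"dob": acct.dob, "address": acct.address,
              "most_recent_charge": read_out(acct, "most_recent_charge", call_one),
              "balance": read_out(acct, "balance", call_one)}
    return policy(acct, claims, call_one + timedelta(days=2))

def legitimate_customer(policy):
    """The real owner knows the SSN digits and the passphrase and had nothing read out."""
    claims = {"ssn_last4": "1234", "passphrase": "correct horse battery staple"}
    return policy(demo_account(), claims, datetime(2019, 8, 3, 9, 30))

def flag_two_step_calls(call_log, window=timedelta(days=7)):
    """Route to review any account-number request preceded within `window` by a balance/charges call."""
    disclosures, flagged = {}, []
    for ts, acct_no, kind in sorted(call_log):
        if kind in ("balance_inquiry", "charges_inquiry"):
            disclosures.setdefault(acct_no, []).append(ts)
        elif kind == "account_number_request" and any(
                ts - d <= window for d in disclosures.get(acct_no, [])):
            flagged.append(acct_no)
    return flagged

CALL_LOG = [  # constructed sample log of (timestamp, account, call type), not real data
    (datetime(2019, 8, 1, 10, 0), "4411-0099", "balance_inquiry"),
    (datetime(2019, 8, 1, 10, 5), "4411-0099", "charges_inquiry"),
    (datetime(2019, 8, 3, 14, 0), "4411-0099", "account_number_request"),
    (datetime(2019, 7, 2, 9, 0), "7788-1234", "balance_inquiry"),
    (datetime(2019, 8, 20, 9, 0), "7788-1234", "account_number_request"),
]

if __name__ == "__main__":
    for policy in (weak_release, kba_release, passphrase_release):
        print(f"{policy.__name__}: attacker gets the number -> {simulate_two_call_attack(policy)}")
    print("flagged for review:", flag_two_step_calls(CALL_LOG))
```

Running it shows the attacker succeeding only against `weak_release`, while the legitimate owner passes all three policies. The point of the "burned fact" rule is that the first call turns the most recent charge from something only the owner should know into something the bank has just told an unverified caller; the detection pass catches the same pattern after the fact when the release policy cannot be changed quickly.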