Customer Impersonation


If there is one place that needs social engineering testing, it is the customer service center. Customer service representatives have access to account numbers, credit card numbers, and, in the United States, social security numbers. Consider this scenario of a penetration tester calling a credit card customer service center:

PenTester: Yes, I am calling to check the balance on my card.

VictimUser: Sure, what is your account number?

PenTester: I am sorry, but I do not have that handy. I have my address, though. (You can discover this easily through the phone book.)

VictimUser: Without your account number, I cannot look up your account information.

PenTester: Please? It is my fifth wedding anniversary, and my wife is in the hospital. I was hoping to go after work to buy her something special, but I am not sure we have enough money available in our account. Could you please just check what our balance is?

VictimUser: Okay. What is your address?

After the address is given and the support representative reads off the balance, the conversation continues:

PenTester: You know what? I think I might order something online and have it delivered today as a surprise. Oh, but I do not have my account number near me right now. Could you read that off to me so I have it?

VictimUser: Sure, it is...

Most larger credit card companies would not fall for this. One reason is that they hire penetration testers to act as social engineers against their own support representatives, and they enforce strict penalties, up to and including termination, against any employee who gives out customer information without first verifying the identity of the caller.

Because of this, it is often easier to appear as a caller from within the company. Sometimes this is as simple as calling one department and asking to be transferred to another, so that the call appears to have originated on an internal extension. Some social engineers go onsite and tap into an internal telephone line, which also makes the call appear to come from inside. Employees are more trusting of fellow employees, and if a call appears to originate inside the company, they might give out customer information that they would not otherwise disclose.

Corporations that operate customer service centers should have strict policies never to give out customer information without identity verification, and even then only limited information should be offered. They should have a similar policy for the exchange of customer information within the company, because an internal caller is no more verified than an external one.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209
