

Social Engineering Schemes Increase: Great Case Study From An Actual Event

Last month I finished the second issue of my Protecting Information publication and the topic couldn't be more timely: social engineering.

Just today I have already read five articles about social engineering in my daily news items! One in particular, "CUNA Mutual Warns on Costly HELOC Scam," not only provides a great example of a current social engineering scam, but would also make a great case study for social engineering training and for your awareness communications and activities. Here's a quick overview...

* Social engineering criminals are targeting CUNA Mutual Credit Unions (CUs) by requesting home equity lines of credit for $100,000 and more.

* The social engineering criminals call the CUs and ask for the funds to be sent to banks in the U.S., China and Japan.

* The account names they use typically have "Title" or "Construction" in the account name.

* The social engineering criminals use valid telephone numbers so that when the CU staff calls them back, they get the original requestor.

* Unbeknownst to the CU personnel, the criminal has had the valid number provided to the CU forwarded to the criminal's phone by social engineering the telephone providers.

* The CU's caller ID shows the call is going to the real CU member's number of record, so they think the funds request is valid.

* The criminals have apparently obtained the CU members' detailed account information, so they can answer the CU staff's identity validation questions correctly.

In response to this costly scam, here is what CUNA Mutual has sent to its credit unions:

"The company said it also sent its bond policyholder credit unions a risk alert on Jan. 3, advising them of their responsibilities and offers these recommendations:

• Establish a password system for members prior to accepting funds transfer requests by telephone, fax or mail. Have a written agreement with the member for the use of these passwords. CUNA Mutual said credit unions are allowed to pass on liabilities to the member for any negligent use of their funds transfer password.

• If there is any doubt as to authenticity of the funds transfer request, credit unions are reminded they do not have to perform a wire transfer.

• Beware of large requests for wire transfers that draw against a HELOC, particularly HELOCs that have large available balances and little previous activity.

• Limit the amount of wire transfer that can be completed by a call center employee. Managers should approve all wire-transfer requests.

• Record conversations during the call-back and compare them to previously recorded conversations.

• Listen to the caller. Does he or she have an accent that is inconsistent with your membership?

• Perform an additional verification to the member’s work and/or cellular telephone number.

• Additionally, if the credit union has the information, send an e-mail to the member at home and/or work."

All good advice.
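As an added illustration (not from the article or from CUNA Mutual), here is how those recommendations could be enforced as an approval gate in a credit union's funds-transfer system: the pre-agreed password, the manager approval limit, an independent second-channel check, and flags for the dormant-HELOC and "Title"/"Construction" patterns described above. The class, thresholds and sample requests are assumptions for the example.

```python
from dataclasses import dataclass

# Assumed thresholds for the example; a real CU would set its own.
CALL_CENTER_LIMIT = 10_000    # largest wire one call-center employee may release
HELOC_DORMANT_DAYS = 180      # "little previous activity" cut-off
LARGE_HELOC_BALANCE = 100_000 # available balance that matches the reported scam


@dataclass
class WireRequest:
    """Constructed model of a telephone wire-transfer request."""
    amount: float
    draws_on_heloc: bool
    heloc_available: float
    days_since_last_heloc_activity: int
    beneficiary_name: str
    caller_supplied_number: str    # number the caller asks to be called back on
    number_of_record: str          # number already stored in the member's file
    password_ok: bool              # pre-agreed funds-transfer password verified
    second_channel_verified: bool  # work/cell callback or e-mail confirmation done
    manager_approved: bool = False


def review_wire_request(req: WireRequest) -> tuple[bool, list[str]]:
    """Return (release_allowed, findings). Any 'block:' finding stops release."""
    findings = []
    if not req.password_ok:
        findings.append("block: funds-transfer password not verified")
    # Calling back the number the caller supplied proves nothing if the line has
    # been forwarded; use the number of record AND confirm on a second channel.
    if req.caller_supplied_number != req.number_of_record:
        findings.append("block: callback number differs from number of record")
    if not req.second_channel_verified:
        findings.append("block: no second-channel (work/cell/e-mail) confirmation")
    if req.amount > CALL_CENTER_LIMIT and not req.manager_approved:
        findings.append("block: over call-center limit, manager approval required")
    if (req.draws_on_heloc and req.heloc_available >= LARGE_HELOC_BALANCE
            and req.days_since_last_heloc_activity > HELOC_DORMANT_DAYS):
        findings.append("flag: large draw on dormant HELOC matches scam pattern")
    if any(k in req.beneficiary_name.lower() for k in ("title", "construction")):
        findings.append("flag: beneficiary name matches reported scam pattern")
    allowed = not any(f.startswith("block:") for f in findings)
    return allowed, findings


# Constructed sample: forwarded line, so the caller's number *matches* the file.
SCAM_LIKE = WireRequest(120_000, True, 150_000, 400, "Acme Title LLC",
                        "515-555-0100", "515-555-0100", False, False)
LEGIT = WireRequest(5_000, False, 0, 0, "Jane Member",
                    "515-555-0199", "515-555-0199", True, True)
```

Note that the forwarded-number case passes the number-of-record check, which is exactly why the password and second-channel controls still block the release.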

They also need to provide targeted training to all their CU personnel, not only once but on a periodic basis. Training should be updated as new social engineering schemes emerge.

The question remains: how did the crooks obtain the detailed information about the CU members' accounts? There have been so many data breaches that it would be very hard to tell.

1) It could have been through a breach that occurred within CUNA Mutual.

2) It could have been through a breach that occurred within one of CUNA Mutual's business partners who use the members' account information for some reason.

3) It could have been through a breach that occurred within one of the vendors to whom they outsource some of their data processing or customer relationship activities.

4) It could have been through an insider with authorized access who provided the information to the criminals.

5) It could have been through the loss of a computer or electronic storage device that contained un-encrypted member account details.

6) It could have been by the criminals taking copies of printed member details from trash bins, if the company does not shred their paper copies of customer information when disposing of them.

7) It could have been by the criminal social engineering the different CU branch locations to collect the customer details over a period of time.

8) And many, many other possibilities...

The fact is, it is very hard, if it is possible at all, to determine where these kinds of criminals get the information they use for their social engineering crimes.

Your best defenses against social engineering scams include:

* Clearly written information security and privacy policies and procedures
* Personnel, vendor and business partner training
* Ongoing awareness communications
* Strong safeguards


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on its list of the 25 top privacy experts and on its list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.