Trick Or Treat?

During the Halloween season we all see the warnings about what is a Trick and what is a Treat. These educational messages are meant to alert us to those things that might seem enjoyable but, in reality, are really scary. When I see these warnings I am reminded how in the world of information security it seems like new tricks come out everyday.

When I started working with credit unions in the late 90s, we primarily relied on our information systems staff to alert us to the threats and other scary things our systems and information were subjected to.

However over the past few years, the goblins have moved into most other aspects of the credit union and even ventured out to our members' homes, as well. While good IT practices are still critical, they can't protect us from the person who gives away their user-ID and password to someone in an official costume that rings the doorbell and asks for it.

We've all heard the story of the deposed Nigerian diplomat who promises to send a generous share of $10 million if you will simply cash the check for him. You've probably received an e-card from a loving secret admirer and I am sure you have gotten something from Paypal or a financial institution you have never heard of asking for all of your personal information. While we all know of these monsters and we know not to open the door when they come knocking, have you heard about vishing, postal phishing, pharming, or even worse, the fraudster in costume?

It's impossible to catalog all the possible scenarios, but important to get a taste of what could be out there.

A Verbal Request

Just like a phishing attack asks us to click a link that may do something dastardly, vishing does the same thing, just verbally. Imagine an attacker calling an employee, for instance, posing as a supervisor or co-worker and asking for log-in information in order to check out a new website or to do some testing on the system. Combine that with the ability to change the caller id that shows up on their phone and the caller's disguise looks legitimate. A similar attack involves an e-mail or voice message leaving a call-back number where they can leave the important information. While your staff might be better able to fend off that attack, what about your members? Do they know what to do if someone calls?

What about the member who gets a letter in the mail asking them to log into a "special" CU website and confirm their information? This "special" website looks just like the official one with the addition of an Account Verification link that asks all the personal information an identity thief would want. The only difference is that this gremlin shows up in the mailbox instead of the inbox. In a recent test of this with a credit union, there was a 10% response rate to this type of attack. We know not to click on a link in an e-mail but what about typing the link in a letter we get-what can be the harm in that right?

Problems Down On The Pharm

"Pharming" is another popular way of getting users to trust a site enough to enter their personal information. While more technical in nature, imagine if you typed in a legitimate web address and ended up at a similar looking site that was malicious. Through DNS poisoning or corrupting the "host" file on your computer, that is exactly what can happen. If you call directory assistance and ask for my number but get someone else's the problem is not that big, unless of course they pretend to be me and you give them personal information that was to be between us. Similarly, if your members type in the correct home-banking website and are presented an identical malicious one, imagine the issues that would present.

Most kids love Halloween because all they have to do is put on a costume, ring a doorbell and get free candy. Surprisingly, one of the easiest ways to collect information from an institution is to dress up and walk right in as well. A social engineering attacker can be a master of disguise. Maybe she's a vendor on a sales call who brings an accomplice who asks to use the restroom any chance he gets. Or a fire inspector who has complete access to the facility by law, demands respect and is seen as a trusted figure. Does your staff know how to spot these Trick or Treaters and what to do when they call?

This Is No Treat

While we all need to be aware of the Tricks that are out there, what about the Treats? Have you ever been sent a free USB storage device or a CD with sample software? Don't be so sure these are the Treats you think they are. Just think of the attacks you could do when someone plugs in the USB device to see what is on it or loads up the CD to watch a nifty presentation. Both types of devices can auto-run and load all sorts of malicious software from viruses to keyloggers. In a worst-case scenario, what would happen if the CDs were sent to your members with your credit union's name on them?

So what can we do to protect ourselves from these new gremlins? In my opinion, education and awareness are the main solutions to these new attacks. Just like continual updates and testing are standard practice for IT assets, they should become standard practices for staff and members as well. Holding a member education day with fun seminars can help protect the credit union and serve as a great loyalty builder as well. Similarly, staff training sessions followed up by spot testing can provide huge dividends. And spot-testing is easy to do. Simply calling staff members and asking for their user-id and password can let you know if your efforts are working. There is so much information available to help, there is no reason to not make the investment-and avoid the tricks.

Joseph A. Cooper is Director of Financial Services at TraceSecurity, Inc., and can be reached at jac<at>josephcooper.com. (c) 2007 The Credit Union Journal and SourceMedia, Inc. All Rights Reserved. http://www.cujournal.com http://www.sourcemedia.com