Swiss-cheese security
Cory Doctorow's How I got scammed was a fascinating read. Phishing has gotten more sophisticated, but also, even people whose security practices are way above the norm can get hit when the stars (mis)align just so.
There's a name for this, borrowed from accident analysis (James Reason's Swiss cheese model): "Swiss-cheese security." Imagine multiple slices of Swiss cheese stacked up, the holes in one slice blocked by the slice below it. The slices keep shifting, and every now and again the holes line up and one goes all the way through the stack. Zap!
The fraudster who tricked me out of my credit card number had Swiss cheese security on his side. Yes, he spoofed my bank's caller ID, but that wouldn't have been enough to fool me if I hadn't been on vacation, having just used a pair of dodgy ATMs, in a hurry and distracted. If the 737 Max disaster hadn't happened that day and I'd had more time at the gate, I'd have called my bank back. If my bank didn't use a slightly crappy outsource/out-of-hours fraud center that I'd already had sub-par experiences with. If, if, if. [...]
The following Tuesday, I called my bank and spoke to their head of risk-management. I went through everything I'd figured out about the fraudsters, and she told me that credit unions across America were being hit by this scam, by fraudsters who somehow knew CU customers' phone numbers and names, and which CU they banked at. This was key: my phone number is a reasonably well-kept secret. You can get it by spending money with Equifax or another nonconsensual doxing giant, but you can't just google it or get it at any of the free services. The fact that the fraudsters knew where I banked, knew my name, and had my phone number had really caused me to let down my guard.
Years ago, I got a call on a weekend from someone claiming to be from my credit card company who was just plausible enough for me not to hang up. (Also a claimed fraud alert.) But I got suspicious when the caller started asking me for private information and then claimed it was necessary to authenticate me (at my own phone number). So I said "I also need to authenticate you; what's my mother's maiden name?" Oh no, the caller said, we can't give you that information... but with all the data breaches we've seen, that technique is no longer safe. The phisher might have my mother's maiden name [1]. Doctorow's phisher had his unpublished phone number. Secrets aren't. The one check that doesn't depend on a secret is to hang up and call the bank back on the number printed on the card.
[1] Helpful tip: don't use the actual answers for security questions that people might be able to research or guess. As far as your bank is concerned, your mother's maiden name can be QjFVa6ufeqr_7; keep it in your password manager next to the password. (A string like that is a pain to read out to a phone agent, so a few random words often work better than line noise.)
no subject
"High School Mascot". Um, I have no idea what it was, and it's not so hard to figure out where I'm from, and what High School I probably went to, and what the mascot is.
"First movie". OK, this is probably something you can't google, but I don't remember! I can pick a movie ("Star Wars"), but how will I remember that? (Answer: I'll write it down somewhere, which isn't terribly secure either...)
Sigh...
no subject
And "favorite X", as if that could never change or be ambiguous!
no subject
Next time I have to set up security questions I must remember to lie, in a little system to help me remember.
no subject
Some sort of system really helps -- something that you can remember, that will generate unique answers (don't use the same lies with your bank and anybody else), that other people won't be able to guess. Security questions are really just passwords with different UI.
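The footnote's tip (an answer like QjFVa6ufeqr_7 that has nothing to do with your mother) and the comment above (a system that generates unique, unguessable answers, because security questions are just passwords with a different UI) can be made concrete. The block below is an added example for this post, not code from Doctorow, the post author, or any bank; the 32-word list, the `Vault` class, the `known_facts` set and the `normalize` rule are all constructed for illustration. It generates phone-friendly random answers, refuses answers that match researchable facts, refuses reuse across sites, and shows how much guessing work an answer represents.

```python
"""Generate, check and store per-site security-question answers.

Added example; not the post's, Doctorow's, or any vendor's code.
WORDS, Vault and the known-facts set are constructed for illustration.
"""
import math
import re
import secrets

# Constructed 32-word list: three words give exactly 15 bits of entropy.
# A real generator would use a large list such as the EFF long word list
# (7776 words, about 12.9 bits per word); this one is only for illustration.
WORDS = [
    "anchor", "basalt", "candle", "dorsal", "ember", "falcon", "garnet",
    "harbor", "indigo", "juniper", "kestrel", "lantern", "marble", "nickel",
    "orchid", "pepper", "quartz", "ripple", "saddle", "timber", "umber",
    "velvet", "walnut", "yarrow", "zephyr", "cobalt", "meadow", "tundra",
    "bishop", "glacier", "hollow", "pistol",
]


def normalize(answer: str) -> str:
    """Approximate how many verification backends compare answers (assumed):
    case-folded with spaces and punctuation removed, so 'Smith-Jones' and
    'smith jones' count as the same answer."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def random_answer(n_words: int = 3, words=WORDS) -> str:
    """Answer built from words drawn with the OS CSPRNG (secrets, never
    random) so it can be read to a phone agent without spelling line noise."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Guessing work for an n-word answer drawn with replacement."""
    return n_words * math.log2(list_size)


def researchable(answer: str, known_facts) -> bool:
    """True if the answer equals something an attacker could look up
    (real maiden name, home town, high school) after normalization."""
    facts = {normalize(f) for f in known_facts}
    return normalize(answer) in facts


class Vault:
    """Stand-in for a password-manager record set keyed by (site, question)."""

    def __init__(self):
        self._records = {}

    def is_reused(self, answer: str) -> bool:
        """The same lie at two sites lets a breach at one unlock the other."""
        norm = normalize(answer)
        return any(normalize(a) == norm for a in self._records.values())

    def set_answer(self, site, question, answer=None, known_facts=()):
        """Store an answer; generate a random one if none is supplied."""
        if answer is None:
            answer = random_answer()
        if researchable(answer, known_facts):
            raise ValueError("answer is a researchable fact about you")
        if self.is_reused(answer):
            raise ValueError("answer already used for another site/question")
        self._records[(site, question)] = answer
        return answer

    def answer_for(self, site, question):
        return self._records[(site, question)]


if __name__ == "__main__":
    facts = {"Smith", "Springfield", "Lincoln High"}  # constructed sample
    v = Vault()
    print("real maiden name researchable:", researchable("smith", facts))
    a = v.set_answer("credit-union", "mother's maiden name", known_facts=facts)
    print("stored answer:", a)
    print("toy list gives", entropy_bits(3, len(WORDS)), "bits; EFF list gives",
          round(entropy_bits(3, 7776), 1))
```

Two practical notes. Answers are compared after normalization in the check because many backends case-fold and strip punctuation, so "Smith-Jones" is not a different answer from "smithjones". And 15 bits from the toy list is far too little; the point of the function is to make the trade-off visible, and with a 7776-word list three words already exceed the entropy of most real answers to "favorite movie".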
no subject
The time that Very Nearly Got Me was an email from one of Querki's vendors. Centrally important company to my ecosystem, one that I'd had a relationship with for years, who I trusted deeply. The email clearly was from them, and sent me to a form that clearly was on their site. It claimed to need info for renewal, so I said, "Bother", but went and filled it in, and actually got to the point of my finger hovering over the Enter key before saying, "My Google password? Yes, this account talks to my Google account, but if they need my Google pwd they're doing something very wrong."
So I set that aside and emailed a friend who worked at that company. Within two minutes, I had a response of, "We've been hacked -- hang on", and within two minutes after that they had sent out an email to all of their customers, warning about the previous email.
Very much a wakeup call for me, and I've been that much more cautious about even perfect-looking forms on legit websites (which this totally was -- the hack was very well-constructed) if the data request doesn't smell right.
As for security questions, those get recorded in my vault, alongside the password and for the same reasons...