<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns:idx="urn:atom-extension:indexing" xmlns="http://www.w3.org/2005/Atom" xmlns:dw="https://www.dreamwidth.org" idx:index="no">
  <id>tag:dreamwidth.org,2009-04-14:58489</id>
  <title>Monica</title>
  <subtitle>Monica</subtitle>
  <author>
    <name>Monica</name>
  </author>
  <link rel="alternate" type="text/html" href="https://cellio.dreamwidth.org/"/>
  <link rel="self" type="text/xml" href="https://cellio.dreamwidth.org/data/atom"/>
  <updated>2024-02-16T03:00:38Z</updated>
  <dw:journal username="cellio" type="personal"/>
  <entry>
    <id>tag:dreamwidth.org,2009-04-14:58489:2129859</id>
    <link rel="alternate" type="text/html" href="https://cellio.dreamwidth.org/2129859.html"/>
    <link rel="self" type="text/xml" href="https://cellio.dreamwidth.org/data/atom/?itemid=2129859"/>
    <title>Swiss-cheese security</title>
    <published>2024-02-16T02:49:08Z</published>
    <updated>2024-02-16T03:00:38Z</updated>
    <category term="links"/>
    <category term="spam/scams"/>
    <dw:security>public</dw:security>
    <dw:reply-count>6</dw:reply-count>
    <content type="html">&lt;p&gt;Cory Doctorow's &lt;a href="https://pluralistic.net/2024/02/05/cyber-dunning-kruger/#swiss-cheese-security"&gt;How I got scammed&lt;/a&gt; was a fascinating read.  Phishing has gotten more sophisticated, but also, even people whose security practices are way above the norm can get hit when the stars (mis)align just so.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;There's a name for this in security circles: "Swiss-cheese security." Imagine multiple slices of Swiss cheese all stacked up, the holes in one slice blocked by the slice below it. All the slices move around and every now and again, a hole opens up that goes all the way through the stack. Zap!&lt;/p&gt;
  
  &lt;p&gt;The fraudster who tricked me out of my credit card number had Swiss cheese security on his side. Yes, he spoofed my bank's caller ID, but that wouldn't have been enough to fool me if I hadn't been on vacation, having just used a pair of dodgy ATMs, in a hurry and distracted. If the 737 Max disaster hadn't happened that day and I'd had more time at the gate, I'd have called my bank back. If my bank didn't use a slightly crappy outsource/out-of-hours fraud center that I'd already had sub-par experiences with. If, if, if. [...]&lt;/p&gt;
  
  &lt;p&gt;The following Tuesday, I called my bank and spoke to their head of risk-management. I went through everything I'd figured out about the fraudsters, and she told me that credit unions across America were being hit by this scam, by fraudsters who somehow knew CU customers' phone numbers and names, and which CU they banked at. This was key: my phone number is a reasonably well-kept secret. You can get it by spending money with Equifax or another nonconsensual doxing giant, but you can't just google it or get it at any of the free services. The fact that the fraudsters knew where I banked, knew my name, and had my phone number had really caused me to let down my guard.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Years ago, I got a call on a weekend from someone claiming to be from my credit card who was just plausible enough for me to not hang up.  (Also a claimed fraud alert.)  But I got suspicious when the caller started asking me for private information and then claimed it was necessary to authenticate me (at my own phone number).  So I said "I also need to authenticate &lt;em&gt;you&lt;/em&gt;; what's my mother's maiden name?"  Oh no, the caller said, we can't give you that information... but with all the data breaches we've seen, that technique is no longer safe.  The phisher might &lt;em&gt;have&lt;/em&gt; my mother's maiden name [1].  Doctorow's phisher had his unpublished phone number.  Secrets aren't.&lt;/p&gt;

&lt;p&gt;[1] Helpful tip: don't use the &lt;em&gt;actual&lt;/em&gt; answers for security questions that people might be able to research or guess.  As far as your bank is concerned, your mother's maiden name can be QjFVa6ufeqr_7.&lt;/p&gt;
</content>
  </entry>
  <entry>
    <id>tag:dreamwidth.org,2009-04-14:58489:2123975</id>
    <link rel="alternate" type="text/html" href="https://cellio.dreamwidth.org/2123975.html"/>
    <link rel="self" type="text/xml" href="https://cellio.dreamwidth.org/data/atom/?itemid=2123975"/>
    <title>now pull the other one</title>
    <published>2023-05-19T13:45:53Z</published>
    <updated>2023-05-19T13:45:53Z</updated>
    <category term="spam/scams"/>
    <dw:security>public</dw:security>
    <dw:reply-count>8</dw:reply-count>
    <content type="html">&lt;p&gt;There is an old joke about a man who is talking with his doctor after having surgery on his hands.  He asks the doctor, "will I be able to play the piano when I recover?".  The doctor says yes, he'll make a full recovery.  "Great," the man says, "I've always wanted to know how to play".&lt;/p&gt;

&lt;p&gt;This morning I got email -- sent through the contact form on my personal web site -- from someone with "hacker" in the address (yeah, right):&lt;/p&gt;

&lt;p&gt;&lt;span class="cut-wrapper"&gt;&lt;span style="display: none;" id="span-cuttag___1" class="cuttag"&gt;&lt;/span&gt;&lt;b class="cut-open"&gt;(&amp;nbsp;&lt;/b&gt;&lt;b class="cut-text"&gt;&lt;a href="https://cellio.dreamwidth.org/2123975.html#cutid1"&gt;Read more...&lt;/a&gt;&lt;/b&gt;&lt;b class="cut-close"&gt;&amp;nbsp;)&lt;/b&gt;&lt;/span&gt;&lt;div style="display: none;" id="div-cuttag___1" aria-live="assertive"&gt;&lt;/div&gt;&lt;/p&gt;


&lt;p&gt;&amp;lt;snark&amp;gt;&lt;/p&gt;

&lt;p&gt;Gosh, I'd sure like to have that database full of employee and customer information.  Wow, I have employees and customers!  And a database!  Maybe as a show of good faith you could tell me some of the information you "extracted"?  Or if that's too hard, let's start with: what kind of database did you say that was?  Surely you can tell me that.&lt;/p&gt;

&lt;p&gt;I'm also curious about why you took the inefficient route here.  Your email to webmaster got filtered as spam; I happened to notice it but could easily have missed it.  Since you have my database full of contact information, why didn't you contact me directly?  Just a helpful tip for reaching your future "customers" -- take the direct path.&lt;/p&gt;

&lt;p&gt;Oh, and since you've got remote control of my server anyway, could you upgrade to the latest Emacs?  I've been meaning to do that.  You do want a good review for customer service, right?&lt;/p&gt;

&lt;p&gt;Finally, since your proposal includes commitments to future actions on your part, please provide a verifiable contact address in case I need to make a claim.&lt;/p&gt;

&lt;p&gt;&amp;lt;/snark&amp;gt;&lt;/p&gt;
</content>
  </entry>
  <entry>
    <id>tag:dreamwidth.org,2009-04-14:58489:2015836</id>
    <link rel="alternate" type="text/html" href="https://cellio.dreamwidth.org/2015836.html"/>
    <link rel="self" type="text/xml" href="https://cellio.dreamwidth.org/data/atom/?itemid=2015836"/>
    <title>user interfaces are hard, but this isn't even trying...</title>
    <published>2017-09-26T21:05:56Z</published>
    <updated>2017-09-26T21:05:56Z</updated>
    <category term="spam/scams"/>
    <category term="tech"/>
    <category term="usability"/>
    <dw:security>public</dw:security>
    <dw:reply-count>1</dw:reply-count>
    <content type="html">Wow, that was convoluted.  Having solved the problem, I'm recording it here for future-me or anybody else out there who stumbles across this post when in need.&lt;br /&gt;&lt;br /&gt;Like everybody else, I've been getting lots of spam calls on my cell phone, most of which use caller-ID to lie (no you are &lt;em&gt;not&lt;/em&gt; local...) or mask their identities.  I don't answer calls from numbers I don't recognize, but it's still annoying.&lt;br /&gt;&lt;br /&gt;Sometime in the last several weeks, my phone (ZTE Axon 7 running Android Nougat) offered me some settings for dealing with incoming spam, including a shiny checkbox for blocking calls from private numbers.  I've never gotten a legitimate call from a private number on my cell phone, so I checked it.&lt;br /&gt;&lt;br /&gt;Yesterday I was in a Google Hangout with somebody, which involved much audio fail that I will save for another time.  Rather than continue to debug while the clock was ticking, I said "hey, how 'bout I join the hangout from my phone?" (so, using video and screen-sharing from my computer &lt;em&gt;and&lt;/em&gt; phone for audio).  I couldn't figure out how to join the hangout.  No problem, someone on the other end said, I'll invite you by phone.&lt;br /&gt;&lt;br /&gt;Except he blocks his phone number, so his calls were auto-rejected before I even had a chance to pick up.  Bloody nuisance.  Hey look -- my first legitimate private call!&lt;br /&gt;&lt;br /&gt;We solved the hangout problem, but afterwards I wanted to turn off that setting.  And could find &lt;em&gt;nothing&lt;/em&gt; in my phone settings.  That checkbox was nowhere to be found.  I went to the rejected call in my call log, found a settings menu, and chose "unblock", but doing that has no effect.  (Next time I looked, it was blocked again.)&lt;br /&gt;&lt;br /&gt;Some googling told me that I was probably dealing with an app named Hiya, which ZTE apparently bundles with Android.  
The app doesn't show up in the usual place where you go to launch apps, though.  Some more googling led me to Settings -&amp;gt; Apps -&amp;gt; System Apps, where I found it -- but my choices were force-stop and disable, but no "run" or "open".&lt;br /&gt;&lt;br /&gt;Ok Hiya, you are -- somewhere! -- holding some configuration settings hostage.  Out with it!&lt;br /&gt;&lt;br /&gt;More googling led me to &lt;a href="https://community.zteusa.com/discussion/comment/101811/#Comment_101811"&gt;this comment&lt;/a&gt; explaining how to open the Hiya app: find a blocked-call notification in the log (an actual number, not "private") and open it, which brings up a "limited" part of the Hiya app.  This limited app includes settings, so I was finally able to find my way to that checkbox and uncheck it.&lt;br /&gt;&lt;br /&gt;Who thought that was a good idea?  Un-freaking-believable.  Is it so hard to include a hook for Hiya settings somewhere in the phone app (which it is obviously modifying already)?&lt;br /&gt;&lt;br /&gt;It's possible I'll need this information again within the lifetime of this phone and I sure won't remember that.  Hence this post.</content>
  </entry>
</feed>
