
RE: Steps to avoid Social Engineering

Subject: RE: Steps to avoid Social Engineering
Date: Thu, 21 Apr 2005 09:32:15 +0700
Any security system can be beat. The key is to use a multi-layered
approach to security to make it more costly to the hacker in terms of
time and frustration than your data is worth. There are plenty of
sitting ducks out there they can go rob more conveniently.

I suggest you use a retinal scan & fingerprint ID with quantum
encryption as a precursor to them calling you and then when they call
act like you've never heard of them before. If they are a hacker they'll
assume they've stolen the wrong identity and hang up. If they are
indignantly surprised they are legit. Alternately, answer the phone in a
foreign language and require your customer to respond in a DIFFERENT
foreign language based on which language you initiate with. For example,
if you speak Thai they must answer in German but if you initiate in
Swedish then they must answer in Hindi. The language initiation and
response schedule should change hourly as well so the former sequence of
languages would only be good for one hour before changing. You should
learn to say, "Hello, how are you?"/"I'm fine but a little sleepy
today," in at least 12 different languages. You can keep your customers
apprised with an online web app as to which language they should
respond in. Don't even get me started on how you should secure that
thing though... 

If you are still feeling a little insecure simply reject a third of all
callers "for security reasons" and make them change their password
online and call you back.

Sorry... I have been trying to puzzle this problem out and can't think
of anything. Maybe there is something helpful you can pull from all this
nonsense above.
   


-----Original Message-----
From: Sanders, Jonathan [mailto:Jonathan.Sanders@healthsouth.com] 
Sent: Wednesday, April 20, 2005 8:56 PM
To: P. Rodriguez; John Pettitt
Cc: security-basics@securityfocus.com
Subject: RE: Steps to avoid Social Engineering


Definitely. Any number.

-----Original Message-----
From: P. Rodriguez [mailto:mailinglists@deltum.com]

Sent: Tuesday, April 19, 2005 5:43 PM
To: Sanders, Jonathan; 'John Pettitt'
Cc: security-basics@securityfocus.com
Subject: RE: Steps to avoid Social Engineering
Importance: High

I see. That is very interesting. How about mobile numbers, can that be
spoofed as well? E.g. Mobile to landline or mobile to mobile calls?


From: John Pettitt [mailto:jpp@cloudview.com]

Caller ID is not safe; it's way too easy to spoof - see
http://www.camophone.com/

From: Sanders, Jonathan [mailto:Jonathan.Sanders@healthsouth.com]

Caller ID can be spoofed very easily using VoIP. All someone would have
to do is set up an Asterisk gateway (http://www.asterisk.org/) at their
office or house even and spoof the Caller ID.



