Just recently, two things got me thinking about just how hard security can be – whether online or offline.
Earlier in the week, Lastpass – a service that securely stores usernames and passwords – issued a security incident report. Lastpass is a reputable company with a team of highly skilled security engineers, and their business is security. They have highly sensitive data and a strong business reason to protect it.
While the response from Lastpass was speedy and transparent, the best laid security was compromised – albeit partially.
My second experience was a bit closer to home, and made me painfully aware how difficult it is to remain secure, and just how cunning the bad guys had become.
Online Security and Offline Realities
Before I share my story, perhaps some background to set context. When it comes to security, in particular online security, I’m pretty much off the charts on paranoid. I use different, strong passwords for all sensitive services (bank, email, …). I use two factor authentication for email, ignore phishing email as a matter of course, restart my browser before doing online banking, only use backup services that encrypt locally, reinstall my operating system at least every year ‘just in case’, religiously update my software and run Secunia to catch those updates I missed. I never install software off the Internet except from trusted sites, check up on processes running I don’t recognize and only connect over https when using unsecured wireless.
My paranoia even extends offline. I shred all documents with anything more than my name and address on them. Old credit cards, purchase receipts and backup DVDs also meet the same fate. When someone from the bank calls I politely hang up and call them back on the number listed on the website. I even go so far as to make life difficult for myself by not giving out my social security number to anyone (even my bank) without a fight.
But the bad guys are smarter
I have no idea how, but I was just hopeful enough, and the bad guys had just enough information to engineer a successful social engineering attack on me.
I had been working with Bank of America on some issues with my account – accounts were showing up when I logged in online that weren’t mine. The cause of this was apparently some database maintenance gone awry by Bank of America – I guess they have more than one Vanessa Howell as a customer. BoA was working diligently (and slowly) to rectify the issue, and as far as anyone could tell, there was no fraud involved just a bit of bad programming.
Then this week I got a few calls from the Bank of America fraud department. Or, at least I thought so at the time. After ignoring two of them, I (foolishly) thought that perhaps this had to do with the issue I was working on with them and called them up.
Mistake 1 – Not calling the number on the back of my card, but calling the number they left in the voicemail.
In hindsight I seriously can’t understand why I did this – perhaps a strong desire to close the issue I was working through coupled with the convenient timing of a call from the fraud department lowered my guard.
Mistake 2 – The person answering the call didn’t clearly state the bank they were from, and at this point alarm bells should have been going off in my head, but weren’t.
Mistake 3 - I gave them some of my information, including my credit card number.
Hook, line and sinker. Now they did the classic trick of telling me my information didn’t match, putting me on hold, then transferring me to another department. And my brain finally started working. I realized my stupidity and did the only sensible thing all day – I drove to the bank, cancelled my credit cards in person and had them put some extra security on my account.
Knock on wood, but I think I caught it in time. Nothing has been charged to my account and the bank is now aware of the situation.
But boy, the bad guys are smart
There were so many subtle cues that this was legitimate. Not only did they have enough information to mount a convincing attack, but even the hold music played was exactly the same as that of the real bank.
Once I hung up the phone I received a followup call confirming that I had called their fraud department. Very smart, assuage any doubt that may have developed and lull your target into inaction just long enough to do damage.
So, security is hard but…
Remember LastPass? Security savvy yet still partially compromised. For a minute after I hung up the phone I felt terribly ashamed at my cluelessness. Then I realized that even the best security can be compromised, and that fast and aggressive response is every bit as valuable as a strong security defense.
In learning my lesson I probably broke my security paranoia dial by turning it from 11 to 12. But what’s done is done. I wanted to share this with you for two reasons. First, be on the lookout – the bad guys are cunning. Second, don’t be ashamed if you make a mistake, just correct it as quickly as you’re able to.