Social engineering: Mind the identity verification gap

Billions of personal data records are up for sale on the Dark Web as data breaches continue to occur at an alarming rate. According to Risk Based Security’s 2019 Midyear Data Breach report, there was a 54% increase in data breaches in the first half of 2019 compared to the same time period in 2018. In fact, they found that there was a 50% increase over the last 4-year period. The firm attributes the substantial rise to the fact that in the first six months of 2019 there were over 1,300 documented data leaks which mostly exposed email addresses and passwords.

Password and email combinations are utilized in automated credential stuffing attacks which have a high success rate due to password reuse. In Verizon’s 2019 Data Breach report, 49% of breaches involved the use of stolen credentials. Once an attacker is able to compromise an account, they either sell account access, for example what happened with Disney+, or they work laterally until they can find something to make the effort worthwhile – personal data, financials, etc.

Beyond compromised credentials, attackers leverage personally identifiable information (PII) gathered on specific targets to launch social engineering attacks or reset the victim’s account password to take over the account. Social engineers armed with data can easily source the answers to knowledge-based questions, which are the primary form of user authentication during a password reset, to take over the account.

Imposters exploit data

Social engineering, in the context of IT, refers to the manipulation of people to perform actions or give up confidential information through the use of deception, persuasion, impersonation, and the abuse of trust. It’s a broad concept that encompasses various attacks, including phishing, which is the most pervasive.

Attackers use different phishing techniques from sending targeted emails (e.g. spear phishing) or text/SMS messages (e.g. smishing) or making phone calls (e.g. vishing), but ultimately, they all rely on establishing a level of trust or credibility. This can easily be achieved given the endless supply of data, ranging from account credentials to PII, available on the Dark Web.

Proofpoint’s 2020 State of Phish report found that 55% of organizations fell victim to a successful phishing attack in 2019. Impacts of these attacks include loss of data followed by credential/account compromise and ransomware infection. Organizations are starting to measure cost of a breach against user downtime, remediation time, and reputational damage (e.g. loss of customers), with average costs ranging from $200,000 to $3.9 million dollars.

In the end, data breaches create a vicious cycle. Massive amounts of data enable attackers to exploit areas of weakness – compromised credentials, weak user verification methods, and unsuspecting users.

Teen hacks US government agencies

A teen targeted the CIA, FBI and the US Department of Justice databases in 2015/2016, obtaining sensitive documents on various military and intelligence operations. The method of attack was vishing at call centers. First, he called a Verizon call center while impersonating a Verizon employee and the former CIA chief John Brennan. He conned the agent into providing sensitive information including Brennan’s account number, his four-digit PIN, the backup mobile number on the account, personal AOL email address and the last four digits on his bank card.

Armed with this information the teen called AOL, impersonating Brennan, faking an account lock out. The AOL agent then reset the account’s password granting the teen the ability to obtain sensitive information that Brennan had forwarded from his work account. The teen also called the FBI helpdesk impersonating former Deputy Director Mark Guiliano and conned them into changing his database password. This permitted the attacker to gain unauthorized access to the US Department of Justice’s network where he ultimately obtained sensitive court case files including the Deepwater oil spill.

In this case the teen did not demand funds however he did leak sensitive data and information which put national security at risk. Without the proper user verification policies and tools at call centers, this attack vector will continue to be an area of exploit for attackers. With access to sensitive information and the ability to perform high risk tasks such as password or pin resets, the helpdesk needs to be equipped with the appropriate security mechanisms.

Protecting your organization

Many IT departments at small to mid-sized organizations deem themselves as unlikely breach targets but this cannot be further from the truth. The previously cited Verizon report found that 43% of data breaches involved small businesses as the targets. In fact, a 2018 Ponemon Institute report uncovered that 58% of SMBs experienced a data breach in 2018, and that phishing/social engineering continues to be the number one attack they experience.

Regardless of organization size, attacks are becoming more targeted due to the proliferation of data. This calls for IT departments to close the identity verification gaps. With passwords serving as the primary form of authentication, organizations need to start with setting a secure password policy that eliminates low hanging fruit such as the use of easily guessable passwords or the use of leaked passwords. Beyond this, organizations need to implement multi-factor authentication especially for high risk use cases such as password resets. The long relied upon form of user authentication known as knowledge-based authentication (KBA) or security questions needs to be eliminated, especially in a world where personal data is easily available.