Stories From Your Computer Guy Vol. II

in #hacking7 years ago

As a budding cyber security professional it is often my job to teach the less techy folk in my company about potential hazards when communicating with others online and even in person or over the phone. Folks like myself at the first ones to be questioned should an incident occur and we are bombarded with paper work and logs to go over. So it go's without saying that we prefer to prevent an incident rather than correct or even sometimes fight it while its happening.

When it comes to the topic of hacking, people generally think that attackers are genius coders, foreign scammers, and seasoned security experts gone rouge. These hackers are like ghost that leave little to no trail and if you yourself are not a IT professional you will never see an attack coming. However this is far from true. Anyone could be a hacker, and it is seldom that real world hackers are computer whiz's.

When I started my job a XYZ company (They shall remain unnamed for security reasons) I was very eager to start my career in cyber security, I saw myself securing networks, testing out software and patches for vulnerabilities, advising what the company should look into for security options, and doing security audits and penetration test. While the things just mentioned where certainly part of my job, sometimes it is my job to find out what my fellow coworkers are doing very wrong. One user in particular believed that it was our job and solely our job as the security team to keep hackers out of our systems and that computers are the only way a hacker could attack.

This user was an older lady (Lets call her Jane) who had been with company far before computers where the dominant force keeping operations going. Jane was a customer support specialist and her job was quite simple, answer phones, send an email or two, help customers with account issues and things of that nature. The way Jane saw things, she rarely ever needed her computer to do the majority of her job so she didn't care to learn about them.

One day Jane answered a phone and was greeting by a lovely sounding old lady who complained she couldn't get into her online account and that she admittedly wasn't very good with computers but she had her grandson with her to help her out. Jane asked the required information of this pleasant old lady and most of it checked out except 1 thing; She gave the wrong phone number we had on file, and gave wrong numbers multiple times before admitting she has had her phone number changed many times recently because of robocalls being made to them. To Jane, this wasn't much of a red flag as she her self could totally relate to those annoying robocalls. She allowed this nice sounding old lady to changer her account password and she was able to get into her account finally with the help of Jane and her grandson. Everything seemed okay and Jane felt good for helping out.

Weeks had gone by and Jane had long since forgotten about the nice sounding old lady who she helped. Then one day Jane gets a call from her supervisor who was away on vacation and on the other line on hold (according to him) was a very distressed customer who he had to talk to on his vacation. Normally this is not something that would happen in the company but something was very different about what the cause of this customers distress was. Someone had gotten into her account and stolen very vital information that cost her over $100,000 in damages.

As it turned out, a few weeks earlier the account was accessed by someone after having the real customer's password changed. After going over a few logs it was there clear as day that shortly before the unauthorized access, Jane had changed the password on the compromised account. After a long conversation with her supervisor about what happened, she was told to leave for the day and to not come in the following day, but she wasn't fired and her supervisor was going to have to cut his vacation short and come in to have a meeting with Jane and some other people in the company.

Jane came back for her meeting 3 days later which she was greeted by her supervisor and myself. We lead her to the conference room where the meeting was to take place. Waiting in the room were about a dozen other individuals, including police and the victim of the stolen account. Jane's face quickly showed fear and her eyes immediately began to water upon the sight. After her supervisor calmed her down a bit we began the meeting.

As it turned out, the person who called in was clearly not the account holder who was actually a middle aged business woman who had invested interest in our company. Thanks to the collaboration of my team and police we had tracked down the fraudsters to a group of teenagers who had used a voice modulator to make themselves sound very different in order to pretend to be the real account holders. These teens were quite good at what they where doing as they had done the same thing to many accounts all over the country over the course of the week the incident occured. With the help of another group of teens they met on facebook that bought and sold information like social security numbers over the darknet, they where able to get enough information to fake it and call in to change passwords for accounts.

After explaining what had happened, it was Jane's turn to be questioned. The first question was along the lines of, "Why did you authorize the change to the account password?" Jane explained that all of the information they gave was correct and there was no way she could have known. The next thing we did was listened to the recording of the conversation (our company always recorded calls from customers). It was admittedly a convincing act on the teens part, but they couldn't confirm the correct phone number. We made it very clear that in our company if anything at all wasn't correct and couldn't be confirmed, customers had to come in person to verify their identity. Jane had let them get through without all required information. This was unfortunately, entirely her fault for not following company policy.

Jane was let go from her position she held for 30+ years. Myself and my team often told other employees the dangers of not following our verification method to the tiniest detail. In this case many people where made victims thanks to a group of stupid teenagers. Stories like Jane's are all too common in my industry, and it seems impossible to stress the importance of security measures to employees. Perhaps this story will save someone from the same fate as Jane.

Sort:  

Congratulations @derpdragon! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

Award for the number of upvotes

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

Upvote this notification to help all Steemit users. Learn why here!

Congratulations @derpdragon! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 2 years!

You can view your badges on your Steem Board and compare to others on the Steem Ranking

Do not miss the last post from @steemitboard:

SteemitBoard Ranking update - A better rich list comparator
Vote for @Steemitboard as a witness to get one more award and increased upvotes!

Congratulations @derpdragon! You received a personal award!

Happy Birthday! - You are on the Steem blockchain for 1 year!

Click here to view your Board

Support SteemitBoard's project! Vote for its witness and get one more award!