Shostack + Friends Blog Archive


Preserving the Internet Channel Against Phishing, Part 2

At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a “security check”. I told her I was uncomfortable giving out information like this to a cold caller over the phone and she said it was nothing to worry about because it was all covered by “the data protection act”.

I e-mailed Orange customer support via their website with details of the call and the number it came from (07973 100 194, which looked like a mobile number to me and had further fuelled my suspicions). I just received their reply – the call really was from them!

So writes Simon Willison in “Social engineering and Orange.” I’ve discussed in the past how companies enable the phishing problem through bad business practice, in “Preserving the Internet Channel Against Phishers” and the two blog posts that led to that, “Don’t Use Email Like a Stupid Person” and “More on Using Email Like a Stupid Person.”

At some point, poor behavior on the part of companies will start to train users that these things are ok. That will in turn lead to liability when customers behave exactly the way you asked them to behave. It’s gonna get expensive.

(Thanks to Saar Drimer for the pointer.)