Why should you care about Social Engineering (or people-hacking)?

Author: Bas Jaburg

Last updated: August 1, 2022

97% of all hacks involve exploiting people. Techniques range from (spear-)phishing (email) and baiting (infected USB) to impersonation (also known as vishing, or voice solicitation). As we take more technical measures, fraudsters are moving towards social engineering. Please have a look at the following video:

The woman in the video uses a few techniques to trick the call-service agent: the crying baby to up the pressure, diversion by requesting access for someone else (“Can my daughter get access?”) and empathy (“My husband said get this done by today”).

As people become the weakest link, organizations need technical tools to protect them against fraud. Tricking the Call Center Agent is the easiest way to commit fraud, and pretty much all efforts are pointed towards exploiting this channel.

Another example.

Recently I applied for a change in my mortgage rate. This is how the conversation went:

Hello this is Bas Jaburg, I would like to change the interest rate of my mortgage

Sure. Before we go further, can you please give me the following info?

1. What is your first initial?
2. What is your date of birth?
3. What is your postal code and house number?

B, 17th of March 1969, 1225 AR, 154

That is correct. What was your question again?

As almost all of this data is publicly available, anyone could impersonate me.

So what does this mean? It must be assumed that the Call Center Agent is not sure who he/she is talking to, and therefore only low-risk services can be performed. This has significant effects on the rest of the organisation, as additional channels or processes need to be in place to offer the required services. Moreover, as it will take longer to identify the customer, customer satisfaction will go down, and so will the Net Promoter Score (the willingness to encourage other people to use the same service), which will eventually have a negative effect on the bottom line. And as the risk of fraud rises, costs will rise as well, as you need more expertise and trained personnel in order to stay ahead.

So we need a higher Proof of Identity
Please have a look at the infographic below. Basically, it all comes down to trust: the more sure you are about who you are talking to, the more positive the effect on all parts of the organisation.

[Infographic: Proof of identity]


The Onegini Authenticator

Onegini has developed an easy to use, but most of all, easy to integrate solution to the problems above.

When someone calls the helpdesk...

      1. Instead of asking the obvious question, the Call Center Agent sends a push notification to the caller and asks him/her to respond.

      2. Depending on the level of assurance, the caller answers this notification with the proper response, either by acknowledging the push, entering the PIN code or scanning his/her fingerprint.

      3. The Call Center Agent receives the response immediately and can either:

        • Continue with the call
        • Ask for a step up (add an additional verification step)
        • Stop the call and possibly take additional measures (block, report or otherwise)
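
The agent-side decision in step 3, sketched as an added example (this is not Onegini's code or API). It assumes the response has already been authenticated as coming from the customer's enrolled device; the service names, the 120-second validity window and the response fields are hypothetical.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import IntEnum

class Assurance(IntEnum):
    ACK = 1          # caller acknowledged the push
    PIN = 2          # caller entered the PIN code
    FINGERPRINT = 3  # caller scanned a fingerprint

# Hypothetical policy: minimum assurance the agent needs per service.
REQUIRED = {
    "check_appointment": Assurance.ACK,
    "change_address": Assurance.PIN,
    "change_mortgage_rate": Assurance.FINGERPRINT,
}
TTL_SECONDS = 120  # assumed validity window of one push challenge

@dataclass
class Challenge:
    customer_id: str
    nonce: str = field(default_factory=lambda: secrets.token_hex(16))
    issued_at: float = field(default_factory=time.time)
    used: bool = False

def decide(ch, resp, service, now=None):
    """Return 'continue', 'step_up' or 'stop' for the agent's screen."""
    now = time.time() if now is None else now
    # No answer, an expired challenge or a reused one proves nothing.
    if resp is None or ch.used or now - ch.issued_at > TTL_SECONDS:
        return "stop"
    # The answer must belong to this customer and this call's challenge.
    if resp["customer_id"] != ch.customer_id or not hmac.compare_digest(
            resp["nonce"], ch.nonce):
        return "stop"
    ch.used = True  # single use: a step-up needs a fresh challenge
    if not resp["approved"]:
        return "stop"  # the customer's own device denied this call
    needed = REQUIRED.get(service, Assurance.FINGERPRINT)  # unknown: strictest
    return "continue" if Assurance[resp["method"]] >= needed else "step_up"
```

Binding each answer to a fresh, single-use challenge is what keeps an approval given during one call from being reused to vouch for a different caller later.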

[Infographic: Proof of identity - how it should go]