Customer Support and the Hazards of Social Engineering

Journalist Mat Honan was playing with his daughter one fine Friday afternoon when his iPhone mysteriously switched off. He thought nothing of it, but since he was waiting for a call he plugged it back in. It abruptly rebooted.

In the minutes and hours that followed, Honan discovered that hackers had completely disrupted his digital life. And the attack was inadvertently assisted by the helpful customer support staff at Apple and Amazon.

Welcome to the era of social engineering. 

Social engineering is, broadly, the exploitation of human nature to produce or support a security breach. Examples range from the novelistic – feeding the resentments of a disgruntled employee, or feigning a romantic interest in a lonely one – to the mundane, such as the efforts of customer support staff to be helpful to customers.

That is their job, after all. And because consumers are so often careless and confused, customer support often accommodates them – ignoring the very security measures designed to protect customers in the first place.

Read Honan's first-hand account for the specific horrid details of his experience. But in a nutshell, both Apple and Amazon made it easy for hackers to pose as a customer, gain access to accounts, and reset passwords – locking the real account owner out.

Hackers were able to do so with such minimal information as the four digits of a credit card number that are not masked, or X'd out, on receipts. 

In the wake of the Honan debacle, Apple and Amazon have hastened to tighten up their procedures. But the daily pressures of customer service will tend to push in the direction of laxness.
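The procedural weakness in the Honan case was that a support agent could reset credentials on the strength of facts an outsider can collect from receipts and public profiles. The following is an added illustrative example, not Apple's or Amazon's actual procedure: a small authorization policy for support actions in which only the strongest verified factor counts (three weak facts never add up to a strong one), password resets require proof of possession of a registered channel, and a failed secret-level check denies the request and alerts the real owner. The evidence kinds, strength ranking, action names and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Strength(Enum):
    """How hard a piece of identity evidence is for an outsider to obtain."""
    PUBLIC = 0       # name, address, e-mail: findable on social media or public records
    RECEIPT = 1      # printed on receipts/labels, e.g. the unmasked last four card digits
    SECRET = 2       # known only to the account holder, e.g. an account PIN
    POSSESSION = 3   # proves control of a registered channel, e.g. OTP to the phone on file


# Evidence kinds a support agent can check (assumed set for this example).
EVIDENCE_STRENGTH = {
    "name": Strength.PUBLIC,
    "billing_address": Strength.PUBLIC,
    "email": Strength.PUBLIC,
    "card_last4": Strength.RECEIPT,
    "account_pin": Strength.SECRET,
    "otp_registered_phone": Strength.POSSESSION,
}

# Minimum evidence strength per support action (assumed policy for this example).
# Weak evidence never "adds up": three PUBLIC facts are still PUBLIC.
ACTION_MIN_STRENGTH = {
    "lookup_order_status": Strength.PUBLIC,
    "change_shipping_address": Strength.SECRET,
    "reset_password": Strength.POSSESSION,
    "change_recovery_email": Strength.POSSESSION,
}


@dataclass
class RecoveryRequest:
    account_id: str
    # evidence kind -> whether the caller's answer matched the record on file
    evidence: dict


@dataclass
class Decision:
    allowed: bool
    reason: str
    notify_owner: bool = False          # alert registered contacts out of band
    audit: list = field(default_factory=list)


def authorize(req: RecoveryRequest, action: str) -> Decision:
    """Decide whether a support agent may perform `action` for this caller.

    Only the strongest *verified* factor counts toward the threshold. A failed
    secret- or possession-level check denies the request and notifies the
    owner, because a caller guessing at a PIN is what an impostor looks like
    (a design choice: a legitimate owner who mistypes gets a notification and
    must retry, which is the cheaper error).
    """
    required = ACTION_MIN_STRENGTH[action]
    audit = [f"account={req.account_id} action={action} requires={required.name}"]
    best: Optional[Strength] = None
    probing = False

    for kind, matched in req.evidence.items():
        strength = EVIDENCE_STRENGTH.get(kind)
        if strength is None:
            audit.append(f"ignored unknown evidence kind {kind!r}")
            continue
        audit.append(f"{kind}: {'matched' if matched else 'MISMATCH'} ({strength.name})")
        if not matched:
            if strength.value >= Strength.SECRET.value:
                probing = True
            continue
        if best is None or strength.value > best.value:
            best = strength

    if probing:
        return Decision(False, "failed secret/possession check; owner notified", True, audit)
    if best is None or best.value < required.value:
        have = best.name if best else "no verified evidence"
        return Decision(False, f"{action} needs {required.name}; caller has {have}", False, audit)
    # Sensitive changes always notify the owner so a hijack becomes visible quickly.
    notify = required.value >= Strength.SECRET.value
    return Decision(True, f"{action} authorized on {best.name}-level evidence", notify, audit)


if __name__ == "__main__":
    # Constructed sample: a caller armed only with what receipts and social media give away.
    impostor = RecoveryRequest(
        "acct-0001", {"name": True, "billing_address": True, "card_last4": True}
    )
    for action in ACTION_MIN_STRENGTH:
        d = authorize(impostor, action)
        print(f"{action:26} allowed={d.allowed!s:5} {d.reason}")
```

The point of the ranking is that the agent never has to exercise judgement under pressure about whether a friendly, confused-sounding caller "seems legitimate"; the policy decides, and the audit list gives the security team a record of what was presented and what failed.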

Social media widens the door to social engineering by putting more personally identifying information in public view. And the cloud era increases the risks – Honan's digital life was stored in the cloud, so when his cloud accounts were wiped he had no local backups to restore them from.

But for both individuals and firms, the lesson of Honan's experience is that only you can safeguard your digital security. Don't count on vendors to do it for you. They are far too vulnerable to social engineering based on human nature.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."