
Wednesday, February 04, 2009


To continue with the Liz Pulliam MSN Money column: red flags should have gone up all over the place when the crooks were developing their latest method of stealing our sensitive data. They would have if we had CIA-type surveillance of the Internet underground. And why not? With the economy tanking, and identity thieves rushing to take advantage of the situation, this would be the perfect time for industry to step in and form a consortium to infiltrate the bad guys. The cost would be small across the board, and the results could be significant. It’s an idea that could happen; that is, if business is really serious about securing our private information.

Vishing is the latest consumer scam, a spin-off of phishing, in which the ID thief sends you an e-mail claiming to be from a legitimate company, with the idea of heisting your sensitive data. Vishing, on the other hand, uses the telephone or cell phone to do the same thing by leaving a voice or text message that says your bank or credit card account has been compromised. Recipients are told to call a toll-free number, where they are instructed to dial in credit card or bank account numbers, including PINs.

It suddenly occurred to me while writing this article that one of the most distinctive factors in the identity crisis is the number of names we have had to come up with, almost on a daily basis, just to keep up with the spate of consumer scams.

Vishing has been around for a while but has recently picked up speed, according to a December 2008 FBI report that identifies new techniques for exploiting the software used in the scam. Asterisk is free software used with Voice over Internet Protocol (VoIP), which allows the bad guys to call multiple numbers and leave their automated messages. You should never reply to these calls; neither banks nor credit card companies use this form of communication to contact customers. One documented incident as late as mid-January 2009 used American Express as the target company.

In another article, in The Washington Post, computer security columnist Brian Krebs outlines “The Anatomy of a Vishing Scam.” Krebs leads with a reality that has been troubling to Internet providers and users for some time: the fact that there are gaping holes in our technology that allow these breaches. It could lead one to believe that the scam artists are much smarter than the technicians who maintain our names and personal data. The piece confirms the use of the VoIP software, and documents the sophistication used by the crooks.

As an example, one group of attacks was directed at the cell phone numbers of financial institutions’ customers, but restricted to only the geographic area served by the bank to maintain credibility. After compromising a web site to serve as their host, the attackers downloaded the phone numbers that would receive the vishing messages and they were on their way. What is frightening is the fact that Lawrence Baldwin, who was brought in to investigate the attacks, learned that from one server alone about 4,400 people actually called the bogus number, and worse, 125 of those (2.8 percent) entered their full credit/debit card number, expiration and PIN.

As P.T. Barnum said: “There’s a sucker born every minute.”
