Do you think your job is important? Probably. Are other people’s jobs important? Maybe, or maybe not. There is an irony that we complain about colleagues not showing enough support for our objectives whilst we neglect to take much interest in theirs. This inconsistency can have serious consequences. In particular I can think of plenty of cases where RAFM practitioners have demonstrated scant interest in security. The two fields should be naturally aligned. Every RAFM practitioner believes everyone else in the telco should care about preventing leakages and frauds, and we all know that security is the responsibility of everybody. And yet, RAFM teams may exhibit an oddly complacent attitude to security.
Consider the security implications of rewriting lots of usage records, or just being able to draw inferences about individual customers by inspecting billing data. Consider that some RAFM consultants habitually exchange files using USB memory sticks, even though we know they are a vector for malware. Some fraud managers appreciate the threat that RA practitioners could engage in insider fraud. However, what do fraud managers think about their own risky behavior? We know that plenty of fraud managers allow their email addresses to be shared widely outside of their business, and they engage in social interaction with total strangers over the web. Have they never heard of the concept of spear phishing, or do they think the risks do not apply to them?
Spear phishing has the same goal as regular phishing, where the objective is to gain access to sensitive data and/or spread malware by sending the victim a phoney electronic message which appears to be from a trustworthy source. The only difference is that spear phishing is targeted at one specific individual. For example, the CEO may be the intended victim. However, when I think about potential targets, I can think of no better target than a member of the fraud department.
The fraud team has access to lots of sensitive data, and can obtain it without much scrutiny from other functions. They may not be paid well, and may not feel appreciated. They may lack proper training, and know little about security. If an attack was successful, they may attempt to cover it up because of the fear they will be sacked. Most importantly, it would be easy for fraud analysts to gain the desired information about target individuals.
If I was launching a spear phishing attack at a fraud analyst, I would begin by seeking to obtain pertinent information about the analyst from their activity on social networks. Then I would send the victim a sycophantic message, telling them they are a respected expert and have been invited to speak at a conference, nominated for an award, asked to participate in a survey… you can see where this is headed. We know people in our line of work fall for flattery from total strangers, because that is how some conference organizers attract speakers. To turn this into a phishing attack would require only one additional component: tricking the recipient into opening an executable file, or into following a hyperlink to a dodgy website.
In the world of security there are ‘white hat’ hackers, who make it their job to identify security weaknesses before a criminal or terrorist can take advantage of them. I have yet to hear of white hat fraudsters, and maybe that is a sign that we are less professional about countering fraud than protecting security. Perhaps we need somebody outside the telco to test our fraud teams, by checking who can be tricked into making basic security mistakes. If I were a white hat fraudster, this is the technique I would use:
- Adopt a pseudonym and create a new identity for myself on the internet.
- Use this identity to purchase contact details for fraud managers from a disreputable conference organizer.
- Use social networks to gather more information about the people on the contact list. Send them ‘friend’ requests wherever possible.
- A bogus email would be sent to the targets. This would contain information obtained from the social networks. There would be plenty of praise for the target’s career and promises of rewards, increased status etc. depending on whether the recipient chooses to follow a link and/or open an attached file.
- Being a white hat attack, the goal would be to gather sensitive data without revealing it. What would be publicly revealed is the number of targets that were successfully compromised, and the exact methods used to trick them.
As well as highlighting lax attitudes to security, it is important to recognize how social media could be used against us, and why we should be using it to protect ourselves instead. Criminals and liars can obtain information about us using our profiles on social networks. How many of us think to do the same when we receive an unsolicited message?
In his article about LinkedIn scammers, Vimpelcom fraud manager Dan Blackband told us how he receives plenty of connection requests from fake identities. Blackband explains how to verify requests before accepting them. However, we can assume that many fraud managers do not perform these simple checks, and so accept invites from profiles that have been faked. Otherwise, the fraudsters would be forced to change tactics.
The sad truth is that there are many people in RAFM who believe what strangers say about themselves, without checking if it is true. The more the stranger tells us nonsense that suits our prejudices – we can have the job we want, we can obtain a promotion, we will be taken more seriously, we will become a recognized a professional and treated with the respect that comes with that – the more likely their claims will be accepted at face value.
As illustrated by Blackband, we should be using social media to protect ourselves, instead of just allowing it to be used by our enemies. All staff should be trained to check the social media profiles of anyone who sends them an unsolicited message, and advised about tell-tale signs of a fake identity. We could also go a lot further. If your employees wear gold watches and drive fancy cars then maybe it is evidence of their involvement in crime or corruption. Are we using social media to investigate employees and find evidence of unexpected sources of wealth? The citizen journalist website Bellingcat has an excellent article discussing how they found damning evidence of corruption just by reviewing the information and photographs that people had posted about themselves to the web. It is also possible to check web profiles automatically, which means we could review the identities of all our prospective customers. WeDo have shown how artificial intelligence could be used to rapidly review a person’s social media footprint.
Criminals will exploit any resource to gain an advantage over us. We should be prepared to use every legally available resource to defeat them. The legendary 1980’s US police show Hill Street Blues featured a character called Sgt. Stan Jablonski, who always ended his morning briefing by telling his cops to “do it to them, before they do it to us.” He was not exhorting the police to engage in violence; he was reminding his colleagues that they were in competition with the criminals, and either the cops win, or the crooks win. The fight against fraud is no different. We must stay sharp, and use every legitimate means at our disposal, because we know the criminals will use every possible means to steal from us. So be careful out there, and think about the following pep talk from time to time.