posted by ctseawa at 09:26am on 09/01/2011 under faked service call, fraud, scary, social engineering, sprint
Yesterday I got a text message from Sprint:
"9569: To finish the PIN process enter the code on sprint.com ONLY. Sprint personnel will not ask you for it. If you shared it by mistake, call *2. ######## Call back #: #######"
Note the part where it says "Sprint personnel will not ask you for it" - their trick was to call as I got the page and say they are trying to track some service problem and ask me to read the 8 digit number, thus directing my attention to the end of the page and skipping over the important security warning. I was distracted by what I was doing, so I questioned it briefly but read him the number. I immediately received another message saying my PIN and "secret question" (note the sneer marks) had been accessed.
My suspicions were raised by this second message - Sprint should never need that information. They were confirmed when he called back asking for "just your first name on record, to confirm your identity". At this point I was no longer distracted but was paying attention only to the phone call. I asked him to prove he was with Sprint and he said he'd have his supervisor call me and got off the phone. Of course, no supervisor called.
The call came from 206-567-3943 (located on Vashon Island). The fact it wasn't a 1-800 number was another clue that it wasn't from Sprint.
Within seconds of the second call I was on the phone with Sprint. They confirmed they would never have placed such a call to me and transferred me to the fraud department - which, it turns out, was closed. I went to the web site and changed the PIN and question within a few minutes of the initial contact.
I think the only thing that "saved" me from being burned really badly was the fact that I used a unique PIN and question on that site. They shouldn't be able to use them for any other access. However, they did have access to my Sprint account, which means they can find out other information about me (I'm not sure how bad the leak is yet; I haven't spoken with the fraud department yet). So far I don't see any new lines of service or long distance/international calls. I don't know if the Sprint site would have required them to re-authenticate once I changed the PIN.
Social engineering is the most pernicious and most difficult form of cracking to fight. If I'd had (or taken) 30 seconds to read the text of the page instead of letting him direct me to just the part he wanted I wouldn't have been had at all. By keeping me distracted and knowing enough about the text of the page he managed to get the information he wanted.
The easiest way to stop this kind of fraud: if someone calls from your credit card company, phone company, or any other company and asks you to read a number or otherwise interact, tell them you'll call them back - and call back the main number, not the number they give you.