
Cyberthieves Are Going Low-Tech, And The Only Way To Stop Them May Be To Go Even Lower

Written by Frank Hayes
June 18th, 2013

At a time when retail IT is getting better at locking down just about every avenue cyberthieves have of breaking in—PINpads, wireless networks, connections with processors—it’s nice to know the bad guys are still able to hit retail security where it isn’t. (OK, it’s not nice, but you know what we mean.) According to FICO, scammers are now using a decidedly low-tech technique for stealing payment-card information from consumers—and there’s no special reason the same trick won’t work against store employees for the keys to a retail network.

It works like this: A cyberthief phones the target claiming to be from a bank and says that there's been suspicious activity on the target's card. If the target doesn't trust the caller, the thief encourages the target to hang up and phone the bank using a number the target trusts. The target hangs up—but the thief doesn't. On a traditional landline the call is only torn down when the calling party hangs up, so the circuit stays open. When the target picks up the receiver again to dial, the thief plays a recording of a dial tone. The target dials, but the digits go nowhere: it's the thief who fields the call. From that point, it's all Social Engineering 101.

It's sublimely simple, and applicable to almost anything in a retail setting. The thief can call a store claiming to be from central IT, calling to set up a time for a contractor to work on equipment. Or from the chain's processor, calling to confirm configuration details. Or from network security, Loss Prevention, accounting, or almost any other department. Most store associates won't notice even if the dial tone sounds a little odd, and many will be dialing from speed-dial anyway.

And once a store associate or manager is talking to someone at the other end of a trusted connection, no matter how odd the information requests get, the store personnel will probably still deliver. After all, how could a bad guy have hacked into speed-dial?

Best of all—OK, worst of all—there's no practical technical fix for this security hole. But there is a simple fix: Store personnel should always make that call to the trusted number on a different line, never on the line the suspicious call came in on.

In fact, the easiest way to enforce that policy is to train managers and associates to make that trusted call after putting the original (cyberthief) caller on hold. If the call is legitimate, it will ring through to someone else at the processor, central IT, Loss Prevention or accounting, who can confirm the request. If the call is a scam, keeping the thief on hold ties up the line the thief controls, so the outbound call has to go out on another line and the fake dial tone never gets a chance to play.

And there’s a certain elegance in a defense that’s even more low-tech than the original attack.

