Social engineering is the new method of choice for hackers. Here’s how it works.

Is your name and your phone number all it takes for a hacker to take over your cellphone account?

Marketplace’s latest investigation has found that just a few pieces of personal information could leave you and your accounts vulnerable.

It happened to Erynn Tomlinson. The former cryptocurrency executive lost about $30,000 in cryptocurrency after hackers used a few of her personal details during interactions with Rogers customer service representatives to ultimately gain access to her account.

“I don’t know how to describe it. I was sort of in shock at the whole thing,” said Tomlinson about realizing hackers stole savings she was planning on using for a mortgage.

Tomlinson is a victim of the latest type of hack plaguing the telecommunications industry: it’s called a SIM swap, and hackers use what’s known as social engineering to make it happen.

Social engineering fraud typically happens through email, phone, or text — or in Tomlinson’s case, through online chat windows. Hackers use charm and persuasion to convince a customer service representative they are actually the account holder.

If at first you don’t succeed, hack again

The hackers might have a few pieces of publicly available personal information: a person’s name, email address, birthdate, postal code or phone number.

Hackers use some of those details to try to sweet talk a representative into handing over more information and ultimately gain access to an account.

“The attackers are very sophisticated. In this case, Rogers didn’t provide any friction for them and made it far too easy,” Tomlinson said of her experience.

In an increasingly cashless world, many people rely on digital apps for banking and online purchases. Experts say hackers are taking advantage of this. (Hannah Yoon/Canadian Press)

As far as Tomlinson can tell, the hackers had only her name and her phone number. Over a series of eight different online chats, the hackers managed to obtain her date of birth, email address, account number, the last four digits of her credit card, and other details about her account.

Armed with this information, the hacker convinced a Rogers rep to activate a new SIM card linked to Tomlinson’s account, which could then be placed into a phone in their possession. A SIM card is a chip used to identify and authenticate a subscriber to a service provider.

Once the hackers had executed the SIM swap, they were able to use their own phone to gain access to a number of Tomlinson’s sensitive accounts, including those tied to her finances.

  • Watch Marketplace’s investigation into social engineering fraud at 8 p.m. Friday on CBC-TV and online.

Tomlinson used two-factor authentication on her sensitive accounts, an extra security step that sends a message to your cellphone before granting access. Tomlinson believes the SIM swap allowed the hackers to divert those incoming messages to a new device, effectively bypassing her security measures.

She first became aware something was wrong when her cellphone stopped working. After stopping by a nearby café to use the Wi-Fi, she realized one of her financial accounts was at zero. She rushed home and logged onto her other accounts, and also saw them being drained.

In total, the hackers managed to steal the equivalent of $30,000 in cryptocurrency.

“I hope this is a bit more of an extreme case,” she said. “But I think … every Canadian is at risk right now.”

Social engineering on the rise

Tomlinson’s losses may sound extreme, but companies around the world say social engineering attacks are on the rise.

Canada’s federal privacy commissioner now requires all companies to report any security or privacy breaches. Since November 2018, there have been more than a dozen reports of social-engineering breaches in this country’s telecommunications sector alone.

In an email, the Office of the Privacy Commissioner told Marketplace the trend “clearly raises concerns.”

The emergence of social engineering fraud comes as no surprise to ethical hacker and cybersecurity expert Joshua Crumbaugh.

“Social engineering’s been a popular thing, I mean, since the beginning of time — we just gave it a new term. It’s the same thing that grifters and con men have been doing forever … they’re just exploiting basic human weaknesses or vulnerabilities.”

Joshua Crumbaugh is an ethical hacker and cybersecurity expert whose company, PeopleSec, teaches skills for avoiding cyberattacks. (David MacIntosh/CBC)

It’s human nature to want to help and avoid conflict, which is why Crumbaugh says the key to a successful social engineering hack depends on who picks up the other line.

Chances are if one person is not willing to help, the next person likely is, he says.

“It’s just psychology. So if you understand how somebody’s going to react to something, you can easily manipulate somebody into giving you information or access to things that maybe they shouldn’t.”

Marketplace calling

To see how Rogers would respond to a social engineering attack, Marketplace asked Crumbaugh to try to hack into Marketplace host Charlsie Agro’s personal account, providing him only with her name and phone number.

On the first attempt, Crumbaugh called the company’s customer service line, posing as Agro’s personal assistant. The call ended quickly, with the rep refusing Crumbaugh access to the account unless Agro phoned and added him as a user.

He called back minutes later and, with a different rep on the phone, instead posed as Agro herself. He did not disguise his voice. This time, the agent requested Agro’s birthdate and email address as verification, which Crumbaugh was able to provide after some quick searches online.

The agent also asked Crumbaugh to provide the PIN and postal code attached to the account. Crumbaugh guessed at a PIN number and, after another online search, provided a postal code. Both were off by a single digit but the agent still allowed Crumbaugh to access the account, which could have ultimately locked Agro out.
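
The two gaps this test exposed, near-miss answers being accepted and a second call to a different rep starting from a clean slate, can be closed in software rather than left to each agent’s judgment. The sketch below is an added illustration, not Rogers’ system or anything from the Marketplace investigation; the class and function names, the three-failure limit, the 24-hour window and the sample account are all assumptions.

```python
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 3              # assumed policy: failed checks allowed per window
WINDOW_SECONDS = 24 * 3600    # assumed policy: how long a failure keeps counting

@dataclass
class Account:
    pin: str
    postal_code: str
    failures: list = field(default_factory=list)   # timestamps of failed checks
    audit: list = field(default_factory=list)      # (time, agent_id, outcome)

def _canon(postal_code):
    # Ignore spacing and letter case only; every character must still match.
    return "".join(postal_code.split()).upper()

def _equal(a, b):
    # Exact, constant-time comparison: "off by a single digit" is a failure.
    return hmac.compare_digest(a.encode(), b.encode())

class VerificationGate:
    """Decides the outcome itself; the agent only relays the caller's answers."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts
        self.clock = clock

    def verify(self, account_id, agent_id, pin, postal_code):
        acct, now = self.accounts[account_id], self.clock()
        # Failures are stored on the account, so hanging up and reaching a
        # different agent does not reset the count.
        acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
        if len(acct.failures) >= MAX_FAILURES:
            outcome = "locked"          # even correct answers are refused now
        elif _equal(pin, acct.pin) and _equal(
                _canon(postal_code), _canon(acct.postal_code)):
            outcome = "verified"
        else:
            acct.failures.append(now)
            outcome = "denied"
        acct.audit.append((now, agent_id, outcome))
        return outcome

def replay_calls():
    """Constructed scenario: near-miss answers given to a series of agents."""
    now = [0.0]
    accounts = {"ACC-1": Account(pin="4821", postal_code="A1A 1A1")}  # constructed
    gate = VerificationGate(accounts, clock=lambda: now[0])
    calls = [
        ("agent-1", "4822", "A1A 1A1"),   # PIN off by one digit
        ("agent-2", "4821", "A1A 1A2"),   # postal code off by one character
        ("agent-3", "4820", "a1a1a1"),    # another PIN guess
        ("agent-4", "4821", "a1a 1a1"),   # correct, but the account is locked
    ]
    results = []
    for agent_id, pin, postal in calls:
        now[0] += 300                     # calls five minutes apart
        results.append(gate.verify("ACC-1", agent_id, pin, postal))
    return results

if __name__ == "__main__":
    print(replay_calls())
```

Once an account is locked in this sketch, recovery has to happen through some stronger channel, which is a policy choice the example leaves open.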

Video: Cybersecurity expert Joshua Crumbaugh hacks into Marketplace host Charlsie Agro’s Rogers account using only her name and phone number.

Crumbaugh believes companies need to better educate their customer service representatives on how to identify and prevent social engineering hacks.

“We have got to do more in making our people aware that these things happen,” he said.

Marketplace asked the Canadian Wireless and Telecommunications Association — the wireless industry’s main lobby group, representing Bell, Rogers and Videotron, among others — what it is doing to help protect consumers from social engineering attacks.

CWTA president Robert Ghiz said each of its members is responsible for their own security, but that the companies have measures in place to keep customers’ data safe, including PINs, passwords, security questions and voice identification.

He also said many telecommunications companies are undertaking training for their staff, and that he believes protecting consumers against social engineering attacks is a top priority for CWTA members.

“It’s got to be about educating those front-line services and training those front-line services — and it needs to continue to be vigilant into the future,” Ghiz said.

When Marketplace pointed out that an incorrect PIN and postal code didn’t keep our ethical hacker out of Agro’s account, Ghiz said he believes the security measures in place are largely working, noting there are millions of calls coming in every week.

“There’s always going to be some human error that’s going to exist,” he said.

Rogers responds

In an email, Rogers said it takes its customers’ privacy and security very seriously and the company is continually strengthening its security measures and verification processes. It reinforces those measures with “ongoing training in authentication best practices for front-line team members.”

When provided with the results of Marketplace’s ethical hacking test, Rogers admitted its authentication steps were not followed and said action was taken to reinforce proper protocols with the agent involved.

As for Tomlinson, she says she was not happy with the solutions Rogers offered following her experience: she was initially offered three months of free service, then a year of free service.

She is now pursuing legal action against the company.

Although Rogers would not comment on Tomlinson’s case, as it is before the courts, the company argues it is not responsible for what happened to her.

“What I really want to see is, not just that they give platitudes, and say, ‘Oh, we’re sorry this happened’ from a customer service point of view, but that they make real changes to their policies and their training … so that this can’t happen,” said Tomlinson.

Kevin Mitnick, one of the world’s most famous hackers, says social engineering attacks are happening every day, as they’re relatively easy to perform, with little technical skill needed. (David MacIntosh/CBC)

Kevin Mitnick, an infamous hacker turned do-gooder, agrees customer service reps need better training. “The companies need to have policies put into place to come up with a way to have a very high confidence that they’re dealing with the consumer,” he said.

Mitnick has hacked into more than 40 companies, from a McDonald’s drive-thru to Motorola, and was once one of the FBI’s most wanted — eventually serving five years in prison for computer and phone hacking. Today he runs a business that points out security flaws to the corporations he once targeted.

Social engineering attacks are happening every day, Mitnick says, and it is often the first technique hackers turn to, because “calling somebody on the phone is so much easier than doing the technical magic you need to break into a computer.”

Mitnick is adamant: Consumers need to demand more from their vendors. If you aren’t satisfied with the steps your provider is taking to protect your account, vote with your wallet, he says.

“It’s really up to the organizations that need to verify their customers’ information. They’re the ones that are in control … they’re the ones that could affect change,” he said. “The consumer can only demand change — and if they’re unwilling to do it, you go to a different vendor.”

Consumers can help themselves

Crumbaugh says there are some ways consumers can help themselves.

First, if possible, set a PIN on your account. Choose four digits at random; connecting them to an easy-to-guess birthdate or address is a bad idea.

He also suggests creating fake answers to common security questions like “What is your mother’s maiden name?” For example, don’t use your dog’s real name and if you do, don’t make that information public.

Social media is one of the first places hackers look to for clues about your passwords and answers to common security questions, such as your birthdate and where you went on your honeymoon.

Video: Marketplace asked members of the public about the strength of their passwords.

“So many people will use their children’s names or birthdates or their animals’ names as passwords, and then you go onto their social media, and they’ve posted a million pictures of the same dog with the name of their dog, and they’re basically putting their passwords out there for everyone to see,” said Crumbaugh.

Crumbaugh also suggests using security questions that require an answer that only you know but that is not a personal detail like a birthdate.
