The Risk Presented when Individual Services Overlap
Posted by: Cat Murdock
Have you ever found yourself in a situation where you needed access to a bank account or credit card account but you didn’t have access to either the mobile app or the account information? Most financial institutions have policies in place that dictate how users can access their accounts when calling the institution directly, and these policies often include multiple options for verification. For example, the institution may ideally want the account number for verification; however, if the caller does not know the account number, the institution will seek to validate the caller’s identity by asking for other seemingly private and unique information. While this may score the institution points in customer service, there is some risk involved depending on the level of detail included in company policies. I recently tested the level of security as it relates to access to two specific services many adults use: subscription services and financial institutions. The results underscore the importance of protecting ourselves in a world where many of us regularly use multiple overlapping digital services. The areas where these digital services overlap can potentially expose us to nightmare scenarios including financial and identity theft.
To paint this scenario, I set up a personal account, in my name, using my information, including standard information I know can be found on the internet about me. Then, I called the financial institution and attempted to access this new account in my name using only publicly available information under the pretext that I was traveling and didn’t have my account number on me. In this scenario, I was reluctant to disclose my social security number over the phone as I was in an airport surrounded by strangers. The institution in my test had a policy in place that allowed agents to offer an alternate means of verification over the phone. As I have spent many years as a security consultant with financial institutions, I am aware that these “alternate details” often involve some combination of date of birth, home address, location the account was opened, current account balance, confirmation of a recent transaction, and/or some number of recent vendors used. While at first glance these data points appear to be unique, much of this information is available through open-source intelligence (OSINT) gathering. The data points that are the most challenging to find through OSINT are:
- Current balance on the account
- Price of a recent transaction
- Recent vendors used
However, our use of technology has, in some cases, outpaced the very policies that are intended to protect us. The information listed above, which should be private, is in some cases discoverable online or easily obtained by a savvy malicious actor whose goal is to elicit private information from an unwitting employee of the financial institution.
With the rising use of subscription services, our purchase history may not be as private as we think. If a person likes to share their favorite TV shows on social media, or if they live with a person who discloses this information, a hacker may be able to easily deduce the price and date that those subscription services charge accounts. In fact, the percentage of adult households who have at least one subscription service has increased to 70% in America and 40% in the United Kingdom (Fitzgerald, 2019). This means that 70% of households have a routine, regular charge of a publicly known amount, given the nature of the subscription service business model. If this information is shared publicly, a malicious actor can use it to gain access to your financial accounts. I recently made a presentation at DefCon 27 and taped an on-demand webinar where I demonstrated how this scenario can play out.
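The weakness described above is a policy problem: a “confirm a recent transaction” or “name a recent vendor” question proves nothing when the answer is a fixed-price subscription charge that anyone who knows the caller’s viewing habits can guess. The following Python is an added example (not code from the post or from any institution’s verification system) of how a call-center verification rule could account for this. The account ledger, merchant names, amounts, balance and factor categories are all constructed for illustration; the rule treats date of birth, home address and opening branch as OSINT-derivable, counts a transaction or vendor answer as account-derived only when it does not correspond to a recurring same-amount charge, and escalates to a stronger check (for example a PIN or passphrase) when no account-derived factor was actually demonstrated.

```python
from collections import Counter

# Constructed sample ledger for a hypothetical account: (date, merchant, amount).
# Names and amounts are made up for this example, not taken from the post.
LEDGER = [
    ("2019-06-03", "StreamCo", 12.99),
    ("2019-06-11", "Corner Grocer", 54.17),
    ("2019-07-03", "StreamCo", 12.99),
    ("2019-07-22", "Hardware Depot", 18.40),
    ("2019-08-03", "StreamCo", 12.99),
    ("2019-08-15", "Cafe Nine", 4.75),
]
ACCOUNT = {"balance": 1432.10, "ledger": LEDGER}  # constructed

# Verification factors split the way the post does: details an attacker can
# find through OSINT versus details that should require access to the account.
PUBLIC_FACTORS = {"date_of_birth", "home_address", "branch_opened"}
PRIVATE_FACTORS = {"current_balance", "recent_transaction", "recent_vendor"}


def recurring_charges(ledger, min_occurrences=3):
    """(merchant, amount) pairs that repeat with an identical amount.

    Fixed-price subscriptions look exactly like this, and their price is
    public knowledge, so such charges must not count as private."""
    counts = Counter((merchant, amount) for _, merchant, amount in ledger)
    return {key for key, n in counts.items() if n >= min_occurrences}


def classify_transaction_answer(ledger, merchant, amount):
    """How much does a caller's 'confirm a recent transaction' answer prove?"""
    if not any(m == merchant and a == amount for _, m, a in ledger):
        return "no_match"
    if (merchant, amount) in recurring_charges(ledger):
        return "public"  # matches a fixed recurring charge: guessable
    return "private"


def verification_outcome(account, answers):
    """Evaluate the factors a caller supplied.

    answers maps factor name -> value. Returns 'reject' on a wrong answer,
    'verified' when at least one genuinely account-derived factor matched,
    and 'escalate' when only OSINT-derivable details were demonstrated."""
    ledger = account["ledger"]
    recurring_merchants = {m for m, _ in recurring_charges(ledger)}
    all_merchants = {m for _, m, _ in ledger}
    private_hits = 0
    for factor, value in answers.items():
        if factor in PUBLIC_FACTORS:
            continue  # may be asked, but never counts towards verification
        if factor == "current_balance":
            if value != account["balance"]:
                return "reject"
            private_hits += 1
        elif factor == "recent_transaction":
            verdict = classify_transaction_answer(ledger, *value)
            if verdict == "no_match":
                return "reject"
            if verdict == "private":
                private_hits += 1
        elif factor == "recent_vendor":
            if value not in all_merchants:
                return "reject"
            if value not in recurring_merchants:
                private_hits += 1  # a subscription vendor alone is guessable
        else:
            raise ValueError(f"unknown factor: {factor}")
    return "verified" if private_hits else "escalate"


if __name__ == "__main__":
    # A caller offering only OSINT-derivable details plus the subscription
    # charge is sent to a stronger check; a one-off purchase verifies.
    osint_only = {"date_of_birth": "1985-01-01",
                  "home_address": "1 Example St",
                  "recent_transaction": ("StreamCo", 12.99)}
    print(verification_outcome(ACCOUNT, osint_only))
    print(verification_outcome(ACCOUNT, {"recent_transaction": ("Corner Grocer", 54.17)}))
```

The threshold of three identical charges is an arbitrary choice for the sample ledger; a real policy would tune it against actual billing cycles and would treat the escalation path (PIN, passphrase, callback to a number on file) as the normal outcome for callers who cannot supply an account number.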
This presentation illustrates only one example of how overlapping services can be used to compromise the PII of an individual, but there are many other similar situations that present risk to an individual. For example, when a service provider sends a text or calls with a code to a specific cell phone number, this too is a scenario that can leave individuals vulnerable. Should the owner of that cell phone number lose control of the number to a malicious actor, be it through thievery, phone porting, or SIM jacking (Summerson, 2018), any account with a service provider that uses that number as verification is at risk of being taken over. This is a common example of the threat overlapping services present. The two service providers that rely on each other, but do not create policies together, in this scenario are the cell phone provider and any service that uses that cell phone number as a means of verification.
So, how can we protect ourselves? In the modern world, it would be challenging to have a professional career and completely avoid having a bank account and cell phone number (not impossible, but deeply challenging to be sure), therefore the answer to protecting ourselves is not complete avoidance of these services. However, we can bolster our operational security by taking the following security measures into consideration:
- Regularly audit the services you are using: whether you need to continue using each service, and whether it offers any increased security precautions such as multi-factor authentication (MFA);
- If the MFA option presented is strictly SMS or text-messaging based, contact the institution to see if they have stronger methods that can be used such as token-based authentication;
- Call cellular providers and financial institutions to request either a verbal passphrase or personal identification number (PIN) be required for any requests or changes that are made over the phone; and
- Avoid sharing unnecessary information on social media. Even seemingly innocuous information such as renewing a certain subscription to get access to a certain show can present a minor threat to a person’s PII.
For further details on how these types of attacks are used against individuals, to hear examples of what an attacker may do on the phone, and for further tips and tricks on how to protect yourself, be sure to listen to my on-demand webinar.
About GuidePoint Security
GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. By taking a three-tiered, holistic approach for evaluating security posture and ecosystems, GuidePoint enables some of the nation’s top organizations, such as Fortune 500 companies and U.S government agencies, to identify threats, optimize resources and integrate best-fit solutions that mitigate risk.
Contributing Author
Cat Murdock, Security Analysis, GuidePoint Security
Cat Murdock began her consulting career in 2012. Her professional experience includes threat analysis, threat research, social engineering engagements, open source intelligence investigations, red teaming, penetration testing, security awareness training, and policy review. She has led and participated in social engineering and red teaming engagements for Fortune 500 companies in a variety of sectors.
Before moving into the technology space, Cat spent two years as a corps member with Teach for America facilitating math and science learning for 4th and 6th graders. In 2010, she received her Bachelor of Arts degree in Public Policy. Additionally, she holds a graduate certificate in Cyber Security, is a certified Social Engineering PenTesting Professional (SEPP), and is a licensed private investigator in Colorado.
Sources
Fitzgerald, Toni. March 29, 2019. “How Many Streaming Video Services Does The Average Person Subscribe To?”
Summerson, Cameron. February 14, 2018. “What Is a Phone ‘Port-Out’ Scam, and How Can I Protect Myself?”
Cat Murdock
Security Consultant - Threat & Attack Simulation,
GuidePoint Security
Cat Murdock, Security Consultant on GuidePoint Security’s Threat and Attack Simulation Team, began her consulting career in 2012. Her professional experience includes threat analysis, threat research, social engineering engagements, open-source intelligence investigations, red teaming, penetration testing, security awareness training and policy review. She has led and participated in social engineering and red teaming engagements for Fortune 500 companies in a variety of sectors.
Before moving into the technology space, Cat spent two years as a corps member with Teach for America facilitating math and science learning for 4th and 6th graders. In 2010, she received her Bachelor of Arts degree in Public Policy. Additionally, she holds a graduate certificate in cybersecurity, is an Amazon Web Services Certified Cloud Practitioner and is a certified Social Engineering PenTesting Professional (SEPP). She is also a licensed private investigator in Colorado.