Not sure how it is in the USA/Europe, but in Australia, some of the biggest banks/telcos still ring up customers (from private numbers) and ask for <i>all</i> your personal details to confirm your identity before proceeding with the call. Some even ask for plaintext passwords over the phone. At the same time they have big warnings on their webpages about phishing and how they'll never ask for personal details over email.<p>More than once I've explained that providing all my details in this fashion directly contradicts the security policy of the banks, but it takes some convincing to get the phone operators to give you a number you can confirm is legitimate and call them back. It's clearly not on the call center script and they don't understand why I am being so pedantic.
> Let’s say the jolly IT guy calls you and he starts to ask you things that don't make sense. That’s when a red flag should go up.<p>That's an everyday occurrence in some offices.
He mentions putting a color swatch on the company intranet that changes daily as a form of authentication.<p>I wonder how well it would work to call people up and say, "Hi, this is Paul from IT, we're having some trouble with our intranet security color swatch generator this morning. You should be seeing pink. Is that right?"
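The daily swatch idea and the "you should be seeing pink, right?" attack on it, as an added example that is not from the interview or from the commenter above. The secret, the date-based derivation, the eight-colour palette and the two employee behaviours are all assumptions made for illustration; the point is that even an unpredictable daily value is useless if the person being asked either confirms or corrects the caller's guess.

```python
import datetime
import hashlib
import hmac

# Hypothetical palette; a real deployment would pick its own colours.
PALETTE = ["red", "orange", "yellow", "green", "blue", "purple", "pink", "brown"]


def daily_swatch(secret: bytes, day: datetime.date, palette=PALETTE) -> str:
    """Derive today's swatch as HMAC-SHA256(secret, ISO date) reduced into the palette.

    Without the secret the colour is unpredictable, but with an 8-colour palette a
    blind guess is still right one time in eight.
    """
    mac = hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()
    return palette[int.from_bytes(mac[:4], "big") % len(palette)]


def naive_employee(caller_claim: str, actual: str) -> str:
    """Confirms or corrects the caller's claim. Both replies leak the swatch."""
    return "yes" if caller_claim == actual else f"no, it's {actual}"


def hardened_employee(caller_claim: str, actual: str) -> str:
    """Never confirms or corrects over an inbound call; verifies by calling IT back."""
    return "I'll call you back on the helpdesk extension"


def attacker_learns_swatch(employee, actual: str, palette=PALETTE):
    """Attacker names one colour (any colour) and parses the reply.

    Returns the swatch the attacker now knows, or None if nothing leaked.
    """
    reply = employee(palette[0], actual)
    if reply == "yes":
        return palette[0]
    prefix = "no, it's "
    if reply.startswith(prefix):
        return reply[len(prefix):]
    return None


if __name__ == "__main__":
    # Constructed secret and date for the demonstration only.
    today = daily_swatch(b"intranet-swatch-secret", datetime.date(2011, 8, 5))
    print("today's swatch:", today)
    print("naive employee leaks:", attacker_learns_swatch(naive_employee, today))
    print("hardened employee leaks:", attacker_learns_swatch(hardened_employee, today))
```

Against the naive employee the attacker learns the swatch in a single call regardless of what colour they guess, because a correction is as good as a confirmation; the hardened employee gives nothing away and moves verification to an outbound call on a number the employee already trusts.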
His social engineering contest at Defcon is always awesome to watch. It's incredible to see the big companies give out such internal information. The social engineer is inside of a glass protected booth and the crowd can watch and listen in. They have a points system where the harder to get info gets you a higher score. Ex: a high score was given if you could get them to hit social-engineer.org from their browser. One guy told the person on the other side of the phone that it was a social network for engineers. Also: make sure to check out the contest on Thursday/Friday, as they can't really do the live over-the-phone hacking on Saturday/Sunday since most businesses are closed on the weekends.
This is a scourge. And of course most employees who get a call from someone purporting to be part of the company have a reasonable fear of creating problems at work and so often seem to err on the side of giving out more information.<p>The sad thing is that as we open up more and more ways to "do" things remotely (like move all your checking account funds from your account), the more danger is involved. In many ways this makes the whole requirement that you authorize at a specific terminal in a secure space make much more sense.
If anyone from IT calls you, you should be able to call them back at their extension. Otherwise, that's a red flag.<p>We used to have fun with William the "Windows Tech team agent" (from India). He (they) would call us at least once a week. I think they might have had a successful attempt; otherwise, why would they keep calling?
>WSJ: Hold up. How can I get a free plane upgrade?<p>> MR. HADNAGY: Airports are always stressful. These ladies are always getting yelled at. If we make someone happy before we can ask for a free upgrade, that could work.<p>So now the question is: how do you make the agent happy enough to give you an upgrade? Just be polite?
"LinkedIn: I have everywhere you’ve worked. Everywhere you went to college. Facebook: I have your family, your wife, your kids, your boyfriend, your girlfriend, your last vacation. Twitter: I have everything you’re doing throughout the day. If you’re on Foursquare, I can geolocate where you do it."<p>This is so true lol. Many people don't realize all the valuable info they put up on social media. Great article btw.