covering the islands, technology, music, small business, and whatever else i think of

The AT&T Social Security Number Scam


The second telephone hacking attempt I received in as many months.

A few weeks ago, I wrote a post about a phone call I received from someone claiming to be from Microsoft.  Imagine my surprise today when I got another call, this one on my cell phone, from another social engineer running a different attack: the AT&T Social Security Number Scam.

The Setup and Technique

[Image: By atpons [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons]

I was sitting at my desk at work and my company-provided cell phone rang.  I looked down at it and saw that the caller ID showed that I was calling myself.  Yes, you read that right.  The number identified as the caller was my own work cell phone number.  This little bit of trickery is easily explained, as you'll soon see.

I did wonder if there was something coming from the phone company.  You know how you can call your own cell number and get your own voicemail?  Well, I answered to see what would happen.  A recording stated that my account had been “flagged for security reasons” and asked me to enter the last four digits of my social security number.  Can you say, “RED FLAG”?

A Side Note on Social Security Numbers

Personally, as a security professional, it makes me crazy how many people and companies ask for your social security number.  Your SSN is intended for the government to identify you for tracking and record keeping purposes.  While it was originally intended for your social security account, the government that issued it decided to use it for other purposes as well, such as taxation.  Keeping track of people is difficult business, and what better way than ensuring that each one has a truly unique identifying number?  It saves the government from asking, "Which John Smith are you?"  My personal issue is that so many companies, doctor's offices, etc., have decided that they have a right to ask you for yours.  The primary reason most of them do this is to have a "unique identifier" per person.  My doctor doesn't need to know my social security number.  Neither does my insurance company.  But they both ask for it, and they won't actually do business with me unless I provide it.  The more places that hold your SSN, the more places it can leak from, and the more plausible a call that asks for it sounds.  That is what makes attempts like this social security number scam so prevalent.  Even the Social Security Administration says you can refuse to provide it to a business, but they also say that the business then has the right to refuse you service.  Really?  Okay, I'll get off of my soap box now.

Back To Our Story

So, why would I get a call from “AT&T” saying that my account had been flagged and asking me for my social security number?  Well, with the widespread use of SSNs for the purpose of identification, especially the last four digits, those four little numbers are of great value to an identity thief, social engineer or hacker.

How Did They Call Me From My Number?

You may be wondering how they actually called me from my own number.  You may also be surprised to learn that this is extremely easy to do.  I've given live hacking demonstrations in the past, and one of the best ways to get an audience's attention is to spoof someone's phone number.  The easiest way to do this is with one of many apps that simply present the receiver with a caller number of the caller's choosing.  A phone call carries a lot of signalling data between the two endpoints (which are really computers), and one piece of that data is "the number I am calling from".  Without getting into a long technical explanation: that field is supplied by the originating side, it is not what the network uses to route the call between the phones, and carriers have traditionally passed it along without verifying it, so it can be set to whatever the caller wants.  The practical takeaway is that the number on your screen is an unauthenticated claim; it proves nothing about who is on the line.  Using the right app, you can call someone and make it look like the call came from their doctor's office, the White House switchboard (I highly recommend against using this one), or a loved one if you have that number.  One example I've used is to show how easily kids can be tricked into thinking a call came from a trusted friend or relative.  Some of these apps even let you disguise your voice, including as a member of the opposite sex.
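To make the "calling from" field concrete, here is an added example (not code from the original post, and not any carrier's or app's code) that parses the headers of a VoIP call setup message. In SIP, the protocol most spoofing apps ride on, the From header is what the called handset displays, while the Request-URI and To header are what the network actually uses to deliver the call. The INVITE below is a constructed sample with made-up numbers and hosts; the parser pulls the displayed identity and the routing target apart and flags the "calling yourself" pattern described above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample INVITE (numbers, hosts and Call-ID are made up). The From
# header claims the victim's own number; the Request-URI/To carry the same
# number because that is where the call is really being delivered.
SAMPLE_INVITE = (
    "INVITE sip:+15555550123@carrier.example;user=phone SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Account Services" <sip:+15555550123@carrier.example>;tag=1928301774\r\n'
    "To: <sip:+15555550123@carrier.example>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:caller@198.51.100.7>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# A second constructed INVITE where the displayed caller is a different number.
ORDINARY_INVITE = SAMPLE_INVITE.replace(
    'From: "Account Services" <sip:+15555550123@carrier.example>',
    'From: "Dr. Office" <sip:+15555550199@carrier.example>',
)

NUMBER_RE = re.compile(r"sip:(\+?\d+)@")      # user part of a tel-style SIP URI
DISPLAY_RE = re.compile(r'^\s*"([^"]*)"')      # quoted display name, if any


@dataclass
class CallIdentity:
    request_uri: str            # where the network actually delivers the call
    to_number: Optional[str]    # called party as named in the To header
    from_number: Optional[str]  # what the handset shows as caller ID
    from_display: str           # caller name shown alongside the number
    contact: str                # where the caller's endpoint really lives


def _number(uri: str) -> Optional[str]:
    """Extract the E.164-style number from a SIP URI, or None if absent."""
    m = NUMBER_RE.search(uri)
    return m.group(1) if m else None


def parse_invite(msg: str) -> CallIdentity:
    """Parse the start line and headers of a SIP INVITE into a CallIdentity."""
    head, _, _body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    if method != "INVITE":
        raise ValueError(f"not an INVITE: {method}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    from_hdr = headers.get("from", "")
    disp = DISPLAY_RE.match(from_hdr)
    return CallIdentity(
        request_uri=request_uri,
        to_number=_number(headers.get("to", "")),
        from_number=_number(from_hdr),
        from_display=disp.group(1) if disp else "",
        contact=headers.get("contact", ""),
    )


def is_self_call(ident: CallIdentity) -> bool:
    """True when the displayed caller ID equals the number the call is routed to.

    Only the originating side fills in From, so nothing stops it from copying
    the destination number there; the routing fields are unaffected.
    """
    if ident.from_number is None:
        return False
    return ident.from_number in (ident.to_number, _number(ident.request_uri))


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_INVITE), ("ordinary", ORDINARY_INVITE)):
        ident = parse_invite(raw)
        print(f"{label}: displays {ident.from_display!r} {ident.from_number}, "
              f"routed to {ident.request_uri}, self-call={is_self_call(ident)}")
```

The point the parser makes is that nothing in the routing path depends on the From value, so a handset that displays it is displaying the caller's assertion, not the network's. A screening rule like `is_self_call` catches this one pattern; it does not catch the doctor's-office or loved-one variants, because those are just as easy to assert.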

So, What Did I Do?

Well, I obviously didn't give in to the social security number scam.  I just hung up.  That's all that's necessary.  I can't even block the number, because I don't have the real number to block!  I did look around online and found a question on the AT&T support forums on this very topic.  AT&T's response is that they would never call and ask for your social security number.  It also says that people have historically used this trick to impersonate you and add phone lines to your service.  Doesn't that sound like fun?  They use the lines for a month, and by the time you realize it, they have run up your phone bill!

What Should YOU Do?

Stay smart, use your head.  Always remember the sniff test: if something smells funny, it's probably not good for you.  Nobody legitimate needs your social security number, in whole or in part, to "unflag" an account over an unsolicited call.  If you think the call might be real, hang up and call your carrier back yourself at the number printed on your bill or on their website, not a number the caller gives you.


3 comments

    • RH on October 28, 2017 at 4:47 PM


    So what if you weren’t smart and gave the last 4 of your ssn? I am freaking out here…. What can I do now?

      • Jerry (Author) on October 30, 2017 at 8:11 PM

      If all you did was provide the last four digits of your social security number, you should be okay. That alone isn't commonly enough to steal your identity. Identity thieves usually try to aggregate data from multiple sources. They get your social in one place, your birth date in another, your mother's maiden name in a third, etc. Once they get enough, they can put it together and build a whole profile. Two things you can do… When you sign onto your bank/credit card/etc., be sure to enable the questions they ask you, and choose odd ones. Instead of "What's your mother's maiden name", many offer questions such as "Who was your favorite teacher?" or "What is the name of your first pet?" I like these types of questions because I think the information isn't as readily available as someone's mom's maiden name, which you can often get from Facebook. Even better, some sites let you create your own question!

      The second, and even more important thing is to use a credit monitoring service. For around $10 per month, you can have your credit locked so no one can open accounts or take out loans in your name. Granted, this won’t help if someone gets your current credit card information, but it does greatly help if people are trying to steal your identity and open a card in your name that you don’t even know about, running the balance up before you get the bill! There are a lot of reputable credit monitoring agencies out there. Google around, look for reviews on them, and sign up. It may cost you $120 a year or so, but it will be money well spent if you can avoid the expense and headache of having your identity stolen!

        • RH on October 31, 2017 at 11:34 AM


        Thank you Jerry. I feel better today. I just found out I have identity theft protection from my employer through a group called InfoArmor. I will be calling them. I did put a freeze on all 3 of the credit bureaus to ensure no new accounts could be opened.

        Appreciate your response.
