The second telephone hacking attempt I received in as many months.
A few weeks ago, I wrote a post about a phone call I received from someone claiming to be from Microsoft. Imagine my surprise today when I got another call, this one on my cell phone, from another Social Engineer with a different attack, the AT&T Social Security Number Scam.
The Setup and Technique
I was sitting at my desk at work and my company-provided cell phone rang. I looked down at it and saw that the caller ID showed I was calling myself. Yes, you read that right. The number identified as the caller was my own work cell phone number. This little bit of trickery is easily explained, as you’ll soon see.
I did wonder if there was something coming from the phone company. You know how you can call your own cell number and get your own voicemail? Well, I answered to see what would happen. A recording stated that my account had been “flagged for security reasons” and asked me to enter the last four digits of my social security number. Can you say, “RED FLAG”?
A Side Note on Social Security Numbers
Personally, as a security professional, it makes me crazy how many people and companies ask for your social security number. Your SSN is intended for the government to identify you for tracking and record keeping purposes. While it was originally intended for your social security account, I understand that the government that issued it decided to use it for other purposes as well, such as taxation. Keeping track of people is difficult business. How better than ensuring that each one has a truly unique identifying number? It saves the government from saying, “Which John Smith are you?” My personal issue is that so many companies, doctor’s offices, etc., have decided that they have a right to ask you for yours. The primary reason most of them do this is to have a “unique identifier” per person. My doctor doesn’t need to know my social security number. Neither does my insurance company. But they both ask for it, and they won’t actually do business with me unless I provide it. This is what makes attempts like this social security number scam so prevalent. Even the Social Security Administration says you can refuse to provide it to a business, but they also say that the business then has the right to refuse you service. Really? Okay, I’ll get off of my soap box now.
Back To Our Story
So, why would I get a call from “AT&T” saying that my account had been flagged and asking me for my social security number? Well, with the widespread use of SSNs for the purpose of identification, especially the last four digits, those four little numbers are of great value to an identity thief, social engineer or hacker.
How Did They Call Me From My Number?
You may be wondering how they actually called me from my own number. You may also be surprised to know that this is extremely easy to do! I’ve given live hacking demonstrations in the past, and one of the best things to do to get an audience’s attention is to spoof someone’s phone number. The easiest way to do this is with one of many apps that simply present the recipient with a false caller number. Phone conversations have a lot of data going back and forth between the phones (computers), and one piece of information exchanged is “what number I am calling from”. Without getting into a long technical explanation, this piece of data is not what’s actually used to route the call between the phones, and it can therefore be changed to whatever you want it to be. Using the right app, you can call someone and make it look like the call came from their doctor’s office, the White House switchboard (I highly recommend against using this one), or a loved one if you have that number. One example I’ve used with this is to show how kids can easily be tricked into thinking a call came from a trusted friend or relative. Some of these apps even let you disguise your voice, including as a member of the opposite sex.
So, What Did I Do?
Well, I obviously didn’t give in to the social security number scam. I just hung up. That’s all that’s necessary. I can’t even block the number, because I don’t have the real number to block! I did look around online and found a question on the AT&T support forums on this very topic. AT&T’s response is that they would never call and ask for your social security number. The response also says that people have historically used this hack to act as you and add phone lines to your service. Doesn’t that sound like fun? They use it for a month, and by the time you realize it, they have run up your phone bill!
What Should YOU Do?
Stay smart, use your head. Always remember the sniff test. If something smells funny, it’s probably not good for you.