Humans are STILL a Weak Link in Risk Mgmt

Checking out today’s current events from Feedly I ran across Bruce Schneier’s comments around a social engineering attack that resulted in ~ $300,000 loss to Apple in products.

apple store

If you don’t care to follow the links, Mr Parrish attempted to purchase equipment using debit cards that were declined and then offered to call his bank for override approval.  Upon placing the call (he dialed the phone), he would give the retail employee an override code that matched the pattern for override codes from banks for debit transactions on these cards and voila, he’s the owner of a new whatever-he-wanted.

Had the retail employee refused to accept the code (which only has to be in a certain format to be valid, the characters are meaningless other than to be unique) on the grounds that they must initiate the call or if they had initiated the call in the first place, the scam wouldn’t have worked.

Weak compensating controls such as override approval that is verifiable only by its format, allowing the customer to initiate part of the transaction and no rapid and consistent audit process for the overrides contribute to Mr Parrish’s success.

Failures within systems such as those in this story are why governance within businesses matter.  With an appropriate application of people, processes and technologies the scam wouldn’t have been successful.  You have to ask yourself, would you be offended if you wanted to buy something and upon having your card denied the retail employee insisted that he/she make the phone call to your bank for you to ensure the approver was the right party even if the phone was passed to you once the call was correctly placed.  The employee would only have the information of which bank you used (which is already on your debit/credit card) and you would be free to engage the bank personnel.  That simple process control would change the success of this story and would cost the consumer absolutely nothing in time lost or extra fees.