{"id":12265,"date":"2019-10-09T14:02:07","date_gmt":"2019-10-09T18:02:07","guid":{"rendered":"https:\/\/www.duck9.com\/?p=12265"},"modified":"2019-10-09T14:26:43","modified_gmt":"2019-10-09T18:26:43","slug":"phishing-is-when-people-fish-for-your-pin","status":"publish","type":"post","link":"https:\/\/www.duck9.com\/blog\/phishing-is-when-people-fish-for-your-pin\/","title":{"rendered":"Phishing is When People Fish For Your PIN"},"content":{"rendered":"
\n
\n

By Larry Chiang<\/span><\/p>\n


\n<\/span><\/p>\n

Phishing. <\/span><\/p>\n


\n<\/span><\/p>\n

1\/ Social engineering<\/span><\/p>\n


\n<\/span><\/p>\n

Building trust by asking questions they know the answers to. <\/span><\/p>\n


\n<\/span><\/p>\n

2\/ attack surface is anything with emotion<\/span><\/p>\n


\n<\/span><\/p>\n

Humans. <\/span><\/p>\n


\n<\/span><\/p>\n

3\/ texts can be spoofed<\/span><\/p>\n


\n<\/span><\/p>\n

Texts and emails can be spoofed<\/span><\/p>\n


\n<\/span><\/p>\n

Any asset touching the Internet that\u2019s accessible by \u201cPIN\u201d is in jeopardy. <\/span><\/p>\n


\n<\/span><\/p>\n

Read Pieter Gunst\u2019s tweet and comment what your thoughts are<\/span><\/p>\n\n\n\n\n
<\/span><\/td>\nPieter Gunst (@DigitalLawyer<\/a>)<\/b><\/td>\n<\/tr>\n
\n
10\/7\/19, 4:20 PM<\/font><\/a><\/div>\n
Oooof. Was just subjected to the most credible phishing attempt I’ve experienced to date. Here were the steps:<\/p>\n
\n
\n
\n
\n
\n

1) “Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?”<\/p>\n

Me: no.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

<\/span><\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n


\n<\/span><\/p>\n<\/div>\n

\n\n\n\n\n
<\/span><\/td>\nPieter Gunst (@DigitalLawyer<\/a>)<\/b><\/td>\n<\/tr>\n
\n
10\/7\/19, 4:20 PM<\/font><\/a><\/div>\n
2) “Ok. We’ve blocked the transaction. To verify that I am speaking to Pieter, what is your member number?”<\/p>\n
\n
\n
\n
\n
\n

Me: <gives member number> (that number, by itself, is useless).<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

<\/span><\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/span><\/p>\n<\/div>\n

\n\n\n\n\n
<\/span><\/td>\nPieter Gunst (@DigitalLawyer<\/a>)<\/b><\/td>\n<\/tr>\n
\n
10\/7\/19, 4:20 PM<\/font><\/a><\/div>\n
3) “We’ve sent a verification pin to your phone.”<\/p>\n
\n
\n
\n
\n
\n

~ Gets verification pin text from bank’s regular number ~<\/p>\n

Me: <reads out the pin><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

<\/span><\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/span><\/p>\n<\/div>\n

\n\n\n\n\n
<\/span><\/td>\nPieter Gunst (@DigitalLawyer<\/a>)<\/b><\/td>\n<\/tr>\n
\n
10\/7\/19, 4:20 PM<\/font><\/a><\/div>\n
4) “Ok. I am going to read some other transactions, tell me if these are yours. ~ Reads transactions ~”<\/p>\n
\n
\n
\n
\n
\n

Me: Yes. These are all legitimate transactions I made<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

<\/span><\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/span><\/p>\n<\/div>\n

\n\n\n\n\n
<\/td>\nPieter Gunst (@DigitalLawyer<\/a>)<\/b><\/td>\n<\/tr>\n
\n
10\/7\/19, 4:20 PM<\/a><\/div>\n
5) “Thank you! We now want to block the pin on your account, so you get a fraud alert when it is used again. What is your pin?”<\/p>\n
\n
\n
\n
\n
\n

Me: Are you effing kidding me, no way.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

By Larry Chiang Phishing.  1\/ Social engineering Building trust by asking questions they know the answers to.  2\/ attack surface is anything with emotion Humans.  3\/ texts can be spoofed Texts and emails can be spoofed Any asset touching the Internet that\u2019s accessible by \u201cPIN\u201d is in jeopardy.  Read Pieter Gunst\u2019s tweet and comment what […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40],"tags":[],"class_list":["post-12265","post","type-post","status-publish","format-standard","hentry","category-deep-underground-credit-knowledge-via-subroutines"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/www.duck9.com\/blog\/wp-json\/wp\/v2\/posts\/12265","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.duck9.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.duck9.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.duck9.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.duck9.com\/blog\/wp-json\/wp\/v2\/comments?post=12265"}],"version-history":[{"count":0,"href":"https:\/\/www.duck9.com\/blog\/wp-json\/wp\/v2\/posts\/12265\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.duck9.com\/blog\/wp-json\/wp\/v2\/media?parent=12265"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.duck9.com\/blog\/wp-json\/wp\/v2\/categories?post=12265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.duck9.com\/blog\/wp-json\/wp\/v2\/tags?post=12265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}