Cyberthieves Are Going Low-Tech, And The Only Way To Stop Them May Be To Go Even Lower

At a time when retail IT is getting better at locking down just about every avenue cyberthieves have of breaking in—PINpads, wireless networks, connections with processors—it's nice to know the bad guys are still able to hit retail security where it isn't. (OK, it's not nice, but you know what we mean.) According to FICO, scammers are now using a decidedly low-tech technique for stealing payment-card information from consumers—and there's no special reason the same trick won't work against store employees for the keys to a retail network.

It works like this: A cyberthief phones the target claiming to be from a bank and says that there's been suspicious activity on the target's card. If the target doesn't trust the caller, the thief encourages the target to phone the bank using a number the target trusts. The target hangs up—but the thief doesn't. When the target picks up the phone again to dial, the thief plays a recording of a dial tone. The target dials, but it's the thief who fields the call. From that point, it's all Social Engineering 101.

It's sublimely simple, and applicable to almost anything in a retail setting. The thief can call a store claiming to be from central IT, wanting to set up a time for a contractor to work on equipment. Or from the chain's processor, calling to confirm configuration details. Or from network security, Loss Prevention, accounting, or almost any other department. Most store associates won't notice even if the dial tone sounds a little odd, and many will just be using speed-dial anyway.

And once a store associate or manager is talking to someone at the other end of a trusted connection, no matter how odd the information requests get, the store personnel will probably still deliver. After all, how could a bad guy have hacked into speed-dial?

Best of all—OK, worst of all—there's no practical technical fix for this security hole. But there is a simple fix: Store personnel should always call that trusted number on a different line.

In fact, the easiest way to enforce that policy is to train managers and associates to make that trusted call after putting the original (cyberthief) caller on hold. If the call is legitimate, it will ring through to someone else at the processor, central IT, Loss Prevention or accounting. If the call is a scam, keeping the thief on hold will prevent the store personnel from falling for the fake dial tone.

And there's a certain elegance in a defense that's even more low-tech than the original attack.