Social engineering scam: Your password's worthless

Photo courtesy Flickr user Andrew Magill

(MoneyWatch) By now -- in the final days of 2012 -- if you ever have a financial account compromised because of your password, it's almost certainly your own fault. Here's some tough love for you: Banks and stores typically have such good online security that odds are you've been cracked because you use a weak password, the same password at your bank as on Facebook, or one you left taped to your monitor at work.

But what if I told you that your password can be all but irrelevant? Smart criminals can access your account by sweet talking customer service reps who mean well, but who value customer service ahead of your account's security.

Take the case of Chris Cardinal, for example. Chris is a partner at Synapse Studios and creator of Threadcakes, and he recently explained how his Amazon account was successfully scammed over at HTMList.

Chris recounts how he woke up last week to find emails from Amazon confirming replacement orders for recent purchases he had made -- and the replacements were being shipped to a strange address.

You should read the entire post at HTMList for details, but essentially, a scammer had conducted an online chat with Amazon customer service to determine the order number of some of Cardinal's recent purchases. Then, in a different customer service session, the scammer reported the items as lost in the mail, and requested that they be replaced and shipped to a new address. The worst part: Unlike transactions with Amazon via the Web, none of these chats required the crook to prove he was Cardinal via a password. He didn't even need to know the credit card used to make the purchase.

This is very troubling, and clearly a security hole that Amazon will eventually need to address. But Amazon isn't the only site with this sort of problem. As Melanie Pinola at Lifehacker recently pointed out, you can do more or less the same thing at many financial institutions. That's why Pinola recommends calling your bank and trying to social engineer customer support yourself, to see how malleable their processes are. Can you get access to your account or reset your password without providing a PIN or answers to security questions? If all you need to provide is your email address and your social security number -- two relatively unsecure pieces of information -- consider switching to a bank with better security.

Photo courtesy Flickr user Andrew Magill

Comments

Market Data

Market News

Stock Watchlist