Hello, this is Santa… I need your password.
How many sources of information do you use, every day, that you implicitly trust? And should you trust them?
In the course of a risk assessment we’re conducting at the firm, I hired a company to do a number of security penetration tests.
Yes, Sneakers was actually a documentary. Also, yes, I did include that just to see how it works.
Anyway, this as you might imagine generates a variety of interesting complaints from some users. The most common is a sort of general complaint that the tests aren’t fair because they’re undisclosed and trick the user, and include a warning that this means they won’t trust things like Caller ID.
To which I can only say… good?
It isn’t hard to trick Caller ID. Telemarketers do it all the time, and they’re not exactly overflowing with amazing technical skills. So if you’re trusting Caller ID to verify that the person on the other end of the phone is who they say they are… you’re in trouble.
This is not to say “don’t trust anything!” either. Just that, if someone’s asking you for information you wouldn’t normally give up – verify that you really are talking to who you think you are. If someone calls claiming to he be the bank, and all they’re doing is giving you information, well, you can probably trust that it’s the bank. Or a really weird prank. But if they call and want information from you – think about how to verify that it really is the bank. Simplest method? “Give me a ticket or call number, and I’ll call you back.” Then, no matter what number they give you, call your local branch and ask to be rerouted. If it was legitimate, they’ll be able to do that very quickly and easily. But if it isn’t, well, isn’t it worth one quick phone call to find that out?