You Might Be Forced to Reveal Your Password: How to Determine If It Is Safe to Do So
Law enforcement agents and border police officers are asking suspects and travelers for passwords or biometric data so that they can search through electronic devices. It's a relatively new scenario, and one that has sparked quite a lot of controversy.
Some people argue that this is a gross invasion of privacy that ignores basic human rights and bends the law. Others say that it's no bigger a deal than having your suitcase X-rayed before boarding a plane.
When law enforcement asks for our password
Many people have many different ideas of what you should do before and after a person of authority asks you to unlock your phone. Advice ranges from "ignore the request and ask for a lawyer" through "don't carry any electronic devices with you" to "unplug the ethernet cable and go live in a cave." These tips may sound perfectly reasonable to some while being completely impractical to others.
There is no one-size-fits-all solution, but because search warrants for electronic devices are a bit of a legal grey area, one thing everybody could do is check local legislation and see how they are treated in their part of the world. You could also do worse than think about how likely you are to be asked to unlock your phone. Based on this, you should be able to decide for yourself what your best plan would be.
While we're not saying that you shouldn't be prepared, most of you will probably never face the problem, because police officers tend to search through devices only if they're suspicious of something. But what if the person asking you for your password doesn't wear a badge? Being caught in a situation like this is far more likely.
When organizations ask for our password
Banks, financial institutions, and other organizations handle our PINs and passwords, and they frequently ask us to provide them for the purpose of authentication. One of the biggest problems with this is that scammers can pretend to be representatives of those organizations and request our passwords as well. They are constantly coming up with new, clever ways of doing it. That's how the classic phishing scam was born.
Over the years, it has evolved quite a lot. The fake login forms are now more convincing than ever – they look exactly the same as the real deal, and some of them even have the all-important green padlock, which instills trust in people. With that said, while there are still plenty of users taking the bait, many have realized that clicking links in emails is a terrible idea. Unfortunately, scammers are adapting as well.
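The padlock only tells you that the connection to whatever host is named in the URL is encrypted; it says nothing about whether that host is your bank. The check that actually matters is whether the hostname belongs to a domain you already trust. The function below is an added example written for this article, not code from the author or from any bank; the trusted domain `examplebank.com` and the sample URLs are constructed. It shows the three tricks a convincing fake login link most often relies on: a trusted name used as a prefix of an attacker-controlled host, a trusted name placed in the userinfo part before `@`, and a look-alike spelling.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domain(s) the user actually banks with.
# "examplebank.com" is a hypothetical name chosen for this example.
TRUSTED_DOMAINS = {"examplebank.com"}


def login_url_verdict(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason).

    ok is True only when the URL uses https AND its hostname is a trusted
    domain or a subdomain of one.  A padlock (https) alone never suffices.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    # .hostname is lowercased and already has userinfo and port stripped off,
    # so "examplebank.com@evil.test" yields hostname "evil.test".
    host = parts.hostname
    if host is None:
        return False, "no host in URL"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if parts.username is not None:
        return False, (f"userinfo {parts.username!r}@ is placed before the "
                       f"real host {host!r}")
    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized (punycode) label in host {host!r}"

    for domain in trusted:
        # Exact match or a true subdomain: "login.examplebank.com" passes,
        # "examplebank.com.evil.test" does not (it does not END with the domain).
        if host == domain or host.endswith("." + domain):
            return True, f"host {host!r} belongs to trusted domain {domain!r}"
    return False, f"host {host!r} is not under any trusted domain"


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing email might carry.
    samples = [
        "https://login.examplebank.com/signin",          # genuine
        "https://examplebank.com.evil.test/signin",      # trusted name as prefix
        "https://examplebank.com@evil.test/signin",      # trusted name in userinfo
        "http://examplebank.com/signin",                 # no encryption at all
        "https://examp1ebank.com/signin",                # digit 1 instead of l
    ]
    for link in samples:
        ok, reason = login_url_verdict(link)
        print(f"{'OK  ' if ok else 'FAKE'} {link}  ({reason})")
```

Real browsers and mail filters do this comparison against a much larger list and with a proper public-suffix database, but the principle is the same: the decision is made on the hostname, never on the presence of the padlock.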
Vishing – phishing's talkative sibling
Vishing (short for "voice phishing") is one of the tactics they've created. Like phishing, vishing's goal is to socially engineer you out of your sensitive data. The main tool, however, is different – a phone call rather than an email.
The typical vishing attack is aimed at bank customers. The scammers usually pretend to be customer service agents and, to create a sense of urgency, tell you when they call that there have been unauthorized charges on your credit card. Obviously, the old card has to be replaced, and the pretend customer support person is more than happy to set the process in motion. They just need a few minor details, including the full card number, the three-digit code on the back of the card, and your PIN. Before you know it, a counterfeit copy of your credit card is used to buy things hundreds of miles away from where you live.
Of course, this is just one scenario. There are many different examples, and some are more believable than others. You might think, however, that no matter how convincing the person on the other end of the line, you will be able to spot the scam because the call is coming from the wrong number. Don't be so sure.
Caller ID spoofing tools have been around since 2004, which means that the seemingly correct number you see on the screen might not mean a thing. On Monday, Brian Krebs described several separate vishing attacks which showed that the crooks are actively using these tools. His report also proves that when it's carefully thought through, vishing can be extremely lucrative and effective.
It would appear that the crooks Krebs described did their homework before picking up the receiver. To ensure that the victim took the bait, they not only spoofed their phone number but also used personal information about the account owner, including portions of Social Security numbers. This type of data, as Brian Krebs points out, is not that hard to find, but the fact that the scammers put it all together, were prepared to address the victims' concerns, and managed to sound convincing enough shows that we're talking about a serious criminal operation rather than a handful of teenage pranksters with too much time on their hands.
Phishing has one distinct advantage over vishing – it's almost entirely automated. Unfortunately, it seems that the scammers are trying to make vishing attacks more hands-free as well. In his report, Brian Krebs noted that some of the recent attacks use recorded voice messages and machines to fool victims. In one of the cases, a human being was acting as a backup for whenever the software got stuck, but in another, the entire operation relied on voice recognition technology to choose the right pre-recorded reply. Sure, the lies weren't as convincing as when a real person was telling them, but the use of technology does show where the crooks are headed.
How can you protect yourself from vishing?
As we established already, the phone number isn't a reliable indicator, and although you might be able to spot some of the less sophisticated scammers by their odd accents and trembling voices, the professionals will be cool as cucumbers and proficient when it comes to language.
If someone is trying to pry personal information out of you over the phone, think about whether these people really need it. For a variety of complex reasons, some banks and organizations think that requesting sensitive information like passwords and PINs over the phone is perfectly fine, but that doesn't mean that you shouldn't be careful, especially if the supposed support agent initiated the call. If that's the case, tell them that you have something to attend to and that you'll call them back in a minute. Then hang up and either call a number which you're sure belongs to that organization (the one printed on your card or statement, not one the caller gave you) or, better still, go to a physical office and complete the procedure face to face.
Vishing is still not as widespread as phishing, and it probably never will be, but it is a threat worth watching out for, especially considering how advanced some of the crooks have become.