Scam calls... something we've forgot about?


I was thinking about the problem of identity theft today and looked back at notes I took during Nitesh Dhanjani and Billy Rios's presentation at Black Hat and Blue Hat recently and I came to the realization that our government should be doing more about this crap.

You see, identity theft is an economy itself.  It has demand, thieves trying to use the stolen information for their own financial gain, and supply, the stolen IDs.  In fact, there's a whole sales process of selling phishing kits, IDs, skimmers, etc.  Think of all the places that keep record of your personal information... banks, your employer, your cell phone provider, your cable company, your apartment complex, the government, your doctor, etc. etc. etc.; now also think of all the places where you readily scan your information to be stored, ATMs, the Redbox, etc.  All of these data warehouses are potential places where your data could be stolen from.  The attacks are well known these days, phishing, web application compromise, skimming, etc., but we've forgotten about something.  Scam calls.

For the past 20 days I've been getting calls from the number 480-543-1320, listed as SSPL.  It appears I'm not alone.  For me, I've never heard anything but a dead line on the other end.  Calls back have been met with a busy tone.  However, for others, they've received prank calls, calls asking for their social security number or credit card directly (not very intelligent callers it would seem), claiming the call recipient has won a free cruise (just provide your SSN and credit card number), or claiming the call recipient has won free gas (just provide your SSN and credit card number).

You know, I thought this crap was illegal.  Apparently it is, but only if you are on the "Do Not Call" list... well, I joined that a long, long time ago.  There have also been a lot of complaints registered against this number, yet nothing has been done.  I thought it was interesting and thought, maybe I should investigate the 480 area code (Arizona).  The list of scam calls from that area code is absurd, but I have no idea if it is any more than any other.

Being a security consultant in my primary job, I know just how easy it is to social engineer someone into giving you something you want.  I hope our government is considering more proactive measures than this "Do Not Call" registry, as obviously all the complaints against this number have done nothing to punish those making the calls.

-Nate

Topics: Banking, Government, Government US, Security


Talkback

85 comments
  • Keeping Telemarketers At Bay with Asterisk

    FYI: http://nerdvittles.com/index.php?p=75
    Not for everybody but it should be well within your grasp.
    D T Schmitz
    • What about Obelisx?

      He could hit them all with his menhirs or Getafix could make you a potion!

      Not for everybody - but might work for Goscinny & Uderzo.
      DigitalPenGuy
      • Folks, you'll have to go read up on Asterix to get anything from that

        nt
        D T Schmitz
        • Asterix

          Was there a point to that comment? I don't mind obscurity but what ABOUT Asterix? Is it phone software, a website and how is it relevant?
          shermanenergy
          • NOT RELEVANT

            Stupid gamers - it's from a series of French comic strips.
            NGENeer
          • Not even close to being relevant

            nt
            D T Schmitz
          • Are you kidding!?

            Asterisk is absolutely relevant. It is a very cheap and easy way for a somewhat tech savvy person to filter their calls with a spare box you might have lying around, and if you use something like trixbox to install it, it eliminates a lot of the tedious configuration. The blacklist and privacy manager are extremely useful to eliminate calls from unwanted parties, also you can build in custom things like time conditions that don't put calls through at all during dinner, for example.

            Also,
            Asterisk is relevant because with the right origination provider, you can cheaply use it to defraud people. If your provider doesn't verify it, you can set your outbound caller ID to anything you want, including the 800 number of any bank.

            I can understand if you don't know about VOIP, but don't be so quick to discount something you don't understand.
            zdnet@...
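
The filtering described in the comment above (privacy manager, blacklist, and a dinner-time condition), sketched as an Asterisk dialplan fragment; this is an added example, not part of the original post or comments. The context name `from-pstn`, the endpoint `PJSIP/house`, the mailbox `100@default` and the 18:00-19:30 window are assumptions. Because the presented caller ID can be set by the caller's provider, the blacklist only stops callers who keep presenting the same number.

```asterisk
; extensions.conf (added example; names below are assumptions)
; Populate the blacklist from the Asterisk CLI, e.g. with the number
; reported in the article:
;   database put blacklist 4805431320 1

[from-pstn]                      ; assumed context for inbound trunk calls
exten => s,1,NoOp(Inbound call, presented caller ID: ${CALLERID(num)})

; 1. Callers who present no number must key one in (3 tries, 10 digits min).
 same => n,GotoIf($["${CALLERID(num)}" != ""]?checked)
 same => n,Answer()
 same => n,PrivacyManager(3,10)
 same => n,GotoIf($["${PRIVACYMGRSTATUS}" = "FAILED"]?blocked)

; 2. Drop any number that has an entry in the AstDB "blacklist" family.
 same => n(checked),GotoIf($[${DB_EXISTS(blacklist/${CALLERID(num)})}]?blocked)

; 3. Time condition: during dinner, do not ring the phones at all.
 same => n,GotoIfTime(18:00-19:30,*,*,*?quiet)

; 4. Normal case: ring the house phone for 25 seconds.
;    If nobody answers, execution falls through to voicemail.
 same => n,Dial(PJSIP/house,25)
 same => n(quiet),VoiceMail(100@default,u)
 same => n,Hangup()

; Blocked callers hear the "disconnected number" tone, then are dropped.
 same => n(blocked),Zapateller(answer)
 same => n,Hangup()
```
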
          • Asterix and Obelix

            I was referring to the reference to "Asterix and Obelix" (see http://en.wikipedia.org/wiki/Asterix) not the Asterisk open source telecom software PBX system.

            Even so, considering that most people here are somewhat scam savvy, the Asterisk PBX system ain't gonna do much for the average Joe & Jane - especially the older folks who are most likely to be scammed.
            NGENeer
  • RE: Scam calls... something we've forgot about?

    Why can't the phone companies trace these calls and shut them down?
    lmenningen
    • Pretty sure they can...

      but why would they? Less money for the phone company, more cost. Until our government makes stronger, more punishing laws around this, nothing will happen.

      -Nate
      nmcfeters
      • They can and they should but they won't...

        The long and the short of it is, there's no money in it and the phone companies will not do anything about it unless they are ordered to by either Congress or the FCC or your local state PUC (Public Utilities Commission.)

        I work for one of them and I know this for certain. If you want to stop them dead in their tracks it is simple. Just vote for politicians who give a SH#T about the people who elect them and not the people who bribe them with lobby money and all will be fine.

        But that is a tall order isn't it!!!
        ja4509
        • and that's the sad truth...

          You can't get elected without one of your political backers having an agenda they need you to push...
          Four-Eyes
        • Correct

          And the government probably has no real incentive to do this the right way either... so many lobbyists.

          -Nate
          nmcfeters
  • People don't care

    I've gotten a call from "Citibank" saying there was potential fraud on my card, call a number to verify that it wasn't. Classic signs of phone fraud in my mind.

    Except it *was* really Citibank. I reamed them about it, and other searches say it's been going on for years yet they still don't fix it.
    rpmyers1
    • People do care...

      You're talking about a legitimate call, which is the fault of a company for not making it more clear it was a legitimate call, or for asking you for whatever sensitive information was in question.

      I was speaking of legitimate social engineering calls.

      -Nate
      nmcfeters
      • Bad process

        It's harder to teach people to not fall for the scams when the real company does it.

        "Maybe it's real". It can *NEVER* be real for people to learn. Each company must push, very loudly, that any calls asking for information are invalid, even ones that ask for a callback to a number. The most they should do is say "call the number on the back of your card".

        Wells Fargo is guilty on the e-mail front as well. There's one e-mail I got that I assumed was a phish, and it took about three hours for me to do enough verification that yes, it was real.
        rpmyers1
    • I hate to support s***ybank but,

      If they did not ask you for any personal info including card number, SS, etc. then it was probably fine. Banks need a valid way to alert someone to potential fraud. If all they are doing is asking you to call a number and verify a purchase (sans card #) then that should be safe for us to do (not releasing any info) and helps prevent the use of our cards should our "identities get stolen".
      bernalillo
      • Agreed

        I don't understand the problem with this... I want my bank to call me when they are concerned about fraud.

        -Nate
        nmcfeters
        • re-read the post

          He said that they DID ask for his card number which is why he thought it was a scam. Happened to me too with a different company that purchased a large CC company that started with an M. I refused to give them information and then I called THEM back. And yes, I read them the riot act, but it didn't make any difference.
          library assistant
          • I reread it.

            I still don't see where they asked for his #.
            bernalillo