I've heard of this happening from time to time but I've never experienced it myself until just now... I received a telephone call from a Bank with whom I have an account - they asked me to tell them two digits from my security code so that they could authenticate me. I refused to do so as I had no way of verifying THEIR identity. It just made me wonder how often such requests are made and how many people (outside the security industry) freely divulged such information without question?
Social engineering, IMHO, is the oldest form of hacking and is likely to remain so. How can we ensure that our friends, family and customers are aware of how to protect themselves from such attacks?
Initiatives such as GetSafeOnline aim to increase the level of security awareness of the general public. What can we do above and beyond existing schemes to get the word out to those at risk?
I must say I've never received calls from my Bank yet. But I have received calls from my mobile phone service provider who just asked for my password. I hesitatingly provided it but then immediately changed my password. It turned out to be the provider but still I have to agree with you. I had no way of verifying their identity. I guess you could provide incorrect info intentionally a few times to verify their identity.
In my first week at Microsoft, I received a phone call from outside campus. The caller identified himself as a VP that I'd never heard of, and insistently demanded that I transfer him to another extension. Since I didn't know how, I declined - he then got snippy and started demanding direct phone numbers for a few people out of the directory. What would you do? I gave him the phone numbers of the reception desks in the buildings of the people involved, because that seemed to make the most sense.
Alun> I'd have done the same as you. Quite often head hunters may cold call and ask for telephone numbers - many receptionists are trained in how to deal with blatant attempts
You are starting to do it by using your blog to raise awareness.