This kind of scam goes way back to the early phreaking days in the 80's, and probably longer. Just read old issues of Phrack to see what I mean. I think social engineering attacks like this can be greatly reduced, because they all rely on poor authentication systems to be successful. Public-key cryptography (when used correctly) is a wonderful way to defend against this. Most vendors (like your ISP, Phone Co., Address Space provides, etc.) are good about taking special requests to ensure proper authentication before making account changes.

My advice:

Call up your ISP (or Phone Co., Bank, etc.) and see if they use PGP. If they do, tell them that you don't want them to trust ANY requests made to your account unless they have your digital signature. At the very least, give them a phone number to recognize via Caller ID, a verbal password, callback service, or agree that all valid requests will come from a special email address which you setup and don't give out.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/5654/20429#20429