Security Basics mailing list archives

Re: Re: Steps to avoid Social Engineering (voice recognition)


From: "Steve" <securityfocus () delahunty com>
Date: Mon, 25 Apr 2005 08:04:22 -0400

Somebody mentioned voice recognition as a possibility.  And while it might
be expensive for this certain purpose, I read a very interesting article
recently about the use of such technology at a bank related to
authentication and authorization. See
http://www.nwc.com/showArticle.jhtml?articleID=48800445
The Payoff: Voice of Authority
Associated Bank, Green Bay, Wis.
Associated Bank is reducing customer calls by using voiceprint technology to
dole out personal ID numbers without human intervention.


STEVE
----- Original Message ----- 
From: "Steve" <securityfocus () delahunty com>
To: "Raoul Armfield" <armfield () amnh org>; "Tabs The Cat"
<tabsthecat () gmail com>
Cc: <security-basics () securityfocus com>
Sent: Thursday, April 21, 2005 12:20 PM
Subject: Re: Re: Steps to avoid Social Engineering


For email verification, could use PGP.

We have a service provider that makes us use a keyfob (SecureID) to
authenticate when we call in.

STEVE
----- Original Message ----- 
From: "Raoul Armfield" <armfield () amnh org>
To: "Tabs The Cat" <tabsthecat () gmail com>
Cc: <security-basics () securityfocus com>
Sent: Tuesday, April 19, 2005 3:58 PM
Subject: [Re: Steps to avoid Social Engineering


Tabs The Cat wrote:
Hello y'all,

     I have a question for you guys (and gals). We all know about social
engineering. Some of us use it on a daily basis. And we all know how
it can be even more dangerous than any computerized attacks, but how
can we protect against it?

     I'll give you an example: we have a database based program that
was written by and maintained by a third party that is in another
city. In the past when they needed access for maintenance, we would
provide them it via VPN. Recently there has been a problem so they
were contacted. Earlier today someone from that company phoned me to
discuss details about the VPN. I haven't given them any information
yet. In this case I am fairly positive it is legit since they knew the
company that we use as well as who lodged the complaint.

     But how could I get this person (or anyone in the future) to prove
to me that they are who they say they are? Any advice?

Tabs


I am a security newbie so take this with a grain of salt.

How about if you agree, in advance, on an (list of) email address(es)
you can send something to.  Then when they call send a message to that
email address and have them read off a keyword.  The reason I suggest
doing it in advance is that the person you speak with may give you a
fake address rendering this method useless.



-- 
Raoul Armfield
Support Specialist
IT-Call Center
armfield at amnh dot org
American Museum of Natural History
Central Park West at 79th Street
New York, New York 10024-5192
(212) 313-7258

5152 1277 A04B 04C2 BBE4
3EE8 8369 3541 8B93 42DA
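
The pre-agreed address check suggested in the thread above, sketched as an added example that is not part of the original messages. The registry contents, word list, class name and `send_mail` callable are all hypothetical.

```python
import hmac
import secrets
import time

# Hypothetical registry agreed with the vendor in advance (constructed sample data).
PRE_AGREED = {"vendor-db": {"support@vendor.example", "oncall@vendor.example"}}

# Small word list for the demo; a real list would be much larger.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "granite", "harbor"]
TTL_SECONDS = 600  # a keyword is only good for the current call


class CallbackVerifier:
    def __init__(self, registry, send_mail, clock=time.time):
        self.registry = registry
        self.send_mail = send_mail  # callable(address, body), injected so this runs offline
        self.clock = clock
        self.pending = {}           # party -> (keyword, expiry time)

    def start(self, party, address):
        """Send a one-time keyword, but only to an address agreed beforehand."""
        address = address.strip().lower()
        if address not in self.registry.get(party, set()):
            # An address supplied during the call proves nothing: refuse it.
            return False
        keyword = "-".join(secrets.choice(WORDS) for _ in range(3))
        self.pending[party] = (keyword, self.clock() + TTL_SECONDS)
        self.send_mail(address, f"Verification keyword: {keyword}")
        return True

    def check(self, party, spoken):
        """Compare what the caller reads back; each keyword allows one attempt."""
        keyword, expiry = self.pending.pop(party, (None, 0))
        if keyword is None or self.clock() > expiry:
            return False
        normalized = "-".join(spoken.lower().split())
        return hmac.compare_digest(normalized.encode(), keyword.encode())
```

Because `check` consumes the pending keyword, a wrong answer forces a fresh keyword to be mailed to the pre-agreed address before the caller can try again.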




