Clareity Consulting, Real Estate Information Technology Consultants

2006 Security Articles

A Dangerous Chat: How Hackers Can Abuse Your Trust

Author: Matt Cohen, Clareity Consulting (www.callclareity.com)

Does this sound familiar?

"Hi, this is John Smith from [your MLS] help desk. I want to help make sure that your computer is set up so that some changes we'll be making here don't cause you a problem in accessing the MLS. First, please confirm your MLS username or public ID." After being told the public ID, John tells the MLS subscriber their address, phone number, and email address and has them confirm it. Then John says, "Are you near your computer and online? Great! Now, I want you to log into the MLS and change your password – but don't tell me what it is – for security reasons you should never tell anyone what it is." Finally, John helps the person download a patch to make sure the new MLS report designer will work when it is upgraded next month.

What just happened? The MLS subscriber just had their computer and all online accounts breached – including MLS, banking, and whatever other accounts they may have accessed from that computer. He or she was a victim of what hackers call "social engineering": breaching security by manipulating the person instead of the computer.

The hacker's aim was to build trust, then betray it. First, he went to the MLS web site and found the name of a real support staff employee. He assumed that name when he called the MLS subscriber, whom we'll call the "victim." Using that identity, he appealed to the victim's fear of losing access to the MLS to get the victim to give up information and make changes to the computer. The first thing the hacker asked for was the public ID. If all the hacker needed to access the MLS was a username and password, this got him halfway there. Had the victim declined to give it, the hacker would simply have said, "That's okay, I've looked up your account by name," and carried on. The address, phone number, and email address that "John" then read back were not taken from the victim's file at all: the hacker had looked them up beforehand from publicly available sources on the Internet, which made it seem as though he were sitting in the MLS office with the victim's account open in front of him. Telling the victim to change the password, but not to reveal it "for security reasons," cost the hacker nothing and made him appear genuinely concerned for the victim's security. Then came the "patch": a file downloaded from the hacker's web site that took over the computer, logged everything typed on it, including every computer and online account login used on that machine, and sent those logs to a server from which the hacker would later retrieve them for analysis. At each step along the way, the hacker learned more sensitive information about the MLS subscriber, perhaps even enough to convince a real MLS staff person to reset the password for him. Finally, the crowning achievement: getting the victim to install foreign software that betrayed the victim's own system.

What other information would you provide to someone you believe is a staff person at your MLS or Association: credit card, Social Security, or license numbers? Would you change your password to "test," just for a moment while they "fixed something in your account"? Would you change a setting or run a command on your computer? Any of these things could cause you a security problem! Remember, sometimes people aren't who you think they are.

How would you validate that a request is legitimate? Remember, caller ID can easily be faked. An email that appears to come from the MLS or Association could have been spoofed so that it only seems to come from them, just as the MLS system can send an email to a consumer that seems to come from you. Neither the name on the caller ID nor the address in the "From" line proves anything. Reasonable steps are to hang up and call the main MLS number yourself, using a number you look up on the MLS web site or in your own records (never one the caller gives you), or to email someone else you know in the organization and ask whether the request is real. Remember, the hacker will try to make the situation seem urgent enough that you skip these steps or don't stop to ask whether the caller has any "need to know"; that pressure is itself a warning sign. No legitimate change is so urgent that it cannot wait for a callback, so do your best to validate a request whenever you encounter suspicious behavior.

Don't become a victim of "social engineering." Security awareness can help prevent the theft of your private and sensitive information.

About the author: Matt Cohen is Clareity Consulting's Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops and leadership retreats around the country on security related topics, and is a well-regarded real estate industry expert on software design, product management, project management, data center reliability, scalability, and security. Clareity Consulting was founded in 1996 to provide information technology consulting to the real estate industry and its related businesses.

 ©1996-2008 Clareity Consulting. All Rights Reserved.