Here's how she described the way an attacker could use your Netflix account to access your banking information:

'Banking institutions will use publicly available information, like your birthday, your address, your full legal name, even where you opened the bank account, which is very easy to find out, especially if the user has not moved around a lot. But generally, in multiple cases, they'll ask first for the last four digits of your social security number, but a lot of times people don't know that, or you might be in a place where you don't want to disclose that. So, if the consumer doesn't have that and they don't have a credit card on them, they will go through a set of questions. And this will vary from institution to institution.

What happens is that many financial institutions have policies for when users forget their account number. They then have a set of rules to follow on how to release that account number. So if you call and say, "Hey, I'm traveling, I'm having some issues with my mortgage payment, can you please confirm the account number, I don't have it memorized."

So the vulnerability comes in when you call to get more information about an account, but not quite the account number: they won't verify as hard. So when you call first, you don't ask for the account number first, and you're going to use the fact that you know the subscription services that were recently charged to the account to prove that you have knowledge of the account. And if you just search Netflix on Twitter, you have a whole bunch of people who recently posted like, "Hey, I just got a new Netflix subscription," and you're like, it's August 1, and they just bought a new Netflix subscription today. You can then calculate the day of the month that that Netflix subscription, or whatever subscription, will renew and use that piece of information with a banking institution to prove ownership of an account.

And you'll say, "Hey, so I got this weird text message, one of the short numbers, you know, and it said that my Netflix subscription renewed yesterday, that should be my most recent charge on this account, could you verify the balance?" And a lot of times the person, to be helpful, will hand over all the seemingly inconsequential information very easily. And they'll be like, sure, here's your account balance, and you're like, great. And then you can keep going: "Can you just verify the prior few charges for me, I just want to be sure that there are no pending charges that are going to change the balance." So now you know the most recent charge (Netflix) and you know the account balance, two critical pieces of information. And you, as the attacker, say, "Sweet, now I have the last few charges, and I have the account balance."'