Hacking incident with the hallmarks of distraction burglary

Article

‘Bogus IT guys’ slurp £1.3m from Barclays: Cybercops cuff 8 blokes • The Register

Barclays Bank computer theft: Two men in court over £1.3m haul | BBC News London

From the horse’s mouth

Metropolitan Police (London)

Press Release

Barclays Bank

Press Release

My Comments

KVM switch and 3G router attached to the bank's computer to hack the system (Metropolitan Police London press image)


Very often, I have heard and read crime-prevention articles touching on the issue of “distraction burglary”. This is where a person gains access to someone’s home or business under the pretext of a legitimate reason such as to read the meter or do some inspection and takes advantage of this to commit or facilitate crimes, typically burglaries.

The material often encouraged people to check that the visitor is real and legitimate and has a legitimate reason to visit before admitting them to their premises. One of these campaigns that I considered notable was the “Stop Chain Check” campaign in the UK that was run by various UK police forces in concert with TV Licensing and other utilities, where older residents were to have the door chain on before they opened the front door and to verify the credentials of that visitor.

Even IBM ran an awareness campaign through the 70s targeting Selectric typewriter owners who had equipment-maintenance contracts with them, warning them of bogus service representatives. Here, the bogus repairmen would claim that the customer’s Selectric needed workshop attention and would take the machine away for “repair”. Similarly, businesses had to be careful about people showing up as official telephone-company representatives to perform work on their telephone equipment, because this was used as a cover for planting bugs or phone taps.

Recently, there was a hacking incident targeted at Barclays Bank in Swiss Cottage, London where someone gained access to the bank branch’s IT equipment under the pretence of doing IT support work for the bank. Here, they attached a KVM-over-IP switch and a 3G mobile-broadband router to a computer at that branch and used this setup to commit a very large fraud against Barclays.

The hallmark of this fraud was an unannounced service call by people pretending to be the bank’s IT staff or contractors. It was very similar to the aforementioned distraction burglaries, with the criminals acting like the fake meter readers who gain access to people’s homes. There is also a similarity to the newer practice of “spear-phishing”. Classic “phishing” attacks use what purports to be official email from a bank or similar organisation to siphon confidential data from customers, whereas a spear-phishing attack is targeted at a particular employee of a particular company for access to highly-confidential business material.

A good practice for businesses who have IT-service contracts is to maintain a single point of contact between the business and the contractor. Here, you have an ability to pre-arrange any work that needs to be done on the equipment and be aware of any impending work, whether to rectify a fault or improve the IT system. As well, people in the business or similar environment need to know what equipment is currently in service or available for service.

We also have to be suspicious if someone is forcing upon us the installation of hardware or software, the modification of existing hardware or software, or the removal of hardware, especially if the work hasn’t been arranged previously. This is more so if the work isn’t explained, the equipment’s owner or the organisation’s management aren’t kept in the loop or, at worst, the visitors insist that no-one is in the office while the work is underway.

In conclusion, even if you do have your house in order when it comes to Internet-based security threats, you also need to be sure of what is going on if someone visits you to work on your computer equipment.
