Fairly early Saturday morning, my phone
rang. Although I didn't recognize the number, I answered, learning
during this election period that if I ignore the pollsters' attempts
to contact me, they just call back, again, and again... (I don't know
if it is that my opinion is extremely valuable or if there are just
lots of pollsters that I receive so many calls. I suspect the
latter.)
“Hello?”
“Yes, hello, Lee. My name is Marcus,
and our servers have detected some hacking in your computer, and I am
calling to help you.”
I don't know about you, but it always
throws me off a little when a stranger calls me by name. However, I
was instantly alert, mostly due to the use of a verb (hacking) in
place of a noun, and the accent. I would place Marcus in India. I
would expect his servers to find a virus or malware – the results
of hacking. Not completely certain how they would detect the act
of hacking without detecting the results of hacking.
“Marcus, please tell me my computer
IP address where you detected the hacking.”
“Lee, I don't have your IP address,
but I do have the ID of your Windows computer.”
“Continue, Marcus. What is my
computer's ID, and please, which version of Windows am I running?”
The version question was just to string
him along a little. I realized as I asked it that there was a good
chance he could guess correctly – I think there are only 3 versions
remaining in widespread use. I chuckled, thinking of the scene in the
movie Elf where Elf asks the department store Santa, who he believes
is fake and wants to prove it, “Yeah? If you're the real Santa,
what song did I sing for you on your birthday?” “Why, Happy
Birthday, of course!”
I was really intrigued, and a little
concerned, that he might actually have my computer ID. So, I wanted
to play along just to see. While we continued talking I was busy
pulling up the two values that he might have: My computer ID and my
Windows ID, just to see which he might give me as 'proof' that his
servers had indeed detected hacking on my machine.
Marcus was pretty slick, too. He didn't
attempt to answer the Windows version question, deflecting with “I'm
not talking about your OS. I'm talking about your computer ID.”
“I'm ready, Marcus. Please, give me
my computer ID.”
“888DCA60-FC0A-11CF-8F0F-00C04FD7D062”
Whew. That was neither my Windows ID
nor the number on the back of my computer. Didn't match my MAC
address, either. But what was it, and why would Marcus think I would
accept it as my number?
“That's not my computer ID, Marcus.”
“Sir, it is your CLSID. Please, press
your windows key, and then 'r', and type the command 'assoc'”
Some more time occurred as I acted
stupid and had him explain several times where the windows key was
and how to recognize it. (For humor imagine a non-English speaker
attempting to describe what that key looks like – nothing I was
hearing made any sense!) I know well that Windows+R would give me the
command prompt, and I wasn't going to start running unfamiliar
commands that some caller asked me to. So, while he was busy
attempting to get through to me what to do, I was searching (I don't
'google', since, #1, Google is a noun, and should not be used as a
verb, and #2, I don't use Google as my search engine, having
switched to DuckDuckGo) for
'Assoc scam'. Which I found, here.
I also typed help assoc in the command
window, and realizing that the assoc command by itself was only
Marcus' attempt to 'prove' his legitimacy, I typed it. And sure
enough, there is the CLSID that matches the string Marcus gave.
Fortunately, the CLSID is not unique to any particular computer, and
so I now knew that Marcus possessed no identifying information on my
computer.
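The check described above can be scripted. The following PowerShell is an added example, not part of the original post: it takes the value a caller reads out and reports whether it appears in the generic `assoc` listing and the COM class registry, and whether it matches any identifier that really is specific to the machine. The function name `Test-CallerSuppliedId` and the choice of local identifiers (MachineGuid, hardware UUID, MAC addresses) are assumptions made for illustration.

```powershell
# Added example (not from the original post).
# Test-CallerSuppliedId is a hypothetical helper name.
function Test-CallerSuppliedId {
    param([Parameter(Mandatory)][string]$Id)

    # Normalise: drop braces and whitespace, compare in upper case.
    $guid = ($Id -replace '[{}\s]', '').ToUpper()
    $flat = $guid -replace '-', ''

    # 1. Does the value show up in the file-association list?
    #    assoc is a cmd.exe builtin, so it is run through cmd /c.
    $assocHits = @(cmd /c assoc | Select-String -SimpleMatch $guid |
                   ForEach-Object { $_.Line })

    # 2. Is it registered as a COM class? Class IDs ship with Windows
    #    and are not generated per machine.
    $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\{$guid}"
    $clsidName = $null
    if (Test-Path -LiteralPath $clsidKey) {
        $clsidName = (Get-Item -LiteralPath $clsidKey).GetValue('')
    }

    # 3. Identifiers that actually belong to this installation or hardware.
    $local = @(
        (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid
        (Get-CimInstance Win32_ComputerSystemProduct).UUID
        (Get-NetAdapter | ForEach-Object { $_.MacAddress })
    ) | ForEach-Object { ($_ -replace '[{}\s:-]', '').ToUpper() }
    $matchesLocal = $local -contains $flat

    $verdict = if ($matchesLocal) {
        'Matches an identifier of this machine'
    } elseif ($assocHits.Count -gt 0 -or $clsidName) {
        'Generic Windows class ID, identifies nothing about this machine'
    } else {
        'Not found on this machine at all'
    }

    [pscustomobject]@{
        Value          = $guid
        AssocLines     = $assocHits
        ComClassName   = $clsidName
        MatchesMachine = $matchesLocal
        Verdict        = $verdict
    }
}

# The value Marcus read out on the call.
Test-CallerSuppliedId '888DCA60-FC0A-11CF-8F0F-00C04FD7D062'
```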
It was time to end this phishing call.
“Marcus, that value is not unique. In fact, that is a known scam,
and that makes you nothing more than a common thief, a worthless
piece, a horrible human being, and a waste of resources. You should
find something constructive and productive to do rather than attempt
to steal.”
I suspect that Marcus did not want my
(well meant) advice: He hung up on me! Oh well...
But my taking this call had become a
useful teaching opportunity for me. My children had been following
along wondering just what was going on. They were very excited by the
conclusion, but we were able to go back over the details: How I had
revealed nothing to the caller, not answering any of his questions,
asking my own to stall, searching details, being very suspicious of his
motives. We talked about good security – I absolutely didn't run
any command he asked me to, and that I could have just ended the call
early (which is probably best) – and that legitimate companies will
not call and ask you to allow a connection to your computer.
The final point is the most important:
Your bank, your doctor, your credit card company, none will initiate
a call to you and ask you for personally identifying information or a
connection to carry out their business. Neither will the FBI or any
other legitimate institution.
It is interesting, with all the high
profile stories in the news about hacking, the majority of theft of
ID or financial information still occurs through phishing – one
person talking to another, and manipulating the victim into giving
out the necessary information. As we've become more sophisticated in
our understanding of phishing, so the phishers have gotten more
clever at presenting 'proof' they are who they represent to be.
The stakes keep growing, too, as more
and more personal information is gathered on us and stored on
Internet connected devices. As we've seen, through the breach of
Target, Home Depot, and Sony, large companies are not up to keeping
our data safe.
Which poses the question: Should they
even be allowed to maintain data on us? Should it even be a
possibility that Marcus could have obtained (perhaps through a hack
of a major computer reseller) my actual computer ID? Or my user
profile as stored up by Google, Microsoft, Yahoo, Amazon, etc.?
Security expert Bruce Schneier thinks
about this a lot. Through
reading his book 'Data and Goliath' and rebuffing attempts like this
morning, I've started thinking about it more, too.