
Simon Willison’s Weblog

Social engineering and Orange

I had a call on my mobile earlier today from a lady claiming to be from Orange (my phone service provider) who told me that my contract was about to expire. She asked me for my password.

Alarm bells instantly went off in my head, so I told her (truthfully as it happens) that I didn’t know my password. Then she asked for my postcode instead.

At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a “security check”. I told her I was uncomfortable giving out information like this to a cold caller over the phone and she said it was nothing to worry about because it was all covered by “the data protection act”.

I said that I would rather conduct my business in an Orange shop, and she told me that she would have to put a mark on my record that I had failed a security check. I interpreted this as a threat, which convinced me that the call was an attempted con. I asked for her name and ended the call.

I e-mailed Orange customer support via their website with details of the call and the number it came from (07973 100 194, which looked like a mobile number to me and had further fuelled my suspicions). I just received their reply—the call really was from them!

Banks and other online services have learnt to repeatedly tell their customers that they will never contact them and ask for their password. Orange are leaving themselves wide open to social engineering attacks. This incredible lack of attention to basic security has given me serious second thoughts about trusting them with my business at all.

This is Social engineering and Orange by Simon Willison, posted on 9th November 2005.


42 comments

  1. I don't know what other phone options you have, but if I were you, I would immediately make a change. A company so lacking in a basic understanding of security and customer service deserves to be out of business right away. Do your part, my friend.

    Jeff J. Snider - 9th November 2005 21:19 - #

  2. No matter how long I live, people (and organizations of people) will never cease to amaze me with their profound cluelessness.

    I absolutely agree: it's time to bail. Especially given your contract's almost up, assuming she was right about that part. I don't know if you're allowed to transfer your mobile number between providers like we are here in the U.S., but even if you aren't, it's probably worth the change to get the hell away from Orange. Besides, with a new number you might get fewer calls.

    Eric Meyer - 9th November 2005 21:24 - #

  3. I work for a mobile content company (read: ringtone seller, though not the one responsible for that godawful frog) and I've noticed that in terms of security most of the major British networks suck.

    Though we do set up some security - registered account holder, passwords, that sort of thing - it never gets checked. All you have to do is phone up and say "Hi it's xxx here from company yyy," and they simply say "Sure, what can we do for you?"

    You've got to love those security conscious types, haven't you?

    Graham Binns - 9th November 2005 21:41 - #

  4. Just out of interest, did you try ringing that number (07973 100 194) back?

    You do indeed get a recorded message that "One of our Orange departments tried to call you, and that we will try again shortly"...

    Stunning.

    How can such a big company be so completely clueless when it comes to security?

    (But then, given the problems I've had with Orange customer support in the past, it doesn't surprise me. If someone else carried the handsets I want, and did two lines on one phone, I'd change in a heartbeat.)

    Andy Warwick - 9th November 2005 21:55 - #

  5. Very interesting. I once had someone come up to me saying that there was a new cheaper Orange tariff; to get it I had to fax the top copy of my phone bill to this number. It was set in Times and had a rubbish Orange logo at the top, so I assumed it was bogus. It's still an odd thing: so you failed the security check and have a black mark next to your name, so what?

    btw: 07973 is Orange's area code if you like, 07973 100 100 is the operator and 07973 100 973 is the SMS message center.

    Tom - 9th November 2005 22:38 - #

  6. I've had two phone calls in the past week from people saying they were from Orange, and they asked me for details about my account - what phone I had, what contract I was on, how long it had been since I last upgraded. Surely these are questions they should already know the answer to, I thought to myself, so refused to answer and hung up on them.

    I can understand why companies want to try to get some extra business by ringing up their existing customers to sell them things, but if I want to upgrade I'll initiate the transaction myself. I guess it's like spam - as long as someone says yes, it will never stop.

    radiac - 9th November 2005 22:39 - #

  7. I'd be more scared about the companies moving their call centres to Asia. We have a couple of our biggest telecommunication companies in Australia doing this at the moment and there was fear that they were leaking personal details for money.

    With that in mind, one of our reporting TV shows set out to see if they could acquire those details; yip - dead simple. They had two options, a $7AU or a $10AU option per set of details. The more expensive one included all financial details (bank accounts, tax file numbers, credit card details, ..).

    Scary scary times.

    Alistair - 10th November 2005 00:21 - #

  8. This is outrageous. I am fairly high up in Orange corporate (QA), and this is an absolutely unacceptable breach of standard security measures. Rest assured, I will be bringing this to the attention of our tech support department at a meeting this Friday. Please remit the details of your phone: -Phone number -Phone password -Current plan -Last time you renewed -to my email address, and rest assured that we will be acting on this laxness of security immediately. Doug Henning, Orange quality assurance

    bookishboy - 10th November 2005 05:10 - #

  9. I've had the same call in the past - I actually wrote to them to tell them how bloody stupid they are!

    Paul Lomax - 10th November 2005 08:39 - #

  10. I had almost exactly the same experience with Orange. My call was (supposedly) to reward me for being a loyal customer, so as you can imagine, I was even more suspicious.

    The guy who called me allowed me to change my password (I claimed I couldn't remember though I knew damn well what it was). I called Orange back to see if my password had really changed, and it had.

    Like you say, it's breathtaking how stupid this strategy for contacting customers is. That this appears to be a regular thing with Orange only makes me even more glad that I ditched them a year ago.

    Simon Speight - 10th November 2005 09:14 - #

  11. I phoned Orange a couple of months back, they asked for my password to which I replied (truthfully) I've forgotten.

    The guy gave me a hint to what it was! He didn't do any further Data Protection checks like address or postcode beforehand either.

    Marc - 10th November 2005 15:09 - #

  12. Orange aren't the only ones. O2, Lloyds bank and even Barclaycard are making really stupid mistakes like this.

    Olly - 10th November 2005 17:04 - #

  13. I nearly bought an Orange phone a year or so ago. They asked a LOAD of compulsory questions that were not required for providing me with phone service and when they asked my marital status I went off in a huff and bought from a competitor.

    Peter - 10th November 2005 20:02 - #

  14. I had a call recently from someone purporting to be from Norwich Union Healthcare, with whom I do have an insurance policy. I have CLI display, but the number was withheld. The opening questions were the usual Mother's maiden name / DoB etc, "for security purposes", to which I asked how I knew they really were from NU. The reply was simply to repeat that they were indeed from NU and to ask the questions again. I refused to answer, and wrote to NU about this (it was them calling, it transpired). I pointed out the issue of identity theft and how they were effectively supporting it. They told me they would carry out an "investigation". I've recently written to them again to find out the outcome, and they've told me they can't change anything. Anyone know an investigative journalist?

    Keith Edmunds - 10th November 2005 20:28 - #

  15. BT does this as well: if you're late paying your bill they will ring you up and try to get you to use your credit/debit card. My answer to this has always been to say "Let me take you through security, can I have your full name, company name, department name" - when they start getting surly I then ask them how I should check out who's calling - if they say caller ID I point out that I do not know who owns the number being called from. Then say "please wait, I will ring Directory Enquiries to get your phone number and call you back".

    William - 10th November 2005 22:32 - #

  16. Believe it or not, banks do the same. I have been called by my bank several times with the first question being:

    "Hi, I'm calling from [my bank] - can I have your birthdate ?"

    The trick is to ask *them* for your birthdate - they will then use a challenge-response algorithm where they will tell you your day of birth for example, you must then tell them what the month was and they will then tell you what the birth year.

    Crap banks will just expect you to give out your birthdate or other personal information regardless.

    Nuno - 11th November 2005 01:20 - #

  17. I'm amazed by the number of companies that do this! It seems like it's a much bigger problem than I had originally thought.

    Simon Willison - 11th November 2005 01:20 - #

  18. I had exactly the same thing from Vodafone when I joined them a couple of months ago. They called me a few days after I was connected and asked for my passcode, date of birth etc. I asked how I knew they were from Vodafone and he responded that the number was an Edinburgh number and that's where Vodafone customer service was based. Needless to say I refused to provide this information though I'm fairly certain it was from Vodafone themselves. I've had exactly the same thing with Barclays Bank in the past. If companies are going to cold call customers and then expect them to respond with security details there needs to be some kind of standard challenge-response mechanism. I've occasionally agreed to provide my details if the company will first let me know the post code or house number they have for my number but not everyone will do this and it's not really 100% secure since neither are impossible to find out.

    Tom Price - 11th November 2005 09:00 - #

  19. They often do that. They also have third-parties call you up if you haven't taken a new phone in a while. Companies you have never heard of.

    Ceri Davies - 11th November 2005 10:22 - #

  20. Well, it seems I've just been lucky with the Cooperative Bank then! I must admit, if they started ringing me up asking for my password, I might close my account just like I ended my mobile tariff...

    Robert Brook - 11th November 2005 13:24 - #

  21. Some fascinating stories and comments here, especially since there seem to be two different problems present:

    1. Service providers demanding the callee's authentication details without authenticating themselves with the customer
    2. Service providers not demanding the callee's authentication details, or at least not safeguarding them properly, before giving the callee access to private information (see comments from Simon Speight and Marc)

    The challenge-response scheme from Nuno is an excellent idea - I'll have to give it a try next time.

    Yoz - 11th November 2005 14:26 - #
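The exchange Nuno describes (and Yoz's first problem, the caller never authenticating itself) can be played through in code. This is an added example, not part of the original post or any provider's actual procedure; the dates of birth are constructed, and the three-step day/month/year split is taken from Nuno's comment. Note that the day alone is weak evidence of who is calling, since there are only 31 possible values, so the script also shows what a caller who guesses the day correctly manages to learn.

```python
"""Mutual challenge-response for a cold call, modelled on the scheme in
Nuno's comment: the caller reveals part of the customer's date of birth
before the customer reveals anything, and the year is only revealed once
the customer has answered.

Added example, not part of the original post or any provider's code.
The dates of birth below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Provider:
    """The party placing the call; only a genuine provider holds the real record."""
    dob_on_file: str  # ISO date string, e.g. "1980-07-21" (constructed)

    def __post_init__(self) -> None:
        self._dob = date.fromisoformat(self.dob_on_file)

    def opening_claim(self) -> int:
        # Step 1: show possession of the record by revealing the day only.
        # 31 possible values, so treat a wrong answer as a reason to end the
        # call rather than letting the caller try again.
        return self._dob.day

    def confirm_month(self, month: int) -> Optional[int]:
        # Step 2: the customer's month authenticates the customer to the caller.
        # Step 3: only then is the year revealed, completing mutual verification.
        if month == self._dob.month:
            return self._dob.year
        return None


@dataclass
class Customer:
    """The person answering the phone; keeps a log of everything disclosed."""
    dob: str  # ISO date string (constructed)
    disclosed: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self._dob = date.fromisoformat(self.dob)

    def respond_to_day(self, claimed_day: int) -> Optional[int]:
        # Disclose nothing until the caller has shown it already knows the day.
        if claimed_day != self._dob.day:
            return None
        self.disclosed.append(("month", self._dob.month))
        return self._dob.month

    def accept_year(self, year: Optional[int]) -> bool:
        return year is not None and year == self._dob.year


def run_call(caller: Provider, customer: Customer) -> dict:
    """Play the exchange through and report who ended up satisfied and what leaked."""
    month = customer.respond_to_day(caller.opening_claim())
    if month is None:
        # Caller failed step 1: customer hangs up having revealed nothing.
        return {"customer_satisfied": False, "caller_satisfied": False,
                "customer_disclosed": list(customer.disclosed)}
    year = caller.confirm_month(month)
    return {"customer_satisfied": customer.accept_year(year),
            "caller_satisfied": year is not None,
            "customer_disclosed": list(customer.disclosed)}


if __name__ == "__main__":
    real = "1980-07-21"
    print("genuine:", run_call(Provider(real), Customer(real)))
    print("impostor:", run_call(Provider("1975-03-04"), Customer(real)))
    print("lucky day guess:", run_call(Provider("1975-03-21"), Customer(real)))
```

The third case is the caveat Tom Price raises: a caller who gets the day right, by luck or from a leaked record, still extracts the month before being rejected, so the scheme limits exposure rather than removing it.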

  22. If you're concerned about security, I'd not recommend Vodafone either.

    PerfDave - 11th November 2005 15:45 - #

  23. I had a hilarious call from American Express last year, that went something like the following.

    Them: Hi, it's --- from American Express here. I need to check something with you, but before we do that, I need to get some verification from you. Can you give me your date of birth?

    Me: Hi - how can I be sure though that you are who you say you are though. I need you to prove to me somehow that you're calling from American Express. For example, can you give me the last 4 digits of my credit card as evidence you're calling from Amex?

    Them: Oh, I don't think so. Let me check with my supervisor. (Long pause of a couple of minutes). No, sorry I can't do that without you verifying who you are. Can you give me your date of birth?

    Me: No, sorry I'm not going to give out my date of birth to someone calling me out of the blue, without any evidence that you are actually calling from American Express. Unless you can give me the last 4 digits of my credit card, we might as well end this call.

    Them: Sorry, no I can't do that unless you verify first.

    Me: OK, well bye then!

    After I complained to them afterwards, the scary thing was that this call was only being made to SELL me car insurance! They'd outsourced this marketing campaign to a company in India, with a really bad script that gave the telemarketers no room to move.

    James - 11th November 2005 15:49 - #

  24. Sorry, going a little bit off-topic. What I'm starting to notice is a lot of these cold callers are starting to use "passing off" techniques. Had a perfect example last night. The cold caller's first words were "Hello, I'm **** from the Nationwide group". It was deliberate and blatantly obvious they were trying to make me (or any receiver of the call) think they were part of Nationwide, and I assume designed to lull the receiver into staying on the line. This has happened 5 or 6 times recently from different cold callers attempting to pass themselves off as others. It looks to me like it is a new tactic which is being used by numerous cold callers, but I have yet to read or hear about it anywhere.

    T.J. - 12th November 2005 11:30 - #

  25. Not as bad as this calling and asking for passwords, but eBay, one of the most common aliases for phishing attacks, regularly sends on unsolicited HTML emails which include only images and boilerplate legalese.

    These emails can't be "read" without fetching the images, but if you do that, the sender can gain some information about your computer (by passing it as querystring params).

    Security's hard. It's not obvious that opening an email is a potentially dangerous action.

    Jeremy Dunck - 12th November 2005 23:27 - #

  26. This is definitely a serious issue that needs looking at.

    In defence of Orange, they phoned me last week and again asked for my password. This time I told them that I have to be careful about Identity Theft etc and asked if they could tell me basically what the call was about and that I would ring Orange back to sort it out. The guy said this was perfectly acceptable, told me why they were ringing and hung up.

    However, this obviously only works if you, the customer, are aware in the first place. Companies should take a more active stance and not put the onus on us.

    Marc - 14th November 2005 14:39 - #

  27. Schneier's been banging that drum for a while.

    Jeremy Dunck - 14th November 2005 15:00 - #

  28. I was shocked recently to have a transaction receipt from Paypal encouraging me to "click here to login and check my account" What?! Shouldn't it be "If you'd like to log in and check your account, open a new browser and type in 'www.paypal.com'"? Simply unbelievable.

    Mike Purvis - 14th November 2005 17:28 - #

  29. My experience: they would not give the password (I forgot a digit) unless I gave my identity card number. But even then if my wallet was stolen, someone could impersonate me and do some risky business in my name. In any case, all these companies are dodgy: roaming, hard-selling, automation, ... Some of them even ask 1 euro 50 cents to call their support desk. This is the twilight zone anno 2005.

    Jo - 16th November 2005 03:08 - #

  30. Oh, I just love this:

    bookishboy wrote: I am fairly high up in Orange corporate (QA) ... Please remit the details of your phone: -Phone number -Phone password -Current plan -Last time you renewed -to my email address

    Sure he's probably just having a laugh, but if you plan on sending him the info, please also send me a copy. I'm writing a book on effective social engineering techniques.

    Please also send me -your bank account info -current balance -any offshore accounts you may have -and pertinent passport and visa information.

    Many thanks for your attention.

    James Mickelmann - 16th November 2005 20:11 - #

  31. Perhaps the 'security test' was to see whether or not you would give out your password to some cold caller. It sounds like you passed that test - good on you.

    mmj - 18th November 2005 01:18 - #

  32. I've had calls from HSBC, Egg and American Express along these lines. "Hi, we're from your bank - as a security check please confirm your name, password and date of birth." What's funny is that they know exactly who you are: they called you! It is interesting that Egg in particular will often persistently call you to enquire "how your account is going", while then trying to sell you insurance - neatly sidestepping both cold-calling and data protection laws. I want to see action from the telecom companies. Why can't they block my weekly marketing SMSs? Why can't they have secure, confirmed phone calls in the same way as SSL Certificates on the Internet?

    Pingu - 27th November 2005 13:54 - #

  33. Just to confirm the official line on this, Orange Customer Services does call customers to let them know of new products and services (unless the customer has asked to "opt out" of these kinds of calls). Previously, we've been made aware that - in isolated cases - customers have been asked to confirm their full password. However, we have recently revised the process to ensure customers will be asked to reveal only two letters of the password. I also note that someone on this site has advised you to give him your details and that he will raise this with Orange. I strongly advise that you do not mail your details to this person. Stuart Jackson, Orange.

    stuart - 15th December 2005 11:21 - #

  34. Regarding the comments entered by 'Bookishboy', I can confirm that Orange do not have an employee named Doug Henning working for them and we strongly advise that you do not mail your details to this person. Dave Thomas, Orange.

    Dave Thomas - 21st December 2005 12:35 - #

  35. Just so you know, Orange are still making unsolicited calls from this same number asking the same dumb "for security purposes what is your (_whole_ )password?" I must admit it made me swear. Quite a bit.

    Pepper - 13th January 2006 18:43 - #

  36. Hi, over the past 7 months of being an Orange customer I have had nothing but problems. I felt I was the only one... I am planning on writing a strong email to the CEO of Orange outlining the flaws within its company. I was wondering if you all would sign an online petition for me expressing your views and the dismay Orange have caused you, and I would be more than happy to submit this with my letter. Please email me your thoughts. Thanking you in anticipation, MR.M.Ashikali, CEO Ashikali Enterprise

    Mr M. Ashikali - 14th January 2006 20:28 - #

  37. Hi, sorry I forgot to leave you my email address; it is biffo786@btinternet.com, please feel free to contact me! Many thanks and best wishes for the new year!

    Mr.M.Ashikali - 14th January 2006 20:35 - #

  38. HSBC UK have always been quite good about this. Not so the Carphone Warehouse, who resell Vodafone service to me. Two *days* after I got my new handset last year I had someone call me and try to sell handset insurance. It had "scam" written all over it b/c they wanted all my credit card and account details prior to sending me a policy. Um, no... That's bad enough, but what's worse is this was a new account. I'd hardly even made any calls on it. So someone at CPW must have sent my details along to these guys. More recently CPW have taken to cold calling me about handset upgrades. The first time, I said I wasn't interested and could they please refrain. So by the fourth time it happened I was unfortunately getting pretty rude with them. I'm rapidly coming to the conclusion that all mobile companies (in the UK at least) are b@st@rds.

    Shaun - 18th January 2006 23:02 - #

  39. Well my Orange contract is nearing its end and I've had several calls over the last week from companies who know my contract is about to expire, but when asked they know nothing else - my name, address - nothing! Has Orange been giving these scumbags lists of numbers? I can only think so.

    Bob - 1st February 2006 23:08 - #

  40. Well here is another security risk. You call Orange, 150 billing. You know who they are and you are OK to give your [FULL] password. Now if I am sitting in a social gathering and I don't want to speak out loud, what should I do? Another one: if they want to get *secure* they also ask for your complete date of birth. Can't you just ask for the 2nd and 6th letter of your password? Or can you just confirm the year from DOB? All this randomly, so that a listening thief cannot steal your ID. Plus, for everybody who is receiving calls from Orange-related companies, TPS is the solution. http://www.tpsonline.org.uk/tps/ I registered with it and have only got 2 calls since last May, and I *TOLD* those two that I am on TPS.

    Kamran - 8th February 2006 10:43 - #
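Kamran's suggestion above, and the "only two letters of the password" process Stuart Jackson describes in comment 33, amount to a partial-password check with positions chosen fresh for each call. The script below is an added example of how that check can be implemented on the provider's side; it is not Orange's code, and the password, the two-letter challenge size and the three-failure lockout are constructed for illustration. It also shows the limit of the scheme: someone who overhears several calls gradually accumulates positions, which is why random positions need a lockout and a cap on attempts alongside them.

```python
"""Partial-password check over the phone with random positions per call.

Added example, not the page's or any provider's own code.  The password,
the number of letters asked for (two, as comment 33 describes) and the
lockout threshold are constructed for illustration.
"""
import hmac
import random
from typing import Iterable, Sequence


def choose_positions(password_length: int, k: int = 2, rng=None) -> tuple:
    """Pick k distinct 1-based positions, fresh for every call.

    Random positions mean someone listening in on one call learns only
    those letters, which is Kamran's point.  A seeded random.Random may be
    passed for tests; by default a system CSPRNG is used.
    """
    rng = rng or random.SystemRandom()
    return tuple(sorted(rng.sample(range(1, password_length + 1), k)))


def letters_at(password: str, positions: Iterable[int]) -> str:
    """The letters of the stored password at the chosen 1-based positions."""
    return "".join(password[p - 1] for p in positions)


def verify_partial(stored: str, positions: Sequence[int], spoken: str) -> bool:
    """Compare the spoken letters with the stored ones at the chosen positions.

    Case is folded because it cannot be heard on the phone; the comparison is
    constant-time so response timing does not reveal which letter was wrong.
    """
    expected = letters_at(stored, positions).casefold().encode()
    return hmac.compare_digest(expected, spoken.casefold().encode())


class PhoneVerifier:
    """Per-customer verifier: one challenge per call, lock after repeated failures."""

    def __init__(self, stored: str, k: int = 2, max_failures: int = 3, rng=None):
        self.stored = stored
        self.k = k
        self.max_failures = max_failures
        self.rng = rng
        self.failures = 0
        self.locked = False
        self.current: tuple = ()

    def challenge(self) -> tuple:
        """Positions the agent reads out: 'can I have the 2nd and 6th letters?'"""
        self.current = choose_positions(len(self.stored), self.k, self.rng)
        return self.current

    def answer(self, spoken: str) -> bool:
        """Check the caller's answer; a locked account fails even when correct."""
        if self.locked or not self.current:
            return False
        ok = verify_partial(self.stored, self.current, spoken)
        self.current = ()  # a challenge is single-use
        if not ok:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
        return ok


def positions_exposed(challenges: Iterable[Sequence[int]]) -> set:
    """Positions an eavesdropper who overheard these calls now knows the letters of."""
    return set().union(*map(set, challenges))


if __name__ == "__main__":
    v = PhoneVerifier("Tangerine")  # constructed password
    asked = v.challenge()
    print("asked for positions", asked, "->", v.answer(letters_at("Tangerine", asked)))
    print("three overheard calls expose", positions_exposed([(2, 6), (1, 6), (3, 8)]))
```

Two letters out of nine leaves seven unknown after one call, but the union of overheard challenges grows quickly, so the provider still needs the lockout and should treat the partial password as one factor among several rather than proof on its own.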

  41. Just because the number seemed like it was an internal one used by Orange doesn't mean that it was an internal employee making the call; it is possible, with enough knowledge, to change what the recipient of a call will see on his caller ID.

    Mike T - 7th June 2006 05:55 - #

  42. I have recently had a call from Vodafone who asked me for my name, address, postcode and D.O.B. (which I gave them!). I rang Vodafone and they deny it was them making the call to me. Has anyone had this experience with Vodafone?

    Trevor Irwin - 9th August 2006 19:02 - #


Previously hosted at http://simon.incutio.com/archive/2005/11/09/orange
