Simon Willison’s Weblog


Social engineering and Orange

9th November 2005

I had a call on my mobile earlier today from a lady claiming to be from Orange (my phone service provider) who told me that my contract was about to expire. She asked me for my password.

Alarm bells instantly went off in my head, so I told her (truthfully as it happens) that I didn’t know my password. Then she asked for my postcode instead.

At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a “security check”. I told her I was uncomfortable giving out information like this to a cold caller over the phone and she said it was nothing to worry about because it was all covered by “the data protection act”.

I said that I would rather conduct my business in an Orange shop, and she told me that she would have to put a mark on my record that I had failed a security check. I interpreted this as a threat, which convinced me that the call was an attempted con. I asked for her name and ended the call.

I e-mailed Orange customer support via their website with details of the call and the number it came from (07973 100 194, which looked like a mobile number to me and had further fuelled my suspicions). I just received their reply—the call really was from them!

Banks and other online services have learnt to repeatedly tell their customers that they will never contact them and ask for their password. Orange are leaving themselves wide open to social engineering attacks. This incredible lack of attention to basic security has given me serious second thoughts about trusting them with my business at all.

This is Social engineering and Orange by Simon Willison, posted on 9th November 2005.
