The Importance of Out-of-Band Verification

Yesterday I received an e-mail that appeared to be from a friend. It was a short e-mail asking what I thought about the contents of a link. The first red flag was that this friend seldom e-mails me. We have other forms of communication that we use. The second red flag was the e-mail address, which was his name at a domain I wasn’t familiar with. The third red flag was the link, which went to a domain I wasn’t familiar with.

Friends asking me about content on unfamiliar domains isn’t unusual. Moreover, friends e-mailing me from unfamiliar domains isn’t without precedent, since new “privacy focused” e-mail domains pop up every day and I have friends who are interested in e-mail providers that respect their users’ privacy. I smelled a scam but wanted to make sure, so I contacted my friend through another messaging service and he confirmed that he didn’t send the e-mail.

The combination of social media with people’s general lack of security has made a lot of social information available to malicious individuals. If you want to specifically target somebody, the social information is often available to do it convincingly. Even if you’re not interested in specifically targeting somebody, the social information that is available is often complete enough that it can be fed to an automated tool that sends targeted e-mails to anybody it has information about. These types of scams can be difficult to defend against.

One method for defending against them is establishing multiple channels for communicating with your friends. Between e-mail, Signal, WhatsApp, Facebook Messenger, text messaging, Skype, XMPP, and a slew of other freely available communication tools, it’s easy to ensure that you have at least two separate means of communicating with your friends. If you receive a suspicious message that appears to be from a friend, you can use another form of communication to verify whether or not they sent it. Admittedly, such a tactic isn’t bulletproof. It’s possible for an attacker to compromise multiple communication methods. However, it’s more difficult to compromise two communication methods than to compromise one.