Welcome to the SecAware blog

I spy with my beady eye ...

24 Dec 2015

Air Canada phone scam takes off

If someone from Air Canada calls you about a flight booking, there's a good chance it's a social engineer trying to steal your credit card number and/or other valuable info.

I guess the scammers in this case might be calling people totally at random on the off-chance that some of them have recently booked flights on Air Canada, but given the specificity of the scam, it's more likely they are working their way through a list of Canadians who routinely travel by air, or at the very least people with Canadian phone numbers. Possibly they have discovered a way to identify specifically those people who have booked with Air Canada. Maybe the info is deliberately published on a public website or service for some reason (e.g. for passenger safety or visa checking?). Maybe Air Canada's booking systems have been compromised/hacked, or those of an intermediary such as a travel agent, booking agency, flight scheduling company, airport, loyalty card scheme, or ISP or ... well, that's the point really: there are lots of people, organizations, systems, networks and services involved in the process, all of which need to be well secured. All it takes is one teeny leak to bring the entire dam crashing down.

By the way, the same concern applies to other airlines besides Air Canada, and to many other kinds of booking systems/processes (hotel bookings, car hire etc.). In fact the fundamental security issue is much broader: virtually any situation in which someone hands over or submits online their credit card number or other info could be used by social engineers as a pretext to call or email or text them "to check a few things" or "audit the records" or "correct an error" or "re-run a failed transaction" or "run a quality check" or "do a quick customer survey" or "offer a free entry in our prize draw" or whatever. The door is wide open for creative social engineers, and don't they know it.

What makes this worse is that many organizations routinely contact their customers for legitimate reasons in ways that are practically identical to competent social engineering attacks. The savvy ones are concerned to identify the customer on the other end, typically asking personal questions ... which is of course an excellent pretext used by social engineers. Few organizations, even the good ones, consider the customer's security/privacy perspective. 

If someone claiming to represent, say, my bank or insurance company calls or emails me about something, how am I meant to determine that they are genuine? 

If I have done something recently through the bank, and if they refer to that specifically up front in the call or emails, I'm more likely to assume it is a genuine contact ... but as the Air Canada scam demonstrates, that's a rotten control. The same issue applies to phishing emails which just happen to come from a company that I've been dealing with around the same time. By sheer coincidence, there's a higher than normal probability of me swallowing the bait.

Some organizations have thought this through and have the capability for mutual authentication. A pretty good technique is to offer a 'secure messaging' facility through their websites, so on receiving an ordinary phone call or email from them, customers can authenticate the website (e.g. by checking its URL and SSL certificate), log in (i.e. identify and authenticate themselves), then access the secure messaging function to interact and deal with issues online. But social engineers can exploit that rigmarole (e.g. classic phishing emails with URLs to fake websites that capture the credentials from people who don't check the true destination), and it delays and complicates the process.

Another technique is for the organization to hold and prove ownership of a unique password for each customer, in much the same way that customers present their unique passwords at login ... but this is also vulnerable to social engineers who first make one or more calls to the organization to capture that password, then call the customer and 'authenticate' with the captured password (an example of a TOCTOU attack that exploits the time delay between Time Of Check and Time Of Use). Mutual authentication needs to be simultaneously performed in both directions, or at least in the course of a single interaction.
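The replay weakness of a fixed per-customer password, set beside a challenge-response exchange in which each side's proof is bound to fresh nonces from the same interaction. This is an added example, not part of the original post; it assumes each customer shares a secret key with the organization (say, in an app or token), and every name and value in it is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; the shared per-customer key is an assumption.
SHARED_KEY = b"constructed-demo-key"
STATIC_PASSWORD = b"blue-heron-42"


def static_accepts(presented):
    """Customer checks a fixed organization password: same answer every call."""
    return hmac.compare_digest(presented, STATIC_PASSWORD)


def prove(key, role, my_nonce, peer_nonce):
    """Response bound to both parties' fresh nonces and the prover's role."""
    msg = b"|".join([role, my_nonce, peer_nonce])
    return hmac.new(key, msg, hashlib.sha256).digest()


def accepts(key, role, prover_nonce, verifier_nonce, response):
    """Verifier recomputes the proof for this interaction's nonces only."""
    expected = prove(key, role, prover_nonce, verifier_nonce)
    return hmac.compare_digest(expected, response)


def call(org_key, customer_key, replayed_org_response=None):
    """One interaction. Returns (customer_accepts_org, org_accepts_customer)."""
    org_nonce = secrets.token_bytes(16)       # fresh per call
    customer_nonce = secrets.token_bytes(16)  # fresh per call
    org_resp = replayed_org_response or prove(org_key, b"org", org_nonce, customer_nonce)
    cust_resp = prove(customer_key, b"customer", customer_nonce, org_nonce)
    return (
        accepts(customer_key, b"org", org_nonce, customer_nonce, org_resp),
        accepts(org_key, b"customer", customer_nonce, org_nonce, cust_resp),
    )


def captured_from_earlier_call():
    """A genuine organization response from a previous call, tied to old nonces."""
    old_org, old_cust = secrets.token_bytes(16), secrets.token_bytes(16)
    return prove(SHARED_KEY, b"org", old_org, old_cust)


if __name__ == "__main__":
    print("static password, replayed:", static_accepts(STATIC_PASSWORD))
    print("genuine call:", call(SHARED_KEY, SHARED_KEY))
    print("caller replaying old proof:",
          call(b"impostor-key", SHARED_KEY, captured_from_earlier_call()))
```

The static check cannot tell a replayed password from a genuine one, whereas a proof captured in an earlier call fails because it was computed over nonces that are no longer in play.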

What worries me more is that a substantial proportion of people have absolutely no understanding of, or interest in, this issue. Many of us these days are broadly aware of identity theft in general terms, having experienced it first- or second-hand, but I seriously doubt that many appreciate just how creative, cunning and ruthless the social engineers have become, nor how easy it is to create and execute novel scams such as the Air Canada thing. The black hats have the upper hand, leaving us on the back foot. There's only so much we can do in the way of security awareness, even if we utilize social engineering techniques ourselves.



  1. This is one of the biggest crime rings and there has been so much money lost because of these phone scammers. I don't know why there are still some people who don't know about these scams. I can even find reports and warnings about them almost every day, mostly at some complaint boards like http://whycall.me and other similar sites. We should have been aware of them.

  2. Thanks Bruce. I'm happy to do my bit to spread security awareness.

    Merry Christmas from all at IsecT Ltd. The sun is out down here in New Zealand, looks like a cracking day ahead. Might even hit the beach later!