Friday, August 2, 2024

Cyber Security Case Study 2

New Scam Tactics



Here is another update on social engineering techniques used by scammers on the DoorDash app. There have been several scams on the app over the past year, but I encountered a new one while dashing the other night after a long shift at work.


I would be remiss to skip the back story to this event. I have just had a whirlwind of a year, with several housing changes and employment surprises. I started travel agency work late in 2023 and had a contract in North Carolina ended suddenly by a company due to discrimination, while I was in the process of trying to recover financially. This spawned the opening of an EEOC case that would not be heard for another six months. In the meantime I was in an employment gap that, thankfully, my agency was able to shorten by getting me reassigned, albeit prematurely, to the North East region. As you already know, travel and re-establishing housing are in themselves a huge expense. I took this on in the middle of a financial crisis and relocated for the impromptu assignment. I was, needless to say, behind the eight ball. Since there is naturally a delay before the first payment of an assignment, my recurring bills piled up to the sky in the process, to the point where side jobs and gigging became necessary to cover daily food and get by. I had a few contracts come up with my business, but they were from contacts still assuming I was in the NC area, so I had to decline. At that point, the first check would probably not get me ahead at all, or even on track, but just close the gap. During this time I turned to the Dash app, having no idea what I was in for...


I have to start paying more attention to the texts and to the orders themselves. There is a lot of dialogue and text on the screen to unpack, and I tend to do this while multitasking at my main job. I found a new scam, which was embarrassing for me because I work in cyber security. Apparently DoorDash knows about it and puts a disclaimer in the authentication text it sends, but if you are flying around like I was, you likely won't read it. These people place an order, watch for when you arrive, and call you from a number that shows as DoorDash. When you answer the phone, you are asked several authentication questions to verify your account. Because this is common practice when you call DoorDash yourself, that is the first flag, and a well-concealed one. After taking this information, they confirm that you will be paid for the canceled dash and ask you to confirm the last eight digits of your DasherDirect card. The dialogue is carefully crafted; had they asked for slightly more or slightly less, I likely would have caught them even while flustered and busy.

They then trigger a few codes to be sent to your phone to authenticate your account, and ask you to read the code back to them, another thing that many companies do in fact do. After this, they tell you to check the app, where the balance should have increased to reflect pay for the canceled job. It doesn't show anything, and then they say to proceed, and that the change should show up within the next few minutes. At this point, it is highly likely that you still have not read the messages in full. And then there are the people who were under attack before DoorDash caught it.

Honestly, these kinds of issues can be further mitigated with self-authentication on the client side. Your token should be self-generated and acknowledged on your device. This eliminates the need to distinguish devices by other means and ensures the request comes from the actual user. A phone number is its own token and points to the holder of the authentic device. You should never be in a scenario where you are asked to hand over authentication information at all. By conditioning users to do this on occasion, a company lowers their guard, so that when a scammer asks, it seems like a legitimate request. I have always had an issue with this in general because it is sloppy protocol.

One thing I noted was that when I called customer support, after I had become very suspicious of the call, the two call intakes mirrored each other, and I pointed this out to the agent. I commend the fact that they released messages alerting dashers to the scam activity, but there should be protocol changes made. A few months ago, a woman was murdered because the Dash app did not protect her from a malicious user who set her up to be shot while trying to retrieve money from a customer for a ransom. She was in the dark, and the scam artist was effectively in the dark themselves. All they do is use the app as a customer and use that to launch the scam. You should not be able to authenticate absent the phone device that you use. That is your token. It is also a good idea to implement mandatory biometrics. It would be all too possible in the near future to intercept key information and authenticate on another device. If a phone number is used as a tag, a connection should be established to that phone device to complete authentication. With that strategy alone, the attack I fell victim to would never have worked.
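To make the point of the two paragraphs above concrete, here is an added Python example (written for this page, not code from the original post or from DoorDash). It contrasts the flow the scam exploits, a texted one-time code that is a transferable secret anyone can be talked into reading aloud, with a device-bound challenge-response in which the enrolled phone proves possession of a key over the exact action being authorised, so there is nothing for a caller to ask the user to read out. Device IDs, key material, action names and message formats are all constructed for illustration, and the per-device HMAC secret stands in for what a real deployment would keep as an asymmetric key in the phone's secure hardware.

```python
import hashlib
import hmac
import secrets
import time

# ----- Flow A: SMS one-time code, the flow the phone scam exploits -------------

def issue_sms_code() -> str:
    """Server generates a six-digit code and texts it to the user's number."""
    return f"{secrets.randbelow(10**6):06d}"

def verify_sms_code(expected: str, submitted: str) -> bool:
    """Whoever submits the right six digits passes: the user, or the caller
    who talked the user into reading the text message aloud."""
    return hmac.compare_digest(expected, submitted)

# ----- Flow B: device-bound challenge-response ----------------------------------

# Constructed enrollment record: one secret per enrolled device (assumption).
# A real deployment would use an asymmetric key held in the phone's secure
# hardware; HMAC is used here only so the example runs on the standard library.
DEVICE_KEYS = {"device-1234": secrets.token_bytes(32)}

def server_make_challenge(device_id, action, issued=None) -> dict:
    """Server ties a fresh nonce to the enrolled device, the exact action being
    authorised and an issue time, so a proof is useless for any other purpose."""
    return {
        "device_id": device_id,
        "action": action,
        "nonce": secrets.token_hex(16),
        "issued": int(time.time()) if issued is None else issued,
    }

def _challenge_bytes(challenge: dict) -> bytes:
    return "|".join(
        str(challenge[k]) for k in ("device_id", "action", "nonce", "issued")
    ).encode()

def device_sign(device_key: bytes, challenge: dict) -> bytes:
    """Runs inside the app on the enrolled phone. The user sees and approves
    the action text; the 32-byte proof is never displayed, so there is nothing
    for a caller to ask them to read out."""
    return hmac.new(device_key, _challenge_bytes(challenge), hashlib.sha256).digest()

def server_verify(challenge: dict, proof: bytes, now=None, max_age=120) -> bool:
    """Accepts only a proof made with the enrolled device's key over this exact
    challenge, and only while the challenge is fresh."""
    key = DEVICE_KEYS.get(challenge["device_id"])
    if key is None:
        return False
    now = time.time() if now is None else now
    if now - challenge["issued"] > max_age:
        return False
    expected = hmac.new(key, _challenge_bytes(challenge), hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)

def run_scenarios() -> dict:
    """Replays the scam against both flows. Each value is whether the attempt
    authenticated; True on an attacker row means the attack worked."""
    results = {}

    # Flow A: the caller asks the victim to read the texted code to them.
    code = issue_sms_code()
    code_read_aloud_by_victim = code  # the whole secret leaves the phone
    results["sms_code_read_aloud_passes"] = verify_sms_code(code, code_read_aloud_by_victim)

    # Flow B, legitimate use: the enrolled phone signs the challenge it was given.
    dev = "device-1234"
    ch = server_make_challenge(dev, "confirm_delivery")
    results["device_bound_legitimate"] = server_verify(ch, device_sign(DEVICE_KEYS[dev], ch))

    # Caller is not the enrolled device: no key, so no valid proof.
    attacker_key = secrets.token_bytes(32)
    ch = server_make_challenge(dev, "change_payout_card")
    results["device_bound_forged_without_key"] = server_verify(ch, device_sign(attacker_key, ch))

    # Caller relays a proof the victim made for a harmless action and tries to
    # spend it on a different one: the action is part of what was signed.
    harmless = server_make_challenge(dev, "confirm_delivery")
    victim_proof = device_sign(DEVICE_KEYS[dev], harmless)
    swapped = dict(harmless, action="change_payout_card")
    results["device_bound_action_substitution"] = server_verify(swapped, victim_proof)

    # A proof captured earlier is rejected once the challenge has aged out.
    old = server_make_challenge(dev, "confirm_delivery", issued=int(time.time()) - 600)
    results["device_bound_stale_challenge"] = server_verify(old, device_sign(DEVICE_KEYS[dev], old))

    return results

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

Running it shows the SMS row authenticating (the read-aloud code is enough) while every attacker row in the device-bound flow is rejected: without the enrolled phone there is no key, a proof cannot be moved from one action to another, and an old proof expires. The one row a scammer could still try to reach is the user approving the wrong action on screen, which is why the approval prompt must name the action in plain words, such as which card payouts are being changed to.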

Going forward, I personally will, and I encourage others to, always read the dialogue of any message carefully, no matter how long it takes. Consider all information you are asked for as sensitive. Many companies will act irritated with you for doing due diligence, but that is because they are ignorant of the cyber security dangers. Ignore that and slow it down. Your money, and even your life, can be at risk.