Did you read the article? The victims who've had their phone number stolen weren't the ones that fell prey to social engineering - it's the customer service people at the phone provider who are persuaded to do a port of the phone number.
Unless you operate your own phone carrier, it would be hard to avoid this attack.
How, exactly, would you prevent someone in a call center on the other side of the world from being convinced to port your number away?
Outgoing port "blocks" are nothing more than a note in your file - what's to say that the attacker couldn't just make up a story? "I know I called a while back and asked you to prevent porting, but I really want to switch to X carrier to get their exclusive new handset. Can you remove the block request, my mother's maiden name is..."
Pretending like you could prevent this sort of attack is laughable, which is why it's so dangerous.
As I said, like the DNS system: you lock the number, only allowing porting upon presentation of a secret that only you know. Default state is: locked.
I don't agree with his post. However it was clearly a reasonable position and not "unsubstantive comments and rants" as you are claiming. That is not a reasonable claim at all. Your post is unwarranted and is highly abusive. Just stop. Bullying valid minority viewpoints is not cool and does not contribute to the quality of polite rational debate and discussion.
No, you totally, utterly fail to understand the interaction here and it is you that should stop. If you want to second guess the moderation here you're on very thin ice, this is a pretty clear cut case of someone purposefully ignoring the meat of an article to stir the pot.
Note that the victims here are not party to the exchange, contrary to what is claimed in that comment, it is the call center employees of the phone company that are being social engineered into making an unauthorized change to a subscriber's record.
If you want to limit the use of the words 'social engineering' to the cases where the victims are the ones being social engineered you're ignoring about 3 decades' worth of use of the term to apply to any situation where through clever exchanges an elevated level of access was achieved to some resource or other, and those exchanges do not have to be directly with the victim.
Typical example: call the secretary from the 'IT department' to gain access to the system of the boss.
The comment in question was in poor taste by mocking victims of hacks for being stupid, and the premise of it was wrong anyway (not understanding that it's the telco customer service at fault more than the people who got hacked).
That's about as unsubstantive/low quality as comments go, and really doesn't qualify as "polite rational debate and discussion". It makes sense for a mod to step in and say something.
I must disagree with this. Monsieur Lerie clearly and specifically objects to the use of the term "social engineering". This does in fact deal with situations where naïve persons can be fooled by con artists. This is a problem in the field. A problem we are all aware of.
Denying that it is a problem is counterproductive. Denial does not address the core issues, of exploits that utilize and depend upon the naïveté of the mark.
I do not agree with him that a solution is to prevent the technologically naïve from having access to phones. Nonetheless, this is still an issue that must be addressed. Security schemes intended to protect the general market of customers must not rely upon the customer's sophistication in defense against social engineering scams. Many customers, quite reasonably, are technically naïve in some aspect or another. It is completely improper as a security protocol for mass market products to rely upon customers having enlightened opsec.
The part you are missing is that the mark is not the one being socially engineered. The attacker is getting a completely random telco to hijack the mark's phone number by socially engineering the telco. There is nothing 'the mark' can do to prevent this.
If a bad actor gets your data in a breach, the article posits that the only person that has to fall victim to any level of social engineering is the customer service rep of your cell provider or some other service you use.
So while you might be above Nigerian princes, free cruises, and the like - do you have the same faith in the as-cheap-as-possible customer service rep from your provider?
The problem is that you can socially engineer the Telecom service desk. It's not that hard. I did it when I pretended to be my dad (at his request) to switch his phone plan.