The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [111]
When she calls back, he says it’s all set up, and gives her the information—her extension number and temporary password. He asks whether she knows how to change the voice mail password, and she lets him talk her through the steps, though she knows them at least as well as he does.
“And by the way,” she asks, “from my hotel, what number do I call to check my messages?” He gives her the number.
Shirley phones in, changes the password, and records her new outgoing greeting.
Shirley Attacks
So far it’s all been an easy setup. She’s now ready to use the art of deception.
She calls the customer service department of the company. “I’m with Collections, in the Cleveland office,” she says, and then launches into a variation on the by-now familiar excuse. “My computer is being fixed by technical support and I need your help looking up this information.” And she goes on to provide the name and date of birth of the person whose identity she is intent on stealing. Then she lists the information she wants: address, mother’s maiden name, card number, credit limit, available credit, and payment history. “Call me back at this number,” she says, giving the internal extension number that the voice mail administrator set up for her. “And if I’m not available, just leave the information on my voice mail.”
She keeps busy with errands for the rest of the morning, and then checks her voice mail that afternoon. It’s all there, everything she asked for. Before hanging up, Shirley clears the outgoing message; it would be careless to leave a recording of her voice behind.
And identity theft, the fastest growing crime in America, the “in” crime of the new century, is about to have another victim. Shirley uses the credit-card and identity information she just obtained, and begins running up charges on the victim’s card.
Analyzing the Con
In this ruse, the attacker first duped the company’s voice mail administrator into believing she was an employee, so that he would set up a temporary voice mailbox. If he bothered to check at all, he would have found that the name and telephone number she gave matched the listings in the corporate employee database.
The rest was simply a matter of giving a reasonable excuse about a computer problem, asking for the desired information, and requesting that the response be left on voice mail. And why would any employee be reluctant to share information with a coworker? Since the phone number that Shirley provided was clearly an internal extension, there was no reason for any suspicion.
MITNICK MESSAGE
Try calling your own voice mail once in a while; if you hear an outgoing message that’s not yours, you may have just encountered your first social engineer.
THE HELPFUL SECRETARY
Cracker Robert Jorday had been regularly breaking into the computer networks of a global company, Rudolfo Shipping, Inc. The company eventually recognized that someone was hacking into their terminal server, and that through that server the user could connect to any computer system at the company. To safeguard the corporate network, the company decided to require a dial-up password on every terminal server.
Robert called the Network Operations Center posing as an attorney with the Legal Department and said he was having trouble connecting to the network. The network administrator he reached explained that there had been some recent security issues, so all dial-up access users would need to obtain the monthly password from their manager. Robert wondered what method was being used to communicate each month’s password to the managers and how he could obtain it. The answer, it turned out, was that the password for the upcoming month was sent in a memo via office mail to each company manager.
That made things easy. Robert did a little research, called the company just after the first of the month, and reached the secretary of one manager, who gave her name as Janet. He said, “Janet, hi. This is Randy Goldstein, in Research and Development. I know I probably got the memo with this month’s password for logging