The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [44]
Defeating the two-factor authentication of a time-based token combined with a user’s secret PIN code sounds like a challenge right out of Mission Impossible. But for social engineers, the challenge is similar to that faced by a poker player who has more than the usual skill at reading his opponents. With a little luck, when he sits down at a table he knows he’s likely to walk away with a large pile of other people’s money.
Storming the Fortress
Danny began by doing his homework. Before long he had managed to put together enough pieces to masquerade as a real employee. He had an employee’s name, department, phone number, and employee number, as well as the manager’s name and phone number.
Now was the calm before the storm. Literally. Going by the plan he had worked out, Danny needed one more thing before he could take the next step, and it was something he had no control over: He needed a snowstorm. Danny needed a little help from Mother Nature in the form of weather so bad that it would keep workers from getting into the office.
In the winter in South Dakota, where the manufacturing plant in question was located, anyone hoping for bad weather did not have very long to wait. On Friday night, a storm arrived. What had begun as snow quickly turned to freezing rain so that, by morning, the roads were coated with a slick, dangerous sheet of ice. For Danny, this was a perfect opportunity.
He telephoned the plant, asked for the computer room and reached one of the worker bees of IT, a computer operator who announced himself as Roger Kowalski.
Giving the name of the real employee he had obtained, Danny said, “This is Bob Billings. I work in the Secure Communications Group. I’m at home right now and I can’t drive in because of the storm. And the problem is that I need to access my workstation and the server from home, and I left my Secure ID in my desk. Can you go fetch it for me? Or can somebody? And then read off my code when I need to get in? Because my team has a critical deadline and there’s no way I can get my work done. And there’s no way I can get to the office—the roads are much too dangerous up my way.”
The computer operator said, “I can’t leave the Computer Center.”
Danny jumped right in: “Do you have a Secure ID yourself?”
“There’s one here in the Computer Center,” he said. “We keep one for the operators in case of an emergency.”
“Listen,” Danny said. “Can you do me a big favor? When I need to dial into the network, can you let me borrow your Secure ID? Just until it’s safe to drive in.”
“Who are you again?” Kowalski asked.
“Bob Billings.”
“Who do you work for?”
“For Ed Trenton.”
“Oh, yeah, I know him.”
When he’s liable to be faced with tough sledding, a good social engineer does more than the usual amount of research. “I’m on the second floor,” Danny went on. “Next to Roy Tucker.”
He knew that name, as well. Danny went back to work on him. “It’d be much easier just to go to my desk and fetch my Secure ID for me.”
Danny was pretty certain the guy would not buy into this. First of all, he would not want to leave in the middle of his shift to go traipsing down corridors and up staircases to some distant part of the building. He would also not want to have to paw through someone else’s desk, violating somebody’s personal space. No, it was a safe bet he wouldn’t want to do that.
Kowalski didn’t want to say no to a guy who needed some help, but he didn’t want to say yes and get in trouble, either. So he sidestepped the decision: “I’ll have to ask my boss. Hang on.” He put the phone down, and Danny could hear him pick up another phone, put in the call, and explain the request. Kowalski then did something unexplainable: He actually vouched for the man using the name Bob Billings. “I know him,” he told his manager. “He works for Ed Trenton. Can we let him use the Secure ID in the Computer Center?” Danny, holding on to the