Online Book Reader


The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [6]

engineer—an unscrupulous magician who has you watching his left hand while with his right he steals your secrets. This character is often so friendly, glib, and obliging that you’re grateful for having encountered him.

Take a look at an example of social engineering. Not many people today still remember the young man named Stanley Mark Rifkin and his little adventure with the now defunct Security Pacific National Bank in Los Angeles. Accounts of his escapade vary, and Rifkin (like me) has never told his own story, so the following is based on published reports.

Code Breaking

One day in 1978, Rifkin moseyed over to Security Pacific’s authorized-personnel-only wire-transfer room, where the staff sent and received transfers totaling several billion dollars every day.

He was working for a company under contract to develop a backup system for the wire room’s data in case their main computer ever went down. That role gave him access to the transfer procedures, including how bank officials arranged for a transfer to be sent. He had learned that bank officers who were authorized to order wire transfers would be given a closely guarded daily code each morning to use when calling the wire room.

In the wire room the clerks saved themselves the trouble of trying to memorize each day’s code: They wrote down the code on a slip of paper and posted it where they could see it easily. This particular November day Rifkin had a specific reason for his visit. He wanted to get a glance at that paper.

Arriving in the wire room, he took some notes on operating procedures, supposedly to make sure the backup system would mesh properly with the regular systems. Meanwhile, he surreptitiously read the security code from the posted slip of paper, and memorized it. A few minutes later he walked out. As he said afterward, he felt as if he had just won the lottery.

There’s This Swiss Bank Account ...

Leaving the room at about 3 o’clock in the afternoon, he headed straight for the pay phone in the building’s marble lobby, where he deposited a coin and dialed into the wire-transfer room. He then changed hats, transforming himself from Stanley Rifkin, bank consultant, into Mike Hansen, a member of the bank’s International Department.

According to one source, the conversation went something like this:

“Hi, this is Mike Hansen in International,” he said to the young woman who answered the phone.

She asked for the office number. That was standard procedure, and he was prepared: “286,” he said.

The girl then asked, “Okay, what’s the code?”

Rifkin has said that his adrenaline-powered heartbeat “picked up its pace” at this point. He responded smoothly, “4789.” Then he went on to give instructions for wiring “Ten million, two-hundred thousand dollars exactly” to the Irving Trust Company in New York, for credit of the Wozchod Handels Bank of Zurich, Switzerland, where he had already established an account.

The girl then said, “Okay, I got that. And now I need the interoffice settlement number.”

Rifkin broke out in a sweat; this was a question he hadn’t anticipated, something that had slipped through the cracks in his research. But he managed to stay in character, acted as if everything was fine, and on the spot answered without missing a beat, “Let me check; I’ll call you right back.” He changed hats once again to call another department at the bank, this time claiming to be an employee in the wire-transfer room. He obtained the settlement number and called the girl back.

She took the number and said, “Thanks.” (Under the circumstances, her thanking him has to be considered highly ironic.)

Achieving Closure

A few days later Rifkin flew to Switzerland, picked up his cash, and handed over $8 million to a Russian agency for a pile of diamonds. He flew back, passing through U.S. Customs with the stones hidden in a money belt. He had pulled off the biggest bank heist in history—and done it without using a gun, even without a computer. Oddly, his caper eventually made it into the pages of the Guinness Book of World Records in the category
