The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [70]
Vince Capelli was a social engineer from an early age, even though he had never heard the term.
His friends stopped laughing once they all had high school diplomas in hand. While the others slogged around town looking for jobs where you didn’t have to say “Do you want fries with that?” Vince’s dad sent him off to talk to an old cop pal who had left the force to start his own private investigation business in San Francisco. He quickly spotted Vince’s talent for the work, and took him on.
That was six years ago. He hated the part about getting the goods on unfaithful spouses, which involved achingly dull hours of sitting and watching, but felt continually challenged by assignments to dig up asset information for attorneys trying to figure out if some miserable stiff was rich enough to be worth suing. These assignments gave him plenty of chances to use his wits.
Like the time he had to look into the bank accounts of a guy named Joe Markowitz. Joe had maybe worked a shady deal on a one-time friend of his, which friend now wanted to know, if he sued, was Markowitz flush enough that the friend might get some of his money back?
Vince’s first step would be to find out at least one, but preferably two, of the bank’s security codes for the day. That sounds like a nearly impossible challenge: What on earth would induce a bank employee to knock a chink in his own security system? Ask yourself—if you wanted to do this, would you have any idea of how to go about it?
For people like Vince, it’s too easy.
People trust you if you know the inside lingo of their job and their company. It’s like showing you belong to their inner circle. It’s like a secret handshake.
I didn’t need much of that for a job like this. Definitely not brain surgery. All’s I needed to get started was a branch number. When I dialed the Beacon Street office in Boston, the guy that answered sounded like a teller.
“This is Tim Ackerman,” I said. Any name would do, he wasn’t going to write it down. “What’s the branch number there?”
“The phone number or the branch number?” he wanted to know, which was pretty stupid because I had just dialed the phone number, hadn’t I?
“Branch number.”
“3182,” he said. Just like that. No, “Whad’ya wanna know for?” or anything. ’Cause it’s not sensitive information, it’s written on just about every piece of paper they use.
Step Two, call the branch where my target did his banking, get the name of one of their people, and find out when the person would be out for lunch. Angela. Leaves at 12:30. So far, so good.
Step Three, call back to the same branch during Angela’s lunch break, say I’m calling from branch number such-and-such in Boston, Angela needs this information faxed, gimme a code for the day. This is the tricky part; it’s where the rubber meets the road. If I was making up a test to be a social engineer, I’d put something like this on it, where your victim gets suspicious—for good reason—and you still stick in there until you break him down and get the information you need. You can’t do that by reciting lines from a script or learning a routine, you got to be able to read your victim, catch his mood, play him like landing a fish where you let out a little line and reel in, let out and reel in. Until you get him in the net and flop him into the boat, splat!
So I landed him and had one of the codes for the day. A big step. With most banks, one is all they use, so I would’ve been home free. Industrial Federal Bank uses five, so having just one out of five is long odds. With two out of five, I’d have a much better chance of getting through the next act of this little drama. I love that part about “I didn’t say B, I said E.” When it works, it’s beautiful. And it works most of the time.
Getting a third one would have been even better. I’ve actually managed to get three on a single call—“B,” “D,” and