The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [71]

“E” sound so much alike that you can claim they misunderstood you again. But you have to be talking to somebody who’s a real pushover. This man wasn’t. I’d go with two.

The day codes would be my trump to get the signature card. I call, and the guy asks for a code. C he wants, and I’ve only got B and E. But it’s not the end of the world. You gotta stay cool at a moment like this, sound confident, keep right on going. Real smooth, I played him with the one about, “Somebody’s using my computer, ask me one of these others.”

We’re all employees of the same company, we’re all in this together, make it easy on the guy—that’s what you’re hoping the victim is thinking at a moment like this. And he played it right by the script. He took one of the choices I offered, I gave him the right answer, he sent the fax of the sig card.

Almost home. One more call gave me the 800 number that customers use for the automated service where an electronic voice reads you off the information you ask for. From the sig card, I had all of my target’s account numbers and his PIN number, because that bank used the first five or last four digits of the social security number. Pen in hand, I called the 800 number and after a few minutes of pushing buttons, I had the latest balance in all four of the guy’s accounts, and just for good measure, his most recent deposits and withdrawals in each.

Everything my client had asked for and more. I always like to give a little extra for good measure. Keep the clients happy. After all, repeat business is what keeps an operation going, right?

Analyzing the Con

The key to this entire episode was obtaining the all-important day codes, and to do that the attacker, Vince, used several different techniques.

He began with a little verbal arm-twisting when Louis proved reluctant to give him a code. Louis was right to be suspicious: the codes are designed to flow in the opposite direction. In the usual course of business, an unknown caller proves who he is by giving Louis a security code, not by asking Louis for one. This was the critical moment for Vince, the hinge on which the entire success of his effort depended.

In the face of Louis's suspicion, Vince simply piled on the manipulation: an appeal to sympathy ("going to the doctor"), time pressure ("I've got a stack to do, it's almost 4 o'clock"), and an implied threat ("Tell her you wouldn't give me the code"). Cleverly, Vince never actually made a threat; he only implied one: If you don't give me the security code, I won't send the customer information that your coworker needs, and I'll tell her I would have sent it but you wouldn't cooperate.

Still, let's not be too hasty in blaming Louis. After all, the person on the phone knew (or at least appeared to know) that coworker Angela had requested a fax. The caller knew about the security codes, and knew they were identified by letter designation. The caller said his branch manager was requiring it for greater security. There didn't really seem to be any reason not to give him the verification he was asking for.

Louis isn’t alone. Bank employees give up security codes to social engineers every day. Incredible but true.

There’s a line in the sand where a private investigator’s techniques stop being legal and start being illegal. Vince stayed legal when he obtained the branch number. He even stayed legal when he conned Louis into giving him two of the day’s security codes. He crossed the line when he had confidential information on a bank customer faxed to him.

But for Vince and his employer, it’s a low-risk crime. When you steal money or goods, somebody will notice it’s gone. When you steal information, most of the time no one will notice because the information is still in their possession.

MITNICK MESSAGE

Verbal security codes are equivalent to passwords: a convenient and reliable means of protecting data, but a shared secret that protects nothing once it is read out to the wrong party. Employees need to be knowledgeable about the tricks that social engineers use, and trained not to give up the keys to the kingdom.

COPS AS DUPES

For a shady private investigator or social engineer, there are
