The Art of Deception_ Controlling the Human Element of Security - Kevin D. Mitnick [84]

he then ran a list of commonly used passwords, such as “blank,” and “password” itself. “Password” worked. No surprise there. People just lose all creativity when it comes to choosing passwords.

Only six minutes gone, and the game was half over. He was in.

Another three minutes to very carefully add his new company, address, phone number, and contact name to the list of customers. And then for the crucial entry, the one that would make all the difference, the entry that said all items were to be sold to him at 1 percent over Honorable Auto Parts’ cost.

In slightly under ten minutes, he was done. He stopped long enough to tell Kaila thanks, he was through checking his emails. And he had reached Mike Talbot, change of plans, he was on the way to a meeting at a client’s office. And he wouldn’t forget about recommending her for that job in Marketing, either.

Analyzing the Con

The intruder who called himself Peter Milton used two psychological subversion techniques—one planned, the other improvised on the spur of the moment.

He dressed like a management worker earning good money. Suit and tie, hair carefully styled—these seem like small details, but they make an impression. I discovered this myself, inadvertently. In a short time as a programmer at GTE California—a major telephone company no longer in existence—I discovered that if I came in one day without a badge, neatly dressed but casual—say, sports shirt, chinos, and Dockers—I’d be stopped and questioned. Where’s your badge, who are you, where do you work? Another day I’d arrive, still without a badge but in a suit and tie, looking very corporate. I’d use a variation of the age-old piggy-backing technique, blending in with a crowd of people as they walk into a building or a secure entrance. I would latch onto some people as they approached the main entrance, and walk in chatting with the crowd as if I was one of them. I walked past, and even if the guards noticed I was badgeless, they wouldn’t bother me because I looked like management and I was with people who were wearing badges.

From this experience, I recognized how predictable the behavior of security guards is. Like the rest of us, they were making judgments based on appearances—a serious vulnerability that social engineers learn to take advantage of.

The attacker’s second psychological weapon came into play when he noticed the unusual effort that the receptionist was making. Handling several things at once, she didn’t get testy but managed to make everyone feel they had her full attention. He took this as the mark of someone interested in getting ahead, in proving herself. And then when he claimed to work in the Marketing department, he watched to see her reaction, looking for clues to indicate if he was establishing a rapport with her. He was. To the attacker, this added up to someone he could manipulate through a promise of trying to help her move into a better job. (Of course, if she had said she wanted to go into the Accounting department, he would have claimed he had contacts for getting her a job there, instead.)

Intruders are also fond of another psychological weapon used in this story: building trust with a two-stage attack. He first used that chatty conversation about the job in Marketing, and he also used “name-dropping”—giving the name of another employee—a real person, incidentally, just as the name he himself used was the name of a real employee.

He could have followed up the opening conversation right away with a request to get into a conference room. But instead he sat down for a while and pretended to work, supposedly waiting for his associate, another way of allaying any possible suspicions because an intruder wouldn’t hang around. He didn’t hang around for very long, though; social engineers know better than to stay at the scene of the crime any longer than necessary.

Just for the record: By the laws on the books at the time of this writing, Anthony had not committed a crime when he entered the lobby. He had not committed a crime when he used the name of a real employee. He had not