February 6, 2003
Kevin Mitnick - combat social engineering
Just read Pete's blog about Kevin Mitnick. The events of Kevin's life leading up to his jail time were prior to my path in technology, so it's interesting to go back and read up on it now, having some history.
I'm particularly fascinated with his comments on social engineering. I find myself going through a checklist of each person or physical barrier which would be a path into our machines and trying to determine how much work it would take for a person to get through. This story from Kevin's Slashdot answers provoked the thought:
On one occasion, I was challenged by a friend of mine to get his Sprint Foncard number. He said he would buy me dinner if I could get it. I couldn't pass up a good meal, so I phoned customer service and pretended to be from the IT department. I asked the rep if she was having any difficulties with her computer. She wasn't. I asked her the name of the system she uses to access customer accounts, to verify I was working with the right service center. She gave it to me. Immediately thereafter, I called back and got a new service rep. I told her my computer was down and I was trying to bring up a customer account. She brought it up on her terminal. I asked her for the customer's Foncard number. She started asking me a million questions: What was your name again? Who do you work for? What address are you at? You get the idea. Since I did not exercise any due diligence in my research, I just made up names and locations. It didn't work. She told me she was going to report my call to security!
Since I had her name, I briefed a friend of mine on the situation and asked him to pose as the "security investigator" so he could take a report. He called back customer service and was transferred to the woman. The "security investigator" said he received a report that unauthorized people were calling to obtain proprietary customer information. After getting the details of the "suspicious" call, the investigator asked what information the caller was after. She said the customer's Foncard number. The "investigator" asked for the number. She gave it to him. Whoops! Case closed!
And wouldn't you know it, immediately after reading this I had a user support person approach me complaining that it was inconvenient to deliver a recently reset password in person, and that it would be better, when the person called, to just give it to them over the phone. My response was noticeably sharper than normal.
Posted by mike at February 6, 2003 9:17 AM