Telemarketing system: 7th Telemarketing Lead

« Home | 6th Telemarketing Lead - Making phone calls »

7th Telemarketing Lead - Social Engineering

Have you heard about Kevin Mitnick? He is the best example of what i call "Phone Guru"

Kevin David Mitnick (born August 6, 1963) is one of the most famous crackers to be jailed. He was arrested by the FBI on February 15, 1995. Mitnick was convicted of wire fraud and of breaking into the computer systems of Fujitsu, Motorola, Nokia, and Sun Microsystems. He served five years in prison (four years of it pre-trial), 8 months of that in solitary confinement, and was released on January 21, 2000. During his supervised release, which ended on January 21, 2003, he was restricted from using any communications technology other than a landline telephone, although occasional exceptions were granted.

Following text is from his book "Art of Deception"

A company may have purchased the best security technologies that money can buy, trained their people so well that they lock up all their secrets before going home at night, and hired building guards from the best security firm in the business.

That company is still totally Vulnerable.

Individuals may follow every best-security practice recommended by the experts, slavishly install every recommended security product, and be thoroughly vigilant about proper system configuration and applying security
patches.

Those individuals are still completely vulnerable.

It's natural to yearn for a feeling of absolute safety, leading many people to
settle for a false sense of security. Consider the responsible and loving
homeowner who has a Medico, a tumbler lock known as being pickproof,
installed in his front door to protect his wife, his children, and his home. He's
now comfortable that he has made his family much safer against intruders.
But what about the intruder who breaks a window, or cracks the code to the
garage door opener? How about installing a robust security system? Better,
but still no guarantee. Expensive locks or no, the homeowner remains
vulnerable.

Why? Because the human factor is truly security's weakest link.

Security is too often merely an illusion, an illusion sometimes made even
worse when gullibility, naiveté, or ignorance come into play. The world's
most respected scientist of the twentieth century, Albert Einstein, is quoted
as saying, “Only two things are infinite, the universe and human stupidity,
and I'm not sure about the former.” In the end, social engineering attacks can
succeed when people are stupid or, more commonly, simply ignorant about
good security practices.

As developers invent continually better security technologies, making it
increasingly difficult to exploit technical vulnerabilities, attackers will turn
more and more to exploiting the human element. Cracking the human
firewall is often easy, requires no investment beyond the cost of a phone call,
and involves minimal risk.

A CLASSIC CASE OF DECEPTION

What's the greatest threat to the security of your business assets? That's easy:
the social engineer—an unscrupulous magician who has you watching his
left hand while with his right he steals your secrets. This character is often so
friendly, glib, and obliging that you're grateful for having encountered him.

Take a look at an example of social engineering. Not many people today still
remember the young man named Stanley Mark Rifkin and his little
adventure with the now defunct Security Pacific National Bank in Los
Angeles. Accounts of his escapade vary, and Rifkin (like me) has never told
his own story, so the following is based on published reports.

Code Breaking
One day in 1978, Rifkin moseyed over to Security Pacific's authorized-personnel-
only wire-transfer room, where the staff sent and received
transfers totalling several billion dollars every day.

He was working for a company under contract to develop a backup system
for the wire room's data in case their main computer ever went down. That
role gave him access to the transfer procedures, including how bank officials
arranged for a transfer to be sent. He had learned that bank officers who
were authorized to order wire transfers would be given a closely guarded
daily code each morning to use when calling the wire room.

In the wire room the clerks saved themselves the trouble of trying to
memorize each day's code: They wrote down the code on a slip of paper and
posted it where they could see it easily. This particular November day Rifkin
had a specific reason for his visit. He wanted to get a glance at that paper.

Arriving in the wire room, he took some notes on operating procedures,
supposedly to make sure the backup system would mesh properly with the
regular systems. Meanwhile, he surreptitiously read the security code from
the posted slip of paper, and memorized it. A few minutes later he walked
out. As he said afterward, he felt as if he had just won the lottery.

There's This Swiss Bank Account...
Leaving the room at about 3 o'clock in the afternoon, he headed straight for
the pay phone in the building's marble lobby, where he deposited a coin and
dialled into the wire-transfer room. He then changed hats, transforming
himself from Stanley Rifkin, bank consultant, into Mike Hansen, a member
of the bank's International Department.

According to one source, the conversation went something like this:
“Hi, this is Mike Hansen in International,” he said to the young woman who
answered the phone.

She asked for the office number. That was standard procedure, and he was
prepared: “286” he said.
The girl then asked, “Okay, what's the code?”

Rifkin has said that his adrenaline-powered heartbeat “picked up its pace” at
this point. He responded smoothly, “4789.” Then he went on to give
instructions for wiring “Ten million, two-hundred thousand dollars exactly”
to the Irving Trust Company in New York, for credit of the Wozchod
Handels Bank of Zurich, Switzerland, where he had already established an
account.

The girl then said, “Okay, I got that. And now I need the interoffice
settlement number.”

Rifkin broke out in a sweat; this was a question he hadn't anticipated,
something that had slipped through the cracks in his research. But he managed to stay in character, acted as if everything was fine, and on the spot
answered without missing a beat, “Let me check; I'll call you right back.” He
changed hats once again to call another department at the bank, this time
claiming to be an employee in the wire-transfer room. He obtained the
settlement number and called the girl back.

She took the number and said, “Thanks.” (Under the circumstances, her
thanking him has to be considered highly ironic.)

Achieving Closure
A few days later Rifkin flew to Switzerland, picked up his cash, and handed
over $8 million to a Russian agency for a pile of diamonds. He flew back,
passing through U.S. Customs with the stones hidden in a money belt. He
had pulled off the biggest bank heist in history—and done it without using a
gun, even without a computer. Oddly, his caper eventually made it into the
pages of the Guinness Book of World Records in the category of “biggest
computer fraud.”