assets his soon-to-be ex-wife was looking for? Where else but at the banking institutions the guy at CreditChex listed?
Analyzing the Con
This entire ruse was based on one of the fundamental tactics of social engineering: gaining access to information that a company employee treats as innocuous, when it isn't.
The first bank clerk confirmed the terminology to describe the identifying number used when calling CreditChex: the Merchant ID. The second provided the phone number for calling CreditChex, and the most vital piece of information, the bank's Merchant ID number. All this information appeared to the clerk to be innocuous. After all, the bank clerk thought she was talking to someone from CreditChex - so what could be the harm in disclosing the number?
All of this laid the groundwork for the third call. Grace had everything he needed to phone CreditChex, pass himself off as a rep from one of their customer banks, National, and simply ask for the information he was after.
With as much skill at stealing information as a good swindler has at stealing your money, Grace had well-honed talents for reading people. He knew the common tactic of burying the key questions among innocent ones. He knew a personal question would test the second clerk's willingness to cooperate, before innocently asking for the Merchant ID number.
The first clerk's error in confirming the terminology for the CreditChex ID number would be almost impossible to protect against. The information is so widely known within the banking industry that it appears to be unimportant - the very model of the innocuous. But the second clerk, Chris, should not have been so willing to answer questions without positively verifying that the caller was really who he claimed to be. She should, at the very least, have taken his name and number and called back; that way, if any questions arose later, she may have kept a record of what phone number the person had used. In this case, making a call like that would have made it much more difficult for the attacker to masquerade as a representative from CreditChex.
MITNICK MESSAGE
A Merchant ID in this situation is analogous to a password. If bank personnel treated it like an ATM PIN, they might appreciate the sensitive nature of the information. Is there an internal code or number in your organization that people aren't treating with enough care?
Better still would have been a call to CreditChex using a number the bank already had on record - not a number provided by the caller - to verify that the person really worked there, and that the company was really doing a customer survey. Given the practicalities of the real world and the time pressures that most people work under today, though, this kind of verification phone call is a lot to expect, except when an employee is suspicious that some kind of attack is being made.
THE ENGINEER TRAP
It is widely known that head-hunter firms use social engineering to recruit corporate talent. Here's an example of how it can happen.
In the late 1990s, a not very ethical employment agency signed a new client, a company looking for electrical engineers with experience in the telephone industry. The honcho on the project was a lady endowed with a throaty voice and sexy manner that she had learned to use to develop initial trust and rapport over the phone.
The lady decided to stage a raid on a cellular phone service provider to see if she could locate some engineers who might be tempted to walk across the street to a competitor. She couldn't exactly call the switchboard and say, "Let me talk to anybody with five years of engineering experience." Instead, for reasons that will become clear in a moment, she began the talent assault by seeking a piece of information that appeared to have no sensitivity at all, information that company people give out to almost anybody who asks.
The First Call: The Receptionist
The attacker, using the name Didi Sands, placed a call to the corporate