Chapter 2
When Innocuous Information Isn't
What do most people think is the real threat from social engineers? What
should you do to be on your guard?
If the goal is to capture some highly valuable prize--say, a vital
component of the company's intellectual capital - then perhaps what's
needed is, figuratively, just a stronger vault and more heavily armed
guards. Right?
But in reality penetrating a company's security often starts with the bad
guy obtaining some piece of information or some document that seems so
innocent, so everyday and unimportant, that most people in the
organization wouldn't see any reason why the item should be protected
and restricted.
HIDDEN VALUE OF INFORMATION
Much of the seemingly innocuous information in a company's possession is
prized by a social engineering attacker because it can play a vital role in
his effort to dress himself in a cloak of believability.
Throughout these pages, I'm going to show you how social engineers do
what they do by letting you "witness" the attacks for yourself--sometimes
presenting the action from the viewpoint of the people being victimized,
allowing you to put yourself in their shoes and gauge how you yourself
(or maybe one of your employees or co-workers) might have responded.
In many cases you'll also experience the same events from the perspective
of the social engineer.
The first story looks at a vulnerability in the financial industry.
CREDITCHEX
For a long time, the British put up with a very stuffy banking system. As
an ordinary, upstanding citizen, you couldn't walk in off the street and
open a bank account. No, the bank wouldn't consider accepting you as a
customer unless some person already well established as a customer
provided you with a letter of recommendation.
Quite a difference, of course, in the seemingly egalitarian banking
world of today. And our modern ease of doing business is nowhere more
in evidence than in friendly, democratic America, where almost anyone
can walk into a bank and easily open a checking account, right? Well, not
exactly. The truth is that banks understandably have a natural reluctance
to open an account for somebody who just might have a history of
writing bad checks--that would be about as welcome as a rap sheet of
bank robbery or embezzlement charges. So it's standard practice at many
banks to get a quick thumbs-up or thumbs-down on a prospective new
customer.
One of the major companies that banks contract with for this information
is an outfit we'll call CreditChex. They provide a valuable service to their
clients, but like many companies, can also unknowingly provide a handy
service to knowing social engineers.
The First Call: Kim Andrews
"National Bank, this is Kim. Did you want to open an account today?"
"Hi, Kim. I have a question for you. Do you guys use CreditChex?"
"Yes."
"When you phone in to CreditChex, what do you call the number you give
them--is it a 'Merchant ID'?"
A pause; she was weighing the question, wondering what this was about
and whether she should answer.
The caller quickly continued without missing a beat:
"Because, Kim, I'm working on a book. It deals with private
investigations."
"Yes," she said, answering the question with new confidence, pleased to
be helping a writer.
"So it's called a Merchant ID, right?"
"Uh huh."
"Okay, great. Because I wanted to make sure I had the lingo right. For the
book. Thanks for your help. Good-bye, Kim."
The Second Call: Chris Talbert
"National Bank, New Accounts, this is Chris."
"Hi, Chris. This is Alex," the caller said. "I'm a customer service rep
with CreditChex. We're doing a survey to improve our services. Can you
spare me a couple of minutes?"
She was glad to, and the caller went on:
"Okay - what are the hours your branch is open for business?" She
answered, and continued answering his string of questions.
"How many employees at your branch use our service?"
"How often do you call us with an inquiry?"
"Which of our 800-numbers have we assigned you for calling us?"
"Have our representatives always been courteous?"
"How's our response time?"
"How long have you been with the bank?"
"What Merchant ID are you currently using?"
"Have you ever found any inaccuracies with the information we've
provided you?"
"If you had any suggestions for improving our service, what would they
be?"
And:
"Would you be willing to fill out periodic questionnaires if we send them
to your branch?"
She agreed, they chatted a bit, the caller rang off, and Chris went back to
work.
The Third Call: Henry McKinsey
"CreditChex, this is Henry McKinsey, how can I help you?"
The caller said he was from National Bank. He gave the proper Merchant
ID and then gave the name and social security number of the person he was looking for information on. Henry asked for the birth date, and the
caller gave that, too.
After a few moments, Henry read the listing from his computer screen.
"Wells Fargo reported NSF in 1998, one time, amount of $2,066." NSF -
non-sufficient funds - is the familiar banking lingo for checks that have
been written when there isn't enough money in the account to cover them.
"Any activities since then?"
"No activities."
"Have there been any other inquiries?"
"Let's see. Okay, two of them, both last month. Third United Credit Union
of Chicago." He stumbled over the next name, Schenectady Mutual
Investments, and had to spell it. "That's in New York State," he added.
Private Investigator at Work
All three of those calls were made by the same person: a private
investigator we'll call Oscar Grace. Grace had a new client, one of his
first. A cop until a few months before, he found that some of this new
work came naturally, but some offered a challenge to his resources and
inventiveness. This one came down firmly in the challenge category.
The hard-boiled private eyes of fiction - the Sam Spades and the Philip
Marlowes - spend long nighttime hours sitting in cars waiting to catch a
cheating spouse. Real-life PIs do the same. They also do a less written-about,
but no less important, kind of snooping for warring spouses, a
method that leans more heavily on social engineering skills than on
fighting off the boredom of nighttime vigils.
Grace's new client was a lady who looked as if she had a pretty
comfortable budget for clothes and jewelry. She walked into his office
one day and took a seat in the leather chair, the only one that didn't have
papers piled on it. She settled her large Gucci handbag on his desk with
the logo turned to face him and announced she was planning to tell her
husband that she wanted a divorce, but admitted to "just a very little
problem."
It seemed her hubby was one step ahead. He had already pulled the cash
out of their savings account and an even larger sum from their brokerage
account. She wanted to know where their assets had been squirreled away,
and her divorce lawyer wasn't any help at all. Grace surmised the lawyer
was one of those uptown, high-rise counselors who wouldn't get his hands
dirty on something messy like where did the money go. Could Grace help?
He assured her it would be a breeze, quoted a fee, expenses billed at cost,
and collected a check for the first payment.
Then he faced his problem. What do you do if you've never handled a
piece of work like this before and don't quite know how to go about
tracking down a money trail? You move forward by baby steps. Here,
according to our source, is Grace's story.
I knew about CreditChex and how banks used the outfit - my ex-wife used
to work at a bank. But I didn't know the lingo and procedures, and trying
to ask my ex would be a waste of time.
Step one: Get the terminology straight and figure out how to make the
request so it sounds like I know what I'm talking about. At the bank I
called, the first young lady, Kim, was suspicious when I asked about how
they identify themselves when they phone CreditChex. She hesitated; she
didn't know whether to tell me. Was I put off by that? Not a bit. In fact,
the hesitation gave me an important clue, a sign that I had to supply a
reason she'd find believable. When I worked the con on her about doing
research for a book, it relieved her suspicions. You say you're an author or
a movie writer, and everybody opens up.
She had other knowledge that would have helped - things like what
information CreditChex requires to identify the person you're calling
about, what information you can ask for, and the big one, what was Kim's
bank Merchant ID number. I was ready to ask those questions, but her
hesitation sent up the red flag. She bought the book research story, but she
already had a few niggling suspicions. If she'd been more willing right
away, I would have asked her to reveal more details about their procedures.
LINGO
MARK: The victim of a con.
BURN THE SOURCE: An attacker is said to have burned the source
when he allows a victim to recognize that an attack has taken place. Once
the victim becomes aware and notifies other employees or management of
the attempt, it becomes extremely difficult to exploit the same source in
future attacks.
You have to go on gut instinct, listen closely to what the mark is saying
and how she's saying it. This lady sounded smart enough for alarm bells
to start going off if I asked too many unusual questions. And even though
she didn't know who I was or what number I was calling from, still in this
business you never want anybody putting out the word to be on the look
out for someone calling to get information about the business. That's
because you don't want to burn the source - you may want to call the same
office back another time.
I'm always on the watch for little signs that give me a read on how
cooperative a person is, on a scale that runs from "You sound like a nice
person and I believe everything you're saying" to "Call the cops, alert the
National Guard, this guy's up to no good."
I read Kim as a little bit on edge, so I just called somebody at a different
branch. On my second call with Chris, the survey trick played like a
charm. The tactic here is to slip the important questions in among
inconsequential ones that are used to create a sense of believability.
Before I dropped the question about the Merchant ID number with
CreditChex, I ran a little last-minute test by asking her a personal question
about how long she'd been with the bank.
A personal question is like a land mine - some people step right over it
and never notice; for other people, it blows up and sends them scurrying
for safety. So if I ask a personal question and she answers the question
and the tone of her voice doesn't change, that means she probably isn't
skeptical about the nature of the request. I can safely ask the sought-after
question without arousing her suspicions, and she'll probably give me the
answer I'm looking for.
One more thing a good PI knows: Never end the conversation after getting
the key information. Another two or three questions, a little chat, and then
it's okay to say good-bye. Later, if the victim remembers anything about
what you asked, it will probably be the last couple of questions. The rest
will usually be forgotten.
So Chris gave me their Merchant ID number, and the phone number they
call to make requests. I would have been happier if I had gotten to ask
some questions about how much information you can get from
CreditChex. But it was better not to push my luck.
It was like having a blank check on CreditChex. I could now call and get
information whenever I wanted. I didn't even have to pay for the service.
As it turned out, the CreditChex rep was happy to share exactly the information I wanted: two places my client's husband had recently applied
to open an account. So where were the assets his soon-to-be ex-wife was
looking for? Where else but at the banking institutions the guy at
CreditChex listed?