The Impersonation Intrusion Scenario
At one of the Computer Security Institute's "Meet the Enemy" seminars several years ago, there was a discussion (to put it mildly) about the ease of obtaining sensitive information about a company. One of the attendees challenged a hacker's boast about using social engineering to gather sensitive information from company staff. So the hacker gave a live demonstration. He dialed up a company and got transferred around, until he reached the help desk.
Here's the word-for-word transcript of what transpired:
"Who's the supervisor on duty tonight?"
"Oh, it's Betty. Let me talk to Betty."
"Hey Betty, having a bad day? No? You should."
"Your systems are down."
"My systems aren't down, we're running fine."
"All of my monitors here are showing that you're completely offline. Something is really wrong."
"I'm not offline."
"You better sign off." She signed off.
"Now sign on again." She signed on again.
"We didn't even show a blip, we show no change. Sign off again." She did.
"Betty, I'm going to have to sign on as you here to figure out what's happening with your ID. Let me have your user ID and password." So this senior supervisor at the help desk tells him her user ID and password.
"I'm signed on as you now and I can't see the difference. Shoot. I know what it is. Let me sign off. Now sign yourself back on again." She did.
"I know what it is. You're on day-old files. You think you're online but you're not. You're on day-old files. Do me a favor, what changes all the time? The PIN code? Pull the PIN code file, just read me off the first ten PIN codes you've got there and I'll compare them."
She was reading off the first PIN code when he hung up and said, "I told you I could."