In 2005, I worked support for a company with a mobile offering. At the time, app purchases were handled exclusively by the carrier and were completely opaque. A little while prior, we had partnered with a shady marketing company, netting us a bunch of unintentional signups that I had the displeasure of fixing.
Since we didn't handle billing, I had to call AT&T with the customer on the line and talk them both through the process of removing the charges (AT&T was feeding customers a line about not handling billing either, for some reason). After doing it a few times, I realized I could do it without the customer, all I needed was a name and a phone number.
It never came down to impersonating the customer, instead, I would just say I was calling on behalf of a customer. Once, a call got escalated to a higher support tier, with the miscommunication that I was a VP of a partner company, which made the agents more responsive, making the process easier, so I just kept reusing that line.
Eventually, I just asked, "what do I tell the next agent I have to deal with so we can just bypass all the lies?" (regarding their inability to modify billing charges). This was happily given to me, and I could now call AT&T support and say, "I'm calling for user X with number Y. I need you to go into the tool and click on Z and then remove the charge from such and such service." Again, when delivered with authority, the rep would do it, no questions asked.
It's hard to fault them, I probably would have done the same in their position. Still, it's scary knowing how little it takes to get customer service to reveal/modify things without hard verification.
I bought a Palm Pre2 last year on eBay and had to go into an AT&T store to activate it. The person helping me had a little trouble activating it, so he called AT&T support and got help so quickly without being asked stupid questions, I've been using his technique ever since.
Whenever I call tech support of a company that has physical locations, I always start with:
"Hello, my name is Kevin, I'm an associate with [company] at the [store] location. I'm trying to help a customer with [my problem] issue..."
And very quickly I'm having a conversation with someone who knows their stuff and doesn't insult my intelligence.
I learned a similar lesson working for RadioShack as a teen except with Sprint phones/service. After handling charges for upset customers I learned the ins and outs of Sprint's phone support and could basically get them to do whatever I wanted.
Needless to say I too carried a Sprint handset at the time.
Oh, Wired... you write an article about a hacker and change his name to "protect" him, but publish a photograph of his neighborhood with readable house numbers and license plates.
He was doxed a long time ago, so it's not like someone who really wants to know can't find him; they still aren't going to print the name of a minor for everyone to see.
What's really bad about stories like this is that social engineering is not new. I recall working on closing some of these types of loops at companies 10 years ago.
Yea. Kevin Mitnick wrote "The Art of Deception", which is specifically about social engineering, 10 years ago from next month. And he'd been using such techniques for decades.
When the Wired author was hacked and it was first posted here about half of us jumped on 'shoulder surfed', 'is it possible to brute force' and half a dozen decent technical explanations. I think often people are now looking for the next over the top attack and forgetting the simplest tricks are often the most successful.
You're assuming that anyone in these large organizations has enough control and pays enough attention to dictate how entire systems work. Usually it's more of a patchwork that gets developed over time by many people, none of whom sees the whole picture.
It's interesting to me how easy it is for some people to circumvent their ethics. This kid is intelligent enough to know what he's done is unethical but I've never been a teenage boy so I consider what would come with that feeling of discovering a sweet hack: a desire to use that knowledge to assert power above all costs.
I'm not sure it's so much "circumvent" as "it's not fully hooked up yet".
Ethics are intellectual, but they're grounded in a human moral sense that is rooted in biology. (For a readable start on how, de Waal's Good Natured is a good book.) When I was his age I was much more aware of mechanism than of morality. For me the motivation to hack wasn't power in the social sense; it was tinkering with systems.
It took me years for my moral sense to integrate well with my intellectual side to yield a proper system of ethics. In some ways that's still going on; the older I get, the more I have learned how to be compassionate. For me, the ethical framework is given force by very specific instances of compassion. For example, I was just looking again at Project Unbreakable:
Without incriminating myself, let's say that maybe I've seen some files belonging to other people that I shouldn't have when I was a teenager.
At the time, I justified it easily to myself - I don't care if someone sees the contents of my hard drive, so why should it be unethical for me to root through someone else's?
I'm 28, now, and a year ago my mom reminded me that I'd said that. I was pretty embarrassed at how I'd acted, and how I justified it to myself. I hope I remember that sequence of events when I have kids.
The mind of a teenage boy can be a dangerous place. They are old enough to realize the possibilities and thrills associated with what they are doing, but not experienced enough to realize the consequences of their actions. I know I was a "knucklehead" from about age 15-20. I never did anything that got me into too much trouble, but I distinctly remember that the line between right and wrong seemed much hazier than it does to me now. I only wish I could figure out a way to impress upon my kids the consequences of their actions.
Agree. I can remember vividly that same state of flux in my own life.
When my parents dropped our dialup internet (too expensive) I looked for alternative ways to get online. My 'solution' was successful and was really exciting at the time but it was also illegal. After (poorly) emulating what I had done, a friend ended up with an angry sysadmin and some cops at his door.
Obviously what I did was wrong, it was stealing. But at the time it didn't feel wrong. It was exciting, fun and interesting - unlike anything in school or sports. Not only that, but the kid who got busted was our valedictorian a few years later, arguably one of the smartest kids in school.
All of the elation associated with the hack added to the fact that I knew most people couldn't do, or even understand, what I had done, masked any feelings of guilt or culpability in my still-developing conscience.
Now I have a son on the way and I'm wondering what he will have to experience before learning these lessons and what I can do to help with that. The prospect of being a father is the happiest, most exciting thing in my life to date - and also the most terrifying.
Humans still have strong instinct. When you do something physical or violent you feel more like you're doing a lot, you feel more risk. But when you're doing something intellectual, well it just doesn't feel like it's that big a deal.
That's how a lot of young smart kids get sucked into serious crimes.
I guess I'd say that teenagers don't often have a fully developed sense of ethics. I would like to make a gross assumption and make a wild guess that Cosmo is developing ethics, along with his growing up and developing a criminal record. At least that's how the Wired article reads (& suggests) to me.
It appears the guy he hacked was not chosen at random. So why was he chosen?
If you start something like Project Honeypot and then Cloudflare does that suggest you want to play "good guys, bad guys"? It's very subjective stuff. Is that sort of "business model" inviting trouble?
Not to imply there are no "bad guys" on the web - of course there are - but who would want to play with them?
"Good guys?"
The social engineering stuff is disturbing. It makes you not want to sign up for anything online, not even web mail.
But when you run websites that purport to label internet users as "good" or "bad" based on spurious evidence and numerous inferences, are you not opening yourself up to even more attention from "bad guys"?
Is it possible to run an internet business without messing around with these types of characters?
Honest question.
As for your question, marquis, I think it's simple psychology: If you go online and assert "You can't hack me" or "Our system is hack-proof" to an audience that includes people like the teenager in the story, then it's perceived as a challenge. And as we continue to see, both of those assertions continue to be false. The Wired stories always follow the same plot: In the end, the teenager is arrested, but the damage has already been done.
Reading this reminds me of a gripe I have; is it possible to use 2-factor authentication on Gmail without a phone? You can print a list of OTPs but you can't enable it without also registering a phone number. Given how easy it is to intercept voice and SMS, that seems like a huge security hole.
The device doesn't need to be internet connected if you use the app. An iPod Touch does the job just as well as SMS, though you need to make sure the times are synchronized.
Still doesn't answer my question. It won't let me turn on 2FA without giving them a phone # that can be used (SMS or voice) to authenticate, which means anyone that can redirect my phone or capture my SMS messages (both fairly trivial in a targeted attack) can bypass 2FA.
You just have to do that once to activate 2FA. Once activated, switch to the mobile app. No one can turn it off later without having the code and password (apart from finding some flaw in the system).
This is really interesting. Makes me wonder why I bothered generating those hard-to-crack passwords if they can easily be reset by a bit of sweet-talking.
The trouble is that normal operations are often indistinguishable from social engineering.
I have worked several places where I have been told by management that something needs fixed on a web server, but they can't remember any passwords, so could I call up their ISP and just get it sorted.
In these situations, I have never had to prove anything I couldn't have faked and I usually get asked to provide an email address so they can send me the details.
As this kind of behaviour seems very common, most everything seems to be wide open for social engineering. So given that everything isn't hacked all of the time, people in general must be both much nicer and much lazier than I had otherwise assumed.
Just had a reminder of that this morning...
Was doing a bit of routine maintenance on the server at work when I noticed repeated ssh login attempts appearing in the system logs... with usernames that clearly don't exist. Tracing the source IP address sent me to Beijing somewhere, so someone there was trying a port scan and random ssh login attempts.
I've never really looked for this kind of interaction before, and I wonder just how common it is these days - but I'd say that you can now pretty much guarantee that it will happen at some stage, and you'd better hope your security is up to the task.
It is so common I'd be surprised if you weren't seeing these login attempts. Every ssh server I've run in the last 10 years has had this happen, even those without domain names. They must just scan random IPv4 addresses for anyone responding on port 22. It's the modern equivalent of wardialing.
It even happens if you just open port 22 on your home router. You can use things like fail2ban to put a short-term ban on offending addresses, and put your ssh server on a random (i.e. not 2222) high numbered port to reduce automated scans.
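The scans described in the comments above appear in the sshd log as repeated `Failed password` lines from the same source. As an added example (not written by any commenter, and not fail2ban's own code), this Python function flags addresses that reach a failure threshold inside a time window, the same idea as fail2ban's `maxretry` and `findtime` settings. The log lines, host name, users and addresses are constructed, and the default year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Sep 12 09:14:03 web1 sshd[4101]: Failed password for invalid user oracle from 203.0.113.7 port 51122 ssh2
Sep 12 09:14:09 web1 sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Sep 12 09:14:15 web1 sshd[4105]: Failed password for root from 203.0.113.7 port 51141 ssh2
Sep 12 09:20:40 web1 sshd[4120]: Failed password for deploy from 198.51.100.20 port 40022 ssh2
Sep 12 09:20:52 web1 sshd[4120]: Accepted password for deploy from 198.51.100.20 port 40022 ssh2
Sep 12 09:31:00 web1 sshd[4150]: Failed password for invalid user admin from 192.0.2.55 port 60001 ssh2
Sep 12 10:45:00 web1 sshd[4190]: Failed password for invalid user admin from 192.0.2.55 port 60002 ssh2
Sep 12 12:02:00 web1 sshd[4230]: Failed password for invalid user guest from 192.0.2.55 port 60003 ssh2
"""

# Timestamp, optional "invalid user" marker, user name, source address.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (invalid user )?(\S+) from (\S+) port \d+"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2012):
    """Return {ip: {"banned_at", "users"}} for sources with max_retry
    failed logins inside a sliding window of length find_time."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    users = defaultdict(set)      # ip -> every user name that source tried
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins and unrelated lines
        stamp, _, user, ip = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        users[ip].add(user)
        window = recent[ip]
        window.append(when)
        while when - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry and ip not in offenders:
            offenders[ip] = {"banned_at": when, "users": users[ip]}
    return offenders

if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(ip, info["banned_at"].time(), sorted(info["users"]))
```

The legitimate user who mistyped a password once and the slow source spread over hours both stay under the default window; widening `find_time` is what catches the slow one.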