A Social Engineering Case from Mitnick's "The Art of Deception" (Ch.2)
Private Investigator at Work
Three calls were made by the same person: a private investigator we'll call Oscar Grace. Grace had a new client, one of his first. A lady planning on asking for a divorce from her husband but had a problem with their money and savings being moved to an unknown account. Mr Grace had to find out whereto.
The First Call: Kim Andrews
"National Bank, this is Kim. Did you want to open an account today?"
"Hi, Kim. I have a question for you. Do you guys use CreditChex?"
"Yes."
"When you phone in to CreditChex, what do you call the number you give them--is it a 'Merchant ID'?"
A pause; she was weighing the question, wondering what this was about and
whether she should answer. The caller quickly continued without missing a beat:
"Because, Kim, I'm working on a book. It deals with private investigations."
"Yes," she said, answering the question with new confidence, pleased to be helping a writer.
"So it's called a Merchant ID, right?"
"Uh huh."
"Okay, great. Because I wanted to make sure I had the lingo right. For the book. Thanks for your help. Good-bye, Kim."
The Second Call: Chris Talbert
"National Bank, New Accounts, this is Chris."
"Hi, Chris. This is Alex," the caller said. "I'm a customer service rep with CreditChex. We're doing a survey to improve our services. Can you spare me a couple of minutes?"
She was glad to, and the caller went on:
"Okay - what are the hours your branch is open for business?" She answered, and continued answering his string of questions.
"How many employees at your branch use our service?"
"How often do you call us with an inquiry?"
"Which of our 800-numbers have we assigned you for calling us?"
"Have our representatives always been courteous?"
"How's our response time?"
"How long have you been with the bank?"
"What Merchant ID are you currently using?"
"Have you ever found any inaccuracies with the information we've provided you?"
"If you had any suggestions for improving our service, what would they be?"
And:
"Would you be willing to fill out periodic questionnaires if we send them to your branch?"
She agreed, they chatted a bit, the caller rang off, and Chris went back to work.
The Third Call: Henry McKinsey
"CreditChex, this is Henry McKinsey, how can I help you?"
The caller said he was from National Bank. He gave the proper Merchant ID and then gave the name and social security number of the person he was looking for information on. Henry asked for the birth date, and the caller gave that, too. After a few moments, Henry read the listing from his computer screen.
"Wells Fargo reported NSF in 1998, one time, amount of $2,066." NSF – non sufficient funds - is the familiar banking lingo for checks that have been written when there isn't enough money in the account to cover them.
"Any activities since then?"
"No activities."
"Have there been any other inquiries?"
"Let's see. Okay, two of them, both last month. Third United Credit Union of Chicago." He stumbled over the next name, Schenectady Mutual Investments, and had to spell it. "That's in New York State," he added.
Countermeasures against Social Engineering
Kevin Mitnick, in his book
'The Art of Intrusion', gives a list of countermeasures against social engineering attacks inside the company. It is important to motivate the employees to adhere to the protocols. A series of coordinated efforts include:
- Developing clear, concise security protocols that are enforced consistently throughout the organization
- Developing security awareness training
- Developing simple rules defining what information is sensitive
- Developing a simple rule that says that whenever a requestor is asking for a restricted action (that is, an action that involves interaction with computer-related equipment where the consequences are not known), the requestor’s identity must be verified according to company policy
- Developing a data classification policy
- Training employees on ways to resist social engineering attacks
- Testing your employee’s susceptibility to social engineering attacks by conducting a security assessment
The list gives suggestions to the company - what can they do to reduce the chance of an employee (and therefore the company) becoming a victim of social engineer. What measures could there be just of the human, not technical, aspect. Also in the same book Mitnick gives guidelines to Training. From there I would bring out the following that should be indicated to any person and computer user:
- Aim to establish a sense in the trainees that they will feel foolish if manipulated by a social engineering attack after the training.
It seems strange but at the same time.. it could give an impact, a little fear of becoming the fool one to fall into the trap.
- Modify organization politeness norms — It’s okay to say “no”!
I find this an important one as I think one should really give out minimum of information concerning any kind of personal data or any passwords or codes and feel free to say "no".