Impressive demonstration of social engineering


#1

Originally published at: http://boingboing.net/2016/12/13/impressive-demonstration-of-so.html


#2

I wonder how well Google Project FI stands up to this.


#3

think of the children!


#4

holy crap, please tell me they contacted that phone company and gave them the name of the customer rep that fell for this. That’s the equivalent of fraudulent people pretending to be a credit card company and calling old people to get them to tell them their account numbers, except I would expect a customer rep to be way more effective at realizing this is going on.


#5

The problem is cell phone companies (and other places) can’t know if this is “for real” or not, and they have an interest in retaining customers, as well as reducing fraud (as they eat a lot of the fraud costs). Those two things compete. You might want fraud at 0% and not care about making password recovery easy because you remember your passwords. Many customers lose passwords, or have real “crying baby while attempting to gather information” issues. So fraud at 0% will result in frustrated customers leaving carrier X to go to carrier Y, while allowing the fraud rate to go up will lose fewer customers. The carrier wants to be able to help customers and keep fraud low, but zero isn’t really a goal; the goal is “lower fraud rates until lowering them more would result in customer loss that costs more than the next step of fraud reduction would save.”

It sucks (if you have stuff you don’t want hacked), or is cool (if you love doing a bit of social engineering).


#6

Meanwhile when you call them with a legit problem (like you have been hacked out of your account) you can’t get shit done if you don’t remember some little detail.

The video is scary but at the same time maybe I should feel better that my wife and I have never had anything but frustration trying to deal with accounts over the phone.

So much security seems to be the equivalent of things like DRM: it only hurts the honest people.


#7

My state flagged my return a few years ago for suspected identity theft. I could understand that, I had changed jobs and e-filed and I am an extremely suspicious person. So I called up the department and took their “prove it’s you” test… and failed.

The first three questions were straightforward, but the fourth question was the model year of the van my ex-wife had ten years ago. Seriously. I guess 3-for-4 wasn’t good enough and I flunked. The nice government agent reassured me and said he could dial up a new set of questions.

The first three were easy. Guess what the fourth question was. I flunked twice, and missing the same question twice is apparently no excuse. I’m probably on the no-fly list now.


#8

Reminds me of a friend of mine way back when the Internet was young who would take over a mutual friend’s IM account because he knew him well enough that he could guess his “forgot my password” security questions. Drove him crazy that he was getting hacked all the time. I don’t think he ever figured it out.


#9

Or you’re about to be tapped for Trump’s cabinet.


#10

The really stupid thing about that kind of identity authentication service (which is usually provided by a company like Equifax) is that it’s based on public records. So, duh, even if you can’t remember the details it is totally hackable by someone dedicated to impersonating you. All they gotta do is pull the same public records that Equifax does.


#11

Are we being hacked here? For all we know that woman isn’t talking to anyone. Did the guy making the video actually verify that his password had been changed, or was he just fooled into believing she got it changed?

FWIW, what the phone company ought to do in a situation like this is send text messages to the phone no matter what. I can see them being helpful to someone who appears to be having a hard day. But at least send confirmation messages to the actual phone so in case something fishy is going on, whoever has the actual handset at least gets an alert.


#12

I always snicker when people use terms like “social engineering, aka hacking without code” as if it’s something new… “Social engineers” used to be simply called “con artists” :wink:


#13

Yarn spinners, truth embroiderers, bullshit tailors, we got them all!


#14

Yea, it started out as “cute, ironic euphemism,” but very quickly turned into “deadeyed buzzword.”


#15

Impressive demonstration of social engineering

I would have termed it “Striking example of business incompetence”.


#16

At the extremely large technology concern I work for that rep would be out the door without their feet touching the floor. Account security is THE thing for us and if you provide ANY information from the account without properly verifying the customer and they find out (by randomly listening to calls or the original customer calling in to complain) you’re gone.

It happened to a desk neighbour of mine a few weeks ago. They cut her access and HR escorted her, crying, from the building.


#17

Also grifters and Trumps.


#18

Last week I was trying to get my credit report from… Equifax, and I failed the test. I can’t recall what shirt I wore yesterday much less the random crap they asked me. :rage:


#19

I showed this video today to two friends of mine who are IT security professionals to get their reactions to it.

They had me stop the video right at the beginning part, when it is stated that Jessica spoofed the guy’s cell phone number. They then both informed me that it is an incredibly difficult feat to spoof someone’s cell number, and basically can only be done by the service provider itself.

The video glosses over the spoofing part as if it is taken for granted that anyone could do it, but it is actually the most challenging aspect of this entire hacking attempt by far, according to my friends.

