Well ok, so it wasn’t exactly social engineering. But what happened should be cause for concern for any major company.
The phone call went something like this…
Me: “Hi there, I’m Chris and I’m working with persons name on the project name and I don’t have a username and password to login. Can you help?”
Them: “Oh, ok, well what are you trying to do?”
Me: “Well, I’m just preparing a specifications document for the project name so we can accurately quote this and it would be helpful to see what the administration system looks like.”
Them: “Oh ok, I can give you the password…”
BAM! Within 2 minutes I had total administrative access to over 20,000 records and 10 – 20% of them have credit cards associated (in plain text! no encryption!). That’s scary! We’re going to recommend they create a standard operating procedure (SOP) that they use to verify information like this.
I was calling a major company I’ve worked with a lot (but under a separate company for most deals) and talking with someone I had never met and she wouldn’t have known my name. The person I spoke with was an assistant to an executive.
No wonder identity theft is such a problem. Anyone have a story like this?
For some background on this topic, read this great overview with some interesting stories.
2 responses to “My recent experience with social engineering”
I have often thought about this and how pathetically insecure 90% of the hosting companies and what not really are.
Most of the “hacking” that goes on is really just social engineering.
I think it all boils down to we all want to be helpful to other people and we try really hard at it and sometimes people don’t think. Some of the stories in the link were amazing. I liked the one about a CFO who hired people to infiltrate his company during his absense. They uncovered some huge security risks.