Well ok, so it wasn’t exactly social engineering. But what happened should be cause for concern for any major company.
The phone call went something like this…
Me: “Hi there, I’m Chris and I’m working with [person’s name] on the [project name] and I don’t have a username and password to log in. Can you help?”
Them: “Oh, ok, well what are you trying to do?”
Me: “Well, I’m just preparing a specifications document for the [project name] so we can accurately quote this, and it would be helpful to see what the administration system looks like.”
Them: “Oh ok, I can give you the password…”
BAM! Within 2 minutes I had total administrative access to over 20,000 records, and 10–20% of them have credit cards associated (in plain text! no encryption!). That’s scary! We’re going to recommend they create a standard operating procedure (SOP) that they use to verify requests for information like this.
I was calling a major company I’ve worked with a lot (but under a separate company for most deals), and talking with someone I had never met, who wouldn’t have known my name. The person I spoke with was an assistant to an executive.
No wonder identity theft is such a problem. Anyone have a story like this?
For some background on this topic, read this great overview with some interesting stories.