Tuesday 15 March 2016

Phone Call Robbery

It is ironic that the greatest bank heist in history was accomplished without using a single weapon. Stanley Mark Rifkin was a computer contractor who worked for the Security Pacific National Bank in Los Angeles, which gave him access to the bank's internal transfer procedures. He learnt that bank officers who were authorised to order wire transfers were given a daily code each morning for their orders, but to save the trouble of remembering it, they would write the code on a slip of paper and post it where they could see it easily. This serious loophole in security let Rifkin run away with a large sum of money; he later recalled feeling “as if he had just won the lottery”.
On that particular November day Rifkin visited the clerk’s office and stole the authorisation code for wire transfers. Then he headed to the public phone in the lobby, called the wire room, and assumed the role of Mike Hansen, a member of the bank's International Department. According to one source, the conversation went approximately like this:
“Hi, this is Mike Hansen in International,” he said to the woman who answered the phone.
“May I have your office number?” she asked.
“It’s 286.” He had done his homework and knew that this was standard procedure.
The woman then asked, “Okay, what's the code?”
“4789,” Rifkin answered smoothly. Then he gave his order:
“Please wire ‘Ten million, two-hundred thousand dollars exactly’ to the Irving Trust Company in New York. It’s for credit of the Wozchod Handels Bank of Zurich, Switzerland.”
It seemed that everything had gone smoothly, and his Swiss bank account would soon be 10 million dollars richer. But then the woman asked him an unexpected question:
“Okay, I got that. And now I need the interoffice settlement number.”
Rifkin broke out in a sweat. What was the interoffice settlement code? This was a question he hadn’t anticipated; it was something he had missed in his research.
But he managed to stay calm and acted as if everything was fine. He said:
“Let me check; I'll call you right back.”
He changed his identity once again to call another department. This time he claimed to be someone in the wire-transfer room and asked for the settlement number in question. He obtained it easily, called the woman back, and she took the number to complete the transaction.
A few days later Rifkin flew to Switzerland to pick up his cash and exchanged it for a pile of expensive diamonds through an agency. He smuggled the diamonds back in a money belt, having pulled off the biggest bank heist in history without the use of any weapon, or even a computer.
This story shows that the weakest link in any security system is the users themselves. The people operating a system can be tricked into helping criminals through clever manipulation, which is nowadays more commonly known as social engineering. You may wonder, “How could these people be so stupid?” Well, according to The Art of Deception: Controlling the Human Element of Security (Mitnick, 2002), a social engineer usually pulls this off with the following three tactics:
1. Pretending to be someone else
Social engineers like to pretend to be someone else, especially someone who has authority over the target. In the above example, Rifkin pretended to be from the International Department when he called the wire-transfer room, because the wire-transfer staff were supposed to take orders from that department.
In order to play the role well, social engineers often research how your department or company operates before they strike, so that they can order you around with great confidence. Even when caught off guard, they do not panic. In the above story, Rifkin was asked for an interoffice settlement number he hadn’t prepared for, but he kept calm and bought himself time to find out the answer. And he succeeded.
2. Eliciting information covertly
No one would volunteer information to a suspicious caller, so social engineers often sugar-coat their intentions. They may pretend to be writing a novel or conducting a survey in order to ask for details that are useful to them. They are also good at mixing up their questions: they insert the key question among several trivial ones so that their real intention is not obvious.
3. Applying pressure
Sometimes social engineers run into people who are more alert and refuse to give out the information they want. In that case, they try to manipulate their listeners with mind games, such as guilt (e.g. “If it fails, it’ll be your fault for refusing to help.”), sympathy (e.g. “I will be blamed if you don’t help me! Please!”), or time pressure (e.g. “Come on! I have to do it by 1 pm!”). From time to time the listeners give in, because they just want to do their job and avoid trouble.
To defend yourself against such attempts, you should always be alert to anyone who tries to extract inside information from you, no matter how innocent or urgent the request looks. You should also stick to the rules under pressure, because if anything goes wrong, you will be held accountable for violating the guidelines. If you keep this in mind, you will be able to keep your information safe and protect yourself from the harm of social engineering attacks.
Reference: Mitnick, K. D., & Simon, W. L. (2002). The Art of Deception: Controlling the Human Element of Security. New York, NY: John Wiley & Sons, Inc.
