just kin' of Fields in Technology >>> BACK-n-FORTH <<<

Tuesday, January 18, 2011

Social Engineering : an old real case [courtesy: Art Of Deception]


Social engineering is the most damaging, practical and research-oriented hacking technique for reconnaissance on a target. In the current scenario, most security practices rest on the computational infeasibility of mathematical problems, which is what makes strong cryptographic algorithms strong.

To get around such security practices, hackers have long used 'social engineering' tactics to collect all kinds of information about the target, which is then used to break into the target's systems. This sidesteps the need to carry out rigorous cryptanalysis of the cryptographic algorithm, and it is what makes social engineering one of the most popular hacking techniques.

[courtesy, book: 'The Art of Deception']
ORIGINAL CASE STUDY

This is a real incident of social engineering. In 1978, Stanley Mark Rifkin was working under contract for Security Pacific, where he was developing a backup system for the wire room's data. This role gave him authority to access all transfer procedures. He knew that bank officers were authorized to order wire transfers, and that they used a closely guarded 'daily code' when calling the wire-transfer room.

The employees in the wire-transfer room kept a slip with that code, to be matched against the code given by a bank officer over the phone.
So, one day he went into the "Authorized Personnel Only" wire-transfer room, where the staff sent and received transfers totaling several billion dollars every day. He gave the impression that he was merely taking notes on some activities related to his work, but his real motive was to get a look at the code.

He read the code, left the room and placed a call from a pay phone in the building lobby.

He gave his name as 'Mike Hansen', a bank officer in the International Office. After confirming his identity with the stolen 'daily code', he asked the employee on the phone to transfer two hundred thousand dollars to Irving Trust Company, where he already held an account. The employee then asked him for the inter-office settlement number.

He had overlooked this requirement while preparing the fraud, but he didn't give up. He told her to expect another call from him, since he didn't remember the number.

He then called another bank department, claiming to be an employee of the wire-transfer room, and obtained the settlement number.
He called the wire-transfer room back and gave the settlement number. The employee thanked him and completed the transfer.