TMCnet News

Low-tech hacking
[January 09, 2006]

(Tampa Tribune (FL) (KRT) Via Thomson Dialog NewsEdge) Jan. 8--TAMPA -- Becoming a good con artist wasn't in Todd Snapp's career plan. But picking up the phone in his Temple Terrace office above a karate studio, Snapp dials a traveling salesman for a software company and attempts this caper:



"Hi, this is Tony Price with the computer help desk in Dallas," Snapp says. "Don't worry, you're not in trouble, we just noticed some anomalies in how you log in. Are you logged in now? Good. Just go to your computer and -- let's see -- what log-in are you using?"

After a few minutes of friendly banter, Snapp has the salesman's user name and password, and he can access the company's private network. The hapless salesman even started asking Snapp about other PC problems he was having.


Luckily, Snapp isn't a crook. He does this for a legitimate living.

The salesman's company contracted Snapp's consulting firm, Rocket Ready, to seek out security flaws such as this one. This was a "trophy call," Snapp said, and unfortunately, the trophies are alarmingly easy to steal.

In the past two years, Rocket Ready has found that about 30 percent of employees they target will unwittingly give up their company passwords to someone they think is "official."

This kind of low-tech con artistry, carried out with nothing more than a phone by criminals or nosy corporate competitors, may well be one of the biggest security vulnerabilities companies face today.

Companies large and small spend millions of dollars each year on the technical side of computer security: better firewalls, encryption and antivirus software. All worthwhile investments, security experts say. However, they too often neglect the human side of security, and old-fashioned cons pose a massive and hard-to-solve problem that no firewall addresses.

"This is a very large problem, and it's just not going away," said Brad Gross, a Miami attorney and former prosecutor who helped found a computer fraud investigation unit for the state. "High-tech hacking goes up and down, and some of the technical means have come and gone. One of the things that just remains constant is this low-tech hacking."

At worst, a well-meaning employee may show hackers how to steal data on customers or show competitors how to snoop on products in development.

Low-tech hacking methods are suspected in security breaches of the consumer database company ChoicePoint and may have allowed hackers to steal embarrassing e-mail messages from the socialite-celebrity Paris Hilton.

Although no one tracks how much money companies are losing, such low-tech hacking attacks may be a key source of the raw information used for identity theft, a crime that affects 10 million Americans, according to the Federal Trade Commission.

The Electronic Privacy Information Center in Washington suspects such methods are behind more than 40 Web sites that sell call-by-call cell phone records -- data that should only be available to the customer.

"It's just a lot easier to fool someone into giving you this information than to actually crack into a computer system," said Chris Hoofnagle, an attorney with the center.

The scope of the problem is difficult to measure, Hoofnagle said. The best cons go undetected. But during 2005, some indications arose that big companies may be receiving thousands of fraudulent calls a month.

Verizon Wireless in November filed a lawsuit against a Tampa company, Global Information Group, claiming the company made more than 5,000 calls in a four-week period to Verizon's customer service centers and impersonated Verizon employees trying to help a customer with a speech impediment. The scam was aimed at stealing account numbers and other customer data, Verizon claimed. Verizon filed a similar suit against a Tennessee company in September.

"We know the bad guys are out there," said Chuck Hamby, a spokesman for Verizon Wireless.

Officials with Global deny Verizon's claims.

Sometimes called "social engineering" or "pretext calling," the practice involves a variety of approaches. Once a client hires Rocket Ready, Snapp's team mimics tactics they think most crooks would use. Most calls seek seemingly innocuous information. But gathered together, they help make a final con appear highly realistic.

First they research a company online, gathering locations, manager names and product names. Then they seek an employee roster. (Sometimes, Rocket Ready found, receptionists are happy to e-mail them to anyone.)

With employee and location names, Rocket Ready can string together scripts to impersonate real company help-desk workers from legitimate locations and call targeted employees to "update" their information -- thereby learning how to log into secure networks.

In some cases, Snapp has duped human resource workers into registering him as a real employee, thus giving him a company voice mail and computer network account.

"I've been on company conference calls where engineers are discussing products they plan for the next year," Snapp said.

Perhaps the scariest thing Snapp has found is that targeted employees almost never report suspicious calls to upper management.

Unfortunately for security experts, crooks now have more how-to guides from which to learn these tactics.

Kevin Mitnick, one of the country's most notorious computer hackers, recently wrote two books, "The Art of Deception" and "The Art of Intrusion," with dozens of scenarios for low-tech hacking. Meant as a preventive wake-up call for security experts, the books are also, Snapp notes, wonderful training manuals for crooks.

Several online companies operate Web sites that spoof caller ID, so when a low-tech hacker calls up an employee and says, "This is Mike, from finance in Denver," the hapless employee's caller ID screen shows the real number for the real Mike in Denver. Caller ID was never designed as an authentication mechanism: the displayed number is supplied by the originating side of the call and can be set to any value, so a matching number proves nothing about who is on the line.

"There are whole books full of these tactics," said Beth Givens, a director at the Privacy Rights Clearinghouse in San Diego, a group that advocates for better protection of customers' personal information. "Reading them makes me ill, they are so realistic."

Companies can expect a lot of work to fix such vulnerabilities, especially if they operate large customer service centers with high turnover of relatively low-paid workers.

The Electronic Privacy Information Center advocates that companies invest in audit systems that record every access to customer records, along with who made it. The reasoning is that a customer's records are rarely needed more than a few times a month; if they are looked up more often than that, or by many different workers, something may be wrong and the accesses deserve a look.
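The audit-and-threshold idea above, as an added example that is not from the article or from any vendor's product: it reads a constructed access log (the line format, agent and customer identifiers are all assumptions for the sake of the example), counts lookups per customer per calendar month, and flags customers whose records were pulled more than a small threshold of times, listing which agents did the pulling so an investigator knows where to start.

```python
"""Flag customer records that are looked up unusually often in a month.

Added example, not code from the article, Rocket Ready, EPIC or any vendor.
Assumes a line-oriented access log of the form
    <ISO-8601 timestamp> <agent_id> <customer_id> <action>
which is a constructed format chosen for the example, not a real product's.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, not real data. cust0001 is pulled six
# times in November 2005 by three different agents; the others once each.
SAMPLE_LOG = """\
2005-11-01T09:12:03 agent017 cust0001 view_account
2005-11-01T09:40:11 agent017 cust0001 view_call_detail
2005-11-02T14:02:55 agent042 cust0001 view_call_detail
2005-11-03T10:15:00 agent017 cust0002 view_account
2005-11-08T11:01:22 agent099 cust0001 view_call_detail
2005-11-12T16:30:45 agent042 cust0001 view_call_detail
2005-11-15T08:05:10 agent017 cust0003 view_account
2005-11-20T13:55:31 agent042 cust0001 view_account
2005-12-01T09:00:00 agent042 cust0001 view_account
"""

# "More than a few times a month": an assumed threshold, tune it per business.
THRESHOLD = 3


def parse_log(text):
    """Parse log text into (timestamp, agent, customer, action) tuples.

    Malformed lines are skipped rather than aborting the whole run, since a
    monitoring job should keep going past one bad record.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, agent, customer, action = parts
        events.append((datetime.fromisoformat(ts), agent, customer, action))
    return events


def monthly_lookups(events):
    """Count lookups per (YYYY-MM, customer) and remember which agents did them."""
    counts = defaultdict(int)
    agents = defaultdict(set)
    for ts, agent, customer, _action in events:
        key = (ts.strftime("%Y-%m"), customer)
        counts[key] += 1
        agents[key].add(agent)
    return counts, agents


def flag_suspicious(events, threshold=THRESHOLD):
    """Return customers whose records were accessed more than `threshold`
    times in a calendar month, with the set of agents involved."""
    counts, agents = monthly_lookups(events)
    flagged = []
    for (month, customer), n in sorted(counts.items()):
        if n > threshold:
            flagged.append({
                "month": month,
                "customer": customer,
                "lookups": n,
                "agents": sorted(agents[(month, customer)]),
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{hit['month']} {hit['customer']}: {hit['lookups']} lookups "
              f"by {', '.join(hit['agents'])}")
```

A per-customer count is the check the article describes; a pretexter working through many accounts, as in the Verizon lawsuit, shows up instead as one agent (or one call-center queue) pulling an unusual number of distinct customers, so in practice the same log should be aggregated per agent as well. Either way the log has to record who performed the access, not merely that a file was opened.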

Any company with data on individuals should use systems that will not display personal data to a caller until the caller has passed several levels of authentication, based on information or tokens only the real customer would have. Such checks are only as strong as the secrecy of the answers: the seemingly innocuous details a pretexter collects in earlier calls are often those very answers, so a single question is not enough.

Other companies may need to change how they pay workers. Hoofnagle at the Electronic Privacy Information Center said companies ask for trouble if they pay call center workers (or outsourced call centers) on a per-call basis. That rewards doing whatever it takes to end a call quickly -- such as giving out information.

Tom Cash, a managing director with the corporate security firm Kroll Inc. in Miami, said he doesn't think low-tech hacks represent an epidemic, and they can be solved with common sense if companies train their workers to detect potential scams.

"Some people will just give away the store because they're trying to be friendly," Cash said. "Like Nancy Reagan said, 'Just say no' if someone asks for information you should not give out to the world."
