Inadvertent Social Engineering - It's that easy?!?

Renegade:
This is sort of bizarre, and slightly disturbing.

I have a bank account that I rarely use, and the last time was a few years ago. Anyways, they have a kind of wacky login procedure, and I'd forgotten my password. Not wanting to get locked out, I phoned after 2 attempts to have the password reset.

Now, they have security questions, and one was "what kind of account" I have. Now, I had no clue and couldn't remember. But, wiggling around enough, I was able to get what type of account it was from the person on the phone, and I wasn't even trying.

People are just so darn helpful~! ;D

TaoPhoenix:
--- Quote ---
This is sort of bizarre, and slightly disturbing.

I have a bank account that I rarely use, and the last time was a few years ago. Anyways, they have a kind of wacky login procedure, and I'd forgotten my password. Not wanting to get locked out, I phoned after 2 attempts to have the password reset.

Now, they have security questions, and one was "what kind of account" I have. Now, I had no clue and couldn't remember. But, wiggling around enough, I was able to get what type of account it was from the person on the phone, and I wasn't even trying.

People are just so darn helpful~! ;D

-Renegade (November 28, 2012, 07:34 AM)
--- End quote ---

I've come across bunches of different examples where the first part of social engineering is scary-easy. "Small towners" think "properly trained security conscious" reps aren't "friendly enough". They are used to and like that Bob at the Grocery knows them and doesn't need ID. I've caught a couple of places doing the "what is your account number" "_________" "Is your name John Smith?"

That kind of thing leaves me thinking "Really?!"

TaoPhoenix:
P.S. Bonus:

Once a fair while ago some utility customer service was giving my friend a hard time. So I borrowed the phone, threw them a bad copy of a Frank Welker bad guy neo-British voice and formal language choices and went on the attack, and then the rep backed down and fixed the problem (which I no longer recall). Heh, always end such things with "Thank you. Have a nice day." It seals the deal.

Stoic Joker:
I once socially engineered my way into a domain name registrar, a hosting company, and an ISP. All in the space of about an hour. Fortunately for the company being targeted... they had hired me to make said changes... or their web presence would have gone poof by morning.

It's just one of many hats one has to wear to be a Network/Systems Admin. People need things. These same needy people also never seem to document shit...and are always in a hurry. Which leaves you sitting on the phone with some typically disinterested support drone pretending to be any number of people in various moods. It really is mortifyingly easy.

The only company that I could not SE my way past was the folks at WatchGuard. These folks just don't screw around. It took an entire week to get that issue resolved ... But that's ok. At least I know they really are doing their job.

SeraphimLabs:
--- Quote ---
I've come across bunches of different examples where the first part of social engineering is scary-easy. "Small towners" think "properly trained security conscious" reps aren't "friendly enough". They are used to and like that Bob at the Grocery knows them and doesn't need ID. I've caught a couple of places doing the "what is your account number" "_________" "Is your name John Smith?"

That kind of thing leaves me thinking "Really?!"
-TaoPhoenix (November 28, 2012, 08:11 AM)
--- End quote ---

Just did something similar. I have two bank accounts at the same place, and needed to file a change of address form.

Well, I could only find the checkbook for one of them. So I went in and gave them the number I had, and the teller was all "Oh I see there is a business account with your name on it. Should I change that too?"

People really do get relaxed about security when there haven't been any major events. Like at the local courthouse you have to go through metal detectors and have your wallet/purse x-rayed to make sure you aren't bringing anything dangerous in.

I was sitting near the detector for a while filling out paperwork, and half the people coming into the building set off the detectors, yet they weren't re-scanned or examined. Kind of defeats the whole point of it if the sheriff's deputies operating the scanners simply ignore it when it trips.