Impressive demonstration of social engineering

Jess shows the host of Real Future what a vishing call is by taking over his mobile phone account in 30 seconds. It involves a recording of a crying baby.

Notable Replies

  1. Ericb says:

    holy crap, please tell me they contacted that phone company and gave them the name of the customer rep that fell for this. That's the equivalent of fraudulent people pretending to be a credit card company and calling old people to get them to tell them their account numbers, except I would expect a customer rep to be way more effective at realizing this is going on.

  2. The problem is cell phone companies (and other places) can't know if this is "for real" or not, and they have an interest in retaining customers, as well as reducing fraud (as they eat a lot of the fraud costs). Those two things compete. You might want fraud at 0% and not care about making password recovery easy because you remember your passwords. Many customers lose passwords, or have real crying baby while attempting to gather information issues. So fraud at 0% will result in frustrated customers leaving carrier X to go to carrier Y, while allowing the fraud rate to go up will lose fewer customers. The carrier wants to be able to help customers and keep fraud low, but zero isn't really a goal, the goal is "lower fraud rates until lowering them more would result in customer loss that costs more than the next step of fraud reduction would save".

    It sucks (if you have stuff you don't want hacked), or is cool (if you love doing a bit of social engineering).

  3. My state flagged my return a few years ago for suspected identity theft. I could understand that, I had changed jobs and e-filed and I am an extremely suspicious person. So I called up the department and took their prove it's you test... and failed.

    The first three questions were straightforward, but the fourth question was the model year of the van my ex-wife had ten years ago. Seriously. I guess 3-for-4 wasn't good enough and I flunked. The nice government agent reassured me and said he could dial up a new set of questions.

    The first three were easy. Guess what the fourth question was. I flunked twice, and missing the same question twice is apparently no excuse. I'm probably on the no-fly list now.

  4. The really stupid thing about that kind of identity authentication service (which is usually provided by a company like Equifax) is that it's based on public records. So, duh, even if you can't remember the details it is totally hackable by someone dedicated to impersonating you. All they gotta do is pull the same public records that Equifax does.

  5. I always snicker when people use terms like "social engineering, aka hacking without code" as if it's something new... "Social engineers" used to be simply called "con artists" :wink:

Continue the discussion bbs.boingboing.net
