Mitnick had so many stories that entranced the people around him. I heard one second-hand of Mitnick dealing with a bank that had early voice verification software. Upon meeting the CEO he gave the executive his card and departed for the evening. Arriving back at his hotel, he called the CEO and asked him to read his phone number to him. The phone number contained all ten digits, which Mitnick had neatly tape-recorded so as to make the CEO’s voice reproducible. He then proceeded to use the bank’s vocal banking system to transfer $1 from the CEO’s account to his, as the authentication mechanism was reading out your own account number in your voice.
When Mitnick arrived back in the board room the architect of the voice verification system was crestfallen and the bank CEO delivered a check on a silver platter.
Now, how much of that tale is embellished I will never know, as it was second-hand, but that was the kind of whimsy Mitnick brought to our world.
Rest in Power.
Welcome to the American banking system.
The account number should be just an ID, not an authentication mechanism.
Right? One of the many things (and I mean this without any hate whatsoever) I simply can't and will never understand about the US. A bank account number is your mailbox for receiving money. How does that country even operate when they build those mailboxes underground?
"Okay, so you heard me type in the PIN? So now you can know my PIN?"
"Oh no", he said, "it's just beeps, like this - ", and pressed a few digits.
"Right so you typed 1 6 3 2 4, there."
"..."
"That's what you typed, isn't it?"
"Uhm... yes, how did you guess?"
"I didn't guess, I could hear the beeps. I've got a reasonable ear for pitch, so I can tell what the numbers are from the tones. Any chance you could escalate this to your manager after the call, and tell them to give me a phone if they've any questions?"
They rang me the next day, and I explained the situation to them.
Now, at least in the UK, you get transferred away from the call handler when you put your PIN in.
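The digit-from-beeps trick in the exchange above is just decoding DTMF: every keypad key is a fixed pair of tones (one from a low group, one from a high group), so anything that can hear the line can recover the digits, which is why moving PIN entry away from the call handler matters. As an added illustration that is not from the thread, this Python example constructs the tones a keypad emits for a PIN and recovers the digits with the Goertzel algorithm; it assumes 8 kHz telephone-quality audio and clean tones.

```python
import math

# Standard DTMF layout: row tones (low group) and column tones (high group) in Hz.
LOW = [697, 770, 852, 941]
HIGH = [1209, 1336, 1477, 1633]
KEYS = ["123A", "456B", "789C", "*0#D"]
RATE = 8000  # samples per second; telephone audio is 8 kHz (assumption)


def synth_digit(key, seconds=0.1):
    """Construct the two-tone waveform a keypad emits for one key (constructed input)."""
    row = next(i for i, r in enumerate(KEYS) if key in r)
    col = KEYS[row].index(key)
    n = int(RATE * seconds)
    return [0.5 * math.sin(2 * math.pi * LOW[row] * t / RATE)
            + 0.5 * math.sin(2 * math.pi * HIGH[col] * t / RATE)
            for t in range(n)]


def goertzel(samples, freq):
    """Power of a single frequency in a block of samples (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    # |y|^2 = s1^2 + s2^2 - 2cos(w)*s1*s2, exact for any frequency, not only DFT bins
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_digit(samples):
    """Pick the strongest low-group and high-group tone and map the pair to a key."""
    low = max(LOW, key=lambda f: goertzel(samples, f))
    high = max(HIGH, key=lambda f: goertzel(samples, f))
    return KEYS[LOW.index(low)][HIGH.index(high)]


def decode_sequence(keys):
    """Round trip: synthesise each key press, then decode it from audio alone."""
    return "".join(decode_digit(synth_digit(k)) for k in keys)


if __name__ == "__main__":
    # The PIN from the call above, recovered purely from the tones.
    print(decode_sequence("16324"))
```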
(Using a check, the very infrastructure we’ve been talking about!!)
Finally, I know that passphrase is tied to my phone number. It’s not perfect, but it is as good as any other consumer bank’s system.
I don’t recommend Schwab but my accounts are as secure as any.
The phone number contains all the digits needed to recreate the bank account number?
He somehow has the bank account number?
He meets the CEO (despite just being a security consultant) and gives his report to the board of directors?! That is not how companies usually work, especially the board part.
Check on a silver platter? Architect of the voice system is brought into the room with the board to be humiliated? This reads like something a 13 year old would dream up (nothing against OP; maybe someone, even Mitnick, really did claim this happened).
The tale is absolutely embellished if it has any truth at all.
He calls the CEO to ask a "personal question" so as to skip the assistant, asks something innocent, then lets the CEO know he has a new number and provides a fake number. He asks the CEO to confirm he heard the number correctly, but it's a bad line, so speak clearly please.
The "new phone number" has all the digits of the bank account he's trying to hack. The account is likely the account number that he's being paid for the consultancy work with. He could have got this simply by asking to confirm which account he'd be paid from, to confirm the transaction.
He is asked to report his review of the new security system to the board (given it was a large investment by the Bank, or just the wrong word used) and the architect would of course be invited to his own project's review?
The board then asked Mitnick to design a new system and said that cost wouldn't be an issue.
That all seems pretty easy to put together?
Being able to login if you have the bank account number is still a pretty big flaw.
If you are a bank, your security threat model should assume that a hacker has access to somebody's account number and basic personal details.
Particularly for a high profile/value account, you can see how it might be possible to get soundclips of them saying the numbers 1 to 9 (see: https://www.youtube.com/watch?v=xWcldHxHFpo)
If he's a customer of the bank, then it had better be a very small bank or I'm also skeptical.
> the authentication mechanism was reading out your own account number in your voice
That's the most suspect part of it to me - even vulnerability to malicious attack like this aside, who would think that's a good idea or going to work well?
What percentage of people could successfully use a voice assistant to make a note of their bank account number the first time? Never mind have it determine that it was indeed their voice and not someone else's.
Using just one's voice is bad. Using a phrase is better. Using a phrase that is unique and describes its function may set off alarm bells for some.
I never connected the phrase with Sneakers.
Getting a phone number with all the necessary digits is a bit of a stretch, but not impossible. And I would suspect, because this is the way phone systems generally work, that there was no bound on the number of attempts to enter the account number. Account numbers are all the same length, so you know exactly how many characters to input, it's just a matter of brute forcing the number--and for all I know, there may be some kind of structure that Mitnick found out.
Meeting with the board sounds like an embellishment for sure, especially for Mitnick's initial report, but I could definitely see--especially if someone was looking for a big chunk of money to strengthen the system--the report eventually being given to them.
The check on the silver platter is the most believable part of the story. Have you ever met a CEO? And why wouldn't the architect of the system be there to receive the report on the security of the system? Who else should be there?
For me, the only truly unbelievable part of this story is that he needed the CEO's voice at all. And for all we know, he just said he recorded the CEO's voice for a laugh.
If you've already identified a security system that has this vulnerability, you get a phone number with all these digits and begin shopping for any institutions that bought that system.
Mitnick's social engineering really formed me. And I did all sorts of nefarious stuff in the 80s, from mapping the 411 call centers to the tape vending machine hack and other phreaking, as I had an original Captain Crunch whistle too (not a hack), but there was a bunch of easy fraud to be had with “calling cards” back in the day.
The IT person easily figured out it was me and then tricked me into thinking I would be expelled within days. She pulled me out of class, told me such in the hallway, let me return to class where I held in tears until the end of the day.
Nothing happened and the school year ended a few weeks later. Towards the end of the summer I realized it had been a bluff and I wouldn’t be punished. It took me a few years to realize how much of a favor that all was! The county school code of conduct clearly said cybercrime was punishable by expulsion, so she could have absolutely put me in some kind of hell. The fear set me straight hah.
Bank account numbers are written on the bottom of checks along with the routing code. If you have a check from them, you have their checking account number.
Phone numbers are ten digits long. So a number like (213)485-7690 contains all digits from 0 to 9. Caller ID spoofing is trivial even back then. For example, you could ANI fail to a calling card system which would drop you to an operator. Then you just tell them the number you're "calling from" and that number would show up as your Caller ID and ANI.
Using voice authentication is pretty stupid but, iirc, at least one US bank still does something similar. That said, I imagine part of the authentication was probably caller ID based. This was/is also why voicemail systems don't prompt you for a PIN when you call them from your own phone - they use caller ID for authentication.
Random number, legit area code. Unless you are looking for all 10 digits, pretty easy social hack
Ahem.
https://www.theguardian.com/money/2018/sep/22/voice-recognit...
But that's pretty easy. Sorry I didn't catch that could you do it one number at a time?
CEO interest is piqued. Gives him a business card, let's talk soon.
Then on the call,
KM: what is your checking account number?
CEO: that's private
KM: it's printed on every personal check you write, so definitely not private
CEO: ok, good point, #######
KM: great, now tell me the numbers on the card I gave you
CEO: your phone number?
KM: yes
CEO: ok, ########
KM: ok I think I have what I need
CEO: really? that's it?
KM: yep, let me get to work, we'll talk soon
Kind of like when your company has a security presentation about this new "report phishing button" in your email and you suddenly see this weird phishing-like email come through a few hours later. Hopefully you connect the dots.
"Sorry, no 54, five-four."
"You said five ... four?"
"Yes, five ... four."
Doing the thing you want people to do is actually a pretty good strategy.
Recognizing when people are employing this strategy on you and intentionally not doing the thing is good fun too.
I only send and receive money with Google/Apple Pay & PayPal at this point. This flow is reasonable (every transaction is authorised in a trusted location (ie: PayPal). Further transactions are impossible without additional authorization). It boggles my mind that banks & CC companies haven't made some standard for this. Would save them so much money in fraud protection.
Oh that’s easy enough. If they need a PIN it’s actually being run as a debit card over the debit card network. Otherwise it’s being run as a “check card” over the credit card network (with higher fees and better consumer protections). It’s just backed with money instead of a line of credit.
> Why do online stores need my name and address, but IRL ones do not?
IRL stores have access to the actual card (with your name) and having this artifact present makes it much less likely that you are a fraudulent fraudster committing fraud, so the processors are willing to take it.
> How can restaurants swipe my card now and charge me later?
the good news is if the store ever defrauds you, everyone knows where to find the store! Unlike fraudsters making purchases.
Similar. I wrote a program to emulate the logon text on a PDP-11 terminal in high school in the mid-80s and steal a bunch of student passwords. Didn't do anything with them. They were like "trophies."
Nevertheless, the computer teacher found out and had mercy on me. He gave me a project to work on to help him compile stats on a student survey. He was a nice guy.
edit for clarity.
It's incredibly easy (still) to do certain kinds of "social engineering". Terms like "psychological sleight-of-hand" can sometimes make it a little clearer how humans just have blind spots - ways our perception works and doesn't. And, people who are used to being VERY "in control", intelligent / experienced (compared to others in room), etc., can sometimes be the easiest to manipulate in certain ways.
But, really, it boils down, sometimes, to something as simple as "how long can you keep a person talking?" Mitnick was probably in a good position to do these sorts of things - assuming the story is from after he "turned White Hat". And, in this case, the even simpler deal with the numbers is something like "oh, shoot, I had a misprint on old cards, did I give you the right one? What's the phone number on it?" Drop something abruptly like that, at some random point in a conversation, most people wouldn't think twice... Even if their current context involves a heavy dose of thinking about voices and numbers. They might easily enough realize in the morning, but, too late, by then. Further, getting bank account numbers is not necessarily hard either. Could even be as simple as "dumpster diving", back then. Did the CEO always shred every single document, with a "secure shredder" (as much as that's possible) when home? Or maybe burn everything, always?
And, in any case, you're even mixing up aspects of the story. The phone number isn't the bank account digits, it's just all the numbers from 0 through 9 (you can even get one twice, for a 10-digit [w/ area code] number).
I propose that your sureness in dismissing this story, misapprehensions about it, etc., make you an unwittingly "good mark."
Yeah, I remember watching "Freedom Downtime" as a teenager and thinking how ludicrous it was that he was sentenced to prison for computer hacking, but now that I think about it as an adult, of course he should have been. Sure, solitary confinement, the specifics of his sentence, etc. may have been extreme, and I'd like to think that the court system has progressed in their knowledge of computer security since then, but what he did was still a breach of corporate security. He knew at the time it was illegal, and he just thought he was too smart to get caught.
That idea that we had at the time that it was a "victimless crime" or something was very immature.
I imagine that the mission parameters were that he take a check and remove money from the account.
It would also make sense that this is the CEO's account, or one he also controls, because he's in on the test and can give informed consent. Also, probably the CEO doesn't have any special access so breaking into his identity wouldn't impact the bank the way breaking into the IT manager's account might.
If this was a fake account (one with no real user) then they wouldn't have discovered this flaw because Mitnick couldn't have called the user. Having a real person be exploitable is essential to proper discovery of the full scope of the problems.
I don't disagree it's likely all bullshit, but if you're going to post snarky, nitpicking comments at least make sure you're understanding what was communicated. It makes it all too easy to dismiss any valid points you may have when there are such fundamental flaws.
I came to a similar conclusion regarding the implementation of the attack. The scenario in my head was slightly different, but very similar (still includes a new number):
Kevin provides his business card and sets up a meeting with the CEO to report on his progress (or whatever). When the CEO calls at the scheduled time - Kevin doesn't answer. Sometime later Kevin calls the CEO and apologizes for missing the call, and explains that he didn't see any missed calls.
At that point the CEO explains that he tried to call, and even left a message. Kevin has a sudden flash of insight and realizes that he may have given the CEO one of his old business cards.
"What's the phone number on the business card I gave you? I'm wondering if I've been handing out my old business cards to people... that would actually explain a lot." (presumably the phone number on the business card in question would include digits 0-9 in a not-super-obvious way)
The CEO reads back the phone number on the card and Kevin slaps his forehead because that is in fact the wrong business card. Kevin gives the CEO his new number, and they finish the scheduled meeting. On future calls the CEO is able to contact Kevin using the new number, which lends credence to the attack.
Often you need one type for basic access (see balance), two for an actual transfer, three for say, transferring a million dollars. This may be something that people like Mitnick proved were necessary.
It was just a simple QBASIC program (that's all that was available on the Computer Room machines) running under my own login, which would write usernames and passwords to a text file in my user directory. I figured that I'd harvest a few passwords until someone got frustrated enough to call for the IT admin, at which point he would try to log in and reboot the PC when it failed, apparently "fixing" the problem and erasing any evidence of my dastardly crime.
I was right, and for a few glorious days I got away with it... until one particular arsehole picked on my best friend during recess, and I used his stolen credentials to log into his account and trash his files.
Long story short, I ended up getting expelled, which by a curious confluence of events put me on an unorthodox path that completely changed my life. Funny how things turn out.
Ergo my "welcome to the American banking system".
This was precisely my logic as well.
> put me on an unorthodox path that completely changed my life.
Hopefully it was a happy path!