zlacker

1. educti+(OP) 2023-07-20 12:52:28
He has the CEO’s number and successfully calls him, and through some miracle gets through directly to ask this trivial question — as opposed to getting the number from the assistant who answers his phone - sure ok but then under what pretense does he then ask him to repeat his phone number? “Please repeat the phone number I just dialed.”

The phone number contains all the digits needed to recreate the bank account number?

He somehow has the bank account number?

He meets the CEO (despite just being a security consultant) and gives his report to the board of directors?! That is not how companies usually work, especially the board part.

A check on a silver platter? The architect of the voice system is brought into the room with the board to be humiliated? This reads like something a 13 year old would dream up (nothing against OP; maybe someone, even Mitnick, really did claim this happened).

The tale is absolutely embellished if it has any truth at all.

2. morito+o1 2023-07-20 13:00:26
>>educti+(OP)
Mitnick could have been hired as an advisor for their system, personally by the CEO.

He calls the CEO to ask a "personal question" so as to skip the assistant, asks something innocent, then lets the CEO know he has a new number and provides a fake number. He asks the CEO to confirm he heard the number correctly, but it's a bad line, so speak clearly please.

The "new phone number" has all the digits of the bank account he's trying to hack. The account is likely the account number that he's being paid for the consultancy work from. He could have got this simply by asking to confirm which account he'd be paid from, to confirm the transaction.

He is asked to report his review of the new security system to the board (given it was a large investment by the Bank, or just the wrong word used) and the architect would of course be invited to his own project's review?

The board then asked Mitnick to design a new system and said that cost wouldn't be an issue.

That all seems pretty easy to put together?

3. Closi+N1 2023-07-20 13:03:07
>>educti+(OP)
> He somehow has the bank account number?

Being able to login if you have the bank account number is still a pretty big flaw.

If you are a bank, your security threat model should assume that a hacker has access to somebody's account number and basic personal details.

Particularly for a high profile/value account, you can see how it might be possible to get soundclips of them saying the numbers 1 to 9 (see: https://www.youtube.com/watch?v=xWcldHxHFpo)

4. jvande+o2 2023-07-20 13:06:12
>>educti+(OP)
If you're dealing with the bank in a security-consultant capacity, then these kinds of requests would be both intriguing and informative.

If he's a customer of the bank, then it had better be a very small bank or I'm also skeptical.

5. thesui+u5 2023-07-20 13:23:19
>>educti+(OP)
He was already meeting with the CEO in some capacity, so it's very clear he had access to the CEO, maybe as a security consultant. Then getting him to read the number is easy, "Hey, I just got a new cell, but I might have given you my old card, can you read the number back to me?"

Getting a phone number with all the necessary digits is a bit of a stretch, but not impossible. And I would suspect, because this is the way phone systems generally work, that there was no bound on the number of attempts to enter the account number. Account numbers are all the same length, so you know exactly how many characters to input, it's just a matter of brute forcing the number--and for all I know, there may be some kind of structure that Mitnick found out.

Meeting with the board sounds like an embellishment for sure, especially for Mitnick's initial report, but I could definitely see--especially if someone was looking for a big chunk of money to strengthen the system--the report eventually being given to them.

The check on the silver platter is the most believable part of the story. Have you ever met a CEO? And why wouldn't the architect of the system be there to receive the report on the security of the system? Who else should be there?

For me, the only truly unbelievable part of this story is that he needed the CEO's voice at all. And for all we know, he just said he recorded the CEO's voice for a laugh.

6. mekoka+06 2023-07-20 13:26:38
>>educti+(OP)
I understood it as him (Mitnick) asking his own phone number back. "Did I give you my card earlier? Is it the new card? I don't recall. Which number does it have?"

If you've already identified a security system that has this vulnerability, you get a phone number with all these digits and begin shopping for any institutions that bought that system.

7. samsta+h8 2023-07-20 13:36:37
>>educti+(OP)
The 80s was a helluva drug.

Mitnick's social engineering really formed me. And I did all sorts of nefarious stuff in the 80s, from mapping the 411 call centers, to the tape vending machine hack and other phreaking, as I had an original Captain Crunch whistle too. Not a hack, but there was a bunch of easy fraud to be had with "calling cards" back in the day.

8. stuff4+B8 2023-07-20 13:38:57
>>educti+(OP)
This is the 90's and early 2000's. We didn't have the security processes and checks like we do nowadays. I worked for a bank right after the dot-com crash and was in charge of their internet banking web presence. I was witness to other employees passing around CDs and printouts containing the private information of hundreds, maybe thousands of customers. This was the era when your SSN was your userid. So these CDs contained SSNs, names, addresses, bank account numbers, passwords (not even encrypted, much less salted), etc. I moved into a new cubicle one time and saw these CDs just left over. It was a free-for-all for people like Kevin Mitnick.
9. breeze+Vm 2023-07-20 14:39:19
>>educti+(OP)
He was pretty famous when he started doing security consulting so it doesn't seem like a stretch to me.

Bank account numbers are written on the bottom of checks along with the routing code. If you have a check from them, you have their checking account number.

Phone numbers are ten digits long. So a number like (213)485-7690 contains all digits from 0 to 9. Caller ID spoofing is trivial even back then. For example, you could ANI fail to a calling card system which would drop you to an operator. Then you just tell them the number you're "calling from" and that number would show up as your Caller ID and ANI.

Using voice authentication is pretty stupid but, iirc, at least one US bank still does something similar. That said, I imagine part of the authentication was probably caller ID based. This was/is also why voicemail systems don't prompt you for a PIN when you call them from your own phone - they use caller ID for authentication.

10. outeri+Ym 2023-07-20 14:39:31
>>thesui+u5
213-954-8607

Random number, legit area code. Unless you are looking for all 10 digits, pretty easy social hack

11. outeri+cn 2023-07-20 14:40:29
>>Closi+N1
basically anyone that has gotten a check from me has my checking account number...
12. psychp+dx 2023-07-20 15:18:53
>>outeri+Ym
Yeah, the only worry is someone saying "nine fifty-four". And you don't catch 5.

But that's pretty easy. Sorry I didn't catch that could you do it one number at a time?

13. conduc+by 2023-07-20 15:22:01
>>educti+(OP)
He probably gained the CEO's trust at some point. Something like "I bet I can break into your personal bank account given public info?"

CEO interest is piqued. Gives him a business card, let's talk soon.

Then on the call,

KM: what is your checking account number?

CEO: that's private

KM: it's printed on every personal check you write, so definitely not private

CEO: ok, good point, #######

KM: great, now tell me the numbers on the card I gave you

CEO: your phone number?

KM: yes

CEO: ok, ########

KM: ok I think I have what I need

CEO: really? that's it?

KM: yep, let me get to work, we'll talk soon

14. AlecSc+Cy 2023-07-20 15:23:18
>>educti+(OP)
I read it as he asked the CEO to repeat the number that Mitnick had given him earlier to ensure that it was correct.
15. mywitt+uD 2023-07-20 15:42:51
>>morito+o1
It's also possible that the CEO knew what Mitnick was getting at and played along to a degree.

Kind of like when your company has a security presentation about this new "report phishing button" in your email and you suddenly see this weird phishing-like email come through a few hours later. Hopefully you connect the dots.

16. mywitt+FE 2023-07-20 15:47:53
>>psychp+dx
"Was that sixty four, as in six-four?"

"Sorry, no 54, five-four."

"You said five ... four?"

"Yes, five ... four."

Doing the thing you want people to do is actually a pretty good strategy.

Recognizing when people are employing this strategy on you and intentionally not doing the thing is good fun too.

17. pelasa+Nd1 2023-07-20 18:15:12
>>educti+(OP)
Maybe just a legend, who knows. That's part of his myth. Now it doesn't matter anymore.
18. butter+Pe1 2023-07-20 18:19:41
>>stuff4+B8
I was once asked by Target for my SSN because I was returning a product. That was in the early 2000s
19. quartz+1l1 2023-07-20 18:44:48
>>stuff4+B8
The 90s were wild. We used to just print entire credit card numbers on the receipt!
20. stuff4+Or1 2023-07-20 19:10:42
>>butter+Pe1
LOL, I was asked by a pet shelter for my SSN in order to adopt a cat. I stupidly put it down on the paper form and then asked why they needed it. She didn't have an answer and rejected my application to adopt. But she kept the paper form in case I tried to reapply in the future. I ripped it out of her hands and left. I should have just put a phony one in there...
21. tiffan+zA1 2023-07-20 19:51:40
>>educti+(OP)
Nonsense like "silver platter", almost certainly embellished (unless a "Barnum" or "Wonka" or some shiite was running the bank). The fundamentals, totally believable.

It's incredibly easy (still) to do certain kinds of "social engineering". Terms like "psychological sleight-of-hand" can sometimes make it a little clearer how humans just have blind spots - ways our perception works and doesn't. And, people who are used to being VERY "in control", intelligent / experienced (compared to others in room), etc., can sometimes be the easiest to manipulate in certain ways.

But, really, it boils down, sometimes, to something as simple as "how long can you keep a person talking?" Mitnick was probably in a good position to do these sorts of things - assuming the story is from after he "turned White Hat". And, in this case, the even simpler deal with the numbers is something like "oh, shoot, I had a misprint on old cards, did I give you the right one? What's the phone number on it?" Drop something abruptly like that, at some random point in a conversation, most people wouldn't think twice... Even if their current context involves a heavy dose of thinking about voices and numbers. They might easily enough realize in the morning, but, too late, by then. Further, getting bank account numbers is not necessarily hard either. Could even be as simple as "dumpster diving", back then. Did the CEO always shred every single document, with a "secure shredder" (as much as that's possible) when home? Or maybe burn everything, always?

And, in any case, you're even mixing up aspects of the story. The phone number isn't the bank account digits, it's just all the numbers from 0 through 9 (you can even get one twice, for a 10-digit [w/ area code] number).

I propose that your sureness in dismissing this story, misapprehensions about it, etc., make you an unwittingly "good mark."

22. Bringe+cF1 2023-07-20 20:17:40
>>mekoka+06
Prime social engineering.
23. maestr+UP1 2023-07-20 21:10:21
>>stuff4+B8
In the mid-/late-80's, you could easily get full PII (SSN, Name, DOB, address, mother's maiden name, etc) green-bar paper reports someone tossed in the trash when finished.
24. JohnFe+472 2023-07-20 22:52:07
>>butter+Pe1
I used to keep Richard Nixon's SSN in my wallet for just these sorts of situations.
25. jahsom+482 2023-07-20 22:58:18
>>educti+(OP)
Based on my understanding of the story in the post, Mitnick asked the CEO to read back the number he gave the CEO earlier that day.

I don't disagree it's likely all bullshit, but if you're going to post snarky, nitpicking comments at least make sure you're understanding what was communicated. It makes it all too easy to dismiss any valid points you may have when there are such fundamental flaws.

26. jrnich+ue2 2023-07-20 23:44:05
>>quartz+1l1
Getting credit card numbers out of the trash at a local Enterprise Rent-A-Car location was a weekly thing for us here, especially corporate accounts. I don't think some folks nowadays realize just how effortless it was to find such information laying out in the open.
27. thathn+ti2 2023-07-21 00:19:31
>>educti+(OP)
You know that your checking account number is on the bottom of every check you write?
28. dumpst+Zi2 2023-07-21 00:24:21
>>morito+o1
> then let's the CEO he has a new number and provides a fake number

I came to a similar conclusion regarding the implementation of the attack. The scenario in my head was slightly different, but very similar (still includes a new number):

Kevin provides his business card and sets up a meeting with the CEO to report on his progress (or whatever). When the CEO calls at the scheduled time - Kevin doesn't answer. Sometime later Kevin calls the CEO and apologizes for missing the call, and explains that he didn't see any missed calls.

At that point the CEO explains that he tried to call, and even left a message. Kevin has a sudden flash of insight and realizes that he may have given the CEO one of his old business cards.

"What's the phone number on the business card I gave you? I'm wondering if I've been handing out my old business cards to people... that would actually explain a lot." (presumably the phone number on the business card in question would include digits 0-9 in a not-super-obvious way)

The CEO reads back the phone number on the card and Kevin slaps his forehead because that is in fact the wrong business card. Kevin gives the CEO his new number, and they finish the scheduled meeting. On future calls the CEO is able to contact Kevin using the new number, which lends credence to the attack.

29. Spooky+i53 2023-07-21 08:53:37
>>educti+(OP)
I take it you haven’t been exposed to Important People(TM).
30. kuhewa+rm3 2023-07-21 11:39:12
>>stuff4+Or1
Why did you get rejected?
31. realae+Ho3 2023-07-21 11:56:27
>>kuhewa+rm3
Perhaps they thought such a clever person wouldn't be suitable for a cat, since cats like to have "owners" they can actually train.
32. stuff4+US3 2023-07-21 15:04:18
>>kuhewa+rm3
They asked if I was going to let the cat outside. At the time we had another cat we adopted from a vet and we let it outside so it made sense that we'd let this one out too. That was a hard no (although they didn't tell you that). It was basically a trick question and if you didn't answer to their liking, they rejected you. That was 20 years ago. Nowadays the cat I do have is kept indoors at all times.
33. redbar+h05 2023-07-21 20:06:38
>>educti+(OP)
«Can you see the number I’m calling from? Just to make sure, could you read it aloud to me. Slowly, please. … Thanks, yes it’s correct.»
34. kuhewa+776 2023-07-22 04:23:26
>>realae+Ho3
Clever people are trainable like all the rest; they are that much better at fooling themselves.