02.05.03

Exploits Via Kevin

Posted in General at 11 am

From Kevin Mitnick’s interview on Slashdot:

“On one occasion, I was challenged by a friend of mine to get his Sprint Foncard number. He said he would buy me dinner if I could get it. I couldn’t pass up a good meal so I phoned customer service and pretended to be from the IT department. I asked the rep if she was having any difficulties with her computer. She wasn’t. I asked her the name of the system she uses to access customer accounts, to verify I was working with the right service center. She gave it to me. Immediately thereafter, I called back and got a new service rep. I told her my computer was down and I was trying to bring up a customer account. She brought it up on her terminal. I asked her for the customer’s Foncard number. She started asking me a million questions: What was your name again? Who do you work for? What address are you at? You get the idea. Since I did not exercise any due diligence in my research, I just made up names and locations. It didn’t work. She told me she was going to report my call to security!

“Since I had her name, I briefed a friend of mine on the situation and asked him to pose as the “security investigator” so he could take a report. He called back customer service and was transferred to the woman. The “security investigator” said he received a report that unauthorized people were calling to obtain proprietary customer information. After getting the details of the “suspicious” call, the investigator asked what information the caller was after. She said the customer’s Foncard number. The “investigator” asked for the number. She gave it to him. Whoops! Case closed!”
