

Cosmo, the God who fell to Earth - nicholassmith
http://www.wired.com/gadgetlab/2012/09/cosmo-the-god-who-fell-to-earth/all/

======
chriszf
In 2005, I worked support for a company with a mobile offering. At the time,
app purchases were handled exclusively by the carrier and were completely
opaque. A little while prior, we had partnered with a shady marketing company,
netting us a bunch of unintentional signups that I had the displeasure of
fixing.

Since we didn't handle billing, I had to call AT&T with the customer on the
line and talk them both through the process of removing the charges (AT&T was
feeding customers a line about not handling billing either, for some reason).
After doing it a few times, I realized I could do it without the customer, all
I needed was a name and a phone number.

It never came down to impersonating the customer, instead, I would just say I
was calling on behalf of a customer. Once, a call got escalated to a higher
support tier, with the miscommunication that I was a VP of a partner company,
which made the agents more responsive, making the process easier, so I just
kept reusing that line.

Eventually, I just asked, "what do I tell the next agent I have to deal with
so we can just bypass all the lies?" (regarding their inability to modify
billing charges). This was happily given to me, and I could now call AT&T
support and say, "I'm calling for user X with number Y. I need you to go into
the tool and click on Z and then remove the charge from such and such
service." Again, when delivered with authority, the rep would do it, no
questions asked.

It's hard to fault them, I probably would have done the same in their
position. Still, it's scary knowing how little it takes to get customer
service to reveal/modify things without hard verification.

~~~
firefoxman1
I bought a Palm Pre2 last year on eBay and had to go into an AT&T store to
activate it. The person helping me had a little trouble activating it, so he
called AT&T support and got help so quickly without being asked stupid
questions, I've been using his technique ever since.

Whenever I call tech support of a company that has physical locations, I
always start with:

 _"Hello, my name is Kevin, I'm an associate with [company] at the [store]
location. I'm trying to help a customer with [my problem] issue..."_

And very quickly I'm having a conversation with someone who knows their stuff
and doesn't insult my intelligence.

~~~
mahyarm
What do you do when they ask you to access the intranet at the terminal that is
obviously right in front of you?

~~~
firefoxman1
Lol that would be a bit of a dilemma. Haven't encountered that yet.

~~~
ktizo
Tell them the screen broke.

------
aristus
Oh, Wired... you write an article about a hacker and change his name to
"protect" him, but publish a photograph of his neighborhood with readable
house numbers and license plates.

~~~
aidenn0
He was doxed a long time ago, so it's not like someone who really wants to
know can't find him; they still aren't going to print the name of a minor for
everyone to see.

------
silverbax88
What's really bad about stories like this is that social engineering is not
new. I recall working on closing some of these types of loops at companies 10
years ago.

~~~
marquis
When I was reading this, I was thinking the same thing. Are the IT leads who
put these systems in place forgetting the 90s?

~~~
nicholassmith
When the Wired author was hacked and it was first posted here about half of us
jumped on 'shoulder surfed', 'is it possible to brute force' and half a dozen
decent technical explanations. I think often people are now looking for the
next over the top attack and forgetting the simplest tricks are often the most
successful.

------
marquis
It's interesting to me how easy it is for some people to circumvent their
ethics. This kid is intelligent enough to know what he's done is unethical but
I've never been a teenage boy so I consider what would come with that feeling
of discovering a sweet hack: a desire to use that knowledge to assert power
above all costs.

~~~
wpietri
I'm not sure it's so much "circumvent" as "it's not fully hooked up yet".

Ethics are intellectual, but they're grounded in a human moral sense that is
rooted in biology. (For a readable start on how, de Waal's _Good Natured_ is a
good book.) When I was his age I was much more aware of mechanism than of
morality. For me the motivation to hack wasn't power in the social sense; it
was tinkering with systems.

It took me years for my moral sense to integrate well with my intellectual
side to yield a proper system of ethics. In some ways that's still going on;
the older I get, the more I have learned how to be compassionate. For me, the
ethical framework is given force by very specific instances of compassion. For
example, I was just looking again at Project Unbreakable:

<http://projectunbreakable.tumblr.com/>

It's not like I ever thought sexual assault was ethically ok. But reading about
each one of those people gives it more emotional power.

~~~
pavel_lishin
Without incriminating myself, let's say that maybe I've seen some files
belonging to other people that I shouldn't have when I was a teenager.

At the time, I justified it easily to myself - I don't care if someone sees
the contents of my hard drive, so why should it be unethical for me to root
through someone else's?

I'm 28, now, and a year ago my mom reminded me that I'd said that. I was
pretty embarrassed at how I'd acted, and how I justified it to myself. I hope
I remember that sequence of events when I have kids.

------
aidenn0
Reading this reminds me of a gripe I have; is it possible to use 2-factor
authentication on gmail without a phone? You can print a list of OTPs but you
can't enable it without also registering a phone number. Given how easy it is
to intercept voice and SMS, that seems like a huge security hole.

~~~
Shank
The device doesn't need to be internet connected if you use the app. An iPod
Touch does the job just as well as SMS, though you need to make sure the times
are synchronized.

~~~
aidenn0
Still doesn't answer my question. It won't let me turn on 2FA without giving
them a phone # that can be used (SMS or voice) to authenticate, which means
anyone that can redirect my phone or capture my SMS messages (both fairly
trivial in a targeted attack) can bypass 2FA.

~~~
galadriel
You have to just do that once to activate 2FA. Once activated, switch to
mobile app. No one can turn it off without having code and password later.
(apart from finding some flaw in system)

------
wmeredith
>>People Are The Key to Every Lock

Great section title. Here's my favorite bit of "social engineering". Using the
term loosely, I know, but it still makes me laugh.

<http://www.youtube.com/watch?v=94LL8J8WYT0>

------
nemo1618
This is really interesting. Makes me wonder why I bothered generating those
hard-to-crack passwords if they can easily be reset by a bit of sweet-talking.

~~~
billyb2
No joke. Cyber security's a constant game of 25 steps forward and 122 steps
back.

~~~
debacle
Is that your ROT cipher?

~~~
indiecore
damnit!

------
ktizo
The trouble is that normal operations are often indistinguishable from social
engineering.

I have worked several places where I have been told by management that
something needs fixed on a web server, but they can't remember any passwords,
so could I call up their ISP and just get it sorted.

In these situations, I have never had to prove anything I couldn't have faked
and I usually get asked to provide an email address so they can send me the
details.

As this kind of behaviour seems very common, most everything seems to be wide
open for social engineering. So given that everything isn't hacked all of the
time, people in general must be both much nicer and much lazier than I had
otherwise assumed.

~~~
jared314
"Your security is based on the kindness, and apathy, of strangers."

I repeat that warning to anyone who has become just computer-savvy enough to
use a computer as well as they drive their car.

The tinfoil-hat jokes have tapered off, over the years, with the mainstream
news coverage of stolen user information.

~~~
jurjenh
Just had a reminder of that this morning... Was doing a bit of routine
maintenance on the server at work when I noticed repeated ssh login attempts
appearing in the system logs... with usernames that clearly don't exist.
Tracing the source ip address sent me to Beijing somewhere, so someone there
was trying a port scan and random ssh login attempts.

I've never really looked for this kind of interaction before, and I wonder
just how common it is these days - but I'd say that you can now pretty much
guarantee that it will happen at some stage, and you'd better hope your
security is up to the task.

~~~
oofabz
It is so common I'd be surprised if you weren't seeing these login attempts.
Every ssh server I've run in the last 10 years has had this happen, even those
without domain names. They must just scan random IPv4 addresses for anyone
responding on port 22. It's the modern equivalent of wardialing.
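
A sketch of how the pattern described in this exchange (repeated logins for usernames that do not exist) can be pulled out of an sshd log. This is an added example, not code from any commenter; the log lines are constructed, use documentation IP ranges, and the threshold of three distinct usernames is an assumption.

```python
import re
from collections import defaultdict

# OpenSSH logs both of these message forms for an account that does not exist.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) "
    r"(?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+)"
)

# Constructed sample lines (made-up host name, PIDs and ports).
SAMPLE_LOG = """\
Sep 12 06:14:01 web1 sshd[2211]: Invalid user oracle from 203.0.113.7 port 40022
Sep 12 06:14:03 web1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 40022 ssh2
Sep 12 06:14:05 web1 sshd[2214]: Invalid user test from 203.0.113.7 port 40031
Sep 12 06:14:09 web1 sshd[2217]: Invalid user nagios from 203.0.113.7 port 40040
Sep 12 06:20:44 web1 sshd[2290]: Accepted publickey for deploy from 198.51.100.20 port 52110 ssh2
Sep 12 06:31:10 web1 sshd[2301]: Invalid user jsmiht from 198.51.100.20 port 52133
Sep 12 06:31:30 web1 sshd[2305]: Failed password for root from 203.0.113.7 port 40051 ssh2
"""


def guessing_sources(lines, min_users=3):
    """Return {ip: sorted usernames} for sources that tried at least
    min_users distinct nonexistent accounts.

    Distinct usernames are counted rather than lines, because sshd writes
    two lines for one failed attempt against an unknown account.
    """
    seen = defaultdict(set)
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            seen[m.group("ip")].add(m.group("user"))
    return {ip: sorted(users) for ip, users in seen.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for ip, users in guessing_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(users)} unknown usernames tried: {', '.join(users)}")
```

Counting distinct usernames separates a scanner walking a wordlist from a legitimate user who mistyped their own name once.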

------
trotsky
looks like wired got socialed themselves

