A Computer Fraud Without A Computer

In the Guinness World Records book, there is a certain record known as the “biggest computer fraud.” Most peculiarly, even though the record holder did steal a substantial sum of money, the crime didn’t involve any computer hacking at all. The fraud was made possible with nothing more than a few impersonation tricks.
Stanley Mark Rifkin was a computer contractor who worked for the Security Pacific National Bank in Los Angeles. His job was to develop a backup system for the wire room’s data, which gave him access to the transfer procedures inside the bank. Soon, he was familiar with the way it operated, and he found himself a chance to make a fortune.
He had learned that bank officers who were authorized to order wire transfers were given a daily code each morning for their orders. However, to save themselves the trouble of memorizing each day’s code, the clerks wrote it down on a slip of paper and posted it where they could see it easily. On one particular November day, Rifkin visited the wire room with a specific purpose in mind, and the posted slip gave him the chance to steal the code. He later recalled that he felt as if he had just won the lottery.
Soon after stealing the code, he headed to the public phone in the lobby, called the wire room, and assumed the role of Mike Hansen, a member of the bank’s International Department. According to one source, the conversation went approximately like this:
“Hi, this is Mike Hansen in International,” he said to the woman who answered the phone.
“May I have your office number?” she asked.
“It’s 286.” He had done his homework and knew that this was the standard procedure.
The woman then asked, “Okay, what’s the code?”
“4789,” Rifkin answered smoothly. Then he went on to order:
“Please wire ‘Ten million, two-hundred thousand dollars exactly’ to the Irving Trust Company in New York. It’s for credit of the Wozchod Handels Bank of Zurich, Switzerland.”
It seemed that everything was going smoothly, and his Swiss bank account would soon be 10 million dollars richer. But then the woman asked him an unexpected question:
“Okay, I got that. And now I need the interoffice settlement number.”
Rifkin broke out in a sweat. What was the interoffice settlement code? This was a question he hadn’t anticipated; it was something he had missed in his research.
But he managed to stay calm and acted as if everything was fine. He said:
“Let me check; I’ll call you right back.”
He changed his identity once again and called another department. This time he claimed to be someone in the wire-transfer room and asked for the settlement number in question. He obtained it easily, called the woman back, and she took the number and completed the transaction.
A few days later Rifkin flew to Switzerland to pick up his cash, and exchanged it for a pile of expensive diamonds through an agency. He smuggled the diamonds back in a money belt, having pulled off the biggest bank heist in history without the use of any weapon, or even a computer.
This story shows that the weakest link in any security system is the people who use it. Operators of a system can be manipulated into helping criminals through clever deception, which is nowadays more commonly known as social engineering. You may wonder, “People working in big corporations are supposed to be very clever. How could they be fooled so easily?” Well, a social engineer usually pulls this off with the following three tactics:
1. Pretending to be someone else
Social engineers like to pretend to be someone else, especially someone who has power over the target. In the above example, Rifkin pretended to be from the International Department when he called the wire-transfer room, because the wire-transfer staff were expected to take orders from that department.
In order to play the role well, social engineers often research how your department or company operates before they strike, so that they can act with great confidence when ordering you around. Even when they are caught off guard, they do not panic. In the above story, Rifkin was asked for an interoffice settlement number that he hadn’t prepared for, but he kept a calm manner to buy himself time to find out the answer. And he succeeded.
2. Eliciting information covertly
No one would volunteer information to a suspicious caller, so social engineers often sugar-coat their intentions. They may pretend to be writing a novel or conducting a survey in order to ask for details that are useful to them. They are also good at mixing up questions: they insert the key question among other, trivial ones so that their real intention is less obvious.
3. Applying pressure
Sometimes social engineers run into people who are more alert and refuse to give out the information they want. In that case, they try to manipulate their listeners with mind games, such as guilt (e.g. “If it fails, it’ll be your fault for refusing to help.”), sympathy (e.g. “I will be blamed if you don’t help me! Please!”), or time pressure (e.g. “Come on! I have to do it by 1 p.m.!”). From time to time their listeners give in, because they just want to do their jobs and avoid trouble.
To defend yourself against such attempts, you should always be alert to anyone who tries to extract inside information from you, no matter how innocent or urgent the request looks. You should also stick to the rules under pressure, because if any trouble does happen, you will be held accountable for violating the guidelines. If you keep this in mind, you will be able to keep your information safe and protect yourself from the harm that social engineering attacks can cause.
To learn more about how people can be manipulated by simple tricks, please get a copy of my book, The Art of Influencing Anyone.