
Mitnick was a hacker hero of mine in my youth. I think I’ve understood his role as jester prior to conviction less as I’ve grown older, but there’s something about the boyhood charm of being so divorced from the potential consequences of one’s actions that is almost unique.

Mitnick had so many stories that entranced the people around him. I heard one second hand of Mitnick dealing with a bank who had early voice verification software. Upon meeting the CEO he gave the executive his card and departed for the evening. Arriving back at his hotel, he called the CEO and asked him to read his phone number to him. The phone number contained all ten digits which Mitnick had neatly tape recorded so as to make the CEO’s voice reproducible. He then proceeded to use the bank’s vocal banking system to transfer $1 from the CEO’s account to his as the authentication mechanism was reading out your own account number in your voice.

When Mitnick arrived back in the board room the architect of the voice verification system was crestfallen and the bank CEO delivered a check on a silver platter.

Now how much of that tale is embellished I will never know as it was second hand, but that was the kind of whimsy Mitnick brought to our world.

Rest in Power.



He has the CEO’s number and successfully calls him, and through some miracle gets through directly to ask this trivial question — as opposed to getting the number from the assistant who answers his phone - sure ok but then under what pretense does he then ask him to repeat his phone number? “Please repeat the phone number I just dialed.”

The phone number contains all the digits needed to recreate the bank account number?

He somehow has the bank account number?

He meets the CEO (despite just being a security consultant) and gives his report to the board of directors?! That is not how companies usually work, especially the board part.

Check on a silver platter? Architect of the voice system is brought into the room with the board to be humiliated? This reads like something a 13 year old would dream up (nothing against OP, maybe someone, even Mitnick, really did claim this happened).

The tale is absolutely embellished if it has any truth at all.


Mitnick could have been hired as an advisor for their system, personally by the CEO.

He calls the CEO to ask a "personal question" so as to skip the assistant, asks something innocent, then lets the CEO know he has a new number and provides a fake number. He asks the CEO to confirm he heard the number correctly, but it's a bad line, so speak clearly please.

The "new phone number" has all the digits of the bank account he's trying to hack. The account is likely the account number that he's being paid for the consultancy work with. He could have got this simply by asking to confirm which account he'd be paid from, to confirm the transaction.

He is asked to report his review of the new security system to the board (given it was a large investment by the Bank, or just the wrong word used) and the architect would of course be invited to his own project's review?

The board then asked Mitnick to design a new system and said that cost wouldn't be an issue.

That all seems pretty easy to put together?


> then lets the CEO know he has a new number and provides a fake number

I came to a similar conclusion regarding the implementation of the attack. The scenario in my head was slightly different, but very similar (still includes a new number):

Kevin provides his business card and sets up a meeting with the CEO to report on his progress (or whatever). When the CEO calls at the scheduled time - Kevin doesn't answer. Sometime later Kevin calls the CEO and apologizes for missing the call, and explains that he didn't see any missed calls.

At that point the CEO explains that he tried to call, and even left a message. Kevin has a sudden flash of insight and realizes that he may have given the CEO one of his old business cards.

"What's the phone number on the business card I gave you? I'm wondering if I've been handing out my old business cards to people... that would actually explain a lot." (presumably the phone number on the business card in question would include digits 0-9 in a not-super-obvious way)

The CEO reads back the phone number on the card and Kevin slaps his forehead because that is in fact the wrong business card. Kevin gives the CEO his new number, and they finish the scheduled meeting. On future calls the CEO is able to contact Kevin using the new number, which lends credence to the attack.


It's also possible that the CEO knew what Mitnick was getting at and played along to a degree.

Kind of like when your company has a security presentation about this new "report phishing button" in your email and you suddenly see this weird phishing-like email come through a few hours later. Hopefully you connect the dots.


This is the 90's and early 2000's. We didn't have the security processes and checks like we do nowadays. I worked for a bank right after the dot-com crash and was in charge of their internet banking web presence. I was witness to other employees passing around CDs and printouts containing the private information of hundreds, maybe thousands of customers. This was the era when your SSN was your userid. So these CDs contained SSNs, names, addresses, bank account numbers, passwords (not even encrypted, much less salted), etc. I moved into a new cubicle one time and saw these CDs just left over. It was a free-for-all for people like Kevin Mitnick.


The 90s were wild. We used to just print entire credit card numbers on the receipt!


Getting credit card numbers out of the trash at a local Enterprise Rent-A-Car location was a weekly thing for us here, especially corporate accounts. I don't think some folks nowadays realize just how effortless it was to find such information laying out in the open.


I was once asked by Target for my SSN because I was returning a product. That was in the early 2000s


LOL, I was asked by a pet shelter for my SSN in order to adopt a cat. I stupidly put it down on the paper form and then asked why they needed it. She didn't have an answer and rejected my application to adopt. But she kept the paper form in case I tried to reapply in the future. I ripped it out of her hands and left. I should have just put a phony one in there...


Why did you get rejected


They asked if I was going to let the cat outside. At the time we had another cat we adopted from a vet and we let it outside so it made sense that we'd let this one out too. That was a hard no (although they didn't tell you that). It was basically a trick question and if you didn't answer to their liking, they rejected you. That was 20 years ago. Nowadays the cat I do have is kept indoors at all times.


Perhaps they thought such a clever person wouldn't be suitable for a cat, since cats like to have "owners" they can actually train.


Clever people are trainable like all the rest; they are just that much better at fooling themselves.


I used to keep Richard Nixon's SSN in my wallet for just these sorts of situations.


In the mid-/late-80's, you could easily get full PII (SSN, Name, DOB, address, mother's maiden name, etc) green-bar paper reports someone tossed in the trash when finished.


He was pretty famous when he started doing security consulting so it doesn't seem like a stretch to me.

Bank account numbers are written on the bottom of checks along with the routing code. If you have a check from them, you have their checking account number.

Phone numbers are ten digits long. So a number like (213)485-7690 contains all digits from 0 to 9. Caller ID spoofing was trivial even back then. For example, you could ANI fail to a calling card system, which would drop you to an operator. Then you just tell them the number you're "calling from" and that number would show up as your Caller ID and ANI.

Using voice authentication is pretty stupid but, iirc, at least one US bank still does something similar. That said, I imagine part of the authentication was probably caller ID based. This was/is also why voicemail systems don't prompt you for a PIN when you call them from your own phone - they use caller ID for authentication.


He was already meeting with the CEO in some capacity, so it's very clear he had access to the CEO, maybe as a security consultant. Then getting him to read the number is easy, "Hey, I just got a new cell, but I might have given you my old card, can you read the number back to me?"

Getting a phone number with all the necessary digits is a bit of a stretch, but not impossible. And I would suspect, because this is the way phone systems generally work, that there was no bound on the number of attempts to enter the account number. Account numbers are all the same length, so you know exactly how many characters to input, it's just a matter of brute forcing the number--and for all I know, there may be some kind of structure that Mitnick found out.

Meeting with the board sounds like an embellishment for sure, especially for Mitnick's initial report, but I could definitely see--especially if someone was looking for a big chunk of money to strengthen the system--the report eventually being given to them.

The check on the silver platter is the most believable part of the story. Have you ever met a CEO? And why wouldn't the architect of the system be there to receive the report on the security of the system? Who else should be there?

For me, the only truly unbelievable part of this story is that he needed the CEO's voice at all. And for all we know, he just said he recorded the CEO's voice for a laugh.


213-954-8607

Random number, legit area code. Unless you are looking for all 10 digits, pretty easy social hack


Yeah, the only worry is someone saying "nine fifty-four". And you don't catch 5.

But that's pretty easy. Sorry I didn't catch that could you do it one number at a time?


"Was that sixty four, as in six-four?"

"Sorry, no 54, five-four."

"You said five ... four?"

"Yes, five ... four."

Doing the thing you want people to do is actually a pretty good strategy.

Recognizing when people are employing this strategy on you and intentionally not doing the thing is good fun too.


I understood it as him (Mitnick) asking his own phone number back. "Did I give you my card earlier? Is it the new card? I don't recall. Which number does it have?"

If you've already identified a security system that has this vulnerability, you get a phone number with all these digits and begin shopping for any institutions that bought that system.


Prime social engineering.


> He somehow has the bank account number?

Being able to login if you have the bank account number is still a pretty big flaw.

If you are a bank, your security threat model should assume that a hacker has access to somebody's account number and basic personal details.

Particularly for a high profile/value account, you can see how it might be possible to get soundclips of them saying the numbers 1 to 9 (see: https://www.youtube.com/watch?v=xWcldHxHFpo)


basically anyone that has gotten a check from me has my checking account number...


Nonsense like "silver platter", almost certainly embellished (unless a "Barnum" or "Wonka" or some shiite was running the bank). The fundamentals, totally believable.

It's incredibly easy (still) to do certain kinds of "social engineering". Terms like "psychological sleight-of-hand" can sometimes make it a little clearer how humans just have blind spots - ways our perception works and doesn't. And, people who are used to being VERY "in control", intelligent / experienced (compared to others in room), etc., can sometimes be the easiest to manipulate in certain ways.

But, really, it boils down, sometimes, to something as simple as "how long can you keep a person talking?" Mitnick was probably in a good position to do these sorts of things - assuming the story is from after he "turned White Hat". And, in this case, the even simpler deal with the numbers is something like "oh, shoot, I had a misprint on old cards, did I give you the right one? What's the phone number on it?" Drop something abruptly like that, at some random point in a conversation, most people wouldn't think twice... Even if their current context involves a heavy dose of thinking about voices and numbers. They might easily enough realize in the morning, but, too late, by then. Further, getting bank account numbers is not necessarily hard either. Could even be as simple as "dumpster diving", back then. Did the CEO always shred every single document, with a "secure shredder" (as much as that's possible) when home? Or maybe burn everything, always?

And, in any case, you're even mixing up aspects of the story. The phone number isn't the bank account digits, it's just all the numbers from 0 through 9 (you can even get one twice, for a 10-digit [w/ area code] number).

I propose that your sureness in dismissing this story, misapprehensions about it, etc., make you an unwittingly "good mark."


He probably gained the CEO's trust at some point. Something like "I bet I can break into your personal bank account given public info?"

CEO interest is piqued. Gives him a business card, let's talk soon.

Then on the call,

KM: what is your checking account number?

CEO: that's private

KM: it's printed on every personal check you write, so definitely not private

CEO: ok, good point, #######

KM: great, now tell me the numbers on the card I gave you

CEO: your phone number?

KM: yes

CEO: ok, ########

KM: ok I think I have what I need

CEO: really? that's it?

KM: yep, let me get to work, we'll talk soon


The 80s was a helluva drug.

Mitnick's social engineering really formed me. And I did all sorts of nefarious stuff in the 80s, from mapping the 411 call centers, to the tape vending machine hack and other phreaking, as I had an original Captain Crunch whistle, to (not a hack) the bunch of easy fraud to be had with "calling cards" back in the day.


If you're dealing with the bank in a security-consultant capacity, then these kinds of requests would be both intriguing and informative.

If he's a customer of the bank, then it had better be a very small bank or I'm also skeptical.


Based on my understanding of the story in the post, Mitnick asked the CEO to read back the number he gave the CEO earlier that day.

I don't disagree it's likely all bullshit, but if you're going to post snarky, nitpicking comments at least make sure you're understanding what was communicated. It makes it all too easy to dismiss any valid points you may have when there are such fundamental flaws.


«Can you see the number I’m calling from? Just to make sure, could you read it aloud to me. Slowly, please. … Thanks, yes it’s correct.»


I read it as he asked the CEO to repeat the number that Mitnick had given him earlier to ensure that it was correct.


You know that your checking account number is on the bottom of every check you write?


I take it you haven’t been exposed to Important People(TM).


Maybe just a legend, who knows. That's part of his myth. Now it doesn't matter anymore.


All of the stories in his books are like this. An existing seemingly sensible system is used in a creative way to get access. Every time you read one the creative solution is so elegant you just go "Ah, can't believe I didn't think of that" (and then go try it yourself obviously - had lots of fun as a teenager taking down websites/stealing ppl's passwords/etc as a party trick for my friends).


Seemingly sensible? This one?

> the authentication mechanism was reading out your own account number in your voice

That's the most suspect part of it to me - even vulnerability to malicious attack like this aside, who would think that's a good idea or going to work well?

What percentage of people could successfully use a voice assistant to make a note of their bank account number the first time? Nevermind have it determine that it was indeed their voice not someone else's.


I think something was lost in the retelling. It could just be an era when people didn't figure out biometrics yet. It makes sense today, but caught up in new hype, people often implement cutting edge technology where it doesn't belong.


“Your voice is your password” kind of systems are still around.


Sure, but usually we have 2FA now. It tends to be what you have (token/documentation), what you know (password), and what you are (voice auth).

Often you need one type for basic access (see balance), two for an actual transfer, three for say, transferring a million dollars. This may be something that people like Mitnick proved were necessary.


Yes, I think this is pretty stupid too.

Ahem.

https://www.theguardian.com/money/2018/sep/22/voice-recognit...


As a kid I ate this stuff up. In the eighth grade, I defaced my middle school website.

The IT person easily figured out it was me and then tricked me into thinking I would be expelled within days. She pulled me out of class, told me such in the hallway, let me return to class where I held in tears until the end of the day.

Nothing happened and the school year ended a few weeks later. Towards the end of the summer I realized it had been a bluff and I wouldn’t be punished. Took me a few years later to realize how much of a favor that all was! The county school of conduct clearly said cybercrime was punishable by expulsion so she could have absolutely put me in some kind of hell. The fear set me straight hah.


> The IT person easily figured out it was me and then tricked me into thinking I would be expelled within days.

Similar. I wrote a program to emulate the logon text on a PDP-11 terminal in high school in the mid-80s and steal a bunch of student passwords. Didn't do anything with them. They were like "trophies."

Nevertheless, the computer teacher found out and had mercy on me. He gave me a project to work on to help him compile stats on a student survey. He was a nice guy.

edit for clarity.


I did the same thing, only my program pretended to be a DOS-based Novell Netware login screen.

It was just a simple QBASIC program (that's all that was available on the Computer Room machines) running under my own login, which would write usernames and passwords to a text file in my user directory. I figured that I'd harvest a few passwords until someone got frustrated enough to call for the IT admin, at which point he would try to log in and reboot the PC when it failed, apparently "fixing" the problem and erasing any evidence of my dastardly crime.

I was right, and for a few glorious days I got away with it... until one particular arsehole picked on my best friend during recess, and I used his stolen credentials to log into his account and trash his files.

Long story short, I ended up getting expelled, which by a curious confluence of events put me on an unorthodox path that completely changed my life. Funny how things turn out.


> until someone got frustrated enough to call for the IT admin, at which point he would try to log in and reboot the PC when it failed, apparently "fixing" the problem and erasing any evidence of my dastardly crime.

This was precisely my logic as well.

> put me on an unorthodox path that completely changed my life.

Hopefully it was a happy path!


I had a similar thing happen. I distributed some malware I wrote on the shared drive and had some people run it (it was extremely basic, just locked people out of the computer with no recovery by taking advantage of how locked down they were; but people lost a lot of work). My programming teacher, who was already dealing with me being a distraction in class, went to bat for me so I didn’t get strongly punished but made me clean it off the drive continuously; other students kept putting it back, so I had to monitor for it.


I wonder if the same scenario happened today, where a Kid has an interaction like that with a bank CEO, showing an insane vulnerability... The kid would just be sentenced to jail time and charged as an adult.


He did this as an adult while being paid by the bank as security consultant.


Or have the Pinkertons sic'd on his home and family. Sup friendlyjordies?


How would he have known the CEO's bank account number? Did the CEO write him a check at some point? Or maybe a bank's CEO traditionally gets account number 1…


Bank account numbers aren't secret; they're written on the bottom of every check you write. The story lacks the details of how he got his hands on it, but it's not unreasonable to assume he was able to access such unprotected information.


Yeah I know, I wondered in the comment whether CEO might have written Mitnick a check


Mitnick was exceptionally gifted at social engineering information out of various company departments over the phone.


> How would he have known the CEO's bank account number?

Welcome to the american banking system.


The european bank account numbers are often posted publicly. If you are a VAT payer, you're supposed to check that the account you send money to is registered with the business in the public registry. Otherwise you may be held liable for the receiver's tax fraud. Many companies also show them at their webpage to make it easier to get paid. See e.g. https://www.pre.cz/en/contacts/bank-details/

The account number should be just an ID, not authentication mechanism.


> The account number should be just an ID, not authentication mechanism.

Right? One of the many things (and I mean this without any hate whatsoever) I simply can't and will never understand about the US. A bank account number is your mailbox for receiving money. How does that country even operate when they build those mailboxes underground?


You send the money to a literal mailbox instead. That’s how.

(Using a check, the very infrastructure we’ve been talking about!!)


But then you've given out your bank account number, so the secrecy is bunk.


The US bank security system confuses me. To accept money, I need to give out my routing number and account number. Using those numbers, someone could theoretically withdraw money... Maybe... The whole system is built upon obscurity. Why do some stores need a pin on my debit card, and some do not? Why do online stores need my name and address, but IRL ones do not? How did that one online store charge me without my CVV? How can restaurants swipe my card now and charge me later?

I only send and receive money with Google/Apple Pay & PayPal at this point. This flow is reasonable (every transaction is authorised in a trusted location (ie: PayPal). Further transactions are impossible without additional authorization). It boggles my mind that banks & CC companies haven't made some standard for this. Would save them so much money in fraud protection.


> Why do some stores need a pin on my debit card, and some do not?

Oh that’s easy enough. If they need a PIN it’s actually being run as a debit card over the debit card network. Otherwise it’s being run as a “check card” over the credit card network (with higher fees and better consumer protections). It’s just backed with money instead of a line of credit.

> Why do online stores need my name and address, but IRL ones do not?

IRL stores have access to the actual card (with your name) and having this artifact present makes it much less likely that you are a fraudulent fraudster committing fraud, so the processors are willing to take it.

> How can restaurants swipe my card now and charge me later?

the good news is if the store ever defrauds you, everyone knows where to find the store! Unlike fraudsters making purchases.


And banks are still perfectly willing to issue personal checks, a form of payment that requires you to hand someone a piece of paper with your full name, address, bank account and routing info, your signature, and a brief handwriting sample.


> The account number should be just an ID, not authentication mechanism.

Ergo my "welcome to the american banking system".


He used the CEO’s voice to access AN account, I don’t think it was the CEO’s specifically. But just an account, verified by the CEO’s voice, to his.


I doubt the bank’s authentication system is built to allow the CEO’s voice to authenticate a transfer out of any account


I doubt it as well. Back in the day, I worked for an elected official who insisted on being a Domain Admin in our Active Directory tree. My co-worker and I used to joke, "think he wants to be a Schema Admin too?"


When you do pen testing you're given a limited list of valid targets.

I imagine that the mission parameters were that he take a check and remove money from the account.

It would also make sense that this is the CEO's account, or one he also controls, because he's in on the test and can give informed consent. Also, probably the CEO doesn't have any special access so breaking into his identity wouldn't impact the bank the way breaking into the IT manager's account might.

If this was a fake account (one with no real user) then they wouldn't have discovered this flaw because Mitnick couldn't have called the user. Having a real person be exploitable is essential to proper discovery of the full scope of the problems.


This is probably closer to the truth. That it was a test all along.


This was a long time ago. It was a small bank. I also heard it through the grape vine and not from him himself. I could definitely be wrong but this is what was told to me by someone who was there.


At Schwab, "my voice is my password" is how Schwab authenticates me by voice. That demonstrates to me Schwab knows they need a voice passphrase that wouldn't be used in passing or without raising suspicion.


This comment is very hard to parse, but after reading it, I feel a general sense of relief that I'll never use Schwab.


After over 30 years of perfect service, Schwab has done something so egregious that I'm leaving them. They used to be the best bank I ever used.

Finally, I know that the passphrase is tied to my phone number. It's not perfect, but it is as good as any other consumer bank's system.

I don't recommend Schwab, but my accounts are as secure as any.


At first I thought this was a reference to the movie Sneakers (https://www.youtube.com/watch?v=-zVgWpVXb64), but after searching it seems Wells Fargo also does this, https://www.wellsfargo.com/privacy-security/voice-verificati....


I just thought it was an interesting contrast to the bank executive story. Which demonstrated how the passphrase may have evolved and that moving money is done by voice authentication today.

Using just one's voice is bad. Using a phrase is better. Using a phrase that is unique and describes its function may set off alarm bells for some.

I never connected the phrase with Sneakers.


there is a bank in Italy currently that uses this voice recognition mechanism which with current AI tech is fakeable within 20 min. Nothing much changed since back then I guess


I know a Bank in Italy that uses voice recognition but you also have to provide 2 digits from a "voice password" in addition to the voice match.


About 15 years ago I was using telephone banking, when you had to put in a 4-digit PIN to access banking. I could still hear background call centre noise so I asked the operator if they were still on the phone when I put the PIN in, and he confirmed he was.

"Okay, so you heard me type in the PIN? So now you can know my PIN?"

"Oh no", he said, "it's just beeps, like this - ", and pressed a few digits.

"Right so you typed 1 6 3 2 4, there."

"..."

"That's what you typed, isn't it?"

"Uhm... yes, how did you guess?"

"I didn't guess, I could hear the beeps. I've got a reasonable ear for pitch, so I can tell what the numbers are from the tones. Any chance you could escalate this to your manager after the call, and tell them to give me a phone if they've any questions?"

They rang me the next day, and I explained the situation to them.

Now, at least in the UK, you get transferred away from the call handler when you put your PIN in.
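What the commenter did by ear is exactly what a short program does with the Goertzel algorithm: DTMF keys are pairs of tones from the ITU-T Q.23 table (one low-group frequency for the row, one high-group frequency for the column), so a listener who can pick out the two pitches in each beep has the digit. The block below is an added example, not from the thread or any bank; it synthesises a PIN at a telephone-band 8 kHz sample rate (the constructed PIN "16324" is the one from the comment) and decodes it back from the audio with 20 ms frames. The lesson for an IVR design is the one the commenter drew: anything the human agent can hear, a recorder on the agent's line can decode, so PIN entry must happen after the agent is off the call.

```python
"""DTMF (touch-tone) PIN leakage over an open voice line. Added example; constructed input."""
import math
from typing import List, Optional

SAMPLE_RATE = 8000                     # assumption: narrowband telephone audio
LOW = [697, 770, 852, 941]             # row frequencies (ITU-T Q.23)
HIGH = [1209, 1336, 1477, 1633]        # column frequencies (ITU-T Q.23)
KEYS = ["123A", "456B", "789C", "*0#D"]


def key_to_freqs(key: str):
    """Return the (low, high) tone pair for a keypad key."""
    for r, row in enumerate(KEYS):
        c = row.find(key)
        if c >= 0:
            return LOW[r], HIGH[c]
    raise ValueError(f"not a DTMF key: {key!r}")


def synth_tone(key: str, duration: float = 0.08, rate: int = SAMPLE_RATE) -> List[float]:
    """Two equal-amplitude sinusoids summed, as a phone keypad emits them."""
    f_lo, f_hi = key_to_freqs(key)
    return [0.5 * math.sin(2 * math.pi * f_lo * i / rate)
            + 0.5 * math.sin(2 * math.pi * f_hi * i / rate)
            for i in range(int(duration * rate))]


def synth_pin(pin: str, tone: float = 0.08, gap: float = 0.04, rate: int = SAMPLE_RATE) -> List[float]:
    """Key presses separated by silence; the gap is what lets repeated digits be counted."""
    samples: List[float] = []
    silence = [0.0] * int(gap * rate)
    for k in pin:
        samples += synth_tone(k, tone, rate) + silence
    return samples


def goertzel_power(samples: List[float], freq: float, rate: int = SAMPLE_RATE) -> float:
    """Energy of one frequency bin in a frame (second-order IIR, O(n) per bin)."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)     # nearest DFT bin to the target frequency
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_frame(frame: List[float], rate: int = SAMPLE_RATE) -> Optional[str]:
    """Pick the strongest row tone and column tone; None for a silent frame."""
    if sum(x * x for x in frame) < 1e-3 * len(frame):
        return None
    lo = [goertzel_power(frame, f, rate) for f in LOW]
    hi = [goertzel_power(frame, f, rate) for f in HIGH]
    return KEYS[lo.index(max(lo))][hi.index(max(hi))]


def decode_pin(samples: List[float], frame_ms: int = 20, rate: int = SAMPLE_RATE) -> str:
    """Frame the audio, decode each frame, and emit a key each time the detected
    key changes (silence between presses resets it, so '55' decodes as two digits)."""
    frame = rate * frame_ms // 1000
    digits: List[str] = []
    prev: Optional[str] = None
    for i in range(0, len(samples) - frame + 1, frame):
        k = decode_frame(samples[i:i + frame], rate)
        if k is not None and k != prev:
            digits.append(k)
        prev = k
    return "".join(digits)


if __name__ == "__main__":
    audio = synth_pin("16324")         # constructed PIN from the thread
    print("recovered from the line:", decode_pin(audio))
```

With 160-sample frames the Goertzel bins are 50 Hz wide, which is coarse but enough to separate the eight DTMF frequencies; a real capture would add a per-tone energy threshold and a minimum tone duration to reject speech and line noise, but the weakness being demonstrated is architectural, not in the decoder.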


> Mitnick was a hacker hero of mine in my youth. I think I’ve understood his role as jester prior to conviction less as I’ve grown older, but there’s something about the boyhood charm of being so divorced from the potential consequences of one’s actions that is almost unique.

Yeah, I remember watching "Freedom Downtime" as a teenager and thinking how ludicrous it was that he was sentenced to prison for computer hacking, but now that I think about it as an adult, of course he should have been. Sure, solitary confinement, the specifics of his sentence, etc. may have been extreme, and I'd like to think that the court system has progressed in their knowledge of computer security since then, but what he did was still a breach of corporate security. He knew at the time it was illegal, and he just thought he was too smart to get caught.

That idea that we had at the time that it was a "victimless crime" or something was very immature.


int(phone number) "contained all ten digits" is the main embellishment. KM used different acct#. check delivery was weeks later, after negotiations. either way kevin was OG AF ..|..



