Cases in Which Social Engineering Attacks Were Used
An excerpt from a CNN interview with Kevin Mitnick in 2005.
CNN: And how do contemporary hackers use social engineering in what they do?
MITNICK: Well, how about Paris Hilton? She was attacked on her cell phone, and she was attacked two ways. One was because of a T-Mobile’s Web site, and the other guy was able to compromise it by getting her phone number by going on T-Mobile’s Web site, doing a password reset, which SMS-ed her new password because, presumably, only the owner would have the handset.
And then what they did was, they did a technique called caller ID spoofing, which allows a person to change the number they’re calling from on their calling phone number display. So, they were posing as T-Mobile customer service, and they called her phone, and on the caller ID it showed as T-Mobile customer service, and then they told her, “There are some network difficulties. Have you been getting any SMS [messages] about a password reset, and what were the contents of the message?” and she freely gave it out, and that’s how these guys were able to get to her T-Mobile Sidekick, and her e-mail, and whatnot.
In another example, the IRS just did a security audit under the office of the inspector general and called 100 managers posing as IT people at the IRS, and 35 of those managers freely gave out their password and user name over the telephone.
So, it’s a significant threat. A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted. It’s essentially meaningless.



