• Thursday, October 17, 2024

BusinessDay

Wozniak’s recipe for mitigating “419” and The Art of Deception


In 1978, one of the most gripping bank heist stories took place. One Stanley Mark Rifkin, whom many have probably never heard of, earned his way into history and the Guinness Book of Records when he stole over $10 million from the now-defunct Security Pacific National Bank in Los Angeles.

At that time, it was the largest bank heist and wire fraud case in history. But why was he not a popular robber? Simple! The man did not need to use a gun, blow up the vault, sneak in through the sewers, or even hack the computer system.

Acting alone in his one-man gang, he simply used a payphone in the lobby of the bank during normal business hours to swindle the personnel in the wire transfer section of the bank into sending millions of dollars to a temporary account at another bank. Thereafter, Rifkin transferred the funds to Switzerland, converted the cash into undetectable diamonds, and smuggled them back into the United States.

He would have succeeded with his heist and remained unknown forever if he hadn’t bragged to his attorney, who tipped off the police. In fact, by the time the police notified the bank, Security Pacific was not even aware that any funds were missing. Rifkin’s place in the Guinness Book of Records remained intact until 1999 when the “Most Notorious Hacker” replaced him. That hacker was Kevin D. Mitnick who gained notoriety following a three-year FBI manhunt for breaking into computer networks and stealing software at Novell, Los Angeles, Motorola, Nokia, Sun Microsystems and Fujitsu Siemens.

Later, after serving time in jail, Mitnick teamed up with Steve Wozniak to unleash the best-known tricks used by social engineers to access materials or information which they consider useful. Steve Wozniak, the innovator and inventor, lent his writing skills to the book – The Art of Deception: Controlling the Human Element of Security – written by Kevin Mitnick, a reformed hacker who for some years was America’s most wanted computer criminal. Together they unravelled the ways in which social engineers get what they want from employees of target organizations, especially in corporate sectors such as finance, legal, manufacturing and medical.

Social Engineering refers to the psychological manipulation of people into performing actions or divulging confidential information for the purposes of information gathering, fraud and so on. It is considered a serious menace across the world and, depending on the situation, the victims are hardly aware that they have been conned. This is particularly amazing in cases where the information these easy targets have given is used in solving a puzzle along the way. Even if they become aware, they baulk at making it public because of the fear of what the public might think about them.

Social Engineering is used to cart away some of the best guarded secrets of individuals, companies, governments, organizations, competing brands and so on. So when these two great men in their own rights teamed up to write a book on Social Engineering, it was received with great optimism.

The book explains that while companies are busy rolling out firewalls and other security paraphernalia, they are often unaware of the threats of social engineers. The menace of social engineering is that it does not take any deep technical skills – no protocol decoders, no kernel recompiling, no port scans – just some smooth talk and a little confidence with which to get into the minds of people, who in turn willingly help the social engineer without even having a clue of what they have done.

In Nigeria, social engineers know no boundaries as they use all means available to defraud unsuspecting targets. These acts of fraud against the citizens have been dubbed “419”, taken from the section of the Nigerian Criminal Code which deals with Advance Fee Fraud. The fraudsters have become very creative with time, using the emergence of new technologies to perfect and perpetuate their crimes. For example, the GSM revolution, which has transformed the economy of Nigeria and currently contributes about 10 percent to the country’s GDP, has been used by these miscreants on a regular basis. These social engineers find ways into the system, some of which would ordinarily have enabled busy customers, the elderly and illiterates to achieve their objectives using proxies while relating with their operators.

There is a story of a certain customer of an old generation bank who could not make and receive calls for some days and decided to visit the operator’s customer care center. What she discovered was startling as she was told that her number had been swapped some days ago. As if that was not enough, when she visited her bank she discovered that a huge amount of money running into millions had been withdrawn from her account through cheques purportedly signed by her. The bank officials swore that before granting payment they had called her and she gave her consent.

Now, what really happened was that the social engineers got hold of her cheque book, knowing full well that the bank would have to confirm payment from the account holder. They went ahead to the telco’s customer service to swap the lady’s number onto another line. They forged the lady’s signature and went to different branches of the bank to make withdrawals. Each time the bank’s staff called for payment confirmation, the social engineers, posing as the lady, would give the go-ahead. The bank ended up paying the total sum or risked losing an important customer coupled with a lawsuit. But thankfully the GSM operators have since stopped SIM swap by proxy and such stories are no longer in vogue.

Yet stories relating to social engineering are countless, from impersonating customer service officers in GSM companies, banks and other financial institutions to sending emails asking potential targets for vital details with which to defraud them. Others manipulate security men into divulging their bosses’ daily routines, which they use in kidnapping these people for ransom. For businesses, government agencies, etc., both authors agree that the human element is the weakest link in the security chain.

According to them, social engineers prey on people’s naiveté and their trust to extract the information they need. People want to be helpful and they generally have to deal with strangers of some sort or another in day-to-day business. It goes against their nature, and is contrary to doing efficient business, for them to distrust every person they meet. The challenge then is to train users not to divulge information to anyone, even seemingly useless information, unless they can verify that person’s identity and reason for needing the information, while at the same time remaining productive and doing business efficiently.

Corporations have to find a middle ground that balances the technical and human elements of security and find what works best. The Art of Deception: Controlling the Human Element of Security educates readers and places everyone on a proactive pedestal regarding the activities of social engineers, using real-life scenarios embellished in fiction. It shows how innocuous information given to these fraudsters can be used, or become the final piece of a puzzle, to defraud or access confidential information on individuals, companies, organizations, government agencies and so on.

Additionally, the book provides security tips that could help in deciphering actions that could lead to negative implications. The Art of Deception is among the first set of books to deal with the human aspect of security, a topic that has long been neglected. Though a book has not been written here in Nigeria on social engineering, the world, through the internet, has become a global village for all and sundry, making it possible to replicate here in Nigeria crimes committed in other climes. It is therefore important that individuals, organizations, government agencies, etc. become aware of these devices used by con men and prepare themselves and their employees for the many forms of deceit out there.

Harry Okoruwa is a public relations consultant with xlr8.
