Social Engineering and Phishing to Hijack a Cell Phone Account in Under a Minute

Schooled on Hacking – Social Engineering and Phishing

The term “hacking” did not always have negative implications. Originally, it was slang for a user hacking away at a keyboard to make it do what she or he wanted. Now we have white hats, black hats, and hacking conventions. It has turned into a perpetual white vs. black game of chess: one side trying to make technology work for us, the other trying to take advantage of us by using it against us. However, the most commonly used tactics fall under the category of “Social Engineering”.

Social Engineering is a method which takes advantage of one’s trust or naivety. The hacker will trick someone, in this case a phone company, into bypassing normal security procedures. “Phishing” is a more specific method where the hacker tries to get the account user or company to give up information that is then used to compromise the account. “Spoofing” is when the hacker impersonates either the account holder or the company the account is with.

I found this link at a Boing! Boing! post. Watch how quickly all three of the above were used to take control of a cell phone account at Defcon. (One last thing: “P4wn3d” is l33t sp34k for owned.)

Cell Phone Account P4wn3d in 30 Seconds Using Social Engineering and Phishing

In this situation, since the hacker phished and spoofed the cell phone company, there is little the account holder could have done. However, strong passwords, smart security questions and common sense with your inbox can all go a long way toward protecting yourself.

If you get an email from PayPal telling you to click a link and update your account information, do not click that link. PayPal does not send such emails. If you get a similar email regarding your email, bank or any other account, do not click the link. Instead, type the company’s URL into your browser manually or pick up the phone and call them directly. Do not use any of the contact information in the email.

Regarding strong passwords, I suggest using a password manager such as KeePass or LastPass. Both offer free versions, encrypt your data and will automatically generate strong random passwords.

Other sites mentioned in this post:

  1. The Real Future
  2. Def Con

Thanks for reading and feel free to comment.