Detective Work
Gsig cof dsm fkqeoe vnss jo farj tbb epr Csyvd
Nnxub mzlr ut grp lne?
If I could help Grant with so little effort, how come I still didn’t have the
lowdown on Wernle? Fortunately, I was about to unlock that secret.
Eric kept talking about having to go to work, but he would always
change the subject whenever I asked what he did.
So who was signing his paychecks? Maybe hacking into his bank
account would give me the answer. Since Eric’s name wasn’t on his rental
application or any of his utility bills, I’d look for an account in the Wernle
name.
What bank was he using? Banks, of course, guard their customer
information carefully. But they also need to ensure that authorized
employees are able to obtain information from different branches.
In those days, most banks used a system that allowed an employee to
identify himself to a fellow employee at another branch by providing a code
that changed every day. For example, Bank of America used five daily
codes, labeled “A,” “B,” “C,” “D,” and “E,” each of which was assigned a
different four-digit number. An employee calling another branch for
information would be challenged to give the correct number for code A or
code B or whatever. This was the banking industry’s idea of foolproof
security.
With reverse social engineering, I easily got around it.
My plan had several layers. First thing in the morning, I’d call the target
branch, ask for someone in the New Accounts Department, and pretend to
be a potential customer with a substantial sum of money who had questions
about the best way to earn maximum interest. After developing a rapport,
I’d say I had to go to a meeting but could call back later. I’d ask the account
rep’s name and say, “When are you going to lunch?”
“I’m Ginette,” she might say. “I’ll be here until twelve-thirty.”
I’d wait till after 12:30, then call back again and ask for Ginette. When I
was told she was out, I’d introduce myself and say I was from another of
the bank’s branches. “Ginette called me earlier,” I’d explain, “and said she
needed this customer information faxed to her. But I’ve got to go to a
doctor’s appointment shortly. Can I just fax this over to you instead?”
The colleague would say that was no problem and give me the fax number.
“Great,” I’d say. “I’ll send it right over. Oh, but first… can you give me
the code of the day?”
“But you called me!” the banker would exclaim.
“Well, yeah, I know, but Ginette called me first. And you know our
policy requiring the code for the day before sending customer
information…,” I’d bluff. If the person objected, I’d say I couldn’t send the
information. And I’d continue with something like, “In fact, please let
Ginette know I couldn’t send her what she needed because you wouldn’t
verify the code. Also, please let her know that I’ll be out of the office until
next week and we can discuss it when I get back.” That was usually enough
to push the holdout over the edge, because no one would want to undermine
a coworker’s request.
So then I’d say, “Okay, what’s code E?”
He’d give me code E, which I would file in my memory.
“Nope, that’s not it!” I’d tell him.
“What?”
“You said ‘6214’? That’s not right,” I’d insist.
“Yes, that’s code E!” the banker would say.
“No, I didn’t say ‘E,’ I said ‘B’!”
And then he’d give me code B.
I now had a 40 percent chance of getting the information I wanted
anytime I called any branch of that bank for the rest of the day, since I knew
two of the five codes. If I talked to someone who seemed to be a real
pushover, I’d go for another one and see if he or she would go along. A few
times I even managed to get three of the codes in a single call. (It helped,
too, that the letters