Fascinating story in Wired about Cosmo, a 15-year-old hacker, “who weaseled his way past security systems at Amazon, Apple, AT&T, PayPal, AOL, Netflix, Network Solutions, and Microsoft.”
Typical pranks hackers might play on each other? Oh, just getting the SWAT team at your house:
“Someone also swatted my house,” he tells me, smiling. “It happens a lot to me. Well, the SWAT team was only once at my house, but lots of time with the local police department.” Swatting is a vicious prank where a hacker uses an internet call system to report a hostage situation, which scrambles local law enforcement to the victim’s doorstep.
Even more impressive than Cosmo’s computer skills are his social engineering skills:
And that’s the secret. When Cosmo calls a company pretending to be an employee, he doesn’t wait for them to ask for details. He tells them all the person’s data he has up front. If he knows three pieces of a puzzle and just needs the fourth, he gives them those first without waiting to be asked for them. That way he demonstrates a knowledge of the system, disarming the person on the other end of the line and making them less likely to question his authenticity.
Cosmo sometimes even provides details that he knows tech support doesn’t need. For example, if tech support requires only the zip code on file, he’ll provide the full address anyway. It makes him appear more knowledgeable and less likely to be questioned. That’s classic social engineering.
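The defensive counterpart to that trick, as an added example (not code from the Wired article or from this post): a support-desk verification routine in which everything the caller volunteers is logged but counts for nothing, the agent chooses the challenge question from a field the caller did not bring up, and the result never echoes a value from the record, so a wrong guess cannot be turned into confirmation of the missing piece. The account record and field names are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample record; a real help desk reads this from the account system.
ACCOUNT_ON_FILE = {
    "name": "A. Customer",
    "zip": "94107",
    "email": "a.customer@example.com",
    "card_last4": "4242",
}

# Fields the agent is allowed to challenge on (hypothetical policy list).
VERIFICATION_FIELDS = ("zip", "email", "card_last4")


@dataclass
class Verification:
    verified: bool
    reason: str
    audit: list = field(default_factory=list)  # what happened, never the values on file


def pick_challenge_field(volunteered):
    """Choose a field the caller did NOT volunteer; None means escalate to a callback."""
    for name in VERIFICATION_FIELDS:
        if name not in volunteered:
            return name
    return None


def verify_caller(account, volunteered, challenge_field, challenge_answer):
    """Decide whether a caller has proved ownership of `account`.

    Policy: volunteered details are recorded but never count as proof, however
    many of them are right; only the answer to the agent-chosen challenge counts,
    compared in constant time; the audit trail names fields, not values.
    """
    audit = []
    for name, claimed in volunteered.items():
        matches = name in account and hmac.compare_digest(str(account[name]), str(claimed))
        audit.append(f"volunteered {name}: {'matches' if matches else 'does not match'}")
    if challenge_field not in VERIFICATION_FIELDS:
        return Verification(False, "challenge field not allowed", audit)
    if challenge_field in volunteered:
        # The caller must not get to pick the question by answering it first.
        return Verification(False, "challenge field was volunteered by caller", audit)
    passed = hmac.compare_digest(str(account[challenge_field]), str(challenge_answer))
    audit.append(f"challenge {challenge_field}: {'passed' if passed else 'failed'}")
    return Verification(passed, "challenge passed" if passed else "challenge failed", audit)
```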
The security loopholes at large companies, combined with how easy it is to buy things like social security numbers, almost makes you not want to use the Internet anymore (sadly, this wouldn’t make much difference anyway).