Security

The Weakest Link is Social Engineering: I Have Proof!

I may muck things up for some people by writing about this, but an article I read today has prompted me to tell you about a legitimate social engineering approach I used to fix some of our work accounts.

Where I work we have a significant number of dial-up accounts that are handed out to people who travel a lot. Over the past few years, as people left, we had not recycled those accounts. I did a review of the personnel assignments on those accounts and found we had been paying for a number of them that were not being used. So I redistributed the usernames and passwords around the office to those needing the accounts and asked that they test the accounts out. It seems the previous workers had all changed the dial-up passwords, and I had to call the service provider to get them reset.

Here is what sets the stage for the conversation I had with a customer service representative at a very large national ISP. The dial-up accounts are in a third party's name, in another division, in another state. To complicate things, that person has moved on to a new job, but the bill is actually being paid on a credit card belonging to the new manager who took over the account originator's job. The new manager never changed the account holder's name due to some weird rule that the accounts have to be closed and re-opened to make a name change. Which was smart, as we would have lost e-mail, etc. But the ISP doesn't seem to care whose credit card is being used.

Fearing that this would make the service provider's customer support person freak out when I explained it, I called, vowing not to get into a long conversation that would end with us having account issues.

Here is how it went down:

Ring:
CS: Hello, this is Eric. May I have your home number?

Me: This account is not tied to a home telephone number, but I have a series of usernames that I need the passwords reset on.

CS: Can I have the usernames?

Me: username1, username2, username3, etc.

CS: Ah, great, I will pull up the accounts. Hmm, is this John Doe? <- Original account creator's name.

Me: No, that is the account holder. I am the account distribution manager.

CS: Ah, OK. What would you like the passwords on those usernames changed to?

Me: How about 123abc?

CS: OK, hold one second... OK sir, I have all of these reset. Is there anything else I can do for you?

Me: Yes, I need to verify that Username10, Username15, Username16, etc. are still active and show activity.

CS: Hold one... Yes sir, they all show activity. Is there anything you need done with those accounts?

Me: Nope, thanks, that should do it for us today.

CS: Thanks. Goodbye.

Now what was amazing beyond the above transaction was that he never asked for my name and never asked for the name of the person the accounts were currently being charged to. Subsequently I had to make a few more changes a few weeks later and had virtually the same exchange.

Now think about this: I was honest, I never lied to the person, but on the other hand I was not very forthcoming, although I took care of what needed to be done to get our accounts squared away. It left me feeling a bit insecure. I had just managed to get accounts fixed that I was legally allowed to fix, but the circumstances were out of the ordinary.

Now what if I was someone looking to hijack those accounts? What if someone was trying to hijack them to intercept e-mail that was on them? We would have been screwed for a short time, but we would have definitely been owned by someone else.

Can you guess with which company these two phone exchanges took place? I'll give you a hint with the company's first two letters: "Ve". If a "Ve" representative would like to talk to me about this, I would be happy to explain it all to them, so long as our accounts are not screwed with. I am not the only person who has these concerns.

[The Remediator]

  1. Pete B

    They'll never call you... you're best to call them and file a complaint.