You don't really need technical skills to convince a service provider to give you access you shouldn't have, when the original signup's security answer was publicly available information.
This attack vector was exactly how Sarah Palin's Yahoo mail account was "hacked" in the 2008 presidential campaign. So you'd think people would be more careful nowadays...
I'm curious why people still use their actual mother's maiden name for the answer for security questions: I just make something up and write it down on a piece of paper or store it in an encrypted file. It means I have to look it up to confirm my identity, but all in all I think that's worth it to eliminate the break-in risk (you do have the occasional odd conversation where you have to explain to a service rep "No, my mother's maiden name isn't really 'Winter is coming'").
Social engineering has traditionally always been a key part of the black hat hackers toolbox. If you for example read issues of Phreak magazine from back in the day you'll find many articles about social engineering next to the articles about crypto and technical details of phone and computer systems.
11 comments
[ 4.2 ms ] story [ 36.3 ms ] threadOr even just post the text as a comment. Thanks.
You don't really need technical skills to convince a service provider to give you access you shouldn't have, when the original signup's security answer was publicly available information.
This attack vector was exactly how Sarah Palin's Yahoo mail account was "hacked" in the 2008 presidential campaign. So you'd think people would be more careful nowadays...
It's interesting to me, because "socialing" DNS and other providers generally isn't in-scope during pentesting.
Would be interested to know if there are any pentesters / firms who have this in their "standard" methodology, for webapp or external network testing.