The Security-Conscious Uncle

While working with Johnny Long on his book No Tech Hacking I recounted a a story of something i did to a relative of mine once while we were all out at a family dinner. I had converted it to a fictionalized narrative format to be a better read and make for more entertaining copy, but even with those changes the publishers weren't fully comfortable putting it down in ink. Ah well, c'est la vie. So, instead, i've saved it here for all to read. Enjoy!

"The Security-Conscious Uncle"

My whole extended family sat gathered at a long table in a fine dining establishment. So often our schedules are hectic enough that at least one or two individuals can't make it back to the east coast for any given holiday, thus it was an auspicious occasion to have every single aunt, uncle, and cousin represented at this Christmas Eve dinner out.

When the check eventually arrived, I expected my father and his four brothers to immediately begin their ritualistic swordplay with credit cards, in which each attempts to pick up the check. This appeared to be imminent, but my Uncle Bob simply placed a fold of bills on the waitress's tray while his brothers were fumbling with plastic.

"Oh, way to go getting the drop on us," Bob's older brother Sean remarked. "That was smart of you to produce cash... it gave you an unfair timing advantage. Why couldn't you just reach for your credit card like a normal person?"

Bob Reveals Nothing

Uncle Bob informed the group something that showed me just how much he had been keeping up with the current threats to privacy and personal information. He explained how he ceased carrying credit cards two years ago, not wanting to leave any digital trail of his spending habits. "Nope, it's cash only for me ever since the Patriot Act was signed into law," he said flatly. Not only does cash anonymize his spending, Bob remarked, but if his wallet were to be lost or stolen, a nefarious party couldn't go on a spending spree.

Sean expressed incredulity over this... and pointed out that there was still the matter of the Check Card seen nestled in Bob's wallet. "Don't the same risks of electronic records and criminals having a field day in Best Buy's plasma TV section still apply?" he asked.

It was at this point that my uncle revealed just how cautious he was being. "That's not a Check Card... it's an ATM card. They're not the same thing," he told the group. Bob proceeded to instruct his relatives about the distinction between these two very similar and oft-confused pieces of plastic.

The Wisdom of Bob

Years ago, when you opened a bank account, typically you would be given an ATM card. This mag-stripe token would allow you to withdraw funds (and later, would allow you to complete certain point-of-sale transactions) with the use of a four-digit PIN number. Now, however, most banks issue their customers "Check Cards" (almost always tied to the VISA Merchant Banking network) which can be used like a debit card (with a PIN) or like a credit card (requiring no PIN). "This is a major security loophole," he remarked, "And I always demand that a bank issue me an ATM card specifically. That way, without my PIN number, the card is useless."

The group was impressed. Many people looked at the bank-issued plastic in their wallets and vowed to change to a more secure card after the holidays.

The Story Doesn't End There

"I'm very impressed with your strict attention to security, Uncle Bob," I piped up, "but what happens if your wallet is stolen by someone who has the ability to discover your PIN number? Have you taken steps to prevent that from happening?"

Bob looked at me curiously for a moment. Then he laughed. "The only place I have things like access codes and passwords written down is in a text document stored on an encrypted disk that I keep in my lawyer's vault for insurance purposes. That's far beyond the reach of the common criminal, and I don't think that the FBI or the NSA is going to take an interest in stealing my money or my identity anytime soon."

The Challenge

I knew that such an assured person often makes the best target for a security challenge... if one can succeed in penetrating their defenses, their reaction tends to be priceless. "Imagine I'm a criminal who has stolen your wallet. Perhaps I'm a busboy who took your overcoat from that hook on the wall as we were all eating. What would you say if told you I could discover your PIN number almost immediately after seeing your ATM card?"

"If you can do that," my uncle stated with a laugh, "I will personally see to it that the biggest-ticket item on your Christmas list is under the tree in your home this year!"

"Very well, as long as you don't mind me revealing this in front of everyone... let me have a look at that card." I took the ATM card and turned it over a couple of times, reading both the digits on the front and the phone number on the back. "I'd like to make one call... can you hand me your phone, Bob?" My uncle passed me his moblie phone, assuring me quite plainly that an attempt to social engineer any representatives whom I might reach at the bank's customer service number would be a wholly useless endeavor. "They're trained specifically to never reveal anyone's PIN number. Even a legitimate card holder can only request a new card and PIN... and that has to be picked up in person with proper ID, it's not even sent through the mail."

Making the Call

Undaunted, i punched away at his phone's keypad and held it to my ear. The rest of the family looked on as I conducted a brief conversation...

"Hello? Yes, it's me. I'm not interrupting am I? Oh right, your family doesn't get together until tomorrow. Say hi to your sister for me, hah. So listen, can you do a quick lookup for me? Yeah, this is an ATM card issued by Commerce Bank. Last name is O'Connor and the last four digits of the card number are 8579."

My family, Bob included, now sat slack-jawed. Who in the world could I be calling? They knew I had some very interesting friends in the security world, but still. Was I speaking to a friend at an investigative business of some sort? Or a spooky individual in the greater D.C. area? What if I were on the phone with some black hat teenager in his parent's basement?"

After a moment I picked up a pen left on the table by the waitress and started scribbling on a scrap of paper. "Ok, yeah... got it. Thanks man, have a safe and happy new year if I don't talk to you before the 1st!"

I hung up and held the scrap of paper close to my chest. Everyone sat breathlessly as I looked it over. I considered things for a second, then said, "Indeed... you do take security more seriously than almost anyone I know, Uncle Bob."

He wore an expression of vindication. "Hah! You couldn't discover it, could you? I knew that was all smoke screen!"

The Revelation

I cracked a wry smile. "No, I was referring to the fact that most people simply use their birthday or the birthday of a loved one. You don't seem to have done that. It looks like you took your daughter Mary's birth date of March 6th but coupled it with what I can only imagine would be your wife's birth year of 1952. You really do look stunning, Aunt Ellen... I wouldn't have placed you anywhere near 50."

I slid the scrap of paper across the table to Uncle Bob. On it were written four simple digits: 3652

Bob looked absolutely stunned. The entire table set in with a cacophony of questions demanding to know who it was that I called and whether or not their PIN numbers or banking codes were vulnerable, too.

The Explanation

I let the group chatter about in a frenzy for a short while. Then I couldn't keep up the act anymore. I stopped trying to stifle my laughter and my deadpan expression broke down into riotous chuckling.

"Relax, everyone... your information is all very safe, and I didn't call anyone about whom you should be concerned." I explained that Bob was right, there was a bit of a smokescreen employed... but it had been for dramatic effect. I handed my uncle back his mobile phone and asked him to look at whom I had called.

"That's strange," he said after poking about in system menus for a second, "This only shows a call to my voicemail." Exactly. I explained to the group that what I had done was to simply leverage possession of Bob's phone to my favor. A criminal grabbing someone's phone along with their wallet isn't all that outlandish a prospect... particularly in the "stolen coat" scenario about which we had hypothesized.

Bob's mobile provider offers a feature that requires parties enter their personal access code when checking voicemail, but this feature is always disabled by default. If the individual is entering the voicemail system from their own personal handset device (or if they know how to spoof caller ID) no code is needed. I had simply dialed Bob's voicemail and, while pretending to have a conversation with a high-tech security expert, I had accessed the "change personal options" menu. From there, selecting the "choose a new passcode" feature resulted in the automated voice on the other end of the line telling me what my current passcode was.

The most security-conscious citizens often use a whole host of various passwords for computer systems, web sites, and email accounts. But I wagered that Bob, like so many of these persons, fails to be as unpredictable when constrained to four character places and the use of numbers as opposed to letters. When his mobile voicemail stated, "Your current passcode is three six five two" I knew that the odds were very good that these same four digits would allow me to clear out his bank account at almost any ATM.

So what's the lesson in all this? Keep your voicemail systems passcode-locked... even if you're calling in from your own handset!

Be safe out there,

- dev