Schneier on Security
A blog covering security and security technology.
« Fingerprint Library Cards |
| Massive Data Theft »
May 23, 2005
Paris Hilton Cellphone Hack
The inside story behind the hacking of Paris Hilton's T-Mobile cell phone.
"This was all done not by skilled 'hackers' but by kids who managed to 'social' their way into a company's system and gain access to it within one or two phone calls," said Hallissey, who asked that her current place of residence not be disclosed. "Major corporations have made social engineering way too easy for these kids. In their call centers they hire low-pay employees to man the phones, give them a minimum of training, most of which usually dwells on call times, canned scripts and sales. This isn't unique to T-Mobile or AOL. This has become common practice for almost every company.
How right she is.
EDITED TO ADD (11/11): Everyone, please stop asking me for Paris Hilton's -- or anyone else's, for that matter -- cellphone number or e-mail adress. I don't have them.
Posted on May 23, 2005 at 12:41 PM
• 10 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
... In other words there is nothing stopping an intelligent entity with good kung-fu in getting anything on anyone any given day. That is just the nature of the beast.
my understanding was not that they hacked her phone using some flaw in the "programming" of the website, but that they used her well known dog's name: "tinkerbell" and reset her password...then gained access to the account and her files. not sure how accurate this article is even though it follows various sources and such.
Neither of these is correct. The fact that paris hilton's phone was hacked was a minor minor aspect of a FAR larger security breach at t-mobile.
Sorry I can't say more.
I think it's wrong to say that they aren't skilled hackers... In my opinion, social engineering is the hallmark of a true hacker.
Not that I know crap about hacking... I suppose I just have this romanticized image of it in my head.
"T-Mobile has invested millions of dollars to protect our customers' information, and we continue to reinforce our systems to address the security needs of our subscribers," company spokesman Peter Dobrow wrote in an e-mail. "For our customers' protection, we do not publicly disclose the specific actions taken to reinforce our systems."
That just about sums it up for me.
I wonder, given their stance above and their track record on protecting customer data: If I were interested in becoming their customer, would running a penetration test on their web sites and/or attempting social engineering be defensible as simply exercising due diligence?
In my opinion, all good hackers should be able to use SE, but all who can SE well are not necessarily hackers. For example, one of my friends got virtually all the info there is to know about a system by a crude form of SE against the sysadmin, but he couldn't get into the system on his own.
The account maintenance site for Sprint PCS email accounts is publically accessible, but "protected" with credentials that everyone who's worked for Sprint PCS or one of its outsourced support organizations (DecisionOne, IBM, etc) knows. All that's required to deny a Sprint PCS customer access to his email is his cell phone number and a widely-known password. The "set password to random string" feature is particularly interesting.
Retrieving the password for the entire account is almost as easy; just call customer service, claim that you can't remember your account password and respond with the last four digits of the Social Security number when asked.
Hmmm, since it was a SE attack then I guess to quote Choicepoint's CSO, "Fraud is not an information security problem" this really wasn't a security problem at all.
Actually in my experience AOL is pretty good with social engineering. AOL was my first ISP, which I canceled many years ago. However, I was curious to find out when exactly I started using the internet. So I called up AOL and told them I was interested in reopening my old account, and asked them what date the account had been created and closed. Just this simple question freaked them out and they threatened to call the cops.
How true it is about "minimum wage" call center operators. Our company has a call center which occupies one end of a big room, with the other end taken by another (business partner) company's call center. The operators who actually have a normal IQ usually quit in less than two years (I think the average is just under 18 months) because the work is so soul-destroying and stressful, so most of the "experienced" ones are dumber than mules. Nice people, mind, salt of the earth folk, but people who need help to order pizza.
Plus, we recently had two call center operators fired for stealing, they were immediately rehired by our business partner! They went to work in the same room about ten yards from their old workstations, and were promoted to supervisor because they were "experienced"! Experienced alright, now they know better how to cover up their crimes!
I think I better go anonymous on this one...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.