How A Teenager Hacked The CIA With A Few Phone Calls

Earlier this week, news broke that hackers had accessed the personal email accounts of CIA director John Brennan and Homeland Security Secretary Jeh Johnson. These attacks on some of America’s most security-focused leaders sound like they must have been incredibly sophisticated – maybe the result of organized crime leaders or international espionage. But as it turns out, the attacker was simply a teenager with access to a phone.
How did a self-described “pot smoking teenager” manage such a high-profile attack? He used a technique known as “social engineering,” which is a fancy way of saying he tricked a few call center agents. Wired reporter Kim Zetter described the process in an article posted Monday night:

• The hacker started with Brennan’s mobile phone number. After looking it up online, they found that he was a Verizon customer.

• The hacker called Verizon, pretending to be another Verizon employee having technical issues. Verizon call center agents helped the hacker access Brennan’s account number, PIN, backup mobile number, AOL email address and the last four digits on his bank card.

• Working down the daisy chain, the hacker next called AOL, impersonating Brennan himself. He claimed he was locked out of his email account and needed the password reset. AOL customer service reps asked security questions, but the hacker was able to answer correctly using information collected from the earlier Verizon call.

• The hacker reset the password to Brennan’s AOL email and downloaded several years worth of information, including Agency related documents, a log of Brennan’s phone calls, and his contact lists.

The hacker used a similar method to break into Jeh Johnson’s Comcast email account. And we’ve seen this kind of high profile call-center based attack before. In 2012 hackers called Apple to reset reporter Mat Honan’s accounts and take over his Twitter. Earlier this year, novelist Andy Weir was the target, with the hackers calling Comcast to get access to his social media accounts.
Hackers today use the phone channel as a way to quickly and easily gain access to online accounts. They work across industries, gathering information on their targets from different organizations to build a profile before their final attack.
The message is clear: Call centers are the weakest link. All organizations are vulnerable when it comes to the phone channel, because the main line of defense for most call centers is little more than a friendly customer service agent asking a caller for their mother’s maiden name.
Call centers must find better ways to authenticate callers, before agents are able to give away valuable personal information. Organizations that rely on a call center should follow the lead of some of the largest US financial institutions, which are now implementing solutions based on Phoneprinting^TM and voice biometrics to authenticate callers based on risk.
Phoneprinting analyzes 147 characteristics of the background audio of a call to determine the caller’s location, device type, and other characteristics, creating a unique identifier for each caller. Within the first 30 seconds of a call, Phoneprinting can tell a call center agent whether the call is suspicious, if the phone number is being spoofed, or the caller is a known fraudster.
Gartner vice president and distinguished analyst Avivah Litan addressed the issue in an article for Forbes last year writing, “The best security is always layered security, and this principle holds true when securing the telephony channel… Phoneprinting combined with voice biometrics provides the strongest method for detecting fraudsters who call into enterprises.”