i've always seen stories of identity theft and virtual identity theft. and i've not been a victim thankfully. but in those stories (the ones that make the "big" news) there always seems to be a technical hacking going on to get more information, etc. nothing really exposes as it should the social side of hacking.
the hp scandal really started to do this and added "pretexting" became the latest favorite word of journalists. kevin mitnick has said that this type of social hacking is the best weapon that everyone seems to forget about.
well, the other day i was looking at one of my bills that i don't pay on their web site. they had a teaser on their bill that said "you can now pay online go to our site blahblah.blah" so i did. it asked me for my account number and a pin. there was no "sign up" link or anything and i had no idea what my pin was since i hadn't done it before. so i called them.
it went something like this:
them: hello thank you for calling company blah, how can i help you
me: hi, how are you, i'm trying to use the new online billing feature but don't have a pin setup yet, and didn't see a sign up, can you send me one (thinking that is how the banks do it to ensure the pin at least gets sent to the registered address)
them: let me look that up for you, what is your account number
me: flippity-flip-flip
them: okay, your pin is skippidy-doo
me: thank you
them: your welcome, you are tim heuer right?
hmm, me thinks some verification should have happened BEFORE the essential pin was provided. now what information was available, well nothing at this point because i hadn't used the service. but what if i had and decided to store my cc information (which i never do by the way and wouldn't recommend anyone doing)? when i hung up the phone i just sat there for a second and had the realization of how easy it is to be a victim.