Hackers' Low-Tech Tool: A Phone Call : Planet Money Hackers call up corporations and try to get them to reveal sensitive information. Hello, Wal-Mart?
NPR logo

Hackers' Low-Tech Tool: A Phone Call

  • Download
  • <iframe src="https://www.npr.org/player/embed/139680012/139680142" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Hackers' Low-Tech Tool: A Phone Call

Hackers' Low-Tech Tool: A Phone Call

  • Download
  • <iframe src="https://www.npr.org/player/embed/139680012/139680142" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

MELISSA BLOCK, host: For a company, security can mean a lot of things. Computers are part of it - firewalls to protect data or personal information. But just as dangerous as a computer hacker can be someone on a phone. Here's Zoe Chace of NPR's Planet Money.

ZOE CHACE: To learn how to hack a corporation, I figured I had to go to DefCon. DefCon is a conference for computer hackers. It's $150 in cash to get in. Don't use the Wi-Fi and don't use the ATMs because you might get hacked or your card number will be stolen.

It's where the weirdos come to be as weird as possible and be rewarded for it, like this guy's beard is as purple as the day is long.

UNIDENTIFIED MAN #1: I competed in a beard contest and I took second place next to some guy with some really gnarly wolverine chops and my hats are off to him.

CHACE: This other dude rolls up a short while later, wheelchair, leg in a cast.

UNIDENTIFIED MAN #2: That's why those signs say no diving.

UNIDENTIFIED MAN #3: What do you mean?

UNIDENTIFIED MAN #2: No diving. They also mean no cannonballs.

CHACE: The broken leg is new. It's from cannonballing into the pool last night.

This conference for the best computer hackers in the free world is held every year in Las Vegas and there are many computer hacking competitions held at this conference, most of which would be way over your head, but not this one.

MARK: We can use his phone number to call someone else and impersonate him to get information.

CHACE: One of the most popular competitions at DefCon is called social engineering. Social engineering means, essentially, you seduce an actual person into giving you sensitive information over the phone.

Mark is preparing to call Wal-Mart. He didn't want me to use his last name in this story because what he's doing is possibly illegal.

MARK: Earlier, we were actually looking at a Wal-Mart intern and we were just looking at, you know, everything he's done, what college he went to. His parents' blog, actually, was able to give us a good amount of information.

CHACE: Mark is getting psyched up to sit in a glass phone booth in front of dozens of people and call Wal-Mart. Their conversation is broadcast over a PA system. Here is Mark's side of the conversation. He's using a fake name.

MARK: Hello. This is Matthew Hughes from Corporate IT.

CHACE: As soon as Wal-Mart picks up, I have to shut off my recorder since they don't know they're being recorded. I check in with the contest host, Chris Hadnagy, about how Mark's doing.

CHRIS HADNAGY: Not getting nervous about things. When he wasn't messing up and getting nervous when he's on hold.

CHACE: Each contestant has 25 minutes in the glass phone booth. They have a checklist of stuff they have to get out of the company. What time their packages are delivered, what's their antivirus software, do they have the latest version of their operating system.

And Mark actually gets a few, even though it's his very first time. He's baby-faced already, being that he's only 18 and, right now, he's actually flushed with pride.


CHACE: And then he's not out of the booth for more than two seconds when he gets a job offer.

UNIDENTIFIED MAN #4: What do you normally do when you're not (unintelligible) ?

CHACE: They asked me not to record this conversation, but I can tell you a security company offers him a job on the spot.

The unsuspecting companies that got hacked get rated on a scale of how vulnerable they are in a report that will come out in a few months.

I called Wal-Mart to see what they thought. They declined to comment.

It's funny. Even if companies try to upgrade their security systems, they're also spending money making their customer service better, more friendly and helpful. It's precisely that helpfulness that might get them hacked later.

In many of the high profile hacks of late, Sony, the security company HBGary, had a social engineering component. Hackers got what they needed to steal a bunch of data through a phone call. Zoe Chace, NPR News.



Copyright © 2011 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.