How I, unintentionally, social engineered information out of a bank employee

I had a wonderful banking experience this week.
I was trying to move some money from a savings account to a current account, the savings account having plenty of money on it and the current account being on zero.

On my first attempt, over the weekend, there was no direct feedback from the system, so I guessed it would take till Monday for the transaction to be processed because banks are closed over the weekend (yes, that is how things work in Holland more often than you’d expect).
On Monday I checked the account and there was no money there. On checking the transaction I found out it had been refused by the system without any indication why.
So I decided to try it again, without waiting for the feedback from the system because it was now after office hours (yes, I make really odd assumptions when banking; unfortunately experience has taught me that more often than not these assumptions are correct).

Next morning I check the account, no money in it. I think, that’s odd… So I check the transaction and yet again it is refused without a reason, just some inexplicable error code, which meant nothing to the helpdesk either as it turned out later on.

Being a persistent person I decided to try it once more, this time during office hours so that I could see the immediate feedback from the bank and of course could call them.

No surprise, the transaction was once again refused.

On this I called the bank’s helpdesk.

I explained what was going on, i.e. that I tried transferring money from a savings account to my current account, both within this bank. To my big surprise the only identification I needed to give to the helpdesk person was the bank account I was transferring from, with no extra verification of who I am and whether I can prove that I indeed should have access to these details. Instead she asked me which of the current accounts I was trying to transfer to, naming the account numbers for me and telling me in what name they are, so that she could look up the transaction and see what was going on.

Ever since reading Kevin Mitnick’s first book, “The Art of Deception”, I have thought that social engineering could not be as easy as he makes it seem. Turns out it truly is. I social engineered, unintentionally, the account numbers and attached names out of a helpdesk employee of a bank. With this I could quite easily start playing around on the internet and clean out the accounts with purchases based on direct debit transactions.

The other odd thing came to me when I was told what was going on and why the transactions were being refused: we apparently never returned the original, signed contract for this savings account. I of course requested a new version of the contract to be sent to me.

On receiving it I decided to read the contract and the small print on it for a change. The small print contains a short section about possible wrong information on the contract, such as counter-account numbers or names, and how you can adjust these. All you have to do is write the correct details on the contract, sign it and send it back.

So it turns out you can open a savings account, attach it to an account, and put money into the savings account from one of the attached accounts, all without ever signing the contract. On signing the contract you can change the details about the attached accounts to something else just by writing the new information on the contract and sending the contract back to the bank. All by snail-mail.

On receiving the new details the bank will make the appropriate adjustments and send a confirmation (snail)mail about this to the account holder.

This sounds like a very slippery slope for a bank to me. I was first of all shocked to notice that my details were given away so easily without verification and secondly that if someone wants, they can hijack an account relatively easily…

I did tell the bank that their verification of the caller should be changed, curious to see if they actually do…
