Social Engineering at Sympatico
by: wintermute

Let's say that for whatever reason you wish to delete email from someone else's Sympatico account. (For those of you who don't know, Sympatico is an ISP run by Bell Canada, with about 1.2 million users.) All that is required is some simple social engineering.

Technical support agents at Sympatico have the authority to delete one email message from the account of a caller. They can also tell the caller how many messages are waiting, the sizes of the messages, and the subject and sender of each message. This is usually done if the message is too large to be transferred in a reasonable amount of time or if the user does not want to bother downloading it. There is supposed to be a verification of identity before this occurs.

To pass this verification of identity, the only things needed are the user's User ID on the service and their complete billing address. The User ID is a number in the following format: b1xxxx99, where x represents a letter and 9 represents a digit. The numbers always start with b1, unless you live in the Yukon, Northwest Territories or Nunavut, in which case it may start with y1. Both pieces of identifying info can be easily lifted from any Sympatico user's bill, which prints the User ID in the top right corner and, of course, the mailing address on the envelope. Regardless, a mailing/billing address is very simple to acquire from any piece of mail. Finally, the User ID alone is sufficient to pull this off 80 percent of the time, as Sympatico agents are accustomed to doing this for users and do not often bother to check.

Scenario: You are mad at your boss. You know that she is going to receive an important email the next day, and on your way out the door, you see that she has left her Sympatico bill lying on her desk, or perhaps her connection open on her Windows terminal. You jot down the User ID and the address, and that night you call a friendly tech support agent and cheerfully delete whichever email you wish from her account, without her knowledge and in a way that is very difficult to trace. Close to the perfect crime, or at least the perfect act of revenge.

The only real crime here is the ridiculously lax security standards at Bell Sympatico.

P.S. Don't try to change anyone's password or personal options with this engineering trick: you will be asked for a credit card number for anything other than this gaping hole in their email security. It's a pretty silly oversight, but one that they have no intention of correcting.

And remember - not all hacks occur at the computer terminal, and sometimes you can get someone else to do the damage for you with a smile. Or at least a fake telephone smile.

10/06/2000