
How would he have known the CEO's bank account number? Did the CEO write him a check at some point? Or maybe a bank's CEO traditionally gets account number 1…


Bank account numbers aren't secret, they're written on the bottom of every check you write. The story lacks the details of how he got his hands on it but it's not unreasonable to assume he was able to access such unprotected information.


Yeah I know, I wondered in the comment whether the CEO might have written Mitnick a check.


Mitnick was exceptionally gifted at social engineering information out of various company departments over the phone.


> How would he have known the CEO's bank account number?

Welcome to the American banking system.


The European bank account numbers are often posted publicly. If you are a VAT payer, you're supposed to check that the account you send money to is registered with the business in the public registry. Otherwise you may be held liable for the receiver's tax fraud. Many companies also show them on their webpage to make it easier to get paid. See e.g. https://www.pre.cz/en/contacts/bank-details/

The account number should be just an ID, not an authentication mechanism.


> The account number should be just an ID, not an authentication mechanism.

Right? One of the many things (and I mean this without any hate whatsoever) I simply can't and will never understand about the US. A bank account number is your mailbox for receiving money. How does that country even operate when they build those mailboxes underground?


You send the money to a literal mailbox instead. That’s how.

(Using a check, the very infrastructure we’ve been talking about!!)


But then you've given out your bank account number, so the secrecy is bunk.


The US bank security system confuses me. To accept money, I need to give out my routing number and account number. Using those numbers, someone could theoretically withdraw money... Maybe... The whole system is built upon obscurity. Why do some stores need a pin on my debit card, and some do not? Why do online stores need my name and address, but IRL ones do not? How did that one online store charge me without my CVV? How can restaurants swipe my card now and charge me later?

I only send and receive money with Google/Apple Pay & PayPal at this point. This flow is reasonable (every transaction is authorised in a trusted location, i.e. PayPal, and further transactions are impossible without additional authorization). It boggles my mind that banks & CC companies haven't made some standard for this. Would save them so much money in fraud protection.
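The model the two comments above are circling (the account number is a public address for receiving money; authority to move money comes from a separate, per-transaction authorization) can be shown in a few lines. The following is an added example written for this thread, not code from any commenter, bank or payment provider; the ledger, account numbers, signing key and token format are all constructed for illustration, and the "trusted location" that mints the authorization is assumed to run only after the payer has logged in through its own channel.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample ledger: account numbers are public identifiers, nothing more.
# Anyone may know them (they go on invoices and checks); knowing one grants no authority.
ACCOUNTS = {"ACC-1001": 500, "ACC-2002": 100}

# Bank-side signing key. Constructed for the example; a real deployment keeps it in an HSM/KMS.
_SIGNING_KEY = secrets.token_bytes(32)

# Nonces of authorizations already spent, so a captured token cannot be replayed.
_CONSUMED = set()


def _canonical(payer, payee, amount, nonce, expires):
    """Fixed byte layout of the fields the MAC covers (assumed format for this example)."""
    return f"{payer}|{payee}|{amount}|{nonce}|{expires}".encode()


def issue_authorization(payer, payee, amount, now=None, ttl_seconds=300):
    """Mint a single-use, time-limited authorization for one specific transfer.

    Assumption: this runs in the trusted location (the payer's authenticated
    session) only after the payer has proven who they are out-of-band. The payee's
    account number is just an input; it is never treated as a credential.
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    expires = now + ttl_seconds
    mac = hmac.new(_SIGNING_KEY, _canonical(payer, payee, amount, nonce, expires),
                   hashlib.sha256).hexdigest()
    return {"payer": payer, "payee": payee, "amount": amount,
            "nonce": nonce, "expires": expires, "mac": mac}


def transfer(auth, now=None):
    """Apply a transfer only if it carries a valid, unexpired, unused authorization.

    Returns a short status string; 'ok' means the ledger was updated.
    A request that names the accounts and amount but has no valid MAC is rejected,
    which is exactly the 'account number is an ID, not a password' property.
    """
    now = int(time.time()) if now is None else now
    try:
        payer, payee, amount = auth["payer"], auth["payee"], auth["amount"]
        nonce, expires, mac = auth["nonce"], auth["expires"], auth["mac"]
    except (KeyError, TypeError):
        return "rejected: no authorization"
    expected = hmac.new(_SIGNING_KEY, _canonical(payer, payee, amount, nonce, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; binds payer, payee and amount to the token,
    # so changing the amount after issuance invalidates it.
    if not hmac.compare_digest(expected, mac):
        return "rejected: bad signature"
    if now > expires:
        return "rejected: expired"
    if nonce in _CONSUMED:
        return "rejected: replay"
    if payer not in ACCOUNTS or payee not in ACCOUNTS:
        return "rejected: unknown account"
    if not isinstance(amount, int) or amount <= 0 or ACCOUNTS[payer] < amount:
        return "rejected: insufficient funds"
    _CONSUMED.add(nonce)
    ACCOUNTS[payer] -= amount
    ACCOUNTS[payee] += amount
    return "ok"


if __name__ == "__main__":
    # Someone who merely knows the payer's account number (as on a check) tries to pull funds.
    print(transfer({"payer": "ACC-1001", "payee": "ACC-2002", "amount": 50}))
    # The payer, from an authenticated session, authorizes one specific payment.
    token = issue_authorization("ACC-1001", "ACC-2002", 50)
    print(transfer(token))   # applied once
    print(transfer(token))   # same token again is refused
    print(ACCOUNTS)
```

The design choice worth noting is that the token is bound to payer, payee, amount, and a one-time nonce, so the only thing a payee ever needs to publish is the identifier, and the only thing an attacker gains from learning it is an address to send money to.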


> Why do some stores need a pin on my debit card, and some do not?

Oh that’s easy enough. If they need a PIN it’s actually being run as a debit card over the debit card network. Otherwise it’s being run as a “check card” over the credit card network (with higher fees and better consumer protections). It’s just backed with money instead of a line of credit.

> Why do online stores need my name and address, but IRL ones do not?

IRL stores have access to the actual card (with your name) and having this artifact present makes it much less likely that you are a fraudulent fraudster committing fraud, so the processors are willing to take it.

> How can restaurants swipe my card now and charge me later?

The good news is if the store ever defrauds you, everyone knows where to find the store! Unlike fraudsters making purchases.


And banks are still perfectly willing to issue personal checks, a form of payment that requires you to hand someone a piece of paper with your full name, address, bank account and routing info, your signature, and a brief handwriting sample.


> The account number should be just an ID, not an authentication mechanism.

Ergo my "welcome to the American banking system".


He used the CEO’s voice to access AN account, I don’t think it was the CEO’s specifically. But just an account, verified by the CEO’s voice, to his.


I doubt the bank’s authentication system is built to allow the CEO’s voice to authenticate a transfer out of any account.


I doubt it as well. Back in the day, I worked for an elected official who insisted on being a Domain Admin in our Active Directory tree. My co-worker and I used to joke, "think he wants to be a Schema Admin too?"


When you do pen testing you're given a limited list of valid targets.

I imagine that the mission parameters were that he take a check and remove money from the account.

It would also make sense that this is the CEO's account, or one he also controls, because he's in on the test and can give informed consent. Also, probably the CEO doesn't have any special access so breaking into his identity wouldn't impact the bank the way breaking into the IT manager's account might.

If this was a fake account (one with no real user) then they wouldn't have discovered this flaw because Mitnick couldn't have called the user. Having a real person be exploitable is essential to proper discovery of the full scope of the problems.


This is probably closer to the truth. That it was a test all along.


This was a long time ago. It was a small bank. I also heard it through the grapevine and not from him himself. I could definitely be wrong but this is what was told to me by someone who was there.


At Schwab my voice is my password. Is how Schwab authenticates me by voice. That demonstrates to me Schwab knows they need a voice passphrase that wouldn't be used in passing or without raising suspicion.


This comment is very hard to parse, but after reading it, I feel a general sense of relief that I'll never use Schwab.


After over 30 years of perfect service, Schwab has done something so egregious that I’m leaving them. They used to be the best bank I ever used.

Finally, I know that passphrase is tied to my phone number. It's not perfect but it is as good as any other consumer bank's system.

I don’t recommend Schwab but my accounts are as secure as any.


At first I thought this was a reference to the movie Sneakers (https://www.youtube.com/watch?v=-zVgWpVXb64), but after searching it seems Wells Fargo also does this, https://www.wellsfargo.com/privacy-security/voice-verificati....


I just thought it was an interesting contrast to the bank executive story, which demonstrated how the passphrase may have evolved and that moving money is done by voice authentication today.

Using just one's voice is bad. Using a phrase is better. Using a phrase that is unique and describes its function may set off alarm bells for some.

I never connected the phrase with Sneakers.
