Spear phishing is a powerful fraud technique. The objective is to obtain sensitive or confidential data, which can then be used to mount an attack. A combination of, for example, my home and mobile numbers and my work and personal email addresses is a valuable tool in "capable" hands.
Obtaining such data is not easy, but Siri can help.
Grab your target's LOCKED (!) iPhone, then press and hold the Home button to wake up Siri. Ask her for "My name". Then for "My email address".
Next, request data on "My wife" (Siri prefers "My spouse", actually). Then try some names - e.g. John or Peter - to get FULL details from Address Book. Try "Lloyds" ("Barclays", "HSBC" and other major banks) to see what useful data is available there.
You can send an SMS to, or call, any of the numbers you see. Very handy if your target has a number stored for an alternative low-cost telecom company - dial the access number, then you can call anyone in the world, for FREE! With the phone still locked...
I'll leave the rest to your imagination. (Siri won't show your photos or launch apps - you do need to enter PIN for that - but there are some other neat tricks for exploiting that security hole, which I won't describe here...)
Enjoy!
Apple has the best security implementation in the industry, both on the s/w and h/w levels. I do hope it tells Siri off soon, especially if Apple is serious about entering the payments playground.
P.S. Apparently, that Siri exploit is old hat: it's been known since... 2011.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.