Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (30 page)

Authors: Kevin Mitnick,Steve Wozniak,William L. Simon

So who was signing his paychecks? Maybe hacking into his bank account would give me the answer. Since Eric’s name wasn’t on his rental application or any of his utility bills, I’d look for an account in the Wernle name.

What bank was he using? Banks, of course, guard their customer information carefully. But they also need to ensure that authorized employees are able to obtain information from different branches.

In those days, most banks used a system that allowed an employee to identify himself to a fellow employee at another branch by providing a code that changed every day. For example, Bank of America used five daily codes, labeled “A,” “B,” “C,” “D,” and “E,” each of which was assigned a different four-digit number. An employee calling another branch for information would be challenged to give the correct number for code A or code B or whatever. This was the banking industry’s idea of foolproof security.

With reverse social engineering, I easily got around it.

My plan had several layers. First thing in the morning, I’d call the target branch, ask for someone in the New Accounts Department, and pretend to be a potential customer with a substantial sum of money who had questions about the best way to earn maximum interest. After developing a rapport, I’d say I had to go to a meeting but could call back later. I’d ask the account rep’s name and say, “When are you going to lunch?”

“I’m Ginette,” she might say. “I’ll be here until twelve-thirty.”

I’d wait till after 12:30, then call back again and ask for Ginette. When I was told she was out, I’d introduce myself and say I was from another of the bank’s branches. “Ginette called me earlier,” I’d explain, “and said she needed this customer information faxed to her. But I’ve got to go to a doctor’s appointment shortly. Can I just fax this over to you instead?”

The colleague would say that was no problem and give me the fax number.

“Great,” I’d say. “I’ll send it right over. Oh, but first… can you give me the code of the day?”

“But you called me!” the banker would exclaim.

“Well, yeah, I know, but Ginette called me first. And you know our policy requiring the code for the day before sending customer information…,” I’d bluff. If the person objected, I’d say I couldn’t send the information. And I’d continue with something like, “In fact, please let Ginette know I couldn’t send her what she needed because you wouldn’t verify the code. Also, please let her know that I’ll be out of the office until next week and we can discuss it when I get back.” That was usually enough to push the holdout over the edge, because no one would want to undermine a coworker’s request.

So then I’d say, “Okay, what’s code E?”

He’d give me code E, which I would file in my memory.

“Nope, that’s not it!” I’d tell him.

“What?”

“You said ‘6214’? That’s not right,” I’d insist.

“Yes, that’s code E!” the banker would say.

“No, I didn’t say ‘E,’ I said ‘B’!”

And then he’d give me code B.

I now had a 40 percent chance of getting the information I wanted anytime I called any branch of that bank for the rest of the day, since I knew two of the five codes. If I talked to someone who seemed to be a real pushover, I’d go for another one and see if he or she would go along. A few times I even managed to get three of the codes in a single call. (It helped, too, that the letters B, D, and E all sound sort of alike.)

If I called a bank and was asked for code A when I only had B and E, I’d just say, “Oh, listen, I’m not at my desk right now. Would you settle for B or E?”

These conversations were always so friendly that the bank employees would have no reason to doubt me, and because they didn’t want to seem unreasonable, they’d usually just agree. If not, I’d simply say I was going back to my desk to get code A. I’d call back later in the day, to talk to a different employee.

For Wernle, I tried this first on Bank of America. The ruse worked, but there was no customer with Joseph Wernle’s Social Security number. So how about Wells Fargo? A little easier: I didn’t need a code since Danny Yelin, one of the investigators at Teltec, had a friend named Greg who worked there. Because the phone lines were monitored, Danny and Greg had set up their own personal code, which they now shared with me.

I’d call Greg and chat with him about going to the ball game that weekend or whatever, then say something like, “If you want to join us, just call Kat, and she’ll get a ticket for you.”

“Kat” was the flag. It meant I wanted the code of the day. He’d answer, “Great. Is she still at 310 725-1866?”

“No,” I’d say, and give him a different number, just for the confusion factor.

The last four digits of the fake phone number he had given me was the code for the day.

Once I had the code, I’d phone a branch and say I was calling from branch number so-and-so: “We’re having some computer issues, it’s so slow I can’t get anything done. Can you look something up for me?”

“What’s the code of the day?”

For my Wernle search, I gave the code and said something like, “I need you to bring up a customer account.”

“What’s the account number?”

“Search on the customer’s Social,” and I provided Wernle’s Social Security number.

After a moment, she said, “Okay, I’ve got two.”

I had her give me the numbers of both accounts, and the balances. The first part of the account number indicated the branch where the account was located; Wernle’s were both at the Tarzana branch in the San Fernando Valley.

A call to that branch with a request to pull Wernle’s “sig card” (signature card) put me in position to ask a key question I had been longing to have answered: “Who’s the employer?”

“Alta Services, 18663 Ventura Boulevard.”

When I called Alta Services and asked for Joseph Wernle, I got a chilly: “He’s not in today.” It sounded suspiciously as if the next sentence might have been “And we’re not expecting him.”

The rest was made to order in this era of “your banking information at your fingertips.” With Wernle’s account number and the last four digits of his Social in hand, I simply placed a phone call to the bank’s automated system and had it feed me back all the details I could want about his banking transactions.

What I learned only deepened the mystery: Joseph Wernle often had funds flowing into and out of his accounts totaling thousands of dollars every week.

Wow—what could this mean? I couldn’t imagine.

If he was running all this money through his bank account, I figured maybe his tax return would give me some useful clues about what was really going on.

I had learned that I could get taxpayer information from the Internal Revenue Service easily enough, just by social-engineering employees who had computer access. The IRS complex in Fresno, California, had hundreds of phone lines; I’d call one at random. Armed with foreknowledge based on my usual brand of research, I’d say something like, “I’m having problems getting into IDRS—is yours working?” (“IDRS” stands for “Integrated Data Retrieval System.”)

Of course her or his terminal was working, and almost always the person was gracious about taking time out to help a fellow employee.

This time, when I gave the Social Security number for Wernle, the agent told me his tax returns for the most recent two years available on their system showed no reportable income.

Well, that figured—in one sense, at least. I already knew his Social Security records showed no earned income. Now the IRS was offering confirmation.

An FBI agent who paid no Social Security and no income taxes… yet routinely had thousands of dollars passing through his bank accounts. What was that about?

How does that old line go, something like, “The only things certain in life are death and taxes”? It was beginning to sound as if, for an FBI agent, the part about taxes didn’t apply.

I tried to call Eric and found that his new line wasn’t working any longer. I tried his second line; same story.

A social-engineering call to the rental office in his building produced the information that he had moved out. No, he hadn’t moved to a different apartment in the same complex, like the previous time—he had moved out completely. The rental lady looked up his information for me, but as I suspected, he had not left a forwarding address.

Back to DWP Special Desk once again. This was a long shot, but a place to begin. I asked the clerk to look up any new service for last name Wernle. It took her only a moment. “Yes,” she said. “I have a new account for Joseph Wernle,” and she gave me an address on McCadden Place, in Hollywood.

I couldn’t believe the Feds were lamebrained enough to keep using the same name on the public utilities accounts for a guy they were trying to hide.

I had Eric’s pager number. That number still worked, and it told me which pager company was providing him with service. I called and tricked an account rep into revealing the specific number that made Eric’s pager distinct from every other: its CAP (“Channel Access Protocol”) code. Then I went out and bought a pager from the same company, telling the clerk that I’d dropped my previous one in the toilet while I was peeing. He laughed sympathetically—he’d obviously heard the story before from people it had really happened to—and had no problem programming the new one with the CAP code I gave him.

From then on, whenever someone from the FBI (or anyone else) paged Eric or sent him a pager text, I would see the message on my cloned pager, exactly as it appeared on his.

What were the odds of my intercepting two telephone conversations in close succession and hearing about myself both times? Not long after listening to the crew from Pacific Bell Security worrying over how to booby-trap me, I got another earful.

I hadn’t tried wiretapping Eric because he knew we had access to SAS, and I was worried that the frame techs might have been instructed to call Pacific Bell Security or the FBI if anyone tried to attach equipment to his line. Eric thought he had a safeguard against my listening to his phone calls. He had played with SAS enough to know that you hear a very distinct click when somebody used it to drop in on your line. But he didn’t know about making a connection with a SAS shoe, which, as I’ve explained, was a direct connection, using a cable that the frame technician placed directly on the customer’s cable-and-pair, and so produced no audible click on the line.

By chance I went up on Eric’s line one day using a SAS shoe, and heard him in conversation with someone he was calling “Ken.”

I didn’t have to wonder who Ken was: FBI Special Agent Ken McGuire.

They were talking about what evidence Ken needed for getting a search warrant on Mitnick.

The call threw me into an intense panic. I began to wonder if they were following me or even preparing to arrest me. Eric didn’t sound like an undercover informant; instead, his calling McGuire “Ken” sounded like one agent talking to another, with McGuire, the older, more experienced agent, leading the more junior agent to a better understanding of what they needed to get a search warrant.

Search warrant! Evidence against Mitnick!

Holy shit, I thought. Again I would have to get rid of every scrap of evidence that could be used against me.

As soon as they hung up, I immediately reprogrammed my phone, cloning it to a different phone number, one I had never used before.

Then I called Lewis at work. “Emergency!” I told him. “You’ve got to go to the pay phone outside your office building right now”—just in case the Feds were monitoring cell phone transmissions near his workplace.

I got in my car and drove to a place that I knew would be covered by a different cell phone tower—again, in case agents were monitoring the one serving the Teltec area.

As soon as Lewis answered the pay phone, I told him, “The government has been building a case against us, and Eric is part of it! It’s one-hundred-percent confirmation that we are the targets. Change your number right now.”

“Oh, shit.” That was his only response.

“We need to go into cleanup mode,” I said.

He sounded dejected and scared. “Yeah, right,” he said. “I know what to do.”

All the time I had been laboring over my research on Eric, I’d expected to find out he was an FBI snitch, if not an agent. But now that it was certain, I knew this was no game anymore. This was for real. I could almost feel the cold steel of the prison bars, I could almost taste the bland, barely edible prison food.

I was waiting at Kasden’s door when he got home from work, with boxes of disks that I asked him to store for me. That same evening I drove over to the home of another friend of my dad’s who had agreed to let me park my computer and all my notes with him.

De Payne’s cleanup wasn’t so easy. Something of a pack rat, he had swarms of mess all over his apartment. Digging through the piles to find the items that could help the government build a case against him had to be a huge challenge. And it wasn’t something anybody could help him with: he was the only one who knew which hard drives and floppy disks were safe and which could land him in prison. The task took him a couple of full days, the whole time under pressure of what would happen if federal agents showed up before he was finished.
