Lessons from the World’s Most Famous Hacker

Last week, Kevin Mitnick visited Melbourne as part of a tour. He spoke to an audience of security professionals from a wide range of industries about his start as a black-hat hacker, i.e. using his skills to break into systems and steal data, through to his present career as a white-hat hacker, i.e. conducting penetration tests for major companies all over the world.

While Mitnick did break the law in the 1990s and was prosecuted, what’s interesting is that although his hacks might have used some tricky technical skills, they were far more dependent on one specific thing.

In the 16 years Mitnick has worked as a penetration tester, his company has never failed to break into a target system – as long as he has been able to talk to people.


While our IT systems hold valuable data such as financial records, technical designs and personal information, the real key to getting into those systems is hacking the humans.

During the day, I had the opportunity to interview Mitnick on stage. To illustrate some of his answers, Mitnick demonstrated some hacks. For example, in one simple scenario he sent a text message to my phone that looked like it was sent by my partner. All he needed was my phone number and my partner’s number and he was able to send a text asking for an account password.

The technical sophistication of this was very low – almost anyone can repeat the hack using online text messaging services. But the effect of breaching the trust of individuals can be devastating.

Although strong passwords, encryption, firewalls and security software are important, they can all be easily bypassed if a hacker can convince a legitimate user to hand over the keys to the fortress.

The hacker’s most powerful weapon is social engineering. Mitnick used social engineering to make telephone calls to whoever he wanted while under close guard during his months in solitary confinement. He was placed there because law enforcement officials were convinced he could launch a missile by phoning mission control and whistling into a phone.


Putting robust systems in place to protect your systems is critical. But supporting people with good processes that minimise the risk of them being manipulated by a bad actor is perhaps more important.

Some easy steps to take include:

  • Always require two parties to sign off on any financial transactions.
  • Rely on face-to-face or some other direct, non-electronic, means to verify important business interactions.
  • View any request to access a system or conduct a transaction with scepticism until you have verified that the request is genuine.

Source: Data Protection Adviser
