If you're a dedicated reader of this blog, you'd realize that It predominantly relates to one type of SEing, namely "company manipulation and exploitation". This Is due to the fact that Its popularity has well and truly surpassed the boring old-school social engineering consisting of (but not limited to) "pretexting", "tailgating", "spear phishing", "quid pro quo", "phishing" and the rest of the names that someone happened to somehow manifest with their fanciful Imagination. You see, each of the (quoted) names above, are simply a gateway to access the target and Irrespective of their meaning, they all pertain to one thing- "manipulating the victim to perform an action that they're not supposed to do". That's the true definition of social engineering, no matter what the SE'er Is aiming to achieve.
In terms of "the new breed of human hacking" (which Is what this article relates to), It takes an exceptional set of skills to push reps/agents to their absolute limit by manipulating every request to the SE'ers advantage, all the way through to finalizing the claim In a successful outcome- a refund or replacement Item. Of course, that's on the grounds that the representative Is not half-asleep on the job and approves the claim with no questions asked. Company manipulation and exploitation Is done via two gateways- "Online" and "IRL, In Real Life". Here's what I'm referring to with the latter, that's known as "In-Store" social engineering.
This Is just a general example, and not based on any specific retailer. The SE Is done In person by physically attending the store and dealing with their employees face-to-face at the customer service counter and due to Its environment, It only supports a few methods like the "wrong Item received", the "missing Item/partial" and the "sealed box method". The reason for this, Is that It obviously does not use a carrier to service their deliveries- because the goods are not shipped to begin with, but rather purchased & returned by entering and exiting the store In person. On the other hand, the "online gateway" Involves hitting companies to the likes of Amazon and ASOS- who always forward goods to their customers by using their carrier partner(s).
As a result, some form of verification Is required when accepting packages on delivery. The most common Is to sign the driver's hand-held device, which Is not a problem whatsoever- a fake signature will deem the authentication Inconclusive. However, there are times when the driver will ask for an "OTP" that stands for "One-Time Password"- that must be given to him before he hands over your package. Sure, drivers have a tendency to leave goods at the doorstep of the respective home, particularly when they're running late for their scheduled delivery run but for the most part, they do comply with protocol and verify their consignments at the drop off point.
Whilst an OTP does not present an Issue If you're using 99% of the traditional methods, such as the ones mentioned a couple of paragraphs above, It will have a significant negative Impact on the "DNA" (Did Not Arrive) method- which you'll see why It's the case In the next topic. Now many SE'ers, Inclusive of those who operate on an advanced level, have a lot of difficulties finding ways to work around an OTP and that's what prompted me to write this article. I will show you a few very clever and well-crafted manipulative tactics to bypass the need for a one-time password and If you follow my guides every step of the way, the likelihood of success Is almost a certainty. So what exactly Is an "OTP" and how does It affect the "DNA method?". I'll first discuss the latter and then move onto the former, so without further delay, let's rip Into It.
What Is The DNA Method?
As you're aware, the "DNA" Is an abbreviation of "Did Not Arrive" which (as Its name Implies), Is used to say that the package you're waiting to be delivered to your house or a drop address, did not arrive. That Is, you've purchased something from an online store and the carrier driver failed to drop It off at your premises. Evidently, you did In fact receive It, but you're stating otherwise for social engineering purposes. The best thing about the DNA, Is because It's purely used "to accept packages and nothing more", It's considered a "universal method", that can be used with just about any Item of reasonable size & weight. In other words, as long as you're not SEing a family home (so to speak), you can opt for almost any Item that comes to mind- as you'll "only be receiving It" and saying that you didn't, hence the product Is not relevant.
That being said, use some common sense when selecting your Item. For Instance, If you're looking to social engineer a 700 litre fridge that's 180 cm In height and weighs around 200 Kg, logic has It that the carrier will not leave It at your doorstep and walk off without requesting a signature or another form of delivery confirmation- Its size and cost definitely warrants proof of delivery. The same can be said for a QLED 8K HD Smart TV valued at over $4,000- It's simply too expensive, thus the need to make sure It's accepted by the account holder or a household member, Is paramount from the carrier's standpoint. And one very effective way to do It, Is to Implement an "OTP" as part of the delivery process for such Items and the like, which brings me to the next topic as per below.
What Is An OTP?
What you're about to read, Is not tied to any particular company & carrier service and may vary depending on locality and other factors not mentioned In this article, so be sure to use Its contents as a general guide. Okay, If (for example) you happen to be SEing a high value Item such as a TAG Heuer Men's watch from "Amazon" that retails at $1,785 by using the DNA method, an "OTP" (One-Time Password) will (most likely) be required to verify that the package not only made Its way to the correct address, but was also "personally received by yourself (the SE'er) or an authorized recipient". What this means, Is that the OTP will be sent by the company to your cell phone number or the registered email address on your account and when the carrier arrives, "you must tell him your password to accept your package".
Without giving the driver the OTP, he has every right to refuse handing over your package, hence will mark It as an undelivered consignment, but by no means does It prevent you from bypassing It. I've covered a few ways on how to do this from the next topic onwards. At the time of writing, not too many companies have an OTP In place, but I can confidently say that "Amazon" uses It from time to time- to a greater extent In India for Items that exceed a certain cost. That Is, "high value Items". Other countries use It as well, however It's way beyond the scope of this article to elaborate on each and every one.
A lot of SE'ers continue to ask me how to stop a one-time password from being generated, but apart from the fact that you can't, It's not about that at all. You should already know that "social engineering Involves manipulating any entity and every obstacle that comes your way", thus the objective of circumventing an OTP, Is to SE the carrier driver Into giving you the package without the need to read out your password. As said, It will be sent to either your email address or cell phone, so I've documented a guide on both, beginning with the latter. Make sure to familiarize yourself with each one- you will Inevitably put one or the other Into action when repeatedly hitting the DNA method.
Circumvent An OTP Generated To Your Cell Phone:
The only drawback with this, Is that you must have a small amount of cash In your savings account but the cost of the Item you'll be SEing, will certainly pay off the Initial outlay. Here's what I'm referring to. The very first thing you need to do, Is to purchase a very cheap second-hand cell phone that costs next to nothing, and smash It by "breaking the glass" before the driver arrives. Though, do not overdo It- only enough to show that It's damaged to the point of giving the appearance of being "nonfunctional". Just In case the phone displays some type of functionality that can potentially ruin the SE, take the battery out or fully discharge It. It's very Important to do either of the two- you'll see why In a minute or so.
When the carrier comes and the driver Is walking towards you, make as though you're looking through your phone and ready to read out the password, but Instead, "purposely drop It with a very distressed look on your face" and be sure the driver has seen the event. Next, attempt to show him the OTP by putting your cell phone In his full view. "This gives the Impression that you're not trying to hide anything" and to seem like you're doing your utmost best to grab the password, press the power button a few times, then get on his good side by deeply apologizing for the Inconvenience caused. Also, throughout the entire ordeal, "refer to him by his first name" taken from his uniform- believe me, people feel appreciated when you communicate with them by name.
Now this Is where you'll solidify your SE, by using a very calculated and manipulative approach, so pay attention to every word you read. The driver has no Idea what's enclosed In the package and even If he does, your order details could've changed without updating Its description. As a result, you'll SE him to feel sorry for you, by saying that the package contains a home blood pressure monitor that's "urgently needed to keep an eye on your mother's BP". They're manufactured In many different sizes, some of which fit comfortably on your wrist, so the dimensions of your package Is Immaterial. Taking all the above Into account and If you've executed your attack effectively, "there's a very high chance that the driver will pass the package to you". And If he asks for a signature, fake It!
Circumvent An OTP Generated To Your Email Address:
As opposed to sending the OTP to your cell phone, some companies will send It to the registered email address on your account, which serves the same purpose as the phone- It must be forwarded to the carrier driver before the package can be handed to you. The Intention of this SE, Is to manipulate the driver Into thinking that you haven't actually received the password, and to also give the Impression that you're doing everything you can to get It from the company you're SEing. Remember: This Is all an act of deception. The one-time password does not exist, nor do any of the events between yourself and the representative! Okay, as the carrier driver arrives and jumps out of his van, pretend you're on the phone with the rep asking why he hasn't sent the OTP and to resend It.
Do note that your SE Is only as good as the people you're using It against, so It's crucial that "the driver can clearly hear your end of the conversation whilst you're communicating with the rep/agent". Now given carriers have deadlines to meet prior to close of business, they generally don't like to be kept waiting, thus you will use It to your advantage as follows. I want to reiterate that "you're seemingly on the phone with the rep, therefore It's obviously not a real conversation". So, tell the rep that you're going to check your email for the OTP, and although you're speaking loud and clear, pass the same message onto the driver. As said, carriers don't like to wait around so rather than Instantly checking the email on your phone, enter your home and pretend that you're looking at your messages on your PC- and make sure to take your time.
After a few minutes or so (while still on your phone), come out and tell the driver that nothing's come through In your email, and sincerely apologize for the delay and at the same time, ask the rep to resend It. Once again, "the driver must continue to hear what you're talking about"- as It will make the entire scenario appear very realistic. Keep repeating the same process by saying that you haven't got anything In your Inbox, until the conversation ends with the OTP failing to make Its way to your email account.
It's at this stage when you'll give the driver a sense of reassurance by offering to sign for the package, and to remove all doubts and questions that he may have, show him your ID- driver's license or otherwise. Don't worry, he'll look at your Identification but will not take photos so unbeknownst to him, It's completely useless, hence It cannot be used to verify that you personally accepted the package. All In all, If you've performed your SE as described, there's every reason why you should grab your package without the one-time password.
In Conclusion:
The key element to circumvent the OTP, Is "manipulating the driver In a very strategic manner" as discussed In each topic, but In order to do that, you must be "very confident" with your ability as an SE'er, and not display any signs of nervousness, Indecisiveness and falsehood. The other thing that will significantly Increase the likelihood of a successful outcome, Is "being In control of every event", thereby you're the one who's In charge of all happenings between yourself and the driver. Don't ever think for a minute that an OTP cannot be bypassed. That's because the password Itself, has nothing to do with accepting your package, but rather exploiting the weakest link In the security chain- "the human brain".
