opoybdpmwoqbcpqcygagpcgxbpusapdluscplchx
woisgyeasdcpopdhadfyaethis
If I could help Grant with so little effort, how come I still didn’t have the lowdown on Wernle? Fortunately, I was about to unlock that secret.
Eric kept talking about having to go to work, but he would always change the subject whenever I asked what he did.
So who was signing his paychecks? Maybe hacking into his bank account would give me the answer. Since Eric’s name wasn’t on his rental application or any of his utility bills, I’d look for an account in the Wernle name.
What bank was he using? Banks, of course, guard their customer information carefully. But they also need to ensure that authorized employees are able to obtain information from different branches.
In those days, most banks used a system that allowed an employee to identify himself to a fellow employee at another branch by providing a code that changed every day. For example, Bank of America used five daily codes, labeled “A,” “B,” “C,” “D,” and “E,” each of which was assigned a different four-digit number. An employee calling another branch for information would be challenged to give the correct number for code A or code B or whatever. This was the banking industry’s idea of foolproof security.
With reverse social engineering, I easily got around it.
My plan had several layers. First thing in the morning, I’d call the target branch, ask for someone in the New Accounts Department, and pretend to be a potential customer with a substantial sum of money who had questions about the best way to earn maximum interest. After developing a rapport, I’d say I had to go to a meeting but could call back later. I’d ask the account rep’s name and say, “When are you going to lunch?”
“I’m Ginette,” she might say. “I’ll be here until twelve-thirty.”
I’d wait till after 12:30, then call back again and ask for Ginette. When I was told she was out, I’d introduce myself and say I was from another of the bank’s branches. “Ginette called me earlier,” I’d explain, “and said she needed this customer information faxed to her. But I’ve got to go to a doctor’s appointment shortly. Can I just fax this over to you instead?”
The colleague would say that was no problem and give me the fax number.
“Great,” I’d say. “I’ll send it right over. Oh, but first… can you give me the code of the day?”
“But you called me!” the banker would exclaim.
“Well, yeah, I know, but Ginette called me first. And you know our policy requiring the code for the day before sending customer information…,” I’d bluff. If the person objected, I’d say I couldn’t send the information. And I’d continue with something like, “In fact, please let Ginette know I couldn’t send her what she needed because you wouldn’t verify the code. Also, please let her know that I’ll be out of the office until next week and we can discuss it when I get back.” That was usually enough to push the holdout over the edge, because no one would want to undermine a coworker’s request.
So then I’d say, “Okay, what’s code E?”
He’d give me code E, which I would file in my memory.
“Nope, that’s not it!” I’d tell him.
“What?”
“You said ‘6214’? That’s not right,” I’d insist.
“Yes, that’s code E!” the banker would say.
“No, I didn’t say ‘E,’ I said ‘B’!”
And then he’d give me code B.
I now had a 40 percent chance of getting the information I wanted anytime I called any branch of that bank for the rest of the day, since I knew two of the five codes. If I talked to someone who seemed to be a real pushover, I’d go for another one and see if he or she would go along. A few times I even managed to get three of the codes in a single call. (It helped, too, that the letters B, D, and E all sound sort of alike.)
If I called a bank and was asked for code A when I only had B and E, I’d just say, “Oh, listen, I’m not at my desk right now. Would you settle for B or E?”
These conversations were always so friendly that the bank employees would have no reason to doubt me, and because they didn’t want to seem unreasonable, they’d usually just agree. If not, I’d simply say I was going back to my desk to get code A. I’d call back later in the day, to talk to a different employee.
For Wernle, I tried this first on Bank of America. The ruse worked, but there was no customer with Joseph Wernle’s Social Security number. So how about Wells Fargo? A little easier: I didn’t need a code since Danny Yelin, one of the investigators at Teltec, had a friend named Greg who worked there. Because the phone lines were monitored, Danny and Greg had set up their own personal code, which they now shared with me.
I’d call Greg and chat with him about going to the ball game that weekend or whatever, then say something like, “If you want to join us, just call Kat, and she’ll get a ticket for you.”
“Kat” was the flag. It meant I wanted the code of the day. He’d answer, “Great. Is she still at 310 725-1866?”
“No,” I’d say, and give him a different number, just for the confusion factor.
The last four digits of the fake phone number he had given me was the code for the day.
Once I had the code, I’d phone a branch and say I was calling from branch number so-and-so: “We’re having some computer issues, it’s so slow I can’t get anything done. Can you look something up for me?”
“What’s the code of the day?”
For my Wernle search, I gave the code and said something like, “I need you to bring up a customer account.”
“What’s the account number?”
“Search on the customer’s Social,” and I provided Wernle’s Social Security number.
After a moment, she said, “Okay, I’ve got two.”
I had her give me the numbers of both accounts, and the balances. The first part of the account number indicated the branch where the account was located; Wernle’s were both at the Tarzana branch in the San Fernando Valley.
A call to that branch with a request to pull Wernle’s “sig card” (signature card) put me in position to ask a key question I had been longing to have answered: “Who’s the employer?”
“Alta Services, 18663 Ventura Boulevard.”
When I called Alta Services and asked for Joseph Wernle, I got a chilly: “He’s not in today.” It sounded suspiciously as if the next sentence might have been “And we’re not expecting him.”
The rest was made to order in this era of “your banking information at your fingertips.” With Wernle’s account number and the last four digits of his Social in hand, I simply placed a phone call to the bank’s automated system and had it feed me back all the details I could want about his banking transactions.
What I learned only deepened the mystery: Joseph Wernle often had funds flowing into and out of his accounts totaling thousands of dollars every week.
Wow—what could this mean? I couldn’t imagine.
If he was running all this money through his bank account, I figured maybe his tax return would give me some useful clues about what was really going on.
I had learned that I could get taxpayer information from the Internal Revenue Service easily enough, just by social-engineering employees who had computer access. The IRS complex in Fresno, California, had hundreds of phone lines; I’d call one at random. Armed with foreknowledge based on my usual brand of research, I’d say something like, “I’m having problems getting into IDRS—is yours working?” (“IDRS” stands for “Integrated Data Retrieval System.”)
Of course her or his terminal was working, and almost always the person was gracious about taking time out to help a fellow employee.
This time, when I gave the Social Security number for Wernle, the agent told me his tax returns for the most recent two years available on their system showed no reportable income.
Well, that figured—in one sense, at least. I already knew his Social Security records showed no earned income. Now the IRS was offering confirmation.
An FBI agent who paid no Social Security and no income taxes… yet routinely had thousands of dollars passing through his bank accounts. What was that about?
How does that old line go, something like, “The only things certain in life are death and taxes”? It was beginning to sound as if, for an FBI agent, the part about taxes didn’t apply.
I tried to call Eric and found that his new line wasn’t working any longer. I tried his second line; same story.
A social-engineering call to the rental office in his building produced the information that he had moved out. No, he hadn’t moved to a different apartment in the same complex, like the previous time—he had moved out completely. The rental lady looked up his information for me, but as I suspected, he had not left a forwarding address.
Back to DWP Special Desk once again. This was a long shot, but a place to begin. I asked the clerk to look up any new service for last name Wernle. It took her only a moment. “Yes,” she said. “I have a new account for Joseph Wernle,” and she gave me an address on McCadden Place, in Hollywood.
I couldn’t believe the Feds were lamebrained enough to keep using the same name on the public utilities accounts for a guy they were trying to hide.
I had Eric’s pager number. That number still worked, and it told me which pager company was providing him with service. I called and tricked an account rep into revealing the specific number that made Eric’s pager distinct from every other: its CAP (“Channel Access Protocol”) code. Then I went out and bought a pager from the same company, telling the clerk that I’d dropped my previous one in the toilet while I was peeing. He laughed sympathetically—he’d obviously heard the story before from people it had really happened to—and had no problem programming the new one with the CAP code I gave him.
From then on, whenever someone from the FBI (or anyone else) paged Eric or sent him a pager text, I would see the message on my cloned pager, exactly as it appeared on his.
What were the odds of my intercepting two telephone conversations in close succession and hearing about myself both times? Not long after listening to the crew from Pacific Bell Security worrying over how to booby-trap me, I got another earful.
I hadn’t tried wiretapping Eric because he knew we had access to SAS, and I was worried that the frame techs might have been instructed to call Pacific Bell Security or the FBI if anyone tried to attach equipment to his line. Eric thought he had a safeguard against my listening to his phone calls. He had played with SAS enough to know that you hear a very distinct click when somebody used it to drop in on your line. But he didn’t know about making a connection with an SAS shoe, which, as I’ve explained, was a direct connection, using a cable that the frame technician placed directly on the customer’s cable-and-pair, and so produced no audible click on the line.
By chance I went up on Eric’s line one day using an SAS shoe, and heard him in conversation with someone he was calling “Ken.”
I didn’t have to wonder who Ken was: FBI Special Agent Ken McGuire.
They were talking about what evidence Ken needed for getting a search warrant on Mitnick.
The call threw me into an intense panic. I began to wonder if they were following me or even preparing to arrest me. Eric didn’t sound like an undercover informant; instead, his calling McGuire “Ken” sounded like one agent talking to another, with McGuire, the older, more experienced agent, leading the more junior agent to a better understanding of what they needed to get a search warrant.
Search warrant! Evidence against Mitnick!
Holy shit, I thought. Again I would have to get rid of every scrap of evidence that could be used against me.
As soon as they hung up, I immediately reprogrammed my phone, cloning it to a different phone number, one I had never used before.
Then I called Lewis at work. “Emergency!” I told him. “You’ve got to go to the pay phone outside your office building right now”—just in case the Feds were monitoring cell phone transmissions near his workplace.
I got in my car and drove to a place that I knew would be covered by a different cell phone tower—again, in case agents were monitoring the one serving the Teltec area.
As soon as Lewis answered the pay phone, I told him, “The government has been building a case against us, and Eric is part of it! It’s one-hundred-percent confirmation that we are the targets. Change your number right now.”
“Oh, shit.” That was his only response.
“We need to go into cleanup mode,” I said.
He sounded dejected and scared. “Yeah, right,” he said. “I know what to do.”
All the time I had been laboring over my research on Eric, I’d expected to find out he was an FBI snitch, if not an agent. But now that it was certain, I knew this was no game anymore. This was for real. I could almost feel the cold steel of the prison bars, I could almost taste the bland, barely edible prison food.
I was waiting at Kasden’s door when he got home from work, with boxes of disks that I asked him to store for me. That same evening I drove over to the home of another friend of my dad’s who had agreed to let me park my computer and all my notes with him.
De Payne’s cleanup wasn’t so easy. Something of a pack rat, he had swarms of mess all over his apartment. Digging through the piles to find the items that could help the government build a case against him had to be a huge challenge. And it wasn’t something anybody could help him with: he was the only one who knew which hard drives and floppy disks were safe and which could land him in prison. The task took him a couple of full days, the whole time under pressure of what would happen if federal agents showed up before he was finished.
I should have been using every resource I had to find out about Eric before this, I knew. But better late than never. I called Ann, my contact at the SSA. She looked up Eric Heinz and gave me his Social Security number, birthplace, and date of birth. She also told me he was listed as receiving disability payments for a missing limb.
If his story about his motorcycle crash was true and he really was walking around on an artificial leg, the doctors must have done some great job, because I had never seen even the hint of a limp. Or maybe he wasn’t really missing a leg at all but had just found a doctor to make a phony report so he could collect benefits; that might explain how come he never seemed to go off to a job.
I told Ann, “This is a fraud case. Let’s see if we can find his parents’ names.” Eric’s driver’s license said that he was a junior, which made this step a whole lot easier. She looked up all of the people listed as Eric Heinz Sr. with a birth year in the range that I had calculated might be reasonable for Eric’s father. She found one with a birth date of June 20, 1935.
That evening, Teltec coworker Danny Yelin and I met for dinner at Solley’s delicatessen in Sherman Oaks. After we ordered, I went to the pay phone and called the number I had tracked down for Eric Heinz Sr.
What happened next maybe shouldn’t have surprised me, but it did. It caught me off guard.
“I’m trying to get hold of Eric,” I said. “I’m a friend of his from high school.”
“Who is this?” the man asked in a suspicious tone. “What’s your name again?”
“Maybe I have the wrong Eric Heinz. Is there an Eric Junior?”
“My son passed away,” he said.
He sounded annoyed, bordering on controlled anger. He said he wanted my phone number, that he would call me back—obviously planning to report me to the authorities and have me investigated. No problem: I gave him the number for the pay phone in the deli and hung up.
He called back immediately. We began our dance again, with me trying to pull him closer, him keeping me at arm’s length.
I asked, “When did he die?”
Then it came out: “My son died as an infant.”
I felt the heat of a big adrenaline rush. The explanation was obvious: “Eric Heinz” was a stolen identity.
Somehow I managed to pull myself together enough to babble something about being sorry for his loss.
So who was he really, this one-legged bullshit artist who was working with the FBI and using a phony name?
Meanwhile I felt the need to satisfy myself that what Eric Heinz Sr. had told me about his son’s dying in infancy was really true. Again with the help of my pal Ann at the Social Security Administration, I tracked down Eric Sr.’s brother, who confirmed the story: Eric Jr. had died in a car accident in 1962, at the age of two, on his way to the Seattle World’s Fair with his mother, who was also killed in the crash.
No wonder Eric Sr. had turned so cold when I claimed his son and I had gone to high school together.
There is a particular kind of satisfaction in following a thread all the way to its end. In this case, that meant getting a copy of Eric Heinz’s death record from the King County Bureau of Vital Statistics, in Seattle. I sent a request, enclosing the nominal fee required, and asked that it be mailed to me at Teltec.
The father and the uncle had been telling me the truth. The “Eric Heinz” I knew was playing a familiar game of infant-identity theft.
Wow! I had finally cracked open the truth about him.
The name “Eric Heinz” was a complete phony.
So then who the fuck was this guy, who was dead but trying to set me up?
Going back over my traffic analysis of FBI cell phone calls, I noticed that McGuire was making a lot of calls to 213 894-0336. I already knew that 213 894 was the area code and exchange for the phones at the U.S. Attorney’s Office in Los Angeles. I called the number and found it was the phone for one David Schindler, the Assistant U.S. Attorney who had been the prosecutor on the Poulsen case. He’d be just the guy, I thought, who would get assigned to take on the next big Los Angeles hacker case.
So the government apparently already had a prosecutor assigned to me. Not good!
From the time I first gained access to PacTel Cellular’s call detail records, showing an almost-up-to-the-minute log of calls both to and from every one of the company’s subscribers, I’d been checking them often—targeting the people on the white collar crime unit who were frequently in touch with Eric, focusing in particular on Special Agent McGuire.
That was how I happened to spot an attention-getting series of calls: over a span of a few minutes, McGuire had called Eric’s pager several times. And McGuire’s very next call after his last attempt was to a landline number I hadn’t seen before.
I called the number. Well, hello—I knew that voice well. The person who answered the phone was Eric. At a new landline number, in a different part of Los Angeles. He had moved again.
Hanging up, I had a smile on my face. Eric would know a hang-up had to be me. Probably before he had finished unpacking, I had already found out he had moved.
PacBell’s line-assignment center would be the place to get Eric’s new address.
It was 2270 Laurel Canyon Boulevard, which turned out to be in a pricey neighborhood about a mile north of Hollywood Boulevard, in the Hollywood Hills, halfway up toward Mulholland Drive.
His fourth address in the several months I had known him. The reason wasn’t hard to figure: the Bureau was trying to protect him. Each time I found his new address, the Feds would move him. I had now found his address three times, and they had moved him each time.
You would think they might have figured out by then that his location was a secret they were not going to be able to keep from me.
In front of a computer in a safe location hacking by night, in front of a computer “investigating” for Teltec by day. The Teltec work mostly involved projects like figuring out where the husband in a divorce case was hiding his assets, helping an attorney decide whether or not to file a lawsuit by finding out whether the potential defendant had enough of a bankroll to make it worthwhile, and tracking down deadbeats. A few cases were gratifying, like locating a parent who had abducted his or her own child and fled to Canada, Europe, or wherever; the satisfaction I got from succeeding in those cases was enormous and left me feeling I was doing a small bit of good in the world.
But doing good deeds for society wasn’t going to earn me any Brownie points with law enforcement. I figured out how to set up an early-warning system to sound an alarm if the Feds were hanging around waiting to follow me when I left work. I bought a RadioShack scanner that had the cellular band unblocked (the FCC had started cracking down on scanner manufacturers to prevent the interception of cell phone traffic). I also bought a device called a “digital-data interpreter,” or DDI—a special box that could decode the signaling information on the cellular network. The scanner signals fed into the DDI, which was connected to my computer.
A cell phone registers with the nearest cell tower and establishes communications with it, so that when a call comes in for you, the system knows which cell tower to relay the call to on its way to your handset. Without this arrangement, the cell phone company would have no way of getting a call routed to you. I programmed the scanner to monitor the frequency of the cell tower nearest to Teltec, so it would pick up information from the tower identifying the phone number of every cell phone in or even just passing through the area.
My scanner fed this constant flow of data to the DDI, which converted the information into separate pieces, like this:
618-1000 (213) Registration
610-2902 (714) Paging
400-8172 (818) Paging
701-1223 (310) Registration
Each line shows the status of a cell phone currently in the area served by this cell site; the first set of digits on the line is the phone number of one cell phone. “Paging” signifies that the site is receiving a call for that cell phone and is signaling the phone to establish a connection. “Registration” indicates that the phone is in the area of this cell tower and ready to make or receive calls.
I configured the DDI software package on my computer to play an alarm tone if the DDI detected any phone number that I programmed into the software: the cell phone numbers of all the FBI agents I had identified as being in communication with Eric. The software continually scanned the phone numbers being fed to it in the chain of cell site, to scanner, to DDI, to computer. If any of the agents’ cell phones showed up in the Teltec area, my setup would sound the alert.
I had created a trap for the FBI, putting me one step ahead. If the Feds came looking for me, I’d be forewarned.