Serial Number Security

by TEV

How many products in shops have their serial numbers on display at all times?  These numbers are printed onto boxes, packets, and products so that the manufacturer can identify the product in question.  Yet, as I'll show below, these numbers should be treated as securely as PINs and passwords.

Do not do what is in this article.  It is fraud and theft.  As simple as that.  This article contains nothing of a technical nature; I'm writing it to highlight a point and to get this noticed.  Although I have outlined a simple scenario, don't do this.  Once this gets read I'm sure companies will be able to spot it a mile away.

The example I will draw upon is optical mice.

Let's look first at the Microsoft IntelliMouse.  This mouse costs around £25 ($30) and upwards depending on the model.  Go into your nearest PC World or other High Street retailer and go find these mice.  I will place a large bet that throughout the world these will be on shelves for the customers to look at before purchasing.

Some shops in the U.K. even have display models.  The packaging for most of these is well designed to show the product off in all its glory, which includes a clear shot of the base of the mouse.  There you will find some important numbers: the Part Number (PN), the Product ID (PID), and the model number.  Write these details down and then go home without buying the mouse.

When you get home browse through to the Microsoft site for their technical help.  Ring the technical help desk and report that your mouse has stopped working.  Say something like "The glowing red light doesn't work."  Anything so that the customer services agent thinks you're the average shopper and a little clueless.

They'll ask you for the PID, PN, and the model number.  Once you've given them these numbers you'll be told one of two things depending on whether you have contacted Microsoft with a similar problem or not.  You will either be asked for your address and told that a new mouse is now on its way (and the old one can be thrown away at your discretion) or that you need to cut the USB plug from the old mouse and post it to them before they send the mouse out.

From what I've seen so far, ringing a week later and complaining that the cable must have gotten lost in the post because you definitely sent it works - they're just trying to test you a little.

Three things to note.  Firstly, don't panic about giving out your address.  As you'll read later, there are usually no follow-up calls.

Secondly, in one discussion with a customer service rep I was told that each customer is given three "goodwill gestures."  If you ring a fourth time saying the cable was lost in the post, etc., you get nothing.  Microsoft allows three replacements and any more will arouse investigation.  But then again, why the hell would anyone need four mice?

And last but not least, when the new mouse turns up feel free to register it and when it breaks ask for your legitimate replacement!

Now, why should I outline that very simple (simple as in if you can't do that give up now!) guide to social engineering?  Imagine you're the person who went into the shop ten minutes after the evil fraudster and bought that mouse legitimately.

Six months later it breaks and you want it replaced.  Tough.  We rang up Microsoft and tested this out by trying to claim a mouse from a serial number for which a replacement had already been issued.  We were told that the product was registered and we should check our number.  When we argued it, we were asked to post the whole mouse back so they could change it.  When we did this they changed the mouse, and the original fraudster heard nothing.

This is stunning.  Microsoft's pretty packaging gives easy access to the serial numbers of its products.  These numbers are treated as if they were generic model numbers, but in reality they are the password that unlocks your warranty.

Look around the same shop you found the mouse in.  There are loads of small peripheral devices that do the same, and mice are the biggest culprit.  And don't forget, most shops won't mind you opening a box to have a closer look, so long as it doesn't break any sealed boxes.  Have a look around for other product keys and see what turns up.  I'm not going to turn this into a guide to fraud but you will be able to find other items.

I wrote this article in order to highlight some real stupidity.  Many large companies use a similar system and seem to be operating on a huge amount of trust.  Think about everything the serial numbers are used for in terms of support and warranty.  Do you want your number published to the world?  When I discussed this with a shop assistant at PC World I was told I should take it up with Microsoft.  Not surprising, but when I discussed it with Microsoft I was told that it rarely happens and is not of any concern.  I'm hoping that this wasn't the official company line.

Now that you've read this, go away and think hard about what I've highlighted.  I honestly don't support fraud.  What I have written is no different than stealing the mouse from the shop.  It's just a new method that no one has addressed before.

If you work in hardware, make sure that your product's packaging isn't revealing too much.  Too many products are turning up in see-through plastic packets.  I'm sure the product is gorgeous to look at, but this makes it a bit too easy to access the important details.  Why not simply cover the serial number with a small label before packaging it?  State on the box that the product should not be purchased if the label has been tampered with.  I'm sure that it wouldn't cost that much to add a small label covering a dozen or so characters.

And to the people buying these products: when you get the item home, ring immediately and register the product in your name before you open the packet.  At that point you'll be told if someone else has already registered the item.  If it has been registered, explain the situation and then take the product back to the shop and exchange it for another, or ask the manufacturer for a replacement with an unregistered warranty.

A big hello to all that know me and before flaming me, take a deep breath, count to ten and think happy thoughts.

We all have different opinions and the world's a better place for them; just don't force them down someone's throat.
