In his newly published autobiography, America’s most famous ex-hacker, Kevin Mitnick, tells his own story for the first time. In this excerpt, Mitnick describes his 1992 investigation into the mystery hacker “Eric,” who’d begun pumping him for information. Mitnick’s spy-versus-spy duel with the hacker would launch a chain of events destined to turn Mitnick into the most-wanted computer criminal in the country.

We’re told that our medical records are confidential, shared only when we give specific permission. But the truth is that any federal agent, cop, or prosecutor who can convince a judge he has legitimate reason can walk into your pharmacy and have them print out all of your prescriptions and the date of every refill. Scary.

We’re also told that the records kept on us by government agencies — Internal Revenue Service, Social Security Administration, the DMV of any particular state, and so on — are safe from prying eyes. Maybe they’re a little safer now than they used to be — though I doubt it — but in my day, getting any information I wanted was a pushover.

I compromised the Social Security Administration, for example, through an elaborate social engineering attack. It began with my usual research—the various departments of the agency, where they were located, who the supervisors and managers were for each, standard internal lingo, and so on. Claims were processed by special groups called “Mods,” which I think stood for “modules,” each one perhaps covering a series of Social Security numbers. I social engineered the phone number for a Mod and eventually reached a staff member who told me her name was Ann. I told her I was Tom Harmon, in the agency’s Office of the Inspector General.

I said, “We’re going to be needing assistance on a continuing basis,” explaining that while our office was working on a number of fraud investigations, we didn’t have access to MCS — short for “Modernized Claims System,” the amusingly clumsy name for their centralized computer system.

From the time of that initial conversation, we became telephone buddies. I was able to call Ann and have her look up whatever I wanted — Social Security numbers, dates and places of birth, mother’s maiden names, disability benefits, wages, and so on. Whenever I phoned, she would drop whatever she was doing to look up anything I asked for.

Ann seemed to love my calls. She clearly enjoyed playing deputy to a man from the Inspector General’s Office who was doing these important investigations of people committing fraud. I suppose it broke the routine of a mundane, plodding workday. She would even suggest things to search: “Would knowing the parents’ names help?” And then she’d go through a series of steps to dig up the information.

On one occasion, I slipped, asking, “What’s the weather like there today?”

But I supposedly worked in the same city she did. She said, “You don’t know what the weather is!?”

I covered quickly. “I’m in LA today on a case.” She must have figured, Oh, of course — he has to travel for his work.

We were phone buddies for about three years, both enjoying the banter and the sense of accomplishment.

If we had ever met in person, I would have given her a kiss to thank her for all the wonderful help she gave me. Ann, if you read this, your kiss is waiting.

I guess real detectives must have a lot of different leads to follow up when they’re working a case, and some of the leads it just takes time to get to. I hadn’t forgotten that Eric’s apartment rental contract was in the name of a Joseph Wernle; I just hadn’t pursued that lead yet. This was one of the several times while playing detective that I would turn to my Social Security chum, Ann.

‘Everybody needs water and electricity, so the utility company seemed like an extremely valuable source for finding out someone’s address.’

She went on the MCS and pulled up an “Alphadent” file, used to find a person’s Social Security number from his or her name and date of birth.

I then asked for a “Numident,” to get my subject’s place and date of birth, father’s name, and mother’s maiden name.

Joseph Wernle had been born in Philadelphia, to Joseph Wernle Sr. and his wife, Mary Eberle.

Ann then ran a DEQY (pronounced “DECK wee”) for me—a “detailed earnings query,” giving a person’s work history and earnings record.

Huh? . . . What the hell!?

Joseph Wernle Jr. was forty years old. According to his Social Security records, he had never earned a penny.

He had never even held a job.

What would you have thought at this point?

The man existed, because Social Security had a file on him. But he had never had a job and never earned an income.

The more I dug into his background, the more intriguing the whole thing seemed to get. It didn’t make sense, which just made me all the more determined to find out what the explanation could be.

But at least I now had his parents’ names.

This was like playing Sherlock Holmes.

Joseph Wernle Jr. — the son — had been born in Philadelphia. Maybe his parents still lived there, or at least somewhere nearby. A call to directory assistance for the 215 area code, which covered Philadelphia as well as, back then, surrounding areas of Pennsylvania, turned up three men named Joseph Wernle.

I started calling the numbers the directory assistance operator gave me. On my second try, a man answered. I asked if he was Mr. Wernle, and he said yes.

“This is Peter Browley, with the Social Security Administration,” I began. “I was wondering if I could take a few minutes of your time.”

“What’s this about?”

“Well, we’ve been paying Social Security benefits to a Joseph Wernle, and somehow the records appear to have gotten mixed up in our system. It seems we may have been paying the benefits to the wrong person.”

I paused to let that sink in and let him squirm a little, so I would have him at a bit of a disadvantage. He waited without saying anything. I went on, “Is your wife’s name Mary Eberle?”

“No,” he said. “That’s my sister.”

“Well, do you have a son named Joseph?”

“No.” After a moment, he added, “Mary has a son named Joseph Ways. But it couldn’t be him. He lives in California.”

This was coming together; now we were getting somewhere. But there was more: the man on the other end of the phone line was still talking.

“He’s an FBI agent.”

Son of a bitch!

There was no such person as Joseph Wernle Jr. An FBI agent named Joseph Ways had adopted a false identity using real family names that he could easily remember. And that agent was passing himself off as a hacker named Eric Heinz.

Or at least, that was the most likely deduction, based on what I now knew.

The next time I tried to call Eric on his landline telephone, the number was disconnected.

Earlier in my hacking career, there had been a point when I had decided it might come in handy sometime to have access to another of the Los Angeles area’s utility companies, the Department of Water and Power, or DWP. Everybody needs water and electricity, so the utility company seemed like an extremely valuable source for finding out someone’s address.

The DWP maintained a unit known as “Special Desk” to handle calls from law enforcement, staffed by people trained to verify that every caller was on the list of people authorized to receive customer information.

I called the DWP corporate offices claiming to be a cop and explained that our sergeant who had the phone number for Special Desk was on assignment, and we needed to get it again. I was given it without a problem.

Next I called LAPD’s elite SIS division. It seemed only fair to include these guys in the fun since they were the ones who had tailed Lenny and me at Pierce College several years earlier. I asked to speak to a sergeant, and I. C. Davidson came on the line. (I remember his name well, since I continued to use it for a long time, whenever I needed information from the DWP.)

Telling him, “Sergeant, I’m with DWP Special Desk,” I said, “We’re setting up a database of authorized people for law enforcement requests, and I’m calling to find out if any officers in your division still need access to Special Desk.”

He said, “Absolutely.”

I started out, as usual, by asking if he was on the list and getting his name.

“Okay, how many officers do you have who need to be on the list?”

He gave me a number.

“Okay, go ahead and give me their names, and I’ll make sure they’re all authorized for another year.” It was important for his people to have access to the information from the DWP, so he took the time to patiently read off and spell out the names for me.

Some months later, Special Desk added a password to its verification process. No problem: I called up LAPD’s Organized Crime Unit and got a lieutenant on the phone.

Introducing myself as “Jerry Spencer with Special Desk,” I chose as my opening gambit a slightly different version of the earlier one: “By the way, are you authorized for Special Desk?”

He said he was.

“Fine. What’s your name, sir?”

“Billingsley. David Billingsley.”

“Hold on while I look you up on the list.”

I paused a bit and rustled some papers. Then I said, “Oh, yes. Your password is ‘0128.’ ”

“No, no, no. My password is ‘6E2H.’ ”

“Ohhh. I’m sorry, that’s a different David Billingsley.” I could hardly keep from laughing. I then had him look up the list of officers authorized for Special Desk in the Organized Crime Unit and tell me their names and passwords. At that point I was golden forever. I wouldn’t be surprised if some of those passwords still worked today.

With this access to DWP Special Desk, it took me only about five minutes to discover Eric’s new address: he had moved to a different apartment in the same building. Lewis and I had shown up at his address, and three weeks later he’s not living in the same apartment anymore and has a new phone number — but he’s in the same building?

And the new phone line is listed in the same name as before, Joseph Wernle. If Eric had really gone into “secure mode,” as he’d told us he was going to do, why the hell would he still be using the same name? This was the guy who was supposed to be such a good hacker? He didn’t seem to have any idea of what I’d be able to find out about him. I was still a long way from unraveling all the riddles, but I knew I had to continue now that I was getting closer and closer to the truth.