Venice Florida! dot com
Venice on the web
A semi-regular column

PWNED: City's Nextel phone account gets hacked
Thieves ordered $1500 worth of NASCAR cell phones; all your phone are belong to us
-- John Patten, original story released 05/17/04,
-- updated with sidebar and footer on 05/19/04,
-- final update on 05/23/04
-- jpatten@veniceflorida.com


RELATED:
What, exactly, is "pwned?"

-- urbandictionary.com
FINAL UPDATE 05/23/04
Quigley cleared of wrongdoing, did not give out passwords

The utilities supervisor did, however, give out enough info to allow hackers to eventually make bogus purchases in the city's name -- see the bottom of this page for info

 

[Image: 2004 NASCAR NEXTEL Cup Series™ Driver Phones]

PWNED!!! (original story, 05/17/04)
Unknown hackers gained access to the Venice city government's online phone account with Nextel, changing the passwords for the web account earlier this month. Once in, the would-be thieves ordered six NASCAR-styled cell phones (NASCAR Cup Series Driver Phones, example shown at right) for delivery to a Chicago address on the city's account.

The would-be thieves used the most commonly reported hacking technique to gain access to the city's account: "social engineering." Social engineering hacks involve the use of con artist tactics. Such hackers often play on the gullibility and greed of a victim by offering something for nothing.

According to sources at city hall, utilities supervisor Bill Quigley was contacted on his city-owned cell phone earlier this month by the hackers, who reportedly posed as Nextel employees. The hackers asked Quigley to participate in a customer survey and Quigley agreed. According to one highly placed source at city hall, Quigley agreed to answer questions in exchange for an offer of free minutes on his own personal cell phone. During the survey, Quigley reportedly gave out passwords and access codes to the city's Nextel phone account.

Using the information reportedly given to them by Quigley, the hackers went into Nextel's online customer service center at Nextel's web site. After changing the city's access passwords on the web site, the hackers then ordered six Nextel NASCAR-styled cell phones from the site. The ordered phones retail for $250 each on the web site. According to the city's purchasing director Larry Miller, three phones were ordered on May 9, another three on May 10. All phones were to be delivered to an address in Chicago.

Before the order was shipped, Nextel contacted Miller to confirm the order. Miller immediately canceled the order. Nextel then asked Miller about the city's access to their Nextel account through Nextel's web site and Miller stated that the city had never ordered anything from Nextel via the web. The city's web account has since been canceled. "We never order anything through their web site, I always deal directly with a company rep," Miller stated.

UPDATE, 05/19/04
Quigley fires back, denies that he gave out passwords

On May 18, Venice Florida! dot com was contacted by both Quigley and his attorney.

Of the two, Quigley's attorney was far more diplomatic. When informed that the story had been triple-sourced and included an admission made by Quigley himself, Quigley's attorney commented that he needed to tell his client to be more careful in his statements.

Quigley apparently didn't understand the meaning of the word 'careful.' Within minutes of talking with his attorney, Venice Florida! dot com received a phone call from an obviously angered Quigley.

Quigley denied that he had given out passwords to the city's Nextel account.

Later in the day, a subsequent offer was made to Quigley by phone to meet over coffee and hear his side of the story. Quigley declined, although the offer still stands.

Amidst the invective in the two phone conversations with Quigley on May 18, the utilities supervisor gave out some choice quotes: "You are a liar;" "you are a criminal;" "you had better print a retraction or else...;" "you work for the Taxpayer's League, they better watch themselves, too."

When asked what he meant by his use of the words "or else," Quigley answered, "you don't want to know."

 

No phones were shipped to the Chicago address and Nextel immediately removed the charges from Venice's bill, according to Miller.

Nextel investigators reportedly told Miller that this was not an isolated incident, that the scam had been run on a number of other customers across the country.

Contacted by Venice Florida! dot com on the morning of May 17, Quigley admitted to being conned by the scammers. When asked if he had been offered free minutes on his own personal cell phone in exchange for the access codes, Quigley hung up.

According to Venice Police Deputy Chief Dan McGoogan, the matter is currently under investigation by Nextel's internal security department and the Venice Police Department. McGoogan would not say if Quigley is under investigation for reportedly agreeing to accept a gift (the reported free minutes on his own personal cell phone) in exchange for the access codes.

John Duty, a public affairs officer for Nextel, stated he was unfamiliar with the case but would look into it. Duty stated that it is Nextel's policy not to comment on ongoing investigations.

Quigley was the subject of a Venice Florida! dot com article last year when area residents accused him of verbally abusing and yelling at them in their front yards. Quigley was never investigated by the city for the allegations.

 

UPDATE, 05/19/04
How the story was sourced

Sources at city hall and within the police department both acknowledged that the hackers had contacted Quigley prior to the hack on the Nextel site.

One highly placed and trusted source stated that in an official conversation with utils director John Lane, Lane had stated that Quigley had given out the password info in exchange for minutes on his personal cell phone. According to the source, Lane stated that Quigley had admitted this to Lane.

That, in and of itself, was not entirely convincing. For one thing, Lane is not known for being entirely truthful when it comes to dealings within his department. For another, Lane is not the most technically savvy guy on the planet -- during one presentation at city council, Lane's comments made it clear that he did not understand the difference between e-mail and a web page when he referred to an article on this site as "webmail."

Another concern was: how would Quigley have known the password, anyway? This is still a troubling question.

A decision was made to sit on the story unless an independent and closer source would provide confirmation. That source turned out to be Quigley himself. On May 17, Quigley was contacted by phone and asked about the incident. This would be the first of three phone conversations between Quigley and myself; the second and third conversations are recounted in the sidebar story (gray area on the right side of the page, above).

In this first phone conversation, Quigley was asked if he had received the bogus survey phone call from the hackers. Quigley responded, "How did you find out about that? Who told you?"

Quigley was then asked if he had given out passwords and account info to the hackers, and Quigley responded with "I only gave them that info because I thought they worked for Nextel." Quigley continued to ask "Who told you about this?"

Finally, when Quigley was asked if he had given the info out in exchange for free minutes, he hung up.

Not entirely comfortable with the source chain on the password part of the story but relieved by Quigley's own statement, the story was run with repeated references to inside sources. The word 'reportedly' was used repeatedly. I was comfortable with the fact that John Lane had made the statements accusing Quigley of coughing up the passwords, but I wasn't entirely convinced that Lane was being truthful.

Nevertheless, Lane is the director of utilities and the city has, by default, placed its trust in him. When a department head states that he has received an admission from an employee that password info was given out and then the employee himself gives a non-denial denial, that's enough for a story, albeit a carefully worded one -- hence the repeated use of the word 'reportedly.'

If Quigley has a different version of events and he's actually willing to talk about it without any more threats, he knows this web site is good for a cup of coffee and a bagel.

 

UPDATE 05/23/04
Quigley cleared of wrongdoing, did not give out passwords

The utilities supervisor did, however, give out enough info to allow hackers to eventually make bogus purchases in the city's name

Utils director John Lane spoke in error when he told other city officials that utils supervisor Quigley had given out passwords to Nextel hackers.

According to our sources, Quigley never gave out passwords because (1) he didn't know them, and (2) they did not yet exist. Quigley did participate in a bogus survey given by the hackers. In that survey, Quigley gave out information about the city's Nextel cell phones to hackers posing as Nextel employees, enough information for the hackers to contact Nextel and convincingly pose as city employees. The hackers, using information provided by both Quigley and Nextel, then created the web account on Nextel's web site in the city's name, including the creation of web site access passwords. This, in turn, allowed the hackers to order $1500 worth of cell phones on the city's tab.

Venice Florida! dot com had stated reservations about the password portion of the story (see footer update above, dated 05/19/04). Our reservations were based on two things: we couldn't understand how Quigley could possibly have known the passwords and the fact that the end source for the password part of the story was utils director John Lane. In spite of his position as director, we have found Lane to repeatedly be an incredibly unreliable source when it comes to getting information about the utilities department that he runs.

There's a bit more to this story that we are not allowed to talk about as the matter is still under investigation, but the bottom line is this: Quigley did not give out actual passwords, although he did unwittingly give out enough information to the hackers that they were able to proceed to the next level of their hack.

 

John Patten is the head of Web Operations for Creative Pages, and has worked in broadcasting for over 12 years. He can also be incredibly rude at times.

 



All content, except where noted, 1997 - 2008 Venice Florida! dot com
all rights reserved
TWTTEHTTCOV