Social Engineering

My husband is always saying that the weakest link in digital security is not bad code but people.  People, who can forget passwords (or make horrible ones to begin with), click on spam links, or be conned into divulging too much information.  This concept where the human element is used to “hack” and steal personal info is called social engineering, and it was making headlines today as tech writer Mat Honan has divulged how two (or possibly more) people were able to get access to his Twitter feed, delete his Gmail account, and erase literally everything from his iPhone, MacBook, and iPad.  All in less than an hour.  Here is his story in full; it is a little long, but well worth a read.

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Basically, the hackers used two calls to Amazon to get access to Honan’s Amazon account, from which they gleaned the last 4 digits of his credit card.  They also knew that he had an AppleID account (with a .me email address), so they called AppleCare and got a temporary password for his .me email, using the last four digits of his credit card (as well as his address) as authentication (even though they couldn’t answer the security questions set up for the account).

The hackers then had a password reset for his Gmail sent to the alternate email on file, which was the .me account they controlled.  They used that Gmail account to similarly access his Twitter account and send out spam tweets (which was apparently their ultimate goal).  And to prevent his regaining access, they also deleted his Gmail account and wiped his 3 Mac devices remotely, using the “Find My” feature in his AppleID account.  The greatest casualty?  The pictures of his kid stored on his laptop, which are probably gone forever.

To me, the biggest security flaw here is Apple’s authentication process.  That they would give out passwords for nothing more than what you can google (address) and find on any credit card receipt (last 4 digits of card no.) is ridiculous.  Luckily, I don’t use any Apple products, but I’m sure they are not the only ones guilty of this kind of thing.  Amazon was pretty easy for the hackers to manipulate, too, with just a name, email address, and billing address required to add a credit card to the account.  Here’s another article where social engineers targeted company data instead of personal, also with impressive results:
http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/?npt=NP1

What can you do to protect yourself from social engineering?  I am not a tech geek by any means, but here are some basic points to consider:

In addition to a good password, you can also use the two-step authentication provided by some sites like Gmail.  Every time you log in, you will be texted, or a code generator will give you, a code to input with your password, so someone would pretty much have to also physically control your phone to get access to the account.

Also, don’t daisy-chain your accounts.  You may think your online banking is secure, but it is only as secure as the email account you use to log in to it, and that email account is only as secure as the email account you have set as the alternate for password resets.  One idea is that for an alternate contact for password resets, you could use one account whose handle is not known to anyone else (i.e. not the same as your other email prefixes).

Lastly, back up your s*%t.  If you really want to be safe, have two backups: one in the cloud and one on an external hard drive.

It would be really easy to say, “Don’t store your credit cards on commercial sites,” or “Don’t use Find My Mac” but modern day life is making these kinds of ideas really unrealistic.  The cloud is here to stay, and companies need to continue to improve their security methods.  Alphanumeric passwords just don’t cut it anymore.  We will be seeing more two-step authentication, more biometrics like fingerprints and retinal scans.

And Apple users will be happy to know that Apple has suspended over-the-phone password resets temporarily, and will use stronger authentication when they resume.  Amazon has also changed its policy to disallow changing account info over the phone.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s