logo

10 August 2017

Even the best passwords are no match for this simple hack

"Um, yes, that is toooootally my password and email account. Totally."
“Um, yes, that is toooootally my password and email account. Totally.”

Image: Ambar Del Moral/Mashable

Why go to all the trouble of breaking into an online account when you can just ask for the keys?

While security experts released new password recommendations this summer, legions of hackers long ago realized that getting into a victim’s email or iCloud doesn’t require keyloggers, zero days, or USBs pre-loaded with malware. Nope, it’s much easier than that.

All it takes is a little charm.

Welcome to the world of social engineering, where those looking gain access to protected places (be they physical or digital) talk, bluff, confuse, or trick their way past the gatekeepers. Social-Engineer, Inc., a security company that specializes in helping corporations prepare for this sort of attack, defines the technique as “any act that influences a person to take an action that may or may not be in their best interest.” 

Say, just for example, a stranger calls up your cell provider — pretending to be you — and convinces the call center worker to reset your SIM card. That’s not in the employee’s interest, nor yours. And, as Black Lives Matter activist DeRay Mckesson found out in 2016, the consequences can be rough. 

This wasn’t the first time someone talked their way past a public figure’s digital security. In 2012, a hacker tricked Apple into giving up access to tech reporter Mat Honan’s iCloud account. Through that, the attacker was able to get into both Honan’s Gmail and Twitter accounts — remotely wiping his iPhone, iPad, and MacBook Air for good measure. 

“I know how it was done now,” Honan explained on his blog at the time. “Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”

Basically, all the maliciously inclined need to socially engineer their way in is the right talking points and a little luck. AND for those in need of some help, there are even web forums dedicated to sharing tricks of the trade.

It’s almost too easy, and no five-word passphrase can do anything to prevent it. 

That being the case, shouldn’t the companies that protect our data be on the lookout for this sort of thing? Thankfully, many now are. However, they are essentially forever fighting a losing battle. Social engineering relies on exploiting human nature, and last time we checked human nature is something that doesn’t change all that easily. 

So what can you do? Well, besides making sure you don’t give out any information that could later be used to impersonate you, a simple bit of protection is to enable two-factor authentication on everything and use authenticator apps wherever possible. Also, definitely go ahead and get a PIN/customer care password for your cellphone account.  

Oh, and be paranoid. Very, very paranoid. 

Https%3a%2f%2fblueprint api production.s3.amazonaws.com%2fuploads%2fvideo uploaders%2fdistribution thumb%2fimage%2f80316%2ff500b367 c74e 4fa7 97cd cde8f19f3003

Please follow and like us:

Share
#

Write a comment

5+8 = ?