Monday, August 06, 2012

How social engineering combined with poorly trained tech support (TS) can make your passwords worthless

Strong passwords are the first line of defense users have for their online accounts, but when it comes right down to it, human beings are always the weakest link in the chain.

On Friday, Wired writer Mat Honan wrote that his iCloud account was hacked, which resulted in his iPhone, iPad and MacBook Air being wiped remotely. The remote wipe is an anti-theft feature of iCloud, but once an attacker controls the account, it becomes just another way to make the victim's life miserable.

A number of other accounts were hacked as a result of the initial break-in: Gmail (in essence, all of his Google services), Twitter, and more. The hacker eventually deleted his Google account.

In addition, he uses Sprint as his carrier, and because he had linked Google Voice directly to his phone (a Sprint feature), losing the Google account also meant that, at the time of writing, he could not make phone calls or send or receive text messages.

To make matters worse (if it could be any worse), he could watch the attack unfold in semi-real time as the password-reset emails came in.

How did all this happen? It started with his iCloud account. Did he have a weak iCloud password? Did he use the same password everywhere?

As a tech writer, he should know better, and the natural assumption would be no. The answer is also no.

Instead, both the hacker (who contacted Honan to gloat about it) and Apple tech support confirmed the FUBAR: it was human error. Apple tech support gave the hacker access to the account after he convinced the support representative that he was Honan.

It's called "social engineering," and it is the same family of attack that phishing belongs to: instead of breaking the technology, you manipulate a person. Most likely using details about Honan that were easy to find because he is a semi-public figure, the hacker convinced Apple tech support that he was Honan.

What does this teach us? It teaches us a few things.
  • The interconnected nature of our online lives, linking Gmail to iCloud to Twitter, etc., means that if a hacker gets into one account, he can probably get into more: each account that can reset another's password is a link in a chain.
  • Similarly, if you use one password across all your accounts, the same thing will happen; a single leaked password opens every account that shares it.
  • Security questions are best if they are custom-made, and their answers should not be facts an attacker can look up about you. We hate the cookie-cutter security questions that are often given as our only options and prefer when a provider allows us to pick a custom-made one; treat the answer as a second password, not as trivia.
Finally, the one that is always true: human beings are usually the weakest link in security.
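The two lessons about linked accounts and reused passwords can be made concrete by treating your accounts as a graph and asking what falls if any one of them is taken. The script below is an added example, not code from the original post or from Honan, and the account graph in it is constructed for illustration (it is not Honan's real configuration): an edge means "controlling A lets the attacker reset B," and accounts that share a password are linked to each other. A hardened account is modeled as one whose recovery no longer runs through any other account in the graph (for example a hardware second factor) and whose password is unique.

```python
"""Blast-radius model for linked online accounts (added example, hypothetical data)."""
from collections import defaultdict, deque
from copy import deepcopy

# Constructed, hypothetical account graph; NOT Honan's real setup.
# "reset_via": accounts or people that can trigger a password reset on this account.
# "password":  a label for the password in use, so reuse is visible.
ACCOUNTS = {
    "apple_support": {"reset_via": [],                "password": None},   # a human who can be talked into a reset
    "icloud":        {"reset_via": ["apple_support"], "password": "pw1"},
    "gmail":         {"reset_via": ["icloud"],        "password": "pw2"},  # recovery address is the iCloud mailbox
    "twitter":       {"reset_via": ["gmail"],         "password": "pw3"},
    "forum":         {"reset_via": ["gmail"],         "password": "pw_reused"},
    "shop":          {"reset_via": ["gmail"],         "password": "pw_reused"},
    "bank":          {"reset_via": ["phone_sms"],     "password": "pw4"},
    "phone_sms":     {"reset_via": [],                "password": None},
}


def build_edges(accounts):
    """Directed edges: owning A lets the attacker take B."""
    edges = defaultdict(set)
    by_password = defaultdict(set)
    for name, info in accounts.items():
        for helper in info["reset_via"]:
            edges[helper].add(name)          # control the helper -> reset this account
        if info["password"] is not None:
            by_password[info["password"]].add(name)
    for group in by_password.values():       # reused password: one falls, all fall
        for member in group:
            edges[member].update(group - {member})
    return edges


def blast_radius(accounts, start):
    """Every other account reachable from one compromised starting point (BFS)."""
    edges = build_edges(accounts)
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for nxt in edges[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {start})


def ranked_weak_points(accounts):
    """Starting points ordered by how much is lost if they are compromised."""
    return sorted(((len(blast_radius(accounts, n)), n) for n in accounts), reverse=True)


def harden(accounts, name, unique_password):
    """Give one account a recovery path outside this graph and a unique password."""
    fixed = deepcopy(accounts)
    fixed[name]["reset_via"] = []            # e.g. hardware second factor, not another account
    fixed[name]["password"] = unique_password
    return fixed


if __name__ == "__main__":
    print("support agent tricked ->", blast_radius(ACCOUNTS, "apple_support"))
    print("weakest points:", ranked_weak_points(ACCOUNTS)[:3])
    safer = harden(ACCOUNTS, "gmail", "pw_new_unique")
    print("after hardening gmail ->", blast_radius(safer, "apple_support"))
```

In this constructed graph, tricking the support agent hands over iCloud, and through the recovery chain also Gmail, Twitter and both accounts that share a password, while the bank stays out of reach because its recovery runs through a separate channel. Breaking one link, by giving Gmail an independent recovery path and a unique password, shrinks the same attack to iCloud alone. Feeding in your own accounts and recovery settings shows which single account to harden first.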

As we have had our ID stolen before, we can relate to Honan's experience. What is somewhat horrific are the comments on his post saying things such as that he deserved it because he was an Apple user.

No, no one deserves this sort of misery. It also has nothing to do with an iPhone, an Android phone, a Mac or Windows. It has to do with a human being (an Apple tech support representative) being tricked by a hacker.

It does have to do with a lack of training at Apple, and that is something that needs addressing: a support representative should not be able to reset an account on the strength of details anyone could look up. We'd guess that sometime in the coming week, Apple will make an official statement on the matter.
