It amazes me that this type of social hack still works so successfully. I can understand Kevin Mitnick's success back when he was a hacker, but surely the industry should have learnt by now. Resetting a user's credentials should be treated like changing all the locks on their house. If the user cannot verify their account credentials and is crying over the phone, at least implement a 7 day delay and grace period before the reset takes effect, send emails which notify the current email address, etc., or even send a PIN to their postal address. I know these are not ideal security either, but at least there would be some grace period.
If you're in an old Ameritech area in Ohio, pick up the phone, dial '0' and when the Operator comes on, say:
"OBT-125, please read number on display."
You'll get the NPA-NXX-XXXX read out to you and she'll tell you to have a good day. As of three years ago, you could call any of the embarq/sprint area operators in Ohio/Kentucky and just say, "ID Me."
Phone phreaking is still alive, but, it's not as common as it once was.
If you're exploring the phone system and want to know what circuit you've happened to sneak your way onto, it's very useful if you can have the phone company just tell you what part of their systems you're calling from :)
If you treat security like a mathematical problem [1] with no grey areas, you are going to reject almost every security measure and say "that would only give users a false sense of security."
Just about all security measures can be worked around by a determined attacker. That doesn't mean you stop using them.
The linked page says to hide your whois information. This is surely security through obscurity. Yet it can vastly reduce the number of reset emails you get.
[1] You should treat crypto like a mathematical problem.
I think that the idea is to not help out a potential attacker rather than to use this as an absolute security method. I think that we can agree that relying on any single security method is foolish. Maybe we shouldn't jump to conclusions that this is their only security measure in place.
If they're relying on multiple weak pieces of information like this for security, they still aren't secure, and now they just created a huge pain in the ass for any user of their system, as they have to somehow know all the pieces of information which are supposed to be secret. Huge-pain-in-the-ass security doesn't tend to work very well...
"4. Some of the biggest companies in the world have security that is only as good as a minimum-wage phone support worker who has the power to reset your account. And they have valid business reasons for giving them this power."
It could be greatly mitigated by automating that power more.
E.g., "No problem, I can reset your password! The system will automatically contact your registered phone number and email address -- if you confirm both, it resets now, and if you can't, it will send the reset to your new email 3 days from now."
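The reset flow this comment describes, as an added example that is not part of the thread or any company's code (Python; all class, function and sample names are assumed for illustration):

```python
"""Added example (not the thread's or any company's code): a model of the reset policy
sketched above.  A request sends a token to the registered email and a code to the
registered phone; confirming both applies the reset at once, otherwise it waits out a
3-day grace period that the registered email can cancel.  Names/values are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GRACE_PERIOD = timedelta(days=3)


@dataclass
class Account:
    user_id: str
    email: str
    phone: str
    outbox: list[str] = field(default_factory=list)  # stands in for real email/SMS delivery


@dataclass
class ResetRequest:
    account: Account
    new_email: str
    requested_at: datetime
    codes: dict[str, str]  # channel -> secret sent over that channel
    confirmed: set[str] = field(default_factory=set)
    cancelled: bool = False
    applied: bool = False


class ResetService:
    def __init__(self, now=None) -> None:
        self._now = now or (lambda: datetime.now(timezone.utc))  # injectable clock
        self.pending: dict[str, ResetRequest] = {}

    def request_reset(self, account: Account, new_email: str) -> ResetRequest:
        # A repeated request must not restart or shorten an existing grace period.
        existing = self.pending.get(account.user_id)
        if existing and not (existing.applied or existing.cancelled):
            return existing
        req = ResetRequest(account, new_email, self._now(), {
            "email": secrets.token_urlsafe(16),
            "sms": f"{secrets.randbelow(10**6):06d}",
            "cancel": secrets.token_urlsafe(16),  # sent only to the registered email
        })
        self.pending[account.user_id] = req
        account.outbox += [
            f"sms {account.phone}: reset code {req.codes['sms']}",
            f"email {account.email}: reset token {req.codes['email']}",
            f"email {account.email}: WARNING reset to {new_email} applies at "
            f"{req.requested_at + GRACE_PERIOD:%Y-%m-%d %H:%M}; cancel: {req.codes['cancel']}",
        ]
        return req

    def present(self, user_id: str, channel: str, value: str) -> bool:
        """Check a secret presented for 'email', 'sms' or 'cancel' (constant-time compare)."""
        req = self.pending.get(user_id)
        ok = req and not (req.applied or req.cancelled) and channel in req.codes
        if not ok or not hmac.compare_digest(req.codes[channel].encode(), value.encode()):
            return False
        if channel == "cancel":
            req.cancelled = True
        else:
            req.confirmed.add(channel)
        return True

    def process(self, user_id: str) -> str:
        """Return 'none', 'pending', 'cancelled' or 'applied' for the account's request."""
        req = self.pending.get(user_id)
        if req is None:
            return "none"
        if req.applied or req.cancelled:
            return "cancelled" if req.cancelled else "applied"
        if req.confirmed >= {"email", "sms"}:
            return self._apply(req, "both registered channels confirmed")
        if self._now() >= req.requested_at + GRACE_PERIOD:
            return self._apply(req, "grace period elapsed without cancellation")
        return "pending"

    def _apply(self, req: ResetRequest, reason: str) -> str:
        req.applied = True
        req.account.outbox.append(f"email {req.new_email}: reset link ({reason})")
        req.account.outbox.append(f"email {req.account.email}: reset applied ({reason})")
        return "applied"
```

The reset link only ever reaches the new address after both registered channels answer or the grace period runs out uncancelled, so the caller's story on the phone never shortens the clock.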
Now all an attacker has to do is wait for me to go on a cruise, or camping trip, or basically take any action which means I'm out of communication for a week or more.
I can't think of the last time I was completely cut off from both phone and email for more than 3 days. Can you? I travel around the world regularly enough (I was in Malaysia in November; I'll be in Rwanda in March), but never with breaks in connectivity lasting more than 3 days.
I don't go wandering into the wilderness for more than a day trip, admittedly... but I'm also pretty sure most other people don't do that regularly, either.
> He then called Amazon with what little information he had gained and cried that he had lost his password and didn’t have access to that email address anymore. The representative caved and reset the password over the phone giving him full access to my Amazon account. His plan was to then gain as much information as he could with Amazon (last four of credit card numbers, current and previous addresses, etc…) and use that as ammunition to do the same thing with Apple. And it worked. He had an email in his gmail inbox with instructions on how to reset my iCloud account.
Whatever you think of the state of cybersecurity in terms of encryption, implementation, and user-interface (including 2-factor authentication)...it doesn't seem that the protections against social engineering have developed at the same pace as the increasing ease of accessing public records.
> Whatever you think of the state of cybersecurity in terms of encryption, implementation, and user-interface (including 2-factor authentication)...it doesn't seem that the protections against social engineering have developed at the same pace as the increasing ease of accessing public records.
Yep. Around the same time I started using a randomly generated 24 digit alphanumeric password generated with an offline computer, I noticed a twin person who looked nearly the same as me nearly started living in my apartment, and asking an awful lot of questions about our supposedly shared childhood, wanting to "catch up".
It was certainly nice suddenly having a twin, but it wasn't until he suddenly disappeared three years later that I realized I should have been just as wary about social engineering as I was about my encryption.
third (sarcasm). I don't think the bar with social engineering has moved NEARLY as much as cyber security has. It's practically impossible to keep a computer secure, but very easy not to be duped by strangers on a social level.
What if the people getting duped to give away your account are minimum wage call centre workers who'd probably like you off the phone ASAP? You're a genius who'd never get scammed like this, fine, but you're not the weakest link here.
People get duped by strangers all the time. It's much easier to find out someone's childhood pet name than to, say, break TLS. A lot faster and usually less conspicuous too.
Hell, getting the last four digits of someone's credit card number might be as simple as pulling a receipt they threw away out of the trash.
Another bad habit is those "security questions".
For me, the only proper way to deal with this is to have your mother's maiden name or pet name be cy4nEp7UtNsz and save that (along with the question title) in your (properly backed up!) password safe.
Security questions are one of the stupidest ideas in the so-called "security" industry. This causes so much information leakage and confusion and doesn't really solve anything. They really need to be removed from every company's security protocol.
I like how Yahoo suddenly decided to make their "security questions" a secondary password. I have no idea what I answered over a decade ago, but I can no longer log into my account despite them acknowledging my password to be correct.
Or even Gmail. Since when do they require you to guess when you opened your account and all of that information? As if I have any idea what month/year I opened my gmail account. I feel like if I ever got locked out of it or were in this situation I wouldn't know the information to get back into it.
I agree that security questions are 100% a joke, in that they're completely useless and potentially represent an attack vector.
Unfortunately some services have the annoying habit of randomly providing multiple choice for these (ex. TradeKing). So my qgwpagprgqrgwasr2q really sticks out as an odd answer for my first car, making it even more guessable than the real answer.
There really needs to be a way to completely opt out of these systems for competent consumers. I'd never need a password reset, so they shouldn't allow it.
I tell folks to pick a phrase they can remember for long periods of time and use that regardless of the question. "my first pet" = "the refrigerator is walking" or some such thing.
Agreed. If I get to pick the security question itself, it'll be something like "What's the magic code?" to emphasise that the gibberish answer was set intentionally.
> and save that (along with the question title) in your (properly backed up!) password safe.
To be fair, this could render the security question useless. If you lose the password (by losing the password safe), you've also lost the answer to the security question. So a properly backed up password safe renders a security question pointless (or the answers to the security question should be stored in a separate, equally secure, location).
Security questions are already useless. What's my first pet's name? Depending on the day, I might have any of three or four answers; I'm unlikely to remember which pet was first, 30-35 years ago, even if I think I can, since if you ask me in a month, I might be just as confident the other way! Given the uncertainty, I might well decide that the best answer is a later pet I remember better, but then which one is that?
I remember the names of exactly two teachers from high school, today, but only because I was discussing something about them with someone else who remembered over Christmas. My mother's maiden name is spelled differently on her birth certificate and death certificate, so I can't tell which one future me might use after forgetting a password.
Recently, I've noticed a trend of having 6 or 8 fixed security questions to choose 2 or 3 from, none of which actually apply to me in a reliable way.
There's really no other solution but to treat them as an additional password field.
Strictly speaking, they do have one benefit. If someone steals your password, there is really no way to know. If they reset your account with a security question, you'll know as soon as you access.
I've run into security questions where there were character limits on the answer. "Between 3 and 20 characters, no numbers." The worst of all possible worlds!
"Security questions" are already worse than useless, because they provide an easier attack vector (if they are answered honestly). Things like your pet's name and the street you lived on as a child are easily obtainable online.
Companies should allow security-conscious customers the ability to opt out of this attack vector. Alternatively, just use another 20 character randomly generated string for each of the answers.
You're right, it's not the intended use of the security question - and that's exactly what I want. I feel like entering my pet's name doesn't add to my account security but rather lowers it.
My password safe is stored at many different locations so that it's extremely unlikely to lose them all at once. And to secure against amnesia or being-hit-by-a-truck, you should give the passphrase to a person you trust 100%.
The security questions in their current implementation are useless anyhow, because all those pieces of information are exploitable by your social life these days.
"What's the name of your first math teacher" — Take a look into the year's schoolbook, which is online.
These security questions are made for us old farts, for days when there was no Internet like today and none of this information was available online.
Useless for the intended purpose, but when you login to your bank's website from a different IP (or something similar) and it triggers the security question - then you have it without making it something that someone else can figure out.
I set security questions to something random and never store it. It's only a risk to store it.
The only time I needed my security question was when changing email address on PayPal. I gave them a call and was able to change it by reading the security code (a randomly generated PIN).
Any company giving access to your account by security questions is not to be trusted. I never keep more than a few euros in my PayPal account for multiple reasons, and this is one of them.
I always wondered if phone CSRs use those to authenticate a caller. I wasn't looking forward to reading out a 40-digit string of nonsense over the phone.
Good to know all they require is that you can guess a 2-digit number instead...
Alice (telco) at one point required the password I used on the website to identify me on the phone. Quite sensible as authentication/identification (though it requires the password to be stored in plain text somewhere, something I don’t really care about) in theory and reading out aPua6EG8H0nB6UIxOwsQQeVYUF71NRQ9AkBqg4rujU8vAcLMnG is not all that hard.
Security questions don't even help. Some of the support reps from various companies can see your answer and with enough prodding they will just tell you it over the phone.
The problem is that different companies have different protocols on what information they use to identify users, etc, and hackers are getting smart enough to connect various partial information to get full information on a user.
Every single customer-facing company needs to have STANDARDIZED security/information protocols. This includes taking in same information, and only giving out the same information. This should solve this problem.
Even with standardized security protocols, you will still have issues with undertrained/underpaid customer support agents working to "help" one very smooth talking hacker using social engineer tactics.
Social engineering is always a problem, and I think first-level support should NEVER have the ability to see any information or have the ability to make changes to accounts. This should get escalated to second level support.
But regardless, a single account may get compromised, but at least you can't feed partial data from one social engineering attempt into another company, which is what apparently is happening more and more because of impedance mismatches with what everyone uses.
Why are all these attacks targeting Twitter usernames? Do these really have particularly significant resale value? It seems like much greater profit could be made with access to someone's Amazon account, but these seem to be used as merely a proxy in these attacks.
The problem here is usually the people doing this are just kids in the "scene". They go after original names on all different mediums like xbox live, twitter, instagram, etc. Usually the accounts sell from $100 up to $1000+, but they don't really realize the potential of what they could do with this.
They could easily put their minor SE skills towards hijacking high quality information, but instead they use it to get known for stealing usernames.
Same sort of thing targeting low numbered ICQ accounts back years ago. I had mine stolen from under me and while it doesn't actually matter anymore, it did upset and make me angry at the time.
I guess if they can't resell it they do it for shits and giggles, and because grabbing a low numbered/low lettered anything these days is a decent trophy to have.
It seems that now you should not only use different passwords everywhere, but also different logins and emails, different credit cards and maybe even different names, addresses and phone numbers. Just to be sure.
I use different emails, for everything. I manage my own domain(s), so I have anything @mydomain.tld. I'll usually give unique email addresses that identify, to me, the organization or service that gets the address. Occasionally an address becomes the target of spam, and I just kill off that address.
That wouldn't really have helped you in this case, would it? The attacker got the account reset simply by phoning the customer service and making them send a password reset link to a new email.
Also how do you manage said X number of emails? Do you log onto each one of them, or do you forward all emails to one "master email"? If so, the master email is still the single point of failure.
We are going to have to learn to -- effectively -- use compartmentalization, ourselves. (Us technophiles, certainly, but also the "greater masses".)
- Separate, low-balance checking or similar bank account for "routine payments". Larger balances held in other accounts that cannot be accessed / drawn from through normal channels.
- Separate contact address(es) for distinct and more public interfaces. E.g. I and some friends already have P.O. boxes for this purpose.
- There are other instances/examples, but this is enough while keeping this comment brief.
AND HERE IS AN IMPORTANT POINT: Companies that won't let us do this, or even just make it hard, will become anathema to our own best interests.
THERE ARE LEGITIMATE REASONS I don't want all my services and access consolidated under a single user ID and password or other authentication.
Services that push towards "one true name" and "all services lumped together", are -- from this security perspective -- not in my best interest.
I learned years ago about the value of compartmentalization. It seems that many companies have yet to learn that this is a legitimate concern and feature for their customers.
In the age of electronic recordkeeping and processing, it really is a minimal burden upon a business to support more than one account per customer. Customers have legitimate reasons for doing this. Get over it, and give them what they want and need.
Here's what you do. Get a lawyer and sue them for all they're worth. Not just for you, but for every other person their pathetic security has and may cause problems for them in the future.
I don't know exactly where you are, but back home lawyers with pretty good chances of winning a case like this would be jumping at this with a no-win no-fee.
Had this exact experience happen to one of my coworkers.
We started embedding a secondary “password” in some of our email addresses, by leveraging Google's username+tag feature. So something like johndoe@gmail.com becomes johndoe+1bayjdh1x91nj12e@gmail.com
One thing I've found handy is just to have little or no bio information on your accounts. If you absolutely must have bio info on your account, make all the information different from account to account.
This way, if a hacker gets your LinkedIn profile, the information there is different than your Facebook info, which is different than your Twitter info, which is different from your...
Imagine a hacker with a handful of accounts and all the information is completely inconsistent. How does he decide which one is real and which ones are fake? It's essentially a dead end and will hopefully get them to move on to an easier target.
Have you been the target of hacking attempts? This sounds the opposite of handy, so I'd be interested to know how well it actually works. Not sure how well it would pay but I'd be interested in a service that attempts to steal your identity in this way, and then tells you what you can do to plug the vulnerabilities.
I thought I'd post to let some people know how I BELIEVE this is being done.
Kevin Mitnick always talks about how social engineering is usually the key, and it is. He used to make phone calls after dumpster diving and gaining employee names. There's no need for that now, we have all our information on the internet.
Let me explain a little better. Take your Facebook, for example. Most people have the email they use on there for everyone to see, same with LinkedIn. Now once a hacker finds who they want to target, they just start googling the person and collect as much data as possible through comments made by and towards them. Usually they'll comment on their pet's name and all the other info they usually use to reset passwords. Adding the person on a fake account, acting like one of their friends with a new account, is typical.
Once they have all this info and the emails you use, it's time to take over what emails they can with your information. Security questions are usually the route they go. Once they have an email account, it's time to grab the others that are usually linked to each other for password resets. Once those emails are taken over... it's all downhill from there.
Best thing to do is make everything private and don't use the same username or handle on everything, because that makes it easier to link to you.
Just my thought about how this is done. Pretty simple if you have some time to invest.
I would love for there to be some regular program of independent security auditing of major web companies focusing on social engineering attacks. It can be government-funded or privately-funded (companies would pay to be audited in order to be included in a certified registry). I'm not 100% sure how the details would work (they'd have to maintain a huge number of dummy accounts all over the place), but the value of such an effort would be tremendous.
The idea that these companies would rather cater to individuals who are careless with their accounts than uphold the sanctity of the majority of their users' identities is deeply troubling. The thought of a dispensable, minimum wage worker being all that stands between me and total calamity is terrifying.
I've already started using 1Password but I'm now considering closing some accounts and calling some of these services to ensure they never give out my information for password resets and such... Scary stuff...
I'd like to enable two factor auth on my twitter account, but I'm put-off by their SMS-based implementation. Does anyone know if they have plans to support TOTP, like Google, GitHub, etc?
Thanks, I didn't know that! That might be good enough, as I quite often have no phone signal (and therefore no SMS) but still have net connectivity via wifi.
I'd still prefer the TOTP approach though because it doesn't require any connectivity on the phone.
And AWS! As the article said he got lucky that the attacker didn't twig that there was an AWS account associated with that amazon.com login.
You should be using two-factor authentication for all your AWS accounts, especially the 'root' account that's tied to your regular Amazon.com login (I've always thought this is a bit odd).
You should also never use that root account and set up IAM accounts for yourself and any other user (which also use 2FA).
Definitely. While it's not a perfect solution, it provides an extra layer of protection for your accounts by making an extra hurdle for any attacker to clear. Needing two components to access/change your accounts is elegant and effective.
Pay-as-you-go phones are advisable to use for two factor verification, as they are affordable and could be used only for this purpose. Don't hand out the number and you've got a nice disposable tool for protecting your accounts.
Many providers shut down the account if you don't use it for calling at least once per year. Some close it down if you don't fill up the cash pool with money every 6-12 months.
Right, pay-as-you-go phones are annoying that way, if you aren't actually using them. I've lost a few phone numbers because I didn't remember to top-up a phone I wanted for rare uses and/or only incoming calls.
I'm currently building a framework agnostic Authentication module for PHP/Composer, that has 2FA baked in. I want to give everyone who's building web apps in PHP no excuse for not having it. It's painful, but worth it IMO.
And I thought that dropbox had already lost their reputation with pretty much everyone around since those massive security flaws exposed a while back. Silly me.
Damn, my passwords are crap (some are written in OneNote because forums make me change them every half a year), but then again I don't have any precious online properties besides some websites that I use stronger passwords for. Not like it matters since it looks like social engineering is alive and kicking (as they say, humans are always the weakest link in security).
These articles really make me want to set up an automated system that would monitor any password reset events (and other suspicious activity) and automatically change those passwords itself and/or notify me by sms...
It really is worth it. It is a pain to first set up and change every password to some random string (which most vaults will generate for you), but after that it's smooth sailing more or less. I recommend LastPass, it's free (unless you want the Android app, but even then the premium account is super cheap).
That is when it was published, but the text gives no indication if the events happened yesterday or 12 months ago. It's useful to know if these abysmal practices are still current or not at Apple/Amazon/etc.
Jesus fucking christ. Stop making websites accept anything other than a username+password/token for authentication, and this kind of retarded shit would never happen. It's somehow still the status quo to make backdoors to recover your account in case you lock yourself out, which is why things like this happen all the time. You get what you deserve.
This is great in theory, but in practice your regular customers are going to lose/mix up their usernames and passwords all the time.
They need some kind of back door to recover their access (because honestly, even for the responsible and tech-savvy users, sometimes sh!t happens... e.g., my password manager generated a new password but my laptop crashed before I could save it), and they assume there will be a way to restore their account.
I'm sure you could tell your customers "you get what you deserve", but not if you want them to remain customers.
Gee, you're going to have a hard time with bitcoin, hidden tor services, etc.
A) Customers locking themselves out of accounts
B) Accounts being stolen by identity theft
Pick one.
> I'm sure you could tell your customers "you get what you deserve", but not if you want them to remain customers.
I kill people for a living. You can tell me I could stop killing people for a living but then I'd stop having customers. Thus it's impractical to stop killing people.
Ironically, HN itself so happens to do it right - it permits you to have only a user/password. Reddit is the same, so is github, stackoverflow. I've never heard of pervasive problems on either of these sites. I don't submit my email to these sites, and they work fine.
Please continue to call common fucking sense idealism. Look how shit any other site besides the 4 (and others like them) I mentioned are with their fancy policies. How can anyone not rage when such stupidity is forced upon us?
Even if customers are scatterbrained and unwilling to accept responsibility for themselves, it's still better to keep them on board and making money than trying to teach them a lesson out of principle that probably won't even stick.
How well any policies are actually thought through is another matter.
Yes, because users would hate so much to be told explicitly that all they need to remember is a password. They much rather have 20 different pieces of information, some combinations of which if they share, people can take over their accounts on various services. </sarcasm>
The problem is not so much that the systems suck, the problem is there's no way for people like me to take on the responsibility and "risk" of just having a simple way to authenticate myself.
For example, in my bank I would opt into having all "suspicious transaction" types of protections turned off, but if I went to my local branch and asked for that, they'd just get confused and think I'm trying to commit fraud.
> it's still better to keep them on board and making money
Maybe better for you, assuming there would be a net loss from turning off the bullshit policy. Definitely not better for customers, as it enables theft, which has the same consequence as forgetting a password.
It doesn't have to be a mess of ill-thought-out questions. Just a traditional password reset email is a good facility, as opposed to "forgotten password? your account is forever locked, you cretin. don't even think about contacting us".
I have a good backup system so it's not that I use such stuff personally either.
Well yes, I would much prefer that to sending in a picture of my drivers license, only logging in from one IP address, etc. This only really happens with financial sites.
For normal sites, before there were captchas, they required email to sign up, in order to deter spam. Then when they got captchas they still required both, probably because they were thinking "oh yes 2 is better than 1", even though email verification does not deter spam one bit these days. On the other hand, in more recent times you now have all these sites requiring email for recovery. You can see where the dogma came about.
I myself would absolutely never want email recovery, simply because it links the accounts together unless I make a separate email for each, wastes my time (I never lose my passwords, and they are unique for every account), and now the email provider has access to my account.
If this isn't bad enough, Facebook, Google, and pretty much every mainstream email provider now require a cell phone to sign up, and send a verification code to your cell (this may be because I use Tor).
It only seems to be going downhill. There's no reason not to be infuriated.
On the upside, South Korea recently abolished its law that users should use their id online: