Those who have been to my talks on security would know that I talk a lot about social engineering. No matter what security controls you have in place, the weakest point is always the human operator.
This horrific tale was recently published detailing how “in the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”
In summary, a hacker used his skills to get 4 pieces of information. Using those information blocks, the hacker managed to ruin Mat Honan's digital life. The hacker did not use clever software, nor did he install hidden key loggers, nor did he use brute force to guess passwords. All the hacker did was exploit the weakest link: the human call centre operator.
What was the motive? Political? Power? Money? Nope: it was done simply to take over Mat's three-character Twitter handle. Nothing more.
I have taken information from the report posted at this link and broken it down as a lesson for us all. Please read the entire article for your own learning.
How this hack was committed:
The hacker started by looking at the Twitter account, which was linked to Mat's personal website. There he found Mat's Gmail address. Information point 1.
He then went to Google's account recovery page and entered the Gmail address, which showed him the alternate e-mail address set up for account recovery. Although Google partially obscures that information, he saw "m••••email@example.com". Information point 2. As Mat put it: "the .Me e-mail account as a backup told the hacker I had an AppleID account".
Why is the AppleID account critical?
AppleID tech support call centre staff need just 3 pieces of information to identify a legitimate client: the e-mail address (the hacker already has that), the billing address (easily looked up on the net with tools like Whois, Spokeo, WhitePages and PeopleSmart), and the last four digits of a credit card.
This is where most people would be stumped. How do you get someone's credit card number? It turns out to be pretty simple.
Getting the credit card number:
The hacker calls Amazon and tells them that he is the account holder and wants to add another credit card to the account. Amazon call centre staff verify clients by asking for the name (got that), an associated e-mail address (got that) and the billing address (got that). All three pieces of information are already available. Amazon then allows the addition of a new credit card.
The hacker then calls Amazon back later and tells them that he has lost access to his account. He provides the name, the billing address, and the new credit card number he gave the company on the previous call. This authenticates him, and the Amazon call centre staff grant him access.
Now the hacker just logs onto the Amazon site and sends a password reset to the new e-mail address. This lets him see, amongst other things, all the credit cards on file: not the complete numbers, just the last four digits.
Ta-da. The hacker now has the last piece of information that Apple call centre staff require to let him in.
[Side note: what if you don't have an Amazon account? Not a problem. Remember that whenever you hand your credit card to anyone, they can take note of your last four digits. For a couple of bucks you can get that info.]
Just call Apple, give them the information they need, which you now have, and you have full access to the AppleID account. That means you can remotely wipe everything and locate the phone, tablet, MacBook etc.
You also have access to all contacts, documents and every other piece of content stored in the cloud.
Full access to the Amazon account and to Gmail too.
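To make the weakest-link point concrete, here is an added Python model that is not from the original article and does not reflect any vendor's real verification policy. It encodes the chain above as forward-chaining rules (each step needs some facts and yields others), computes which accounts fall starting from nothing but public data, and then shows which single step, if it demanded a fact no other step leaks (a `second_factor_code`, an assumed name), would cut the chain. The step names, fact names and rule contents are constructed simplifications of what the post describes.

```python
"""Forward-chaining model of the account-recovery chain described above.

Added illustration, not code from the original post. Each rule is a
simplified reading of the article: (step, facts the attacker must already
hold, facts the step yields). The names are constructed for this example
and do not describe any provider's actual support procedure.
"""

# (step name, facts required before the step works, facts gained by doing it)
ARTICLE_RULES = [
    # Public profile: the Twitter bio links to a personal site listing a Gmail address.
    ("twitter_profile_lookup", set(), {"gmail_address"}),
    # Google's recovery page masks most of the backup address, but the domain
    # is enough to reveal that a .Me / AppleID account exists.
    ("google_recovery_hint", {"gmail_address"}, {"me_com_hint"}),
    # Name and billing address come from public people-search records.
    ("public_records", set(), {"name", "billing_address"}),
    # Support adds a card once name, e-mail and billing address are given.
    ("amazon_add_card", {"name", "gmail_address", "billing_address"}, {"attacker_card"}),
    # A later call uses the card just added as proof of ownership.
    ("amazon_account_recovery", {"name", "billing_address", "attacker_card"}, {"amazon_account"}),
    # The logged-in account shows the last four digits of every card on file.
    ("amazon_view_cards", {"amazon_account"}, {"card_last4"}),
    # Apple support: e-mail, billing address and last four digits.
    ("apple_support_reset", {"me_com_hint", "billing_address", "card_last4"}, {"apple_id"}),
    # The .Me mailbox is Gmail's recovery address; Gmail is Twitter's.
    ("gmail_reset_via_me", {"apple_id"}, {"gmail_account"}),
    ("twitter_reset_via_gmail", {"gmail_account"}, {"twitter_account"}),
]

ACCOUNTS = {"amazon_account", "apple_id", "gmail_account", "twitter_account"}


def compromise_closure(rules, start=()):
    """Fire rules until no new fact is gained.

    Returns (all facts reachable, the ordered list of steps that fired).
    """
    known = set(start)
    path = []
    used = set()
    changed = True
    while changed:
        changed = False
        for step, needs, yields in rules:
            if step in used or not needs <= known:
                continue
            used.add(step)
            known |= yields
            path.append(step)
            changed = True
    return known, path


def harden(rules, step, extra_fact):
    """Copy of `rules` in which `step` also demands `extra_fact`.

    If no rule ever yields `extra_fact` (a one-time code from a device the
    attacker does not hold, for instance), that step can no longer fire.
    """
    return [
        (s, (needs | {extra_fact}) if s == step else needs, yields)
        for s, needs, yields in rules
    ]


def accounts_lost(facts):
    """Sorted list of fully controlled accounts present in a closure."""
    return sorted(f for f in facts if f in ACCOUNTS)


if __name__ == "__main__":
    facts, path = compromise_closure(ARTICLE_RULES)
    print("From public data alone:", " -> ".join(path))
    print("Accounts lost:", accounts_lost(facts))
    # Ask where one stronger check would have cut the chain.
    for step in ("apple_support_reset", "amazon_add_card"):
        facts, _ = compromise_closure(harden(ARTICLE_RULES, step, "second_factor_code"))
        print(f"Second factor required at {step}: lost {accounts_lost(facts)}")
```

Run as a script it prints the full chain and then the two hardened variants: demanding a second factor at Apple's reset still leaves the Amazon account exposed (and the last-four-digit leak), while demanding it before Amazon adds a card stops every later step, because nothing else in the model supplies that fact. The useful habit for a defender is the one the model forces: list the facts each recovery path accepts, and check whether any other service hands those same facts out.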
The learning points:
There are lots of learning points. It's amazing how simple getting access is. With some research and social engineering skills, people are vulnerable, especially those who are not armed with the information on what to look out for. I suggest reading the entire article and seeing what you need to change in the way you operate so that you are not a victim. Full article here.
My other related social engineering articles: