I’ve started reading Future Crimes by Marc Goodman. I thought it might be a good use of time to not only consume the content but share the content and insights I have along the way. As of this writing, I’ve made it through the prologue and Chapter 1, followed the rabbit holes of the references in the text, and have developed a few insights and opinions of the content. Think of this read as part Cliff Notes and part unique content/individual perspective.
The overall thesis of the prologue is “when everything is connected, everyone is vulnerable”. This is a somewhat pessimistic take on the rapid advancement of technology, but it’s one worth considering, especially in my industry, which is growing every day. The first chapter of Goodman’s book refers to an article Mat Honan wrote for Wired in 2012. It tells the story of Honan’s experience with a hacker: how his iPhone, iPad, MacBook, Gmail, and Amazon accounts were hijacked and completely wiped, and how the hacker did it. The first thing to note is that the story is dated: the article was written in 2012 and the book was published in 2016. Additionally, this wasn’t really a technical hack at all. No software was exploited; it was a pretexting and social engineering success against the customer support desks of Amazon and Apple, whose identity checks relied on information that was either public or obtainable from each other. Here are the key takeaways:
The “hacker” was targeting Honan’s Twitter profile because the handle was three letters and unique (@mat). To take over the handle, the hacker had to gain access to Honan’s email, change ownership of the account, and destroy any connection the previous owner had to it. Here’s how they did it:
- Mat Honan’s personal website was linked in his Twitter profile. The hacker followed the link.
- On Honan’s website, the hacker found the target’s Gmail address. They then started a Gmail password recovery and discovered from the partially masked recovery address that the alternate email was an “@me.com” address, Apple’s email service.
- To gain access to that alternate email through Apple support, the hacker needed the user’s billing address and the last four digits of the credit card on file. The billing address could be found with a WHOIS lookup on Honan’s domain or in a variety of other free databases; the last four digits of the card would have to be extracted from Amazon.
- Fortunately for the hacker, it was easy to add a credit card to an Amazon account by calling in with just a name, email address, and billing address. After adding a phony credit card, the hacker could call back, offer the phony card number as proof of identity, and have a new email address added to the account, then reset the password from there.
- Inside the Amazon account they could see the real credit card’s last four digits. Next they called Apple support and used the billing address and those four digits to get a temporary password for the @me.com account.
- Next the hacker requested a Gmail password reset, which was delivered to the @me.com recovery address, and presto, they had access to Gmail.
- Then they reset the Twitter password from Gmail, took over the handle, and purged the previous owner from the paper trail, including remotely wiping every Apple device through the Apple ID.
If you want to read the full article, you can find it here.
This all happened in roughly 30 minutes. Granted, this was 6 years ago at the time of this writing, but not a lot has changed. We’ve introduced biometrics (fingerprint/face ID), and we’ve streamlined two-factor authentication. But we’ve also linked way more accounts together: email, Facebook, Snapchat, Twitter, Instagram, LinkedIn, Tinder, etc. Almost everything has a ‘Log in with Facebook’ option, which turns one compromised account into a skeleton key for the rest. A lot of the information used in the above-mentioned story is also still easily accessible, either through open source databases or through simple social engineering techniques. So what can we do to protect ourselves moving forward? Here are a few tips:
- Enable two-factor authentication on anything that offers it.
- Use biometrics or a dedicated login rather than ‘Log in with email’ or ‘Log in with Facebook’ when possible, so one account doesn’t unlock the others.
- Remove private information from open source databases (see Bazzell’s Privacy and Security desk reference)
- Create a separate recovery email address that isn’t linked to any high risk accounts.
- Don’t wait until your credit card’s expiration to renew it; make it a habit to change it as often as is comfortable.
- Don’t store credit card information on websites you don’t use on a frequent basis.
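The attack chain above and the tips that follow it are really the same story told twice: every account’s password reset depends on some other account or fact, and the hacker just walked that dependency graph from public information to the Twitter handle. The script below is my own added illustration, not anything from Goodman’s book or Honan’s article. It encodes the reset dependencies as “if you hold these facts, you can obtain this one” rules reconstructed from the story (the rule descriptions are my paraphrase, and the fact names are made up for the model), computes everything an attacker can reach from nothing but the public Twitter profile, and then applies three of the tips (no stored card on Amazon, a standalone recovery mailbox, two-factor on Apple and Twitter) to show which links in the chain they break.

```python
"""Model account-recovery dependencies as forward-chaining rules and compute
what an attacker can reach from public facts. Added example; the rule set is
a reconstruction of the Honan story, not data from the book or article."""
from collections import namedtuple

# needs: set of facts the attacker must already hold; grants: the fact obtained.
Rule = namedtuple("Rule", "needs grants via")

# Baseline: the dependencies as they stood in 2012 (reconstructed, simplified).
BASELINE = [
    Rule({"twitter_profile"}, "personal_website", "link in the Twitter bio"),
    Rule({"personal_website"}, "gmail_address", "email published on the site"),
    Rule({"gmail_address"}, "me_com_address", "Gmail reset page masks but reveals the recovery address"),
    Rule({"personal_website"}, "billing_address", "WHOIS on the domain"),
    Rule({"gmail_address", "billing_address"}, "amazon_account", "phone in: add a card, call back, reset"),
    Rule({"amazon_account"}, "card_last4", "stored card visible inside the account"),
    Rule({"me_com_address", "billing_address", "card_last4"}, "apple_id", "Apple support issues temp password"),
    Rule({"apple_id"}, "icloud_wipe", "Find My iPhone / Find My Mac"),
    Rule({"apple_id"}, "gmail_account", "Gmail reset mail lands in the @me.com inbox"),
    Rule({"gmail_account"}, "twitter_account", "Twitter reset mail lands in Gmail"),
]


def derive(rules, known):
    """Forward-chain until no rule adds a new fact.

    Returns (facts, how): every fact the attacker ends up holding and, for each
    derived fact, the rule that produced it (used to print the attack path)."""
    facts = set(known)
    how = {}
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.grants not in facts and rule.needs <= facts:
                facts.add(rule.grants)
                how[rule.grants] = rule
                changed = True
    return facts, how


def attack_path(how, target):
    """Linearize the derivation of target: each fact appears after the facts it needed."""
    order, seen = [], set()

    def visit(fact):
        if fact in seen or fact not in how:   # starting facts have no producing rule
            return
        seen.add(fact)
        for need in how[fact].needs:
            visit(need)
        order.append(fact)

    visit(target)
    return order


def harden(rules):
    """Apply three of the tips from the post to the dependency graph."""
    hardened = []
    for rule in rules:
        if rule.grants == "card_last4":
            continue                                   # tip: no stored card on Amazon
        if rule.grants == "apple_id":
            rule = rule._replace(needs=rule.needs | {"apple_2fa_device"},
                                 via=rule.via + " + two-factor prompt on a trusted device")
        if rule.grants == "gmail_account":             # tip: separate recovery mailbox
            rule = Rule({"recovery_mailbox"}, "gmail_account",
                        "reset mail goes to a standalone address linked to nothing else")
        if rule.grants == "twitter_account":           # tip: two-factor on anything that offers it
            rule = rule._replace(needs=rule.needs | {"twitter_totp_secret"})
        hardened.append(rule)
    return hardened


def reachable_high_value(rules, known=("twitter_profile",)):
    """Which of the high-value outcomes can be reached from the given starting facts?"""
    facts, _ = derive(rules, set(known))
    return sorted(facts & {"amazon_account", "apple_id", "gmail_account", "twitter_account", "icloud_wipe"})


if __name__ == "__main__":
    facts, how = derive(BASELINE, {"twitter_profile"})
    print("Baseline attack path from the public Twitter profile:")
    for step in attack_path(how, "twitter_account"):
        print(f"  {step:18s} <- {sorted(how[step].needs)} via {how[step].via}")
    print("Hardened graph, still reachable:", reachable_high_value(harden(BASELINE)))
```

Two things fall out of running it. First, the order matters: Amazon’s weakness was only dangerous because Apple trusted the last four digits of a card, so the Amazon account shows up in the path before the Apple ID. Second, in the hardened graph the attacker can still reach the Amazon account, because that verification flaw was Amazon’s to fix, not Honan’s; but with no stored card there is no last-four to hand to Apple, and with a standalone recovery mailbox and two-factor enabled the chain stops there.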
It’s important not to trust anyone with your data, no matter how large the company is. Digital risks have become the new normal, and actors with malicious intent are only growing in number and capability. New technologies such as augmented reality, virtual reality, 3D printing, and more are all being targeted by criminals. As we transition to and depend more on the cloud, take inventory of where your information is stored. The average time to recover from an intrusion into a company’s network is 210 days, at an average cost of $188 per stolen record (2016 figures). Not only does it appear that networks aren’t being secured, it seems like their vulnerabilities are becoming a financial sinkhole. The only problem is the information isn’t theirs, it’s yours.