One of the harsh realities of our now digitally interconnected lives is the constant threat of hackers trying to gain access to our systems. According to a recent study by the University of Cambridge we here in the UK spend an estimated £100 million each year on anti-virus software to protect our valuable data, yet still stories of identity theft, compromised email accounts, and social media hijacking continue. But when you look at the figures, and see how the actual types of crimes are broken down, a surprising common factor emerges. Although most of us associate hacking with malicious software that somehow breaks into our systems via brute force, the real truth is actually a lot more simplistic.
‘While software companies are learning how to strengthen programs,’ explains Christopher Hadnagy, in his book Social Engineering : The Art of Human Hacking, ‘hackers and malicious social engineers are turning to the weakest part of the infrastructure – the people.’
Writing code is complicated and time consuming, plus there’s the distinct possibility that it can be traced back to an origin source, leaving the police a trail of breadcrumbs to follow. So rather than investing their resources in these forms of attack, human hackers instead use techniques that have long existed in the physical world – an old fashion con. By now we’ve all seen examples of phishing attacks: emails that appear to have been sent from our banks, or favourite online shopping portals. They usually arrive in our inbox warning us (ironically) of security threats, are often accompanied by graphics from the real site, and a time pressure to respond quickly or the relevant account will be shut down. All the customer needs to do is click on the embedded link, confirm their account details and everything will be fine. Of course the email is a fake, the site you click through to is also bogus, but the details you enter – usually of a financial manner – are very real, and now rest on the machine of someone who will immediately embark on a shopping spree.
These scams are as old as the internet itself, in fact they have existed in one form or another since people first became people, but the threat of the modern age is that the information needed to trick us is often given away freely by ourselves on social media sites, internet forums, or even by casual conversations with seemingly well meaning strangers.
‘Many of these attacks,’ continues Hadnagy, ‘could have been avoided if people were educated, because they could act on that education. Sometimes just finding out how malicious people think and act can be an eyeopener. I was recently discussing with a close friend her financial accounts and how she was worried about being hacked or scammed. In the course of the conversation we started to discuss how easy it is to guess people’s passwords. I told her that many people use the same passwords for every account. I saw her face go white as she realised this is her. I told her that most people use simplistic passwords that combine something like their spouses name, his or her birthday or anniversary date. I saw her go an even brighter shade of pale. I continued by saying that most of the time people choose the simplest security question, such as your mother’s maiden name, and how easy finding that information is via the internet or a few fake phone calls.’
This combination of real world conversations mixed with online information gives the enterprising hacker, or social engineer as some call them, a powerful amount of knowledge about us. Knowledge they can use to accomplish frighteningly penetrative attacks. In his book Hadnagy lays out the various tactics that social engineers use to ensnare their targets. These include information gathering via the internet, direct phone calls posing as representatives from companies the target uses, raiding their rubbish bins for financial information such as bank accounts or credit card numbers, all of which they can use to build a profile of the target enabling the hacker to create a persona or fake website that will be the most alluring. It sounds at times like something out of a James Bond movie, but these techniques are used constantly in one fashion or another, usually with the intent of gaining access to the target’s office machine which of course then means they have access to the business as a whole. This form of elicitation is a skill that social engineers develop to a high degree, so the target often doesn’t even know that they surrendered the information.
‘The goal with elicitation is not to walk up and say what is the password to your servers?’ Hadnagy reveals. ‘The goal is getting small and seemingly useless bits of information that help build a clear picture of the answers you are seeking or the path to gaining those answers’.
Armed with these different fragments of knowledge, hackers can then exploit weaknesses in other parts of the human chain, sometimes with devastating consequences.
Mat Honan is a senior writer at Wired magazine and has written for many of the top tech magazines. He is someone who understands the internet, technology, and the culture that surrounds it. But during the summer of 2012 his digital world was torn apart in the space of an hour when determined hackers employed a variety of tactics to gain access to his accounts. The tech community was shocked at the apparent ease with which this happened, as it highlighted the house of cards nature of online security.
A hacker, posing as Mat, called Amazon and said he wanted to add a new credit card to his existing account, the number was of course fake, but this didn’t matter. Amazon required Honan’s billing address, email contact, and the name on the account – all of which was possible to find by a little digging online and some logical deduction. The process was complete and the hacker finished the call. Moments later he rang again saying that he was locked out of his account, the operator asked for him to confirm the details of his account – including the new credit card number – and not surprisingly the details matched. The hacker was issued a replacement password for the account, and now they could see the numbers of Honan’s actual credit cards – not the whole number, just the last four digits. As it turns out these four numbers just happened to be the exact part of the card that Apple use as part of their account verification process.
The hacker placed a call to the Applecare support line saying that he had forgotten the password to his me.com account. After supplying the operator with the billing address and credit card digits a temporary password was issued from Apple which allowed him to access the account. He was in. All it took was a quick Google search and two phone calls. In a matter of minutes the hacker had gained access to Honan’s Gmail account, Twitter, remotely wiped his iPhone, iPad and then finally his Gmail account.
‘In many ways, this was all my fault’ Mat wrote on his Wired blog detailing the events. ‘My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter.’
Since the events were made public both Apple and Amazon have made changes to their customer service practices so that these weakness can’t be used again. The fact that they were only discovered after hackers had used them to destroy most of Honan’s online life though, suggests that they never even knew it was possible in the first place. The hackers that think beyond the boundaries of code breaking and malware will always be looking for ways to draw seemingly innocent information from their targets, and until we become aware of these possibilities they will most likely succeed. With software you can build in complex levels of security, and have warning flags go up the minute a breach is attempted. Incorporating these types of failsafes into people may take a little longer.
A version of this post originally appeared as part of a new series of features called News Viewpoint that I write for the PC Advisor website and also appears in the April 2013 issue of the print magazine – yes, I know that’s in the future, but the way magazines work is a mysterious form of sorcery. To see the original click HERE or pop out to your local newsagent and purchase the rather splendid magazine itself.