When their computer or social media account is hijacked by an unknown entity, most people probably picture something like this: a faceless man hunched over a sleek laptop in an abandoned building, eyes darting to and fro, hands dancing across a mechanical keyboard. Green ciphers wash down his screen faster than the eye can track until ⌠ping! your face pops up on the screen. He just cracked your Facebook account, and now this digital mastermind is going to message all your friends asking for money. Jackpot.
This only happens in movies, of course, and while a minority of âhackersâ do write Trojan horses, viruses and other malicious code, most just hide in plain sight and exploit human psychology to gain entrance. Social engineering can take many forms, including âtailgatingâ â following someone through a turnstile or into an elevator to access restricted floors; showing up at a restricted site disguised as an IT contractor; or the infamous SIM-swapping hack in which the hacker simply calls T-Mobileâs customer service, pretends to be you, perhaps gives your home address or SSN, and asks to port your number to a new SIM card, bypassing any two-factor authentication you have. This isnât particularly difficult; the data needed to pretend to be you can be easily gleaned from the hundreds of data breaches that occur every year. Most often, hackers enter through the front door.
A young woman recently contacted me for help: a hacker gained access to her Instagram and Snapchat and started sending her friends ânudesâ she had taken. She tried many times to regain access to her account â often arduous efforts requiring she send social media companies selfies with dates and codes â but every time she regained access, the intruder locked her out again and forced her to start from scratch.
When I heard her story I was surprised; in these cases a password reset is usually sufficient. After digging a bit deeper I was astounded by the brutal effectiveness of the hackerâs strategy â so complete it left his victim with no recourse to regain her accounts.
Iâll refer to the young woman as Anna and the hacker as John. It started like this: John accessed the Instagram account of one of Annaâs friends (how, weâre not sure), then messaged Anna from that account, asking for her email and number so he could add her to âCirclesâ, an app on which Anna could vote for her friendâs makeup albums.
After Anna gave her details, John then said he was going to send a âreset codeâ so he could add her to the service. Anna received a text with the code, and gave it straight to John. The story gets needlessly convoluted here, but essentially John exploited Annaâs technological confusion, using innocuous language so that Anna had no reason to believe anything nefarious was under way.
John then systematically reset the passwords on all of Annaâs accounts, including her email. Anna was busy and distracted and gave the codes without thinking much of it. John convinced Anna to add his email (which used the hacked friendâs name as the address) to Annaâs Snapchat, totally removing her access to the account. Within two hours, John had set everything up so that his access trumped hers.
If Anna retained access to her email address the situation would have been a pain, but temporary and fixable. However, Anna had given John her two-factor authentication code, enabling him to switch the phone number and alternate email on the account and leaving her no way to recover her account. When she contacted Microsoft, they essentially said they believed that the account was hers, but she had voluntarily handed over access and there was no way for her to prove it was hers any more.
To most people this scenario is a nightmare prospect: you know that some man in a faraway country is crawling through your personal photos, conversations, thoughts, searches, friends â and youâre helpless to stop it. Unfortunately, this late in the process, I couldnât help Anna. She cursed herself for her naivety, but sheâs hardly alone: most people donât realize that this is how most actual âhackingâ occurs. Anna had no reason to believe her friend was anyone other than her friend, and no one had educated Anna on how these things happen. I write technology articles and work for tech companies, yet Iâve had two accounts hacked beyond recovery.
John didnât write a complicated program, or infiltrate any servers, or plug a USB into a computer on the top floor of a security company; he essentially just asked Anna for her credentials, and got them. This is a harsh lesson for anyone online: You must be vigilant about your accounts at all times. Do not write down your passwords or two-factor codes for any reason, no matter who asks. The importance of adding phone numbers and alternate emails to your accounts cannot be overstated.
And always remember the golden rule of the internet: common sense stops more hacks than the most sophisticated security algorithms. If you have an inkling that something is wrong, something probably is.
Gloss