Security, your responsibility – Part 2

11. April 2013 Security 0

This is an addition to the “Security, your responsibility” post where i attempt to make users aware that any information they may have on others should be properly secured. This does not just go for your address book of course. Another example is Facebook. I hope you have a strong password to secure your account and stay current on all the security features and changes. After all you have a list of friends on FaceBook, friends that know you and you know them, your Facebook profile is kind of an inner circle of friends in most cases. Friends that are not in that circle can not see what you post, your about information etc. What if one of your friends did not do their due diligence and left their profile wide open and had a weak password to make things worse? This is what can happen… 

I keep my Facebook profile pretty secure. I do not use my full name, have privacy set so noone can find me or read my FaceBoom contents and even those who are in my friends list can not see the rest of my friends. I’ve done what i can from my end. Not too long ago one of my friends had his FaceBook account hacked everyone in his friends list became the target of a phishing attack. How did that happen?

1. Weak password.
His password was simply his last name in all lower case characters. Extremely weak and extremely easy to guess. The hacker gained access to his account in a matter of minutes.

2. No two-factor authentication.
My friend was not notified that his account logged in from an unknown location and device, so he had no idea what was going on. If the two-factor authentication would have been properly set up he would have received a text message with a verification code (Login Approval) or an email alerting him a new device or location just logged in using his account (Login notification).

As these hackers targeting social media are most often someone we know (sad but true), any information that most of your friends know, like your last name or your cat’s name, should NOT be your password or part of your password.

The hacker was in and had full control of his account. He then started looking at his friends and their Facebook pages. As he was on their friends lists he could see all posts, photos and about info. With that information, previous chat history and messages back and forth, the hacker had enough to impersonate my friend. And so the attacks started. “Hi Frank, i am in a jam! Just left my guitar class and my car died. My credit card doesn’t work, can you please transfer €50 to my Paypal so i can get some gas to get home please? I’ll pay you back on sunday when we have the BBQ ok”. These types of messages, custom tailored to each individual, went to most of his friends. And because they were so personal and coming from a trusted friend, most did not question it for one second. They asked for the Paypal address and wired the money. When i got a similar message i knew something was wrong.

1. My friend would never ask for money using a Facebook message, he would call at the very least.
2. My friend is in another country so he knows not to ask me for Euro’s but for Dollars.
3. I know my friend well enough to know that his guitar class was cancelled, something he told me over the phone a few days ago.

So though this attack was very successful as most of the targeted friends paid up right away, some friends including me knew something was up. How could the hacker be so dumb to ask me for Euro’s instead of Dollars? Well i do not list my About info on Facebook. My location and private details are not visible, even to friends. So the hacker did not know i was in another country. This small slip-up, and me paying attention and not trusting everything just because it came from a usually trusted source, allowed me to realize what was going on. I called my friend immediately and as he ran to his computer naturally he found he was no longer able to log in to his account, the hacker had changed the password. I started posting on my Facebook wall and tagged mutual friends to make them aware, those friends did the same until every mutual friend from all of us was aware of the situation. Long story short, this was a huge mess, took some time to clear up and damaged my friends trust and reputation with a lot of people.

Because he did not properly secure his account a lot of people became a victim. But because i had done my part in securing my account and accessible information at least i was able to make it harder for the hacker to engineer a message for me specifically.

Make sure you properly secure your account and make use of the additionally offered security measures. Ask your friends if they are doing the same. If they are not then you have a choice to make; stay in their friends list and possibly become the target of a similar attack (or just have your information and posts monitored by a hacker that does not immediately use it for attacks) or kindly part (online) ways at least until they secure their account.

Either way always be mindful with any type of communication that comes from the internet, no matter who the source. As it is not a face to face interaction you don’t know if you are dealing with a familiar source or an impostor. More on these impostors soon as i will be describing the Man In The Middle attack.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.