Recently wired.com has been buzzing about a deceptively simple attack on Mat Honan’s Amazon, Apple, Twitter and Gmail accounts on August 6. The article very lucidly explains how the hacker ‘Phobia’ used a few steps of connecting the dots and came up with this simple and elegant (yes, you read that right 🙂) social engineering hack, without even making a call to Mr Honan. The only reason Honan was the victim was that Phobia liked his Twitter handle! It sounded ‘catchy’ enough for Phobia to attack. And THAT is enough to make any of us squirm in our chairs, because after all, our Twitter handles are chosen after a lot of thinking, precisely to make them ‘catchy’. Isn’t it?
On one hand, recent reports confirm the US’s and Israel’s hand in the stealthy and complicated Stuxnet attacks disrupting Iran’s nuclear programme; on the other, at an individual level, all of us can be victims of attacks that wipe our personal data and tamper with our online identity. Which, by the way, matters just as much to us (if not more). The only way to keep ourselves safe is to analyze how these attacks are done and then work out ways to avoid the mistakes the victims made.
So for those of you still reading, here goes my analysis of the attack. Roughly speaking, Phobia used a series of observations, calculated guesswork and conclusions as the main weapons. The steps Phobia followed can be split into 3 phases:
Phase 1: Background research and collection of personal data available online courtesy various online profiles.
Note: The steps in blue boxes depict the logical steps, while steps in yellow boxes identify the system accessed to gain information. I badgered my friend Hitesh to make these flowcharts, so cheers to him 🙂
Phase 2: Retrieving enough information to log into and hack an account. Here the last 4 digits of the credit card were used.
Phase 3: Hacking into the account and tampering with personal data.
And once Mat’s Apple ID was accessible, it was easy to tamper with his digital data, including photographs of his child’s birthday party!
It is easier said than done that the enterprises involved should wake up and do something to stop these kinds of hacks. (Since then, Amazon and Apple have changed their policies and plugged this loophole.) There are simple steps that can be taken at an individual level which would have thwarted Phobia’s attack on Mat’s account. The less information available online, the lower the chances of an attack.
1. Do not store your credit card number on any online shopping account. Out of sheer laziness and convenience, we store the 16-digit number in our account. Re-entering it for every purchase will not take more than a minute. Some might argue that we would then need to carry our cards with us always, which most of us do anyway. Swiping credit cards is a daily occurrence. In the worst case, a stolen credit card can always be blocked. So the question is: is storing the card details really needed? In short, stay away from the alluring ‘one-click’ payment options.
2. Keep mobile notifications switched ON. Where possible, keep mobile notifications on for changes or additions of account information. This lets you keep track of activity, so that any unusual activity is recorded. In Honan’s case, the fake credit card update and the change of recovery email id could have been notified to him if he had had his mobile notifications on. However, once the attacker modifies your phone number, this step stands void. Phobia’s hack has encouraged more hacks and will continue to do so.
3. Keep regular backups. This is the ‘duh’ option, and it’s easier said than done. Agreed, backups are boring, but you’ll love them if you are Mr Honan!
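Point 2 above names the weak spot of change notifications: if the attacker’s first move is to replace the phone number, every later notice goes to the attacker. The following is an added illustration, not code from the original post and not a description of any Amazon or Apple mechanism, of how a service can close that gap. It stages every contact-detail change, sends the notice to the channel being replaced as well as the new one, and applies the change only when it is confirmed from the old channel. The account, the phone numbers and the email addresses are constructed for the example.

```python
"""Staged contact changes with notice to the old channel (constructed example)."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Notice:
    """A notification the service would have sent; stored here instead of delivered."""
    channel: str   # phone number or email address the notice went to
    text: str


@dataclass
class Account:
    login_email: str
    phone: str
    recovery_email: str
    # token -> (field name, new value) for changes awaiting confirmation
    pending: dict = field(default_factory=dict)
    # every notice the service produced, so the flow can be inspected
    outbox: list = field(default_factory=list)


class AccountService:
    """Contact fields never change immediately: a request is announced to the
    current and the proposed channel, and only the current channel may approve it."""

    SENSITIVE = ("phone", "recovery_email")

    def request_change(self, acct: Account, field_name: str, new_value: str) -> str:
        if field_name not in self.SENSITIVE:
            raise ValueError(f"{field_name} is not a contact field")
        old_value = getattr(acct, field_name)
        token = secrets.token_urlsafe(8)          # single-use confirmation token
        acct.pending[token] = (field_name, new_value)
        # The channel being replaced is notified too, so an owner whose phone
        # number is being swapped out still hears about it on the old number.
        for channel in (old_value, new_value):
            acct.outbox.append(Notice(
                channel,
                f"{field_name} change requested: {old_value} -> {new_value} (token {token})"))
        return token

    def confirm_change(self, acct: Account, token: str, from_channel: str) -> bool:
        if token not in acct.pending:
            return False
        field_name, new_value = acct.pending[token]
        # Only the *current* value of the field may approve its own replacement;
        # a confirmation arriving from the proposed new channel is refused.
        if from_channel != getattr(acct, field_name):
            return False
        setattr(acct, field_name, new_value)
        del acct.pending[token]
        acct.outbox.append(Notice(from_channel, f"{field_name} changed to {new_value}"))
        return True

    def reject_change(self, acct: Account, token: str, from_channel: str) -> bool:
        """The owner, on the old channel, can cancel a change they did not request."""
        if token not in acct.pending:
            return False
        field_name, _ = acct.pending[token]
        if from_channel != getattr(acct, field_name):
            return False
        del acct.pending[token]
        return True


def notices_for(acct: Account, channel: str) -> list:
    """Texts of all notices that went to one channel."""
    return [n.text for n in acct.outbox if n.channel == channel]


def demo() -> Account:
    # Constructed account: the owner's real number is +1-555-0100.
    acct = Account("owner@example.invalid", "+1-555-0100", "owner-backup@example.invalid")
    svc = AccountService()
    token = svc.request_change(acct, "phone", "+1-555-0199")
    # The old number has already been told, and the change has not taken effect.
    print(notices_for(acct, "+1-555-0100"))
    print("approved from new number:", svc.confirm_change(acct, token, "+1-555-0199"))
    print("rejected from old number:", svc.reject_change(acct, token, "+1-555-0100"))
    print("phone is still", acct.phone)
    return acct


if __name__ == "__main__":
    demo()
```

The design choice is that the previous contact value is treated as the authority over its own replacement. That is what keeps the "attacker changes the phone number first" case from silencing the notification: the request itself is announced on the old channel, and nothing applied until that channel agrees.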
How Amazon and Apple could plug this loophole is another matter altogether; that is the technical side of vulnerability assessment. Our online identities are our responsibility, as we are the most vulnerable stakeholder in this. And as always, we need to follow the famous saying: better safe than sorry!