Steve Smith talks about some of the many social engineering tactics some people may use to gain access to your accounts online.
Episode #5-40 released on June 23, 2015
We all presume hacking is done strictly with computers, and if you thought this was true, you are not a hacker. Hacking is an art form that requires explicit skills in social engineering and programming, amongst other skills. It is not the realm of the script kiddie, and for good reason. It is for this reason that I bring you an episode that will have you never trusting any text message, phone call, or email ever again.
The most important factor in protecting your account is password strength. If your password happens to be among the most popular choices published every year, that is an issue you must address first.
The first method of capturing your accounts is malware. For this, all the attacker needs is your email address. They send you an email saying your account has been deactivated because of an attempt to hack it, and you may be told to download a file to regain access. Running that file can install key loggers and other malware, which then give the attacker access to your accounts.
The second method is to hack your email account. For this, an attacker only needs your email address and phone number. This is what happens: you get a first text message saying your email account has been hacked and asking you to reply with your confirmation code. You then get a text message from your email provider containing a code, and you send that code back to the first number. What just happened is that the attacker triggered your email provider's password recovery tool. While the second message containing the authorization code may be real, you did not request it yourself, and that should be the first indication something is wrong. The message telling you your account has been hacked should also be a red flag. Never provide any information to anyone you did not explicitly contact yourself.
A third method people use to gain access to your accounts is reused passwords, especially leaked ones. When a service gets hacked, it is important to change your password. However, many people fail to change the passwords of accounts on other services that use the same username and password. Many of the leaked databases are made public or sold to other groups, who use them to try those credentials against your other accounts.
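The two password points above (popular passwords and passwords reused across services after a leak) are the kind of thing you can check for yourself once a year. The script below is an added example written for these notes, not code from the episode or from any password product; the popular-password list, the leak set and the credential "vault" are all constructed for the example, and in practice you would swap in the real yearly list and your own exported credentials.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for the yearly "most popular passwords" lists
# (a handful of entries, not a real published list).
POPULAR_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}

# Constructed stand-in for a leaked-credential dump, stored as SHA-1 hashes
# so the check can run without keeping any plaintext leak around.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("hunter2", "summer2015", "letmein")
}

# Constructed set of credentials for one person across several services;
# the service names and passwords are invented for this example.
VAULT = [
    ("mail.example", "alice", "hunter2"),
    ("shop.example", "alice", "hunter2"),
    ("bank.example", "alice", "X9!kq-72Lm#z"),
    ("forum.example", "alice", "password"),
]


def sha1_hex(password):
    """Hash a password the way the leak set is stored (lowercase hex SHA-1)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_vault(vault):
    """Return three findings lists: services using a popular password, services
    whose password appears in the leak set, and groups of services sharing one
    password (the reuse the episode warns about)."""
    findings = {"popular": [], "leaked": [], "reused": []}
    services_by_password = defaultdict(list)
    for service, _user, password in vault:
        services_by_password[password].append(service)
        if password.lower() in POPULAR_PASSWORDS:
            findings["popular"].append(service)
        if sha1_hex(password) in LEAKED_SHA1:
            findings["leaked"].append(service)
    for services in services_by_password.values():
        if len(services) > 1:
            findings["reused"].append(sorted(services))
    return findings


def report(vault):
    """Human-readable summary; each line is one account whose password to rotate."""
    lines = []
    f = audit_vault(vault)
    for s in f["popular"]:
        lines.append(f"{s}: password is on the popular-passwords list")
    for s in f["leaked"]:
        lines.append(f"{s}: password appears in a known leak")
    for group in f["reused"]:
        lines.append("same password reused on: " + ", ".join(group))
    return lines


if __name__ == "__main__":
    for line in report(VAULT):
        print(line)
```

Run as-is it reports the forum account for using a popular password, flags the mail and shop accounts because their shared password is in the leak set, and lists those two as a reuse group; the bank account with a unique, non-leaked password produces nothing. Comparing hashes rather than plaintexts is what lets you keep a large leak set on disk without it being a second copy of everyone's passwords.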
A fourth method of gaining access to your accounts is by exploiting vulnerable plug-ins and accessing your browser through an alternate process; accessing your entire system is also possible in this scenario. I seriously suggest that you be careful which plugins you install, and always get them from the official stores those browsers point you to.
A fifth method is session hijacking. Accessing ordinary web-sites over plain HTTP may not look like an issue, but keep in mind never to log in to a web-site without HTTPS, especially over an unprotected Wi-Fi hotspot.
A sixth method, DNS spoofing, can send unaware users to fake sites where they enter personal information without knowing the web-site is fake. There are two easy ways of avoiding this. First, never connect to networks you don't own, control or trust. Second, learn how to set your own DNS servers of choice on your computer, bypassing whatever DNS any other device on the network may try to hand you. I suggest OpenDNS, but Google DNS is also a good choice.
A seventh method is man in the middle attacks. As with the previous method, avoid networks you have no control over. Attackers using this method sit between you and the service you intend to access and can view all your traffic. They may try to downgrade the SSL security, or drop it altogether, in order to collect as much information as possible. It may also lead to session hijacking.
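Session hijacking (the fifth method) and SSL downgrade (the seventh) both come down to whether the login page and its session cookie are tied to HTTPS. The check below is an added example for these notes, not code from the episode: it inspects the response headers a login page sends and reports the three things a site operator controls that close those doors. It goes slightly beyond the episode by also looking for the Strict-Transport-Security header, which tells the browser to refuse plain HTTP for that site on later visits. The two header sets are constructed for the example, not captured from any real service.

```python
# Constructed response headers for a login page; the cookie value and site
# are invented for this example, not captured from a real service.
WEAK_LOGIN = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0ffee42; Path=/"),
])

HARDENED_LOGIN = ("https", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0ffee42; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
])


def parse_set_cookie(value):
    """Split a Set-Cookie header into the cookie name and its lowercase attribute names."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_login_response(scheme, headers):
    """Return a list of findings for one login response; empty means nothing obvious to fix.

    scheme:  "http" or "https", the scheme the login page was served over
    headers: list of (name, value) pairs exactly as the server sent them
    """
    findings = []
    if scheme != "https":
        # Everything in this response, including the session cookie, crossed the
        # network in the clear: anyone on the hotspot can copy the session.
        findings.append("login served over plain HTTP: credentials and the session cookie travel in the clear")
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                # Without Secure the browser also sends the cookie on any HTTP
                # request to the site, which is exactly what a downgrade provokes.
                findings.append(f"cookie {cookie} lacks Secure: the browser would also send it over HTTP")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly: page scripts can read it")
    if scheme == "https" and not has_hsts:
        findings.append("no Strict-Transport-Security: a later visit can be steered to HTTP")
    return findings


if __name__ == "__main__":
    for label, (scheme, headers) in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_login_response(scheme, headers) or ["ok"])
```

The weak response produces three findings (plain HTTP, cookie without Secure, cookie without HttpOnly); the hardened one produces none. The Secure flag is the one that matters most for the downgrade scenario in the episode: with it set, even an attacker who forces a plain-HTTP request never sees the session cookie in it.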
An eighth method is the credit card hack. This happened years ago to Matt Honan, and only required an hour to achieve. Since it is a really long, interesting story, I have added the link to my show notes, but the hack starts with one person contacting Amazon, providing an email and billing address, and asking them to add a credit card to that account. Then you hang up. Next you call Amazon back and give your name, billing address, and the credit card information you just provided. The attacker was then able to get a password reset sent to a new email address, then gain access to the last 4 digits of the previous credit card, which were required to attack other accounts such as Matt Honan's iCloud account. While this attack vector should have been mitigated by now, the problem is that many other companies have this vector wide open. The information needed can be obtained through your social networking accounts, or even 411.
A ninth method is daisy chained accounts. Related to the eighth method, daisy chaining accounts, made popular by using Facebook, Twitter, or Google to log in easily to other services, means that a single compromised account is connected to many others. No service is absolutely secure, so daisy chained accounts make the entire network of accounts vulnerable, multiplying the chances of a breach by the number of sites connected.
Host : Steve Smith | Music : Jonny Lee Hart | Editor : Steve Smith | Producer : Zed Axis Productions