> She explains to me how she got an email from Apple about her account and there was a phone number in it. I tug my collar several meters into the next room, knocking over several carefully-potted indoor plants.
"I reach under my desk, unwrap a parcel addressed to “DIRECTOR OF CYBER, NSA”, slide out a yellow and black canister labelled “CHINA”, break open the safety seal, and use safety tongs to extract the following red-hot phish."
I have personally experienced a CS rep accepting “it’s just a bunch of random characters” as an answer. Combined with the fact that you just went on the record as using that scheme, your opsec just took a dramatic hit.
The first time I had a CS rep require me to recite my 64-character alphanumeric answer was what prompted me to switch my strategy. Now I generate a list of four arbitrary words for every answer to security questions... so much easier to answer.
I think I would refine that like this: among companies that train workers against social engineering, ones that pay workers peanuts are going to still be more susceptible than the others simply because of the don't-care factor.
Other than that, anyone is susceptible to social engineering, regardless of pay. Social engineering is crafted to suit demographics.
What's the absolute worst that could happen if you crack my free account on some cooking website?
Maybe you favorite a bunch of recipes with lima beans (which I hate). Instead, you discover that I was really into lentil dishes for a while, but have been more interested in dumplings this fall. Maybe this could be used in some sort of elaborate social engineering scheme that nets you more valuable information, but I'm not seeing how....
Okay, I set myself up for this by saying "absolute worst", but this strikes me as so unlikely that it's not really worth worrying about. After all, someone could make a new account using your name (+ some numbers) /right now/!
I disagree. I do the same for certain sites. I have a gmail that I use for weird sites that I most likely won't visit again or any time soon and answer the security questions much the same. If this account gets compromised I literally lose nothing other than make a new gmail and do it again. This shows nothing about my bank or Facebook or actual gmail account security as those I do take steps to protect.
(Un)fortunately, normal people don't think like programmers. That's why security questions exist, in the first place. Do you think they won't accept "It's to be repeated exactly, and then gschgschgsch. Ahh, youth. Those were the days."
If you think that's bad: I always enter a fake phone nr. Once, a company turned out to use them as verification for phone support. I didn't know, and had forgotten, so gave my actual number. "Oh, it says something else here. Shall I just go ahead and remove that, then?". I wanted to cry.
Well yeah, in this case that's the weakness. But before parent announced their strategy on this forum, what was the threat model? Hell, let's assume OP obfuscated the introductory part in their comment to avoid that leak.
I just reset my password for American Airlines. They ask me 3 (what I would consider public questions) about myself, then let me reset the pw in browser. No emails or any other authentication. I'm still blown away.
Got bitten by this when I had to give a 32-character alphanumeric answer over the phone. I groaned and asked, "Can I just give you the beginning and the end?" The rep laughed and accepted my compromise. Since then, I use a collection of random words (in the style of correct-horse-battery-staple) for security questions.
I got pretty good at memorising alpha bravo charlie so I just jump straight into that, and for characters like #, * and ! I try and use the word I know is most common, e.g. in English "pound", "star" and "exclamation mark". "hash" and "bang" get me what I suppose are the equivalent of blank looks.
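The four-word answers described in the comments above, and the 32- or 64-character strings they replaced, can be compared on raw entropy. This is an added example, not code from anyone in the thread; it assumes a constructed 32-word sample list (a real generator would load a large curated list) and uses the common 7776-word diceware list size only as a reference figure.

```python
import math
import secrets

# Constructed sample list for this example only. A real generator should load a
# large curated list (thousands of words); 32 words gives only 5 bits per word.
WORDLIST = [
    "anchor", "basil", "candle", "dumpling", "ember", "falcon", "garnet",
    "harbor", "iris", "juniper", "kettle", "lentil", "marble", "nectar",
    "orchid", "pepper", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yarrow", "zephyr", "cobalt", "meadow", "pistachio",
    "tangerine", "lantern", "biscuit", "sparrow",
]


def generate_answer(n_words=4, wordlist=WORDLIST, sep=" "):
    """Return n_words words drawn with a CSPRNG, joined by sep.

    Words are drawn with replacement, so every answer is one of exactly
    len(wordlist) ** n_words equally likely values.
    """
    if n_words < 1 or len(wordlist) < 2:
        raise ValueError("need at least one word from a list of at least two")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Entropy of n_words words drawn uniformly from a list of list_size."""
    return n_words * math.log2(list_size)


def charset_entropy_bits(length, alphabet_size=62):
    """Entropy of a random string over an alphabet (62 = [A-Za-z0-9])."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def answer_uses_list(answer, wordlist=WORDLIST, sep=" "):
    """Sanity check: every token of the answer comes from the wordlist."""
    tokens = answer.split(sep)
    return len(tokens) > 0 and all(t in wordlist for t in tokens)


if __name__ == "__main__":
    print("answer:", generate_answer())
    print("bits, 4 words from this 32-word list:", entropy_bits(4, len(WORDLIST)))
    print("bits, 4 words from a 7776-word list:", round(entropy_bits(4, 7776), 1))
    print("bits, 32-char alphanumeric:", round(charset_entropy_bits(32), 1))
    print("7776-list words to match that:", words_needed(charset_entropy_bits(32), 7776))
```

The point the numbers make is that four words from a large list (about 52 bits) are far easier to read over the phone than a 32-character string (about 190 bits) while still being well beyond what a support rep or a guesser could enumerate; the word count can be raised if a stronger answer is wanted.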
So I have nicely complex passwords generated by Keepass and the staff usually don't think anything of it once I mention I work in "computers".
I used to do a slightly different system where I'd have ridiculous answers, sort of a word game play on the question itself, and forgetting your secret answers with a company like Verizon can take days to figure out.
HDFC appears to have truly terrible security, someone managed to sign up with my email address and a really weird mailing address - like an airport warehouse or something, then proceeded to fill up the card and never paid it back. I emailed HDFC about it but they never responded.
Apparently they don't even do e-mail verification.
I treat them as less secure passwords -- passwords that often a representative at the company has access to. (I've experienced instances of people on the phone (upon my calling the organization at a known number) soliciting their answers and checking them against what they have on their screen.) Usually these days, with actual passwords, they undergo a computerized check and members of the organization have no access to their values -- or at least to their unencrypted values. (Although, don't blindly depend upon that assumption.)
Security questions introduce insecurity. I remember being mightily puzzled when they were considered a "best practice" and the organization I was at was all "het up" to implement them.
The real reason? They save head count / expense -- at least, in the short run. One less "I can't remember my password" interaction -- one that, from an optimistic perspective, at least doesn't just blindly depend upon emailing the email address of record... Only, many sites seem to implement that alongside their security questions flow, so...
> At this point Diana has been completely gaslighted as to what her hotmail password is, because my phishing site said the wrong password was right, and then said the right password was wrong, and she thinks it’s the real Hotmail.
Going off on quirky tangents can be an effective tool for keeping a reader interested. It reminds me a little of Douglas Adams. He punctuates the hard science fiction with goofy anecdotes to get the reader thinking about the subject from another perspective and to keep them entertained.
It is not a tutorial on how to phish or a vulnerability report, but rather a story about how motivation is potentially more important to phishing than technical skill. Without the casual writing style, the main character (and author) might have seemed more sophisticated, which would have diminished the point of the story.
Eh, I liked it. Many writers in the tech space are trying to be as concise and clear as possible. If this article had been more 'academic' in that sense I think I would have lost interest after a few paragraphs because, well, nothing in this article is really new. It's just a fun anecdote about the reality of cyber security.
I prefer to read concise writing, because it imparts the information I want without all of the distracting fluff. This is also why I don't like a lot of academic writing, as over the years academics have become much more verbose and fluffy.
That's pretty funny. I didn't like the writing style at first either, but it got funnier as I carried on (or maybe the writing got better too). By the end I was questioning why I was so resistant to light-heartedness in the first place.
Overall, a really great breakdown of a textbook phishing attack.