• rhacker 283 days ago

    > She explains to me how she got an email from Apple about her account and there was a phone number in it. I tug my collar several meters into the next room, knocking over several carefully-potted indoor plants.

    That line was fucking gold.

    • neilalexander 283 days ago

      > Shout outs to Aerobatic for the smooth smooth phishing UX. Use the referral code DIANA to be immediately reported to the NSA.

      This one definitely got me!

      • chilledheat 283 days ago

        "I reach under my desk, unwrap a parcel addressed to “DIRECTOR OF CYBER, NSA”, slide out a yellow and black canister labelled “CHINA”, break open the safety seal, and use safety tongs to extract the following red-hot phish."


    • edoo 283 days ago

      Banks and the rest hate me. I use KeePass to generate random alphanumeric 'passwords' I use for the answers to personal questions.

      • nothrabannosir 283 days ago

        I have personally experienced a CS rep accepting “it’s just a bunch of random characters” as an answer. Combined with the fact that you just went on the record as using that scheme, your opsec just took a dramatic hit.

        Use plausible sounding, but random answers.

        • panopticon 283 days ago

          The first time I had a CS rep require me to recite my 64-character alphanumeric answer was what prompted me to switch my strategy. Now I generate a list of four arbitrary words for every answer to security questions... so much easier to answer.

          • samstave 283 days ago

            What's the name of the first school you went to?

            What's the name of your first pet?

            I use this scheme when I need to come up with these types of answers for a service that I don't deem as super critical or risky...

            • vermilingua 283 days ago

              That’s twice in this thread that someone has revealed pretty potent details of their personal security.

              • chii 283 days ago

                It just goes to show that these questions are useless as a security barrier. Any institution still using them is doomed to have a social-engineering vulnerability.

                • rkho 283 days ago

                  Any company employing low cost workers is vulnerable to social engineering and bribery.

                  • kazinator 283 days ago

                    I think I would refine that like this: among companies that train workers against social engineering, ones that pay workers peanuts are going to still be more susceptible than the others simply because of the don't-care factor.

                    Other than that, anyone is susceptible to social engineering, regardless of pay. Social engineering is crafted to suit demographics.

                • mattkrause 283 days ago

                  What's the absolute worst that could happen if you crack my free account on some cooking website?

                  Maybe you favorite a bunch of recipes with lima beans (which I hate). Instead, you discover that I was really into lentil dishes for a while, but have been more interested in dumplings this fall. Maybe this could be used in some sort of elaborate social engineering scheme that nets you more valuable information, but I'm not seeing how....

                  • kazinator 283 days ago

                    > What's the absolute worst that could happen if you crack my free account on some cooking website?

                    The worst that could happen is that you used the same password there as for your online banking, or important e-mail account and such.

                    If you didn't do that, then the impact is approximately zero.

                    Of course, that cooking site still wants you to use a sufficiently long password with at least one digit, capital and lower case letter, and special character ...

                    • YouAreGreat 282 days ago

                      Wherever you can publish text or media (eg, on a cooking site) speech crimes can be committed under your account.

                      Fancy a prison term in one of the more enlightened European jurisdictions, or Canada?

                      • mattkrause 282 days ago

                        Okay, I set myself up for this by saying "absolute worst", but this strikes me as so unlikely that it's not really worth worrying about. After all, someone could make a new account using your name (+ some numbers) /right now/!

                    • 14 283 days ago

                      I disagree. I do the same for certain sites. I have a Gmail that I use for weird sites that I most likely won't visit again or any time soon and answer the security questions much the same. If this account gets compromised I literally lose nothing other than having to make a new Gmail and do it again. This shows nothing about my bank or Facebook or actual Gmail account security as those I do take steps to protect.

                      • icedchai 283 days ago

                        Hopefully they're using unique usernames and not using the same username all over the Internet. Or, worse, a variation of their real name as a username.

                      • MisterTea 283 days ago

                        That's Amazing! I've got the same security answers on my luggage!

                    • jgtrosh 283 days ago

                      In this case a password like “to be repeated exactly: <random string>” has the same properties and can be divulged without affecting opsec particularly.

                      • nothrabannosir 283 days ago

                        (Un)fortunately, normal people don't think like programmers. That's why security questions exist, in the first place. Do you think they won't accept "It's to be repeated exactly, and then gschgschgsch. Ahh, youth. Those were the days."

                        If you think that's bad: I always enter a fake phone nr. Once, a company turned out to use them as verification for phone support. I didn't know, and had forgotten, so gave my actual number. "Oh, it says something else here. Shall I just go ahead and remove that, then?". I wanted to cry.

                        Don't play games.

                        • function_seven 283 days ago

                          Not that I condone this strategy, but what is the threat model where an impersonator knows to say, "It's to be repeated exactly, and then adso&#fjsou..."?

                          • nothrabannosir 283 days ago

                            I'd go with "putting your security question strategy on a public forum", for starters.

                            Security through obscurity strikes again.

                            • function_seven 283 days ago

                              Well yeah, in this case that's the weakness. But before parent announced their strategy on this forum, what was the threat model? Hell, let's assume OP obfuscated the introductory part in their comment to avoid that leak.

                              • ChristianBundy 283 days ago

                                If they're willing to brag about their passwords on the internet, I'd be willing to bet that family and friends have the same information.

                                Assuming that wasn't true, a customer service rep for the phone company could call the customer's bank and try to impersonate the customer, assuming it's used often (like the poster stated).

                        • lozaning 283 days ago

                          I'm always shocked by how small the fields for some of those inputs are though. How much space for entropy do you have left after including the notice about needing an exact match?

                        • Pxtl 283 days ago

                          This is where "correct horse battery staple" password generators might be good.

                          • lstodd 283 days ago

                            Well, hell, I got off with just saying "I don't remember it" and then following up with details of _recent_transactions_ not one time. This whole "personal question" scheme is useless.

                            • wtvanhest 283 days ago

                              I just reset my password for American Airlines. They asked me 3 (what I would consider public) questions about myself, then let me reset the password in the browser. No emails or any other authentication. I'm still blown away.

                          • tvanantwerp 283 days ago

                            Got bitten by this when I had to give a 32-character alphanumeric answer over the phone. I groaned and asked, "Can I just give you the beginning and the end?" The rep laughed and accepted my compromise. Since then, I use a collection of random words (in the style of correct-horse-battery-staple) for security questions.

                            • RickS 283 days ago

                              What are some of the ways this blows back? Having to answer them over the phone when they're not passwords, but more like customer service gatekeepers?

                              I do this as well and it has yet to blow up in my face, though it does seem like an inevitability.

                              • telesilla 283 days ago

                                I got pretty good at memorising alpha bravo charlie[1] so I just jump straight into that, and for characters like #, * and ! I try and use the word I know is most common, e.g. in english "pound", "star" and "exclamation mark". "hash" and "bang" get me what I suppose are the equivalent of blank looks..

                                So I have nicely complex passwords generated by Keepass and the staff usually don't think anything of it once I mention I work in "computers".

                                [1] https://en.wikipedia.org/wiki/NATO_phonetic_alphabet

                                • edoo 283 days ago

                                  I used to do a slightly different system where I'd have ridiculous answers, sort of a word game play on the question itself, and forgetting your secret answers with a company like Verizon can take days to figure out.

                                  • AckSyn 283 days ago

                                    I do this but instead of passwords like `NGIyNzgwMTEyNDczYTIyNjEwYWRhYWZh` I'd use `BatteryHorseStaple33` for the question "Where were you born?"

                                    I've never had it blow up in my face with any rep, and I make sure to keep the passwords in an offline (never touches any network) laptop.

                                  • captn3m0 283 days ago

                                    My bank (HDFC India) specifically states while setting up the security question that the bank will never ask for these (over phone or elsewhere), so I'm happily using random UUIDs

                                    • greenshackle2 283 days ago

                                      HDFC appears to have truly terrible security, someone managed to sign up with my email address and a really weird mailing address - like an airport warehouse or something, then proceeded to fill up the card and never paid it back. I emailed HDFC about it but they never responded.

                                      Apparently they don't even do e-mail verification.

                                      • jandrese 283 days ago

                                        What is the point of a security question if they never use it?

                                        • enitihas 283 days ago

                                          Asking you to fill them online for password recovery etc?

                                          • captn3m0 283 days ago

                                            Yes, they use it for 2FA sometimes on netbanking transactions.

                                          • psergeant 283 days ago

                                            I get asked for single characters of mine a lot

                                      • pasbesoin 283 days ago

                                        I treat them as less secure passwords -- passwords that often a representative at the company has access to. (I've experienced instances of people on the phone (upon my calling the organization at a known number) soliciting their answers and checking them against what they have on their screen.) Usually these days, with actual passwords, they undergo a computerized check and members of the organization have no access to their values -- or at least to their unencrypted values. (Although, don't blindly depend upon that assumption.)

                                        Security questions introduce insecurity. I remember being mightily puzzled when they were considered a "best practice" and the organization I was at was all "het up" to implement them.

                                        The real reason? They save head count / expense -- at least, in the short run. One less "I can't remember my password" interaction -- one that, from an optimistic perspective, at least doesn't just blindly depend upon emailing the email address of record... Only, many sites seem to implement that alongside their security questions flow, so...

                                        • adzm 283 days ago

                                          Diceware phrases work well here, too!
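
The random-words approach discussed above (four arbitrary words per answer, as panopticon, tvanantwerp and adzm describe) and the phone-friendly way of reading an answer out (telesilla's NATO alphabet plus "pound"/"star"/"exclamation mark" for symbols), as one added example. This is illustration code written for this page, not code from the thread or from any of the tools mentioned; the 32-word list is constructed so the block runs offline, and a real Diceware or EFF list has 7776 words, which is where the entropy figure matters. The `choose` parameter is an assumption made only so the generator can be tested deterministically; in use it stays on `secrets.choice`.

```python
import math
import secrets
import string

# Constructed demo wordlist (32 entries) standing in for a real Diceware or
# EFF list; it exists only so this example runs offline.
DEMO_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "hazel",
    "iris", "jasper", "kelp", "lotus", "maple", "nettle", "onyx", "pebble",
    "quartz", "raven", "sage", "tulip", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "delta", "elm", "fern",
]

NATO_WORDS = [
    "Alfa", "Bravo", "Charlie", "Delta", "Echo", "Foxtrot", "Golf", "Hotel",
    "India", "Juliett", "Kilo", "Lima", "Mike", "November", "Oscar", "Papa",
    "Quebec", "Romeo", "Sierra", "Tango", "Uniform", "Victor", "Whiskey",
    "X-ray", "Yankee", "Zulu",
]
NATO = dict(zip(string.ascii_lowercase, NATO_WORDS))
DIGIT_NAMES = dict(zip("0123456789", [
    "zero", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine",
]))
# Spoken names a phone rep is likely to recognise: the thread's "pound", "star"
# and "exclamation mark" rather than "hash" and "bang".
SYMBOL_NAMES = {
    " ": "space", "-": "dash", "_": "underscore", ".": "dot", "#": "pound",
    "*": "star", "!": "exclamation mark", "@": "at sign", "$": "dollar sign",
    "%": "percent", "&": "ampersand", "+": "plus", "?": "question mark",
}


def random_word_answer(n_words=4, wordlist=DEMO_WORDLIST, choose=secrets.choice):
    """Build a Diceware-style answer from n_words independently chosen words.

    `choose` defaults to secrets.choice (a CSPRNG); it is injectable only so
    the function can be exercised deterministically in a test.
    """
    if n_words < 1 or not wordlist:
        raise ValueError("need at least one word and a non-empty wordlist")
    return " ".join(choose(wordlist) for _ in range(n_words))


def answer_entropy_bits(n_words, wordlist_size):
    """Entropy of an answer of n_words drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def spell_out(answer):
    """Render an answer the way you would read it to a rep over the phone."""
    spoken = []
    for ch in answer:
        if ch.isalpha() and ch.lower() in NATO:
            word = NATO[ch.lower()]
            spoken.append(f"capital {word}" if ch.isupper() else word)
        elif ch in DIGIT_NAMES:
            spoken.append(DIGIT_NAMES[ch])
        elif ch in SYMBOL_NAMES:
            spoken.append(SYMBOL_NAMES[ch])
        else:
            raise ValueError(f"no spoken form for {ch!r}; pick a different answer")
    return ", ".join(spoken)


if __name__ == "__main__":
    answer = random_word_answer()
    print(answer)
    print(f"{answer_entropy_bits(4, len(DEMO_WORDLIST)):.1f} bits with the demo list, "
          f"{answer_entropy_bits(4, 7776):.1f} bits with a 7776-word list")
    print(spell_out(answer))
```

Four words from the 32-word demo list give only 20 bits; the same four words from a 7776-word list give about 51.7 bits, which is why the size of the list, not the number of words, is what to check when adopting this scheme. `spell_out` refuses characters it has no spoken name for, so an answer containing one gets rejected at generation time rather than during the phone call.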

                                        • mdrzn 270 days ago

                                          > At this point Diana has been completely gaslighted as to what her hotmail password is, because my phishing site said the wrong password was right, and then said the right password was wrong, and she thinks it’s the real Hotmail.

                                          Most underrated footnote.

                                          • Insanity 283 days ago

                                            The content of the article is good, but the writing style does not sit well with me. It's an odd sense of humour and a writing style more suited to instant messages perhaps rather than a blog.

                                            • deckar01 283 days ago

                                              Going off on quirky tangents can be an effective tool for keeping a reader interested. It reminds me a little of Douglas Adams. He punctuates the hard science fiction with goofy anecdotes to get the reader thinking about the subject from another perspective and to keep them entertained.

                                              It is not a tutorial on how to phish or a vulnerability report, but rather a story about how motivation is potentially more important to phishing than technical skill. Without the casual writing style, the main character (and author) might have seemed more sophisticated, which would have diminished the point of the story.

                                              • y_tho 283 days ago

                                                A joke here and there is fine, but this person injects joke attempts into pretty much every sentence. That gets annoying quickly.

                                                • GiuseppaAcciaio 283 days ago

                                                  I guess the threshold isn't the same for all of us. I didn't get irked by the jokes at all... however, around halfway through I started wishing for it to be over soon(tm).

                                              • Sileni 283 days ago

                                                Eh, I liked it. Many writers in the tech space are trying to be as concise and clear as possible. If this article had been more 'academic' in that sense I think I would have lost interest after a few paragraphs because, well, nothing in this article is really new. It's just a fun anecdote about the reality of cyber security.

                                                • stevew20 283 days ago

                                                  I prefer to read concise writing, because it imparts the information I want without all of the distracting fluff. This is also why I don't like a lot of academic writing, as over the years academics have become much more verbose and fluffy.

                                                • tom-- 283 days ago

                                                  It can be seen as a style that emphasizes just how 'casual'/easy this attempt was, so I think it adds to the content.

                                                • thunderbong 283 days ago

                                                  > My goal here is to figure out what Diana’s actual password is, given that I have her password hash. This process is commonly known as “hacking”.

                                                  This is hilarious!!

                                                  • NPMaxwell 283 days ago

                                                    This is an interesting model for how to provide training/education

                                                    • godelmachine 283 days ago

                                                      This post periodically makes its way back to the top. Last I checked it was 6 months ago.

                                                      • 5555624 284 days ago

                                                        Posted numerous times, a year ago, including: https://news.ycombinator.com/item?id=14919845

                                                        • baud147258 284 days ago

                                                          On the site (https://mango.pdf.zone/), the above link is called 'Salty Hacker News comments'

                                                          • bspammer 283 days ago

                                                            That's pretty funny. I didn't like the writing style at first either, but it got funnier as I carried on (or maybe the writing got better too). By the end I was questioning why I was so resistant to light-heartedness in the first place.

                                                            Overall, a really great breakdown of a textbook phishing attack.

                                                        • lgierth 284 days ago

                                                          This is certainly not how trust in human relationships is reinforced :)

                                                          ~~Get consent before hacking your friends.~~

                                                          Edit: This is awkward - I was sure I read it one of the previous times it was posted. Chapeau!

                                                          • mnw21cam 284 days ago

                                                            Consent was obtained, as described in the article.

                                                            • hyperpower 284 days ago

                                                              Did you read the article? The author got consent.

                                                              • craftyguy 284 days ago

                                                                > Please don't insinuate that someone hasn't read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."


                                                                • smus 283 days ago

                                                                  To be fair to the above it's a pretty central factoid that is mentioned more than a few times, but yes, I agree with you.