When an attacker hacks into your personal online accounts, it can wreak havoc. But hackers don't always use complex software flaws or incomprehensible network trickery – sometimes it's as easy as knowing your mother's maiden name.
Social engineering hacks are methods to gain access to an account that depend more on social interactions. It could involve someone phoning up saying they need your password, or using Facebook posts to work out the answer to a secret question. In the case of Mat Honan, who wrote about his experiences in Wired, it involved adding a fake card to his Amazon account and using that to "prove" their identity, eventually gaining access to Twitter, Apple and Google accounts.
The dangers of social engineering attacks were on full display on July 15. Twitter accounts belonging to celebrities and famous brands, verified by Twitter with the iconic blue checkmark, started sharing a bitcoin cryptocurrency address and promising to double users' contributions. Bill Gates, Elon Musk, Kanye West, Barack Obama, and Jeff Bezos were just some of the big names hit by the attack.
Hours later, Twitter claimed that the posts were caused by a social engineering attack on employees:
"We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it."
Further details are scarce, as Twitter continues its investigation to find out what went wrong. The bitcoin address shared has received around 12.86 bitcoins, or the equivalent of $116,435.40. The incident is a strong reminder of the importance of staying safe online.
Here's what you can do to keep your accounts secure.
6. Stop revealing facts about your life to strangers
It’s easier than ever to learn all sorts of information about someone without meeting them. Even apps like Tinder now encourage people to share information about where they went to school or what their interests are so they can find someone to sleep with. Sorry, I meant to hang out with in a totally platonic way.
That information can be used to impersonate you. Many people base their passwords on their hobbies, answer security questions about where they live, or reveal their closest friends to anyone who views their online profiles. Lock that shit down and make sure the only people who can view that info are your friends.
5. Don’t be afraid to be rude to suspected scammers
New York University warns that social engineering hacks often rely on our innate desire to be nice. That’s why it advises its employees to be a little rude:
If you suspect someone is trying to make you the victim of a social engineering attack, stop communication with the person. If you suspect a phone caller is a hacker, hang up. If you see signs that an online chat message appears to be from an impersonator, terminate the connection. Finally, if you receive an email from a sender you do not know and trust, delete it.
Cons only work on people who are willing to listen. Instead of allowing someone to prey on our built-in urge to be social — and to be polite by extension — just remember that being rude is better than being screwed.
4. Randomly generate answers to security questions
Companies are bad about security questions. Either they’re only letting people select questions from dropdown menus or they’re using the same bullshit we’ve all seen before. Where were you born, they ask, or what was your mother’s maiden name?
The problem with all of those questions is that they’re easy for anyone to figure out. Your mom might share her maiden name on Facebook to make it easier for the dude she had a thing for in high school to find her. (Sorry.) Or clever hackers might ask you to list the answers to your security questions, as seen above, to trick you into willingly posting sensitive information you should keep private.
Randomly generate the answers to these security questions. What was your mother’s maiden name? “dP(3*dUsb4.” Who’s your best friend? “law alga whelp.” Find a way to randomize answers and record the results somewhere you can keep ‘em safe. Ta-da! Instantly more secure.
3. Seriously, just stop reusing your passwords
You’ve just thought up the best password: “Pleas3robme!” Instead of trying to recreate the feat — what password could possibly be more memorable and more secure? — you decide to use it everywhere. Netflix? “Pleas3robme!” Facebook? “Pleas3robme!” Every text field that says “password” next to it? “Pleas3robme!”
Stop it. Using the same password on multiple sites is like putting all of your eggs into one basket, cutting a large hole in the basket, and swinging it over your head. Change up your passwords so hackers who steal your Netflix login can’t sign into your Facebook account, or any other account. Just. Stop. Reusing. Passwords.
2. Remember that all your data can be used against you
If something sounds too good to be true, it probably is. Nobody’s actually going to enter you in a raffle for the iPhone 12 if you give them access to your Facebook account. You won’t have the chance to win $1,000 if you enter your name and address. Those are popular social engineering tactics.
It doesn’t matter if these scams ask for seemingly harmless information. Anything that is used to verify your identity on various platforms — where you grew up, your pet’s name, your current address — can be used to gain access to your data.
1. Use prepaid cards for your online purchases
So you’ve done everything you can to make life difficult for social engineering hacks. You use unique passwords, randomly generate answers to security questions, don’t give out personal data to everyone with an internet connection, hang up on anyone who seems suspicious, and don’t fill out online surveys. Great! But is there a single credit card linking all of your online accounts to each other?
Prepaid cards offer a safer alternative. Unfortunately, they’re also the least convenient fix to make on this list. But if you want to ensure that a credit card number can’t be used to gain access to your accounts, it’s worth looking into “burner” cards that are used for a limited number of transactions. This will add another level of variability to keep you safe.