When our lives are intertwined with our digital accounts, losing them can be a crushing annoyance and major privacy issue. Often it takes more time and energy for a person to get accounts back, if they can at all, than the time it took to snatch them in the first place.
Despite online services knowing almost everything about us—names, birthdays, where we shop, what we like, where we work, and endless amounts of other data—they don’t really know who we are at all. Which is troubling, because if we lose access to one of these accounts that is a repository of everything that matters, our digital identity is, well, no longer our identity.
Marketing consultant Doug Haslam battled with Google and Twitter for a week after an attacker socially engineered access to his phone number through Verizon. In the two to three hours it took to get his number properly sorted with the phone company, the attacker had taken control of his Google and Twitter accounts, and was able to access the data inside them. He’s still locked out of his Google account, and Twitter finally reinstated his account after initially refusing to give back the username he’s used for 10 years.
“When a company like this has a lot of users, even if we don’t necessarily pay for these products, the fact they’re able to give hackers access but make it impossible for people to retrieve their accounts is very discouraging to users of the service,” Haslam said in an interview.
When Haslam’s number was reinstated to his proper device, he saw two new text messages, one from Twitter and one from Google verifying password changes.
Haslam says he thinks his attacker probably found his phone number and potentially other personal information in some sort of information dump. From there, it’s fairly easy to determine mobile carriers, and his hacker would have socially engineered his way to getting Haslam’s number transferred to the thief’s own iPhone 4. After the phone number was ported back, Haslam received a call from the person who took ownership of his accounts, taunting him with knowledge of Haslam’s social security number.
Social engineering is a common way people take over personal information, and it doesn’t require much technical skill, once you’ve got your hands on someone’s data. As my colleague Dell Cameron explained, exploiting your way into someone’s private life or getting your hands on products is pretty straightforward once you know what you’re doing.
Through repeated phone calls, social engineers develop strategies for navigating a company’s customer help line. They get a feel for which sob stories and which “yes” or “no” responses will work best toward achieving their objective. Intelligence, temperament, and even humor all come into play. The questions and responses are then mapped out, as if composing a flowchart, with the goal of expediting the con.
Personal data winds up in online data dumps all the time; in just the last few weeks, we’ve learned about massive data breaches at social sites LinkedIn and MySpace. In the recent past, companies like Snapchat, Ashley Madison, Sony, major department stores like Home Depot—the list goes on—have been unable to keep personal data tightly secured.
“I am of the opinion that everybody’s social security number is probably in someone else’s possession and it’s probably not the most secure thing,” Haslam said. “And I’ve had alerts placed on all the credit bureaus on my accounts anyway.”
You can check to see if your personal information has been compromised in major leaks through HaveIBeenPwnd.com, a site that collects and aggregates information about data breaches.
Security researcher Jessy Irwin said social engineering is common, and hard for companies to protect against.
“In terms of hacking and stealing information, social engineering attacks are still, to this day, the most simple and effective way to get up to no good,” Irwin said in an interview via Twitter direct message. “There’s no need to plan a massive assault against a company’s technical architecture when you can trick someone in the customer service department into giving it to you. This is a major issue for businesses of almost any kind, but that this is so easy to do for services that are a huge part of someone’s life is unbelievable.”
For Haslam, his identity was tied to something as simple as a phone number, and once that was compromised, his other accounts fell like dominoes. He didn’t have two-factor authentication turned on—the security measure that texts you a separate login code when someone tries to access your account, and something you should have on all available accounts—but in this case, it likely wouldn’t even have mattered, as the attacker already owned his phone number.
Phone numbers are meant to be unique identifiers that are tied to our digital spaces for security and to verify you’re a person, but they’re not necessarily the best way to make sure people are who they say they are. As Irwin explains, phone numbers are not private and it’s not too difficult to capture an SMS sent to someone if you have the right equipment, rendering the tool that companies use to verify your identity practically useless.
Once someone has ahold of your account and changes the email and phone number, it’s extremely hard to prove you’re the person who belongs to the accounts that have been compromised. And in Haslam’s case, Twitter flat-out rejected his attempts to get the account back multiple times because the hacker changed the email and phone associated with the account. Essentially, Twitter told him, there’s nothing they can do. This all-or-nothing mentality is designed to protect sites like Twitter against the kind of social engineering that got Haslam’s account stolen in the first place, but in this case it was working in favor of the attacker.
Once a username is freed up (for example, through a username change) that name becomes available for new or existing accounts to claim.
We reviewed the account currently at the username @DougH, and this account appears to be a legitimate account that claimed the username in the normal process of creating their Twitter account.
We don’t reclaim usernames from active accounts that aren’t in violation of our rules or Terms of Service. We’re really sorry, but that username is not currently available to return to your account. Please let us know if we can answer any other questions.
Twitter finally reinstated his account, but Haslam isn’t sure how or why, though he did have people who knew Twitter employees making inquiries and tweets on his behalf.
In a way, this struggle makes sense. Twitter itself doesn’t want to be engineered to turn over data to someone it doesn’t belong to; but with 10 years of history to back up his claims, along with followers tweeting their support, it seems odd and unfair to a user that the company can’t do anything about it. Especially when accounts like Katy Perry are hacked and immediately rectified before too much rogue tweeting takes over.
But that’s the problem with our so-called digital identities. They’re thin and futile, and although we give companies hoards of authentic data, it’s impossible for them to determine our own authenticity when we need it the most.
Haslam did not have the opportunity to speak to a human throughout the process of trying to get his Google and Twitter accounts back, and software or screening can’t comprehend the full story. Twitter and Google did not respond to a request to comment on their verification process.
Google, at least, proved to be more sympathetic to hearing Haslam’s plea for reinstating the account. After filling out recovery forms that asked him to identify old, defunct backup emails and going back and forth with support via email, the company is now trying to verify the legitimacy of his claims. Meanwhile, his Google account with personal emails, documents like pay stubs and tax forms, and other information (that would verify his identity) remain in limbo.
So what can people do to protect themselves from becoming victims of social engineering and fighting tooth and nail (and losing) for access to their accounts?
“There are very, very few things that someone can do to prevent account takeovers like this,” Irwin said. “Perhaps the best and most effective one is setting up a sort of ‘verbal’ multi-factor authentication. This can be done by requesting that a company add a very specific password or code number to accounts that you hold with them. If anyone calls to make account changes, including you, no changes can be made without the password or code number being provided.
“Companies do hold a ton of data about customers, but for the most part the data they store can’t be combined to help out in places where accounts are stolen.”
In a world where we pour our data into troughs controlled by algorithms, and customer service continues to become more bot and less human, anyone with the right tools, some personal information, and the exact same data points about us could wear our identities around the web. And because companies don’t really know who you are, convincing them you’re the human belonging to the account might just make you want to abandon the services all together. If only they didn’t already know so much.