Written By: Christian Hyatt


Friday, February 14, 2014

The Weak Link In Tech Security Is Human

Recently, an attacker used social engineering against PayPal and GoDaddy support staff to collect enough personal data to extort Naoki Hiroshima out of his @N Twitter handle (reportedly valued at $50,000). The notable thing is that the compromise did not come from a weak password or a flaw in any source code. It came from people, and from the verification procedure those people were following.


According to the story:

"...Hiroshima reported that someone was attempting to hack into his Paypal account. Hiroshima had two-factor authentication set up, and when the attacker attempted to reset his password, he received a text message requesting his approval for the change, which he ignored.

Unable to get through Paypal's gates, the attacker took a surprising next step, attacking Hiroshima's personal domain name through his registrar, GoDaddy. The hacker got through GoDaddy's security measures by calling a representative on the phone. The hacker claimed to be Hiroshima and said he was having trouble accessing his account. GoDaddy asked for the last six digits of his credit card number on file as proof of identity, which the hacker miraculously was able to provide.

How'd he do that? Again, via a simple phone call...the hacker had also called Paypal's support staff and used social engineering tricks to get that representative to tell him the last four digits of the credit card he had on file...

The hacker then took those four digits and was—amazingly—able to parlay that into the last six digits. How? According to Hiroshima's narrative, the GoDaddy support agent simply let the hacker guess them, two by two, until he struck upon the right combination, unleashing the keys to the account. The hacker reported to Hiroshima that he told GoDaddy he'd lost his card, but remembered the last four digits, opening the door for the guesswork operation. The hacker got it all done in one call..."
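The guessing step in the story above, as an added example that is not part of the original post or of the article it quotes. The card number, the support-desk model and the attacker loop are constructed assumptions. The point it makes is arithmetic: once one vendor has disclosed the last four digits, a "last six digits" question leaves only 100 candidates, so the outcome depends entirely on whether the desk caps failed attempts.

```python
"""Simulate guessing the two unknown card digits against two support-desk policies."""
import secrets

# Constructed example, not a real card. The last four digits ("2345") are what
# the first vendor disclosed; the second vendor verifies on the last six ("872345").
CARD_ON_FILE = "4111111111872345"
LEAKED_LAST_FOUR = CARD_ON_FILE[-4:]


class SupportDesk:
    """Knowledge-based verification on the last six digits of the card on file.

    max_attempts=None models an agent who keeps accepting guesses on one call;
    a small integer models a desk that locks the case after that many failures.
    """

    def __init__(self, card, max_attempts=None):
        self._secret = card[-6:]
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify_last_six(self, guess):
        if self.locked:
            return False
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True
            return False
        self.attempts += 1
        # Constant-time compare so timing does not reveal which digits matched.
        return secrets.compare_digest(guess.encode(), self._secret.encode())


def guess_missing_digits(desk, known_last_four):
    """Attacker: with four of six digits known, only 100 candidates remain.

    Tries "00".."99" in front of the known digits. Returns (succeeded, attempts_used).
    """
    for pair in (f"{i:02d}" for i in range(100)):
        if desk.verify_last_six(pair + known_last_four):
            return True, desk.attempts
        if desk.locked:
            break
    return False, desk.attempts


def success_rate_under_lockout(max_attempts, unknown_digits=2):
    """Chance a guessing attacker wins before lockout, assuming uniform digits."""
    space = 10 ** unknown_digits
    return min(max_attempts, space) / space


if __name__ == "__main__":
    print("no limit:   ", guess_missing_digits(SupportDesk(CARD_ON_FILE), LEAKED_LAST_FOUR))
    print("3 attempts: ", guess_missing_digits(SupportDesk(CARD_ON_FILE, max_attempts=3), LEAKED_LAST_FOUR))
    print("win rate, 3 tries, 2 unknown digits:", success_rate_under_lockout(3))
    print("win rate, 3 tries, 6 unknown digits:", success_rate_under_lockout(3, unknown_digits=6))
```

With no attempt limit the attacker always wins within 100 guesses; with a three-attempt lockout the win rate drops to 3%, and without the first vendor's disclosure of the last four digits it would be three in a million. An attempt cap costs an honest customer nothing beyond a second phone call, which is the kind of control the trade-off discussed below can afford.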

Common-Sense Customer Service vs. Security


From a business perspective these social engineering attacks are difficult to defend against because there is a careful balance at play: providing good customer service to honest people while also protecting their data. Note, too, that the failure here was not just a helpful agent. PayPal's disclosure of the last four digits narrowed the GoDaddy question to two unknown digits, and an agent who allows unlimited guesses on two digits is not really verifying anything.

How many real customers call in each day because they have lost a password or a credit card? Every tier-one support agent probably takes dozens of these calls a day. And if a company prevents business owners from accessing their data when they need it, which is always right now, many customers will simply take their business elsewhere.

So maybe the problem lies not only with the shortcomings of companies like PayPal and GoDaddy, but also with the expectations of the average user. The security culture of the average person has to change, in a way that gives companies that want to protect your private data a little more leeway to be strict about verifying who they are talking to. Even if that means being a little angrier at tech support some days.
