The password is among the oldest security artifacts that we have. It was in use for thousands of years, mainly in military applications, before some misguided soul had the idea to use a password for authentication on a computer system. We all know how that’s worked out.
In the decades since then, things have not advanced a whole lot in the area of authentication, especially when it comes to trying to identify someone over the phone. Most companies rely on knowledge-based authentication (KBA) there, a system that has proven to be perhaps even less well-suited to that task than passwords are.
Just ask John Brennan.
Brennan is the director of the CIA, a position that requires him to spend much of his waking time thinking about security. The security of the country, the security of the agency’s officers, and the security of the information those officers gather. But, like everyone else, Brennan is a target for scammers and attackers. And kids with a point, real or imagined, to prove.
He found that out the hard way recently when a pair of teenagers were able to take over Brennan’s personal email account using nothing more than a series of social engineering tactics. A scheme that began with the teens getting hold of Brennan’s mobile number ended with them taking over his AOL email account and having a look at a number of emails Brennan had forwarded from his official government account. Some of those messages included sensitive, if not classified, attachments.
The attack took advantage of the key weakness in KBA systems: the knowledge needed to bypass them is not difficult to find. In the attack on Brennan’s account, one of the teens called Verizon, Brennan’s mobile provider, posing as a Verizon employee who needed access to the target account but couldn’t get to it because he was having software problems. The attacker used a fake employee identifier to authenticate himself and was then given the information on Brennan’s account, including his PIN, the AOL email address, and the last four digits of the credit card on the account, according to Wired.
The teens then called AOL and posed as Brennan, saying they were locked out of the account.
“They asked security questions like the last 4 on [the bank] card and we got that from Verizon so we told them that and they reset the password,” one of the attackers told Wired.
And that was that. The teens had control of Brennan’s email account, off and on, for several days and posted on Twitter some of the documents they found in the inbox.
In addition to proving embarrassing for Brennan, the attack also highlights how vulnerable many companies are to such schemes. An attacker who takes the time to research a potential victim typically can find the one or two pieces of information needed to convince a call center employee to give up more. From there he can repeat the trick, gathering more and more data on his victim until he finally reaches whatever his end goal is.
In this case it was taking over an email account, but in many others it’s taking over a bank or credit card account, something that can cause much more lasting damage than forcing Brennan to shut down an AOL account that should’ve died a quiet death years ago.
Photo from Flickr stream of Jason Persse.