Yesterday, as I was going through the latest episode of one of my favorite podcasts, Reply All, the story it told struck me, and I decided to write this piece because I feel it concerns most of us who are members of this strange Internet world.
The story was about a woman named Lizzie whose Snapchat account was hacked by some OG user using SIM swapping and then sold on. She was eventually able to get the account back, but by then all her contacts and archived photos had been deleted. In addition, she received several threats from the new account holder, which made her stop using the app at once, so closely had she experienced this violation of her personal security.
The person who originally stole the account sold it for $100. He targeted Lizzie specifically because of her unique username, Lizard. The username contained no numbers or special characters, and as a common English noun with a slight edge to it, it was a valuable asset to sell.
Lizzie is obviously not the first person to fall prey to this scheme, and she will not be the last. This is something these hackers do regularly without any thought for the person behind the account. Accounts can be cracked quite easily using social engineering techniques; with them, hacking can be done without writing any code, with nothing more than a simple vishing call.
Vishing is a voice solicitation. You use the phone to extract information or data points that can be used in a later attack. — Jessica Clark, Social Engineering Hacker
Accounts get hacked by the fairly simple method of SIM swapping. By taking control of the victim’s phone number and resetting the login credentials, hackers can seize Instagram handles, card details, and cryptocurrency.
The scam begins with a fraudster gathering details about the victim, either by use of phishing emails, by purchasing them from organized criminals, or by directly socially engineering the victim. Once the fraudster has obtained these details they will then contact the victim’s mobile telephone provider. The fraudster will use social engineering techniques to convince the telephone company to port the victim’s phone number to the fraudster’s SIM. For example, by impersonating the victim and claiming that they have lost their phone. (Wikipedia)
With this sophisticated type of fraud, we are vulnerable to attackers who can even defeat protections like two-factor authentication (2FA) to get what they want.
We use 2FA thinking that it will keep our accounts secure and prevent attackers from entering our accounts. But this protection can be easily circumvented by social engineering techniques and won’t hold up for long against a professional or sophisticated attacker. Still, when the choice is between nothing and 2FA, go for the latter. At the very least, it adds an extra layer of protection to your accounts.
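To make concrete why a SIM swap defeats SMS-based 2FA but not an authenticator app, here is an added Python model (my own example, not code from the podcast or any real carrier or Snapchat API). It assumes a toy carrier whose routing table maps a phone number to the SIM that currently receives its texts, an account service that sends a one-time code to the number on file, and a second account protected by RFC 6238 TOTP instead. The only "attack" step modelled is the outcome the post describes, the number being ported to another SIM; the social engineering that gets the carrier to do it is not shown. The names Lizzie, "lizard" and the phone number are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct
import time


class Carrier:
    """Toy mobile carrier (constructed): phone number -> SIM/device receiving its SMS."""

    def __init__(self):
        self.routes = {}

    def provision(self, number, device):
        self.routes[number] = device

    def port(self, number, new_device):
        # A SIM swap: the number now terminates on a different SIM. Nothing about
        # the victim's handset changes; only the carrier's routing table does.
        self.routes[number] = new_device

    def deliver_sms(self, number, text, inboxes):
        inboxes.setdefault(self.routes[number], []).append(text)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class Service:
    """Toy account service (constructed) offering SMS OTP or TOTP as the second factor."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.users = {}
        self.pending_sms = {}

    def enroll(self, username, password, phone=None, totp_secret=None):
        self.users[username] = {"password": password, "phone": phone, "totp_secret": totp_secret}

    def start_login(self, username, password, inboxes):
        u = self.users[username]
        if password != u["password"]:
            return False
        if u["phone"]:
            # SMS 2FA is bound to the phone NUMBER, so the code goes wherever the carrier routes it.
            code = f"{secrets.randbelow(10 ** 6):06d}"
            self.pending_sms[username] = code
            self.carrier.deliver_sms(u["phone"], f"Your code is {code}", inboxes)
        return True

    def finish_login(self, username, code, at=None):
        u = self.users[username]
        if u["totp_secret"]:
            # TOTP is bound to a secret held on the device, not to the number.
            now = at if at is not None else int(time.time())
            return hmac.compare_digest(code, totp(u["totp_secret"], now))
        return hmac.compare_digest(code, self.pending_sms.pop(username, ""))


def run_scenario():
    """Password is assumed already leaked (phishing or purchased), as in the post."""
    carrier = Carrier()
    carrier.provision("+15550100", "lizzie-phone")
    inboxes = {}
    svc = Service(carrier)
    svc.enroll("lizard", "leaked-pw", phone="+15550100")
    totp_secret = secrets.token_bytes(20)
    svc.enroll("lizard-totp", "leaked-pw", totp_secret=totp_secret)

    # Before the swap the SMS code reaches Lizzie's handset only.
    svc.start_login("lizard", "leaked-pw", inboxes)
    before_swap = "lizzie-phone" in inboxes and "attacker-sim" not in inboxes

    # After the carrier ports the number, the same login flow hands the code to the attacker.
    carrier.port("+15550100", "attacker-sim")
    svc.start_login("lizard", "leaked-pw", inboxes)
    attacker_texts = inboxes.get("attacker-sim", [])
    sms_bypassed = bool(attacker_texts) and svc.finish_login("lizard", attacker_texts[-1].split()[-1])

    # The TOTP account: same leaked password, but no secret, so no valid code without the device.
    now = int(time.time())
    correct = totp(totp_secret, now)
    wrong = str((int(correct) + 1) % 10 ** 6).zfill(6)
    totp_guess_fails = not svc.finish_login("lizard-totp", wrong, at=now)
    totp_owner_ok = svc.finish_login("lizard-totp", correct, at=now)

    return {"before_swap": before_swap, "sms_bypassed": sms_bypassed,
            "totp_guess_fails": totp_guess_fails, "totp_owner_ok": totp_owner_ok}


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes is the one the post's advice hinges on: the SMS factor proves possession of a phone number, which the carrier can reassign, whereas a TOTP or hardware factor proves possession of a secret the carrier never sees. Where a service offers it, prefer an authenticator app or security key over SMS codes, and set a port-out PIN with your carrier so the number itself is harder to move.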