How I nearly got hacked and what I learnt from the experience

Shobhana Viswanathan
4 min read · Apr 7, 2019

Sunday morning. Tall latte, pooch curled up next to me, I am catching up on my Facebook, Twitter and LinkedIn feeds.

The phone interrupts my “social” adventures — I pick up the phone rather reluctantly.

It’s an 800 number but it might be important.

The phone call is actually from Apple Care stating that there has been a security breach on my iCloud account and I need to call an 800 number urgently to fix issues. I diligently dial the digits and an Indian voice answers the phone — heavily accented, with the background noise of a call center, oddly familiar and reassuring.

A little about me: I have an Engineering Degree and an MBA and live and work in technology marketing in Silicon Valley. I’ve even worked on a security product in my career. This is important, I say to myself. The latte can wait. Security is important and there are sociopaths all around trying to take my identity and my hard-earned money. Apple cares, I think.

The kind Indian man proceeds to ask if I had been traveling anywhere with my phone — I say no, why? He tells me that there have been several attempts to hack my iCloud account in Mexico last night and that I should discontinue online shopping and remove my credit cards from the sites I visit often. And oh by the way, which sites do you visit? — he enquires softly. I say I usually shop at Amazon or Macy’s. He asks me to go ahead and remove the cards from those sites. He asks me to stop online shopping till he fixes the breach.

He proceeds to ask me how many Apple devices I have. Proud Cupertino resident that I am, I rattle off the number — 3 iPhones, 2 iPads, 2 Macbooks. Everyone in my family has an Apple device — mom included. I live next to Apple, I say proudly. Great. Now, let’s go to your iCloud account, he says and I can hear several voices in the background. I wonder if the call center is in my hometown, Bangalore. Has Apple started outsourcing their geniuses, I think.

He asks if I have sold any of my old iPhones with data — that could be the problem, he says. He asks me to delete data before selling my phone to anyone. Of course I know that.

“Can I log into your machine?” — he asks

“Why” — I ask

“Just to make sure everything is ok — let me log in”

He asks me to go to a site called https.www.gotoassist.com

I ask if it’s like logmein — he says yes, very reassuringly. Asks me to type in my Apple ID and phone number.

Now that he has access to my Macbook, he tells me I have too many windows open and proceeds to close them. He tells me my machine is slow because of this, and that I should close them. I tell him I know that, but work is stressful and I need to multi-task. He then asks if I have my iPhone nearby. I go and bring it.

He asks me to open my iCloud account and change my password, after the two-factor authentication process is done on my phone. He asks if all the information on my iCloud is correct. I say yes.

Next, he asks me to go to google.com and asks me to type “What is my ip?” Why, I think?

He then asks me to go to my phone and remove the card linked to my Apple Pay — this is when warning bells start going off very loudly. He asks me to go to my settings and check the General tab under Regulatory — and asks if I have been to any of the countries there. Odd. More warning bells and louder now.

He goes on to say he needs more information on my payment on Apple Pay and that I need to remove the payment and add Google. Duh, I think. Why would Apple want to remove payment from Apple Pay? I ask why he needs this information. He says he is nearly done and I just need to finish this one step to be secure. I think he is starting to sound angry. I tell him I will go to a Genius Bar, trying to disconnect from gotoassist.com. I hang up on him, feeling mortified.

Then I proceed to change all my passwords with maniacal urgency.

So, this is what social engineering feels like. The sequence of steps that happened in my case was:

  • Instilling fear — I had gone to Mexico a month ago, and the situation seemed plausible
  • Establishing trust — unfortunately, we trust people that are culturally akin to us. Also, trust is something that comes easy in certain cultures whereas it is more difficult to gain in others
  • Escalating action — given that I was doing what the caller was asking me to do, he kept making new demands
  • Stealing — luckily this did not happen to me

Social engineering is hacking the human brain with manipulation, with or without technology.

It may be much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is weak and obvious).

Do I feel foolish I nearly got hacked? Yes, but I think it is important to recognize anyone can be fooled.

Lessons Learnt:

What you need to do if someone you don’t know calls on the phone:

Have an established protocol with every phone interaction with strangers.

  • Is the person really who they say they are?
  • Can they prove who they are?
  • Why are they helping you?
  • What do they expect out of this interaction?

And of course, keep changing all your passwords regularly. I wish I could say don’t pick up the phone, but I won’t!!

Here is a link to the United States Computer Emergency Readiness Team (US-CERT), part of U.S.A. Homeland Security Dept, with tips to avoid social engineering happening to you: http://www.us-cert.gov/ncas/tips/ST04-014.

Questions for the reader:

What do you think happened? Please comment.
