This past summer UGNazi decided to go after Prince, CEO of a web performance and security company called CloudFlare. They wanted to get into his Google Apps account, but it was protected by two-factor. What to do? The hackers hit his AT&T cell phone account. As it turns out, AT&T uses Social Security numbers essentially as an over-the-phone password. Give the carrier those nine digits—or even just the last four—along with the name, phone number, and billing address on an account and it lets anyone add a forwarding number to any account in its system. And getting a Social Security number these days is simple: They’re sold openly online, in shockingly complete databases.
Prince’s hackers used the SSN to add a forwarding number to his AT&T service and then made a password-reset request with Google. So when the automated call came in, it was forwarded to them. Voilà—the account was theirs. Two-factor just added a second step and a little expense.
thewalrus: Basic security precaution: Don't login to anything on random public/semi-public computers. Assume that any computer you have not personally set up has an operational keystroke logger on it.
Security is not just about strong encryption, good anti-virus software, or techniques like two-factor authentication. It’s also about the “fuzzy” things … involving people. That’s where the security game is often won or lost. Just ask Mat Honan.