Many years ago I was sitting in my apartment watching television when my home phone rang.
“Hello?”
“Hi, Mr. Torrez, this is your Visa card provider.” (Flashing red light.)
“Yes?”
“Could you help me by providing your credit card number to verify this is you?” (Clanging alarms.)
I read the number to the caller.
“Thank you. In addition I also need your social security number to update our records.” (Explosions. Gunfire. Rocket-powered grenades screeching overhead.)
I still remember carefully relaying each digit as I walked around my apartment, eager to get this over with so I could get back to my show.
This was a very dumb thing. I was just a dumb person doing a dumb thing. Right now I can picture myself pacing around that living room, being my helpful self, while my identity was being stolen and I was the accomplice. I want to yell at myself every time I think about it.
The thing is: I knew this scam. I mean, I knew how these social engineering scams worked. As an even younger idiot I used to read about these scams in online message boards and think about how stupid people are.
I’ve been out of the hack/crack scene for many, many years, but in those days for every system actually subverted, many more were simply handed access by an employee just trying to get through their day.
If you knew the lingo and could speak with confidence you could get access to so many systems. For all the money invested in security and encryption, the weakest link was always the humans. Always go for the humans.
My friend Mat just suffered through the repercussions of a social engineering hack. Bravely recounting the possible loss of all his photos from the past year, he also had to endure the mocking and finger wagging from people wondering why he didn’t have backups.
It is true: you should not only make regular backups of every machine, you should test your backups by regularly restoring your system. The only thing slightly less depressing than losing all your data is finding out your backups had stopped working months ago.
Mat knew full well he was going to endure that kind of scrutiny. He’s taken the hit for people who might have grown lazy over the past few years thinking their data was safe if it was in the hands of billion dollar corporations.
So thanks to Mat we are now talking about steps you should be taking to secure your data:
- Turn on Google’s two-step verification. It now works for hosted domains if you use a custom domain with Google.
- Buy some local storage for backups. This is a great roundup by my favorite gadget review site.
- You might want to also use different credit cards for Amazon and Apple since this played a role in how Mat’s account was compromised. This is pretty much a bullshit fix you shouldn’t have to do. Thankfully Amazon closed that hack today. But who knows which other services will continue to provide this option?
- Use a password management application like Lastpass or 1Password. There is a little bit of complexity in setting it up and it is almost unbearable without the browser plugins/extensions.
And by all means, if someone calls your house claiming to be from your credit card company, give them all the info they need. Their jobs are really tough and they just want to help you!