rhacker 5 months ago

> She explains to me how she got an email from Apple about her account and there was a phone number in it. I tug my collar several meters into the next room, knocking over several carefully-potted indoor plants.

That line was fucking gold.

  • neilalexander 5 months ago

    > Shout outs to Aerobatic for the smooth smooth phishing UX. Use the referral code DIANA to be immediately reported to the NSA.

    This one definitely got me!

    • chilledheat 5 months ago

      "I reach under my desk, unwrap a parcel addressed to “DIRECTOR OF CYBER, NSA”, slide out a yellow and black canister labelled “CHINA”, break open the safety seal, and use safety tongs to extract the following red-hot phish."


edoo 5 months ago

Banks and the rest hate me. I use KeePass to generate random alphanumeric 'passwords' that I use as the answers to personal questions.

  • nothrabannosir 5 months ago

    I have personally experienced a CS rep accepting “it’s just a bunch of random characters” as an answer. Combined with the fact that you just went on the record as using that scheme, your opsec just took a dramatic hit.

    Use plausible sounding, but random answers.

    • panopticon 5 months ago

      The first time I had a CS rep require me to recite my 64-character alphanumeric answer was what prompted me to switch my strategy. Now I generate a list of four arbitrary words for every answer to security questions... so much easier to answer.

      • samstave 5 months ago

        What's the name of the first school you went to?

        What's the name of your first pet?

        I use this scheme when I need to come up with these types of answers for a service that I don't deem as super critical or risky...

        • vermilingua 5 months ago

          That’s twice in this thread that someone has revealed pretty potent details of their personal security.

          • chii 5 months ago

            It just goes to show that these questions are useless as a security barrier. Any institution still using them is doomed to have a social-engineering vulnerability.

            • rkho 5 months ago

              Any company employing low cost workers is vulnerable to social engineering and bribery.

              • kazinator 5 months ago

                I think I would refine that like this: among companies that train workers against social engineering, ones that pay workers peanuts are going to still be more susceptible than the others simply because of the don't-care factor.

                Other than that, anyone is susceptible to social engineering, regardless of pay. Social engineering is crafted to suit demographics.

          • mattkrause 5 months ago

            What's the absolute worst that could happen if you crack my free account on some cooking website?

            Maybe you favorite a bunch of recipes with lima beans (which I hate). Instead, you discover that I was really into lentil dishes for a while, but have been more interested in dumplings this fall. Maybe this could be used in some sort of elaborate social engineering scheme that nets you more valuable information, but I'm not seeing how....

            • kazinator 5 months ago

              > What's the absolute worst that could happen if you crack my free account on some cooking website?

              The worst that could happen is that you used the same password there as for your online banking, or important e-mail account and such.

              If you didn't do that, then the impact is approximately zero.

              Of course, that cooking site still wants you to use a sufficiently long password with at least one digit, capital and lower case letter, and special character ...

            • YouAreGreat 5 months ago

              Wherever you can publish text or media (e.g., on a cooking site), speech crimes can be committed under your account.

              Fancy a prison term in one of the more enlightened European jurisdictions, or Canada?

              • mattkrause 5 months ago

                Okay, I set myself up for this by saying "absolute worst", but this strikes me as so unlikely that it's not really worth worrying about. After all, someone could make a new account using your name (+ some numbers) /right now/!

          • 14 5 months ago

            I disagree. I do the same for certain sites. I have a gmail that I use for weird sites that I most likely won't visit again or any time soon, and answer the security questions much the same. If this account gets compromised I literally lose nothing other than having to make a new gmail and do it again. This shows nothing about my bank or Facebook or actual gmail account security, as those I do take steps to protect.

          • icedchai 5 months ago

            Hopefully they're using unique usernames and not using the same username all over the Internet. Or, worse, a variation of their real name as a username.

        • MisterTea 5 months ago

          That's Amazing! I've got the same security answers on my luggage!

    • jgtrosh 5 months ago

      In this case a password like “to be repeated exactly: <random string>” has the same properties and can be divulged without affecting opsec particularly.

      • nothrabannosir 5 months ago

        (Un)fortunately, normal people don't think like programmers. That's why security questions exist, in the first place. Do you think they won't accept "It's to be repeated exactly, and then gschgschgsch. Ahh, youth. Those were the days."

        If you think that's bad: I always enter a fake phone number. Once, a company turned out to use them as verification for phone support. I didn't know, and had forgotten, so gave my actual number. "Oh, it says something else here. Shall I just go ahead and remove that, then?". I wanted to cry.

        Don't play games.

        • function_seven 5 months ago

          Not that I condone this strategy, but what is the threat model where an impersonator knows to say, "It's to be repeated exactly, and then adso&#fjsou..."?

          • nothrabannosir 5 months ago

            I'd go with "putting your security question strategy on a public forum", for starters.

            Security through obscurity strikes again.

            • function_seven 5 months ago

              Well yeah, in this case that's the weakness. But before parent announced their strategy on this forum, what was the threat model? Hell, let's assume OP obfuscated the introductory part in their comment to avoid that leak.

              • ChristianBundy 5 months ago

                If they're willing to brag about their passwords on the internet, I'd be willing to bet that family and friends have the same information.

                Assuming that wasn't true, a customer service rep for the phone company could call the customer's bank and try to impersonate the customer, assuming it's used often (like the poster stated).

      • lozaning 5 months ago

        I'm always shocked by how small the fields for some of those inputs are though. How much space for entropy do you have left after including the notice about needing an exact match?

    • Pxtl 5 months ago

      This is where "correct horse battery staple" password generators might be good.

    • lstodd 5 months ago

      Well, hell, I got off with just saying "I don't remember it" and then following up with details of _recent_transactions_ not one time. This whole "personal question" scheme is useless.

      • wtvanhest 5 months ago

        I just reset my password for American Airlines. They asked me 3 (what I would consider public) questions about myself, then let me reset the pw in browser. No emails or any other authentication. I'm still blown away.

  • tvanantwerp 5 months ago

    Got bitten by this when I had to give a 32-character alphanumeric answer over the phone. I groaned and asked, "Can I just give you the beginning and the end?" The rep laughed and accepted my compromise. Since then, I use a collection of random words (in the style of correct-horse-battery-staple) for security questions.

  • RickS 5 months ago

    What are some of the ways this blows back? Having to answer them over the phone when they're not passwords, but more like customer service gatekeepers?

    I do this as well and it has yet to blow up in my face, though it does seem like an inevitability.

    • telesilla 5 months ago

      I got pretty good at memorising alpha bravo charlie[1] so I just jump straight into that, and for characters like #, * and ! I try and use the word I know is most common, e.g. in English "pound", "star" and "exclamation mark". "hash" and "bang" get me what I suppose are the equivalent of blank looks.

      So I have nicely complex passwords generated by Keepass and the staff usually don't think anything of it once I mention I work in "computers".

      [1] https://en.wikipedia.org/wiki/NATO_phonetic_alphabet

    • edoo 5 months ago

      I used to do a slightly different system where I'd have ridiculous answers, sort of a word game play on the question itself, and forgetting your secret answers with a company like Verizon can take days to figure out.

      • AckSyn 5 months ago

        I do this, but instead of passwords like `NGIyNzgwMTEyNDczYTIyNjEwYWRhYWZh` I'd use `BatteryHorseStaple33` as the answer to the question "Where were you born?".

        I've never had it blow up in my face with any rep, and I make sure to keep the passwords in an offline (never touches any network) laptop.

    • captn3m0 5 months ago

      My bank (HDFC India) specifically states while setting up the security question that the bank will never ask for these (over phone or elsewhere), so I'm happily using random UUIDs.

      • greenshackle2 5 months ago

        HDFC appears to have truly terrible security, someone managed to sign up with my email address and a really weird mailing address - like an airport warehouse or something, then proceeded to fill up the card and never paid it back. I emailed HDFC about it but they never responded.

        Apparently they don't even do e-mail verification.

      • jandrese 5 months ago

        What is the point of a security question if they never use it?

        • enitihas 5 months ago

          Asking you to fill them online for password recovery etc?

          • captn3m0 5 months ago

            Yes, they use it for 2FA sometimes on netbanking transactions.

        • psergeant 5 months ago

          I get asked for single characters of mine a lot.

  • pasbesoin 5 months ago

    I treat them as less secure passwords -- passwords that often a representative at the company has access to. (I've experienced instances of people on the phone (upon my calling the organization at a known number) soliciting their answers and checking them against what they have on their screen.) Usually these days, with actual passwords, they undergo a computerized check and members of the organization have no access to their values -- or at least to their unencrypted values. (Although, don't blindly depend upon that assumption.)

    Security questions introduce insecurity. I remember being mightily puzzled when they were considered a "best practice" and the organization I was at was all "het up" to implement them.

    The real reason? They save head count / expense -- at least, in the short run. One less "I can't remember my password" interaction -- one that, from an optimistic perspective, at least doesn't just blindly depend upon emailing the email address of record... Only, many sites seem to implement that alongside their security questions flow, so...

  • adzm 5 months ago

    Diceware phrases work well here, too!
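Several comments in this thread describe the same two schemes for security-question answers: a random alphanumeric string from a password manager (edoo, tvanantwerp) versus a handful of random words that can be read over the phone (panopticon, Pxtl, adzm), plus lozaning's question of how much entropy survives in a short field once a fixed "to be repeated exactly" notice has eaten part of it. The script below is an added example, not code from anyone in the thread, that puts numbers on those trade-offs. The 16-word list and the 50-character field limit are constructed stand-ins; the 7776-word size is that of a real five-dice diceware list (the EFF large list).

```python
"""Random answers for "security questions": generation and entropy budgeting.

Added example, not from the thread. DEMO_WORDS is a constructed stand-in;
only its size matters for the entropy figures, and a real diceware-style
list (e.g. the EFF large word list) has 7776 words, i.e. 6**5 for five dice.
"""
import math
import secrets
import string

# Constructed demo word list. Far too small for real use (4 words = 16 bits);
# it exists so the example runs offline.
DEMO_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lumen", "marble", "nectar", "orbit", "pepper",
]
EFF_LARGE_LIST_SIZE = 7776                      # 6**5 words, five dice per word
ALNUM = string.ascii_letters + string.digits     # 62 symbols


def entropy_bits(symbol_count: int, symbols_per_answer: int) -> float:
    """Entropy of an answer built from `symbols_per_answer` independent,
    uniform draws out of `symbol_count` possibilities."""
    return symbols_per_answer * math.log2(symbol_count)


def passphrase(word_count: int, words=DEMO_WORDS, sep: str = " ") -> str:
    """Diceware-style answer: words chosen with the OS CSPRNG (secrets).
    secrets.choice is uniform, so each word adds log2(len(words)) bits."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def random_alnum(length: int) -> str:
    """The password-manager alternative: a random alphanumeric string.
    Denser per character, but painful to dictate to a support rep."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def remaining_entropy(field_max_len: int, prefix: str,
                      symbol_count: int = len(ALNUM)) -> float:
    """Entropy left in a length-limited field after a fixed, public prefix
    (such as 'to be repeated exactly: ') has used part of it. The prefix is
    not secret, so it contributes nothing; only the random tail counts."""
    tail = field_max_len - len(prefix)
    if tail <= 0:
        return 0.0
    return entropy_bits(symbol_count, tail)


if __name__ == "__main__":
    notice = "to be repeated exactly: "   # 24 characters, assumed prefix
    print("4 words from the 16-word demo list:", passphrase(4),
          f"({entropy_bits(len(DEMO_WORDS), 4):.1f} bits)")
    print("4 words from a 7776-word diceware list:",
          f"{entropy_bits(EFF_LARGE_LIST_SIZE, 4):.1f} bits")
    print("32 random alphanumerics:", random_alnum(32),
          f"({entropy_bits(len(ALNUM), 32):.1f} bits)")
    print("50-char field after the 24-char notice:",
          f"{remaining_entropy(50, notice):.1f} bits")
```

Four words from a 7776-word list come to about 51.7 bits, which is what the "correct horse battery staple" suggestions above buy you in a form a rep can take down; 32 random alphanumerics are about 190 bits but, as the thread notes, unreadable over a phone. The prefix trick is not free: in a constructed 50-character field a 24-character notice leaves 26 random characters (about 155 bits), and in a 20-character field it leaves nothing at all.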

mdrzn 5 months ago

> At this point Diana has been completely gaslighted as to what her hotmail password is, because my phishing site said the wrong password was right, and then said the right password was wrong, and she thinks it’s the real Hotmail.

Most underrated footnote.

Insanity 5 months ago

The content of the article is good - but the writing style does not sit well with me. It's an odd sense of humour and a writing style more suited to instant messages perhaps rather than a blog.

  • deckar01 5 months ago

    Going off on quirky tangents can be an effective tool for keeping a reader interested. It reminds me a little of Douglas Adams. He punctuates the hard science fiction with goofy anecdotes to get the reader thinking about the subject from another perspective and to keep them entertained.

    It is not a tutorial on how to phish or a vulnerability report, but rather a story about how motivation is potentially more important to phishing than technical skill. Without the casual writing style, the main character (and author) might have seemed more sophisticated, which would have diminished the point of the story.

    • y_tho 5 months ago

      A joke here and there is fine, but this person injects his joke attempts into pretty much every sentence. That gets annoying quickly.

      • GiuseppaAcciaio 5 months ago

        I guess the threshold isn't the same for all of us, I didn't get irked by the jokes at all... however around halfway through I started wishing for it to be over soon(tm)

  • Sileni 5 months ago

    Eh, I liked it. Many writers in the tech space are trying to be as concise and clear as possible. If this article had been more 'academic' in that sense I think I would have lost interest after a few paragraphs because, well, nothing in this article is really new. It's just a fun anecdote about the reality of cyber security.

    • stevew20 5 months ago

      I prefer to read concise writing, because it imparts the information I want without all of the distracting fluff. This is also why I don't like a lot of academic writing, as over the years academics have become much more verbose and fluffy.

  • tom-- 5 months ago

    It can be seen as a style that emphasizes just how 'casual'/easy this attempt was, so I think it adds to the content.

thunderbong 5 months ago

> My goal here is to figure out what Diana’s actual password is, given that I have her password hash. This process is commonly known as “hacking”.

This is hilarious!!

NPMaxwell 5 months ago

This is an interesting model for how to provide training/education.

godelmachine 5 months ago

This post periodically makes its way back to the top. Last I checked it was 6 months ago.

5555624 5 months ago

Posted numerous times, a year ago, including: https://news.ycombinator.com/item?id=14919845

  • baud147258 5 months ago

    On the site (https://mango.pdf.zone/), the above link is called 'Salty Hacker News comments'.

    • bspammer 5 months ago

      That's pretty funny. I didn't like the writing style at first either, but it got funnier as I carried on (or maybe the writing got better too). By the end I was questioning why I was so resistant to light-heartedness in the first place.

      Overall, a really great breakdown of a textbook phishing attack.

lgierth 5 months ago

This is certainly not how trust in human relationships is reinforced :)

Get consent before hacking your friends.~~

Edit: This is awkward - I was sure I read it one of the previous times it was posted. Chapeau!

  • mnw21cam 5 months ago

    Consent was obtained, as described in the article.

  • hyperpower 5 months ago

    Did you read the article? The author got consent.

    • craftyguy 5 months ago

      > Please don't insinuate that someone hasn't read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."


      • smus 5 months ago

        To be fair to the above it's a pretty central factoid that is mentioned more than a few times, but yes, I agree with you.