| | 3.7 Knowledge 02. How to Hack an Account | |
---|
3.7.02. How to Hack an Account: | 1. It is illegal to hack an account, but it is critical to know how others may hack into an online account. In this example, Gmail and Outlook email accounts are used to show how so many email accounts have been compromised. In fact, every online system that has a "forgotten password" procedure, such as PayPal, Amazon and eBay, is equally at risk. | 2. The first step is to understand how easy it is to hack into an online account and the second step is to use methods that cannot be hacked. It is recommended that a person with 50 online accounts has 50 unique email addresses; no email address should be reused from one account to the next. | 3. The attack procedure shown below can be documented because most people do not have access to a simple online robot: an automated script that relays a provider's account-recovery dialogue to the target in real time. |
2. Prepare Attack: | 1. The criminal prepares a targeted attack by profiling the target to discover one of their favourite subjects. A professional or educational subject tends to be more effective than a sporting subject. | 2. A bespoke email is created to appeal to the target and to justify the target spending a little time to register for a reward. The reward must be modest and plausible, but a lot of social engineering goes into striking the right balance between what is offered and what the target is asked to do. | 3. For example, an email invites the target to join a focus group that will pay 167.50 pounds (tax free) to review a new online education program. The balance of reward and effort is varied to match the motivations of the target; some people are offered a free 5 day cruise in return for three one-hour film sessions to promote the cruise. | 4. The email may instead invite the person to join an energy price comparison scheme, a cheaper car insurance plan, or cheaper home insurance for people who have not made a claim in the last 5 years. An invitation to a job with a new company, discounted food from a new delivery service and discounts on taxi rides have all been used to get a person to register. |
3. Attack Procedure: THIS IS ILLEGAL | 1. The target is invited to register at a web site to gain the benefits on offer. All the normal privacy and security policies are shown so that everything looks like a normal registration procedure. | 2. The first question may be "what is your email address". A robot reads the reply and immediately starts the "forgotten password" procedure at the email provider for that address. | 3. Each question the forgotten password procedure asks the robot is rephrased and put to the target as a reasonable registration question, and the target's reply is fed straight back to the provider. The robot does not need to know the questions in advance; it relays as many question-reply rounds as the procedure involves. | 4. If two-factor authentication has been enabled on the email address, the forgotten password procedure sends a one-time access code by SMS to the target's own phone. The robot asks the target for that code as part of the registration procedure and uses it to continue the forgotten password procedure, so the second factor is defeated by the same relay as the questions. | 5. Within a minute the robot is asked to enter a new password and has gained access to the email account or web site account. The robot thanks the target for registering and assures them that the private information entered will not be sold or shared with any other party. |
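The relay in steps 2 to 5, as an added simulation that is not part of the original page and not TIES/2 code: the recovery service, the target, the security questions, the account data and the SMS channel are all mock objects constructed here, and nothing contacts a real provider. It shows the two points the steps make: the robot needs no knowledge of the provider's questions in advance, because it only rephrases whatever it is asked, and the SMS code falls to the same relay as the questions because the target reads it from their own phone and types it into the fake form.

```python
import secrets
import string

# Everything below is a constructed simulation: the provider, the target,
# the security questions and the SMS channel are mock data, not a real service.

# How the robot rephrases each recovery-flow prompt as a registration question.
REGISTRATION_PHRASING = {
    "email": "What is your email address?",
    "first_school": "For our records, which school did you first attend?",
    "first_pet": "Choose a memorable word: the name of your first pet.",
    "sms_code": "We have texted a 6-digit code to your phone; enter it to confirm your number.",
}


class MockRecoveryService:
    """Stand-in for a provider's 'forgotten password' flow (constructed data)."""

    def __init__(self):
        self.password = "correct horse battery staple"
        self.secret_answers = {"first_school": "Hillcrest Primary", "first_pet": "Rover"}
        self.sms_outbox = []  # the SMS channel to the real account holder's phone
        self._steps = ["email", "first_school", "first_pet", "sms_code", "new_password"]
        self._pos = 0

    def next_prompt(self):
        """Next item the recovery flow asks for, or None once the reset is complete."""
        return self._steps[self._pos] if self._pos < len(self._steps) else None

    def answer(self, value):
        """Feed one reply to the recovery flow; raises if the reply is wrong."""
        step = self.next_prompt()
        if step in self.secret_answers:
            ok = value.strip().casefold() == self.secret_answers[step].casefold()
        elif step == "sms_code":
            ok = bool(self.sms_outbox) and secrets.compare_digest(value, self.sms_outbox[-1])
        elif step == "new_password":
            self.password, ok = value, True
        else:  # "email": any syntactically plausible address is accepted
            ok = "@" in value
        if not ok:
            raise PermissionError(f"recovery step {step!r} failed")
        self._pos += 1
        if self.next_prompt() == "sms_code":
            # Second factor: a fresh 6-digit code is 'sent' to the account holder's phone.
            self.sms_outbox.append("".join(secrets.choice(string.digits) for _ in range(6)))

    def login(self, password):
        return secrets.compare_digest(password, self.password)


class MockTarget:
    """An honest person filling in what looks like an ordinary registration form."""

    def __init__(self, phone_inbox):
        self.phone_inbox = phone_inbox  # they read SMS codes from their own phone
        self.questions_seen = []

    def reply(self, question):
        self.questions_seen.append(question)
        q = question.lower()
        if "email" in q:
            return "alice@example.com"
        if "school" in q:
            return "hillcrest primary"
        if "pet" in q:
            return "Rover"
        if "code" in q:
            return self.phone_inbox[-1]
        raise ValueError(f"unexpected question: {question}")


def run_relay(service, target):
    """The 'robot': relays every recovery prompt to the target as a registration
    question and feeds the reply straight back. Returns the password it set."""
    new_password = secrets.token_urlsafe(12)
    while (step := service.next_prompt()) is not None:
        if step == "new_password":
            service.answer(new_password)  # chosen by the robot, never shown to the target
        else:
            service.answer(target.reply(REGISTRATION_PHRASING[step]))
    return new_password


if __name__ == "__main__":
    svc = MockRecoveryService()
    victim = MockTarget(svc.sms_outbox)
    pw = run_relay(svc, victim)
    print("robot logs in with new password:", svc.login(pw))
    print("questions the target answered:", len(victim.questions_seen))
```

The target answers four questions and never sees a password prompt; the only thing the robot supplies itself is the new password. Note what this means for defence: the provider's recovery flow behaved correctly at every step, so the fix cannot be a cleverer question.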
4. Post Attack: | 1. The criminal downloads all emails, including deleted ones that can still be restored, and the robot scans each email for passwords and access details to other accounts. | 2. A few moments later, other accounts are accessed by the criminal using the details found in the emails. The criminal simply downloads as much data as possible for later analysis and sale to others. | 3. In general, the criminal has no reason to delete any data, so the target may eventually reset their password and everything looks unchanged; they have no idea what happened. By leaving the data unchanged, the life and value of the stolen data is maximised. |
5. Threat Analysis: | 1. Each and every registration procedure is a threat that must be mitigated with simple methods. Each and every security question must have a reply that is long and specific to the web site being used, so that a reply given to one site is useless at any other. It is recommended that a unique email address is used for each online service. | 2. Every online service with a "forgotten password" procedure is equally at risk, no matter how clever the questions may be. Every forgotten password procedure is in fact a secondary password that consists of some questions and stored replies, and by definition every online system with user defined passwords is not fit-for-purpose: a robot can try a million guesses against a weak or leaked password while you sleep. | 3. Because the robot can so easily turn a forgotten password question into a registration question, any and every type of question-reply dialogue can be emulated. The standard questions asked by Google, Apple and Microsoft are well practised by robots and will fool any person who wants to register for a new online service. | 4. It is said that world-wide agencies exist that can fake the forgotten password procedure for most online services. This dark-web service is available to competitors to steal intellectual property, product launch plans and financial share dealings. The service has spilt over into politics, where campaigns can be countered by fake news and counter arguments prepared in advance. | 5. Vendors of free-of-charge email accounts and online accounts have a vested interest in keeping people registered using ineffective security methods. If a person loses their password, the vendor needs to restore that service and source of revenue, even if that means using ineffective methods that can be faked by others. Vendors will not resolve this vulnerability because Governments imagine they need to be able to access any selected online account. |
6. Solution: | 1. Passwords are too important to be chosen by people; every password must be assigned by the online service to make it strong, unique and unguessable. Every "forgotten password" procedure is the single most vulnerable part of any online service, because any forgotten password procedure can be faked by a criminal. | 2. Free-of-charge email services are not fit-for-purpose and must be upgraded to private email services that do not have a "forgotten password" procedure. The one-time access-code method used by TIES/2 is being promoted by the security community; however, the life cycle of a one-time access code may need to be reduced to a few minutes, rather than one hour. | 3. A person with 50 online accounts should have 50 unique email addresses, 50 unique user names and 50 unique strong passwords. A first class block chain password manager is mandated so that access control is fully automated, nobody can lose a password and nobody will ever need a forgotten password procedure. Block chain must be used so that all such data is encrypted and replicated to a large number of remote places, so it cannot be stolen and cannot be lost. |
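The service-assigned credentials of point 1 and the short-lived one-time access codes of point 2, as an added example in Python that is not TIES/2 code: the account names, the 300 second lifetime, the 8-digit code format and the three-attempt limit are assumptions for illustration. The store keeps only a hash of each code, compares in constant time, expires a code after a few minutes, voids it after a small number of wrong guesses and accepts it exactly once.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters for illustration; these are not TIES/2 values.
CODE_LIFETIME_SECONDS = 300   # a few minutes, not an hour
MAX_ATTEMPTS = 3              # wrong guesses allowed before the code is voided


def assign_password(nbytes=24):
    """Password chosen by the service, never by the person: 32 url-safe characters
    from the OS random source, unique per account and impractical to guess."""
    return secrets.token_urlsafe(nbytes)


def service_address(service, user="alice", domain="example.com"):
    """One email address per online service, with a random tag so a leak at one
    service does not reveal the address used at any other (assumed naming scheme)."""
    return f"{user}.{service}.{secrets.token_hex(3)}@{domain}"


def _digest(code):
    # Codes are stored hashed, so a copy of the store does not yield usable codes.
    return hashlib.sha256(code.encode()).digest()


class OneTimeCodeStore:
    """Issues and redeems short-lived, single-use access codes for accounts."""

    def __init__(self, lifetime=CODE_LIFETIME_SECONDS, max_attempts=MAX_ATTEMPTS, clock=time.time):
        self.lifetime = lifetime
        self.max_attempts = max_attempts
        self._clock = clock       # injectable so expiry can be exercised without waiting
        self._pending = {}        # account -> {"digest", "expires", "attempts"}

    def issue(self, account):
        """Create a code for the account and return it for out-of-band delivery.
        Issuing again replaces any code still pending for that account."""
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[account] = {
            "digest": _digest(code),
            "expires": self._clock() + self.lifetime,
            "attempts": self.max_attempts,
        }
        return code

    def redeem(self, account, candidate):
        """True exactly once per issued code, and only while it is still live."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]          # expired: gone for good
            return False
        if not hmac.compare_digest(entry["digest"], _digest(candidate)):
            entry["attempts"] -= 1
            if entry["attempts"] <= 0:
                del self._pending[account]      # too many wrong guesses: void the code
            return False
        del self._pending[account]              # correct: single use, so remove it
        return True


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("issued", code, "valid for", CODE_LIFETIME_SECONDS, "seconds")
    print("first redemption:", store.redeem("alice", code))
    print("replay:", store.redeem("alice", code))
    print("service-assigned password:", assign_password())
    print("per-service address:", service_address("shop"))
```

One caveat a practitioner should keep in mind: a lifetime of minutes limits how long a code that leaks later stays useful, but the relay in section 3 redeems the code within seconds of the target typing it, well inside any lifetime. A code that the target can read out and type into somebody else's form can always be relayed; only a second factor bound to the session and origin that requested it (hardware or platform authenticators, rather than a code sent to a phone) closes that gap, so the short lifetime is necessary but not sufficient on its own.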
Document Control: | 1. Document Title: How to Hack an Account. | 2. Reference: 163702. | 3. Keywords: Knowledge; How to Hack an Account. | 4. Description: Knowledge; How to Hack an Account. | 5. Privacy: Public education service as a benefit to humanity. | 6. Issued: 13 Feb 2017. | 7. Edition: 2.2. |