It’s nearing Halloween, so it’s time for a story that will chill you to the bone. It’s the story of how a group of hackers turned one man’s life upside down. And here’s what’s even more disturbing: he asked for it.
Adam Penenberg reached out to Nicholas Percoco and his team and asked them to see what kind of damage they could do to him via hacking. It’s a scary thought, right? You think you’re pretty safe. You choose unique passwords, you have your wifi locked down, you don’t have your ATM PIN written down anywhere, but how safe are you really? Percoco is the Senior VP of SpiderLabs, which tests your IT security via ethical hacking in order to identify your vulnerabilities.
Please go read Penenberg’s article on what happened next. I can’t do his story justice with a summary of everything Percoco’s team accessed, but if it doesn’t scare you then nothing will. As someone whose own baby monitor was hacked this week, I read every sentence of this article like a horror story. The threat is real and everyone is vulnerable in some way. But what I want to highlight here is the amazing critical thinking behind every step the SpiderLabs team took.
Let’s be clear here: you don’t have to be a technical genius to get a lot of the info that Percoco found. A good recruiter, sourcer, or thief can ask the right people the right questions to get started accessing your personal information and even steal your identity.
What Percoco’s team did was look for pathways. The same way a thief rarely comes through your front door, these ethical hackers started with the points of least resistance and they devised a plan. Their plan actually accounted for multiple entry points and back-up plans in case those methods failed.
Here’s the plan:
Without breaking into Penenberg’s home or stealing any of his physical possessions, the team quickly accessed his home computers, phone, financial information including credit cards and bank account passwords, social security number, iCloud account, Amazon credit card, and Facebook and Twitter accounts.
The thinking it took to devise each step in the plan fascinates me. It’s like a mental chess game. There are so many ways to win. It’s just a matter of making the right moves, anticipating the response, and planning 3 steps ahead. These individuals employed critical thinking, strategic thinking, problem solving, and creative thinking skills in the most unbelievable way!
The plan to have someone enroll in a Pilates class and leave a thumb drive behind is particularly interesting. A Good Samaritan could have easily plugged that thumb drive in to find the owner. When that failed, they relied on a nice person who would be willing to plug in the thumb drive to print a resume. They believed people would want to be helpful, and they were right. And that’s what most of these hacking/identity theft stories boil down to: one person wanting to be helpful who unknowingly provides key private information.
Earlier in the article, Penenberg talks about a private detective he once hired to see how much information the detective could glean about him. The techniques the detective used were less technical, but took just as much critical thinking. Who has information? Where is it stored? In what circumstances would that information be released? How do I assert myself as someone with the authority to have access to this information?
What we do online is never private. That’s a reality. You might think “What’s the harm in mentioning my dog’s name on a random Twitter post? I’m just an Average Joe, no one would want to steal my information.” Well, most people create passwords they can remember using personal information such as a spouse’s name, pet’s name, anniversary, birth date, favorite sports team, etc. So, what you share about your personal life online, although seemingly innocuous, could be all the breadcrumbs a thief needs to lead himself into your financial records.
Perhaps we need to start thinking like a thief. Before you post, ask yourself “What could someone do with this information?” The same way you look around your house and think “If someone wanted to break in here, how would they do it?”, you need to take the same approach to the information you share and data you store. If Percoco’s team had been open to breaking laws, they could have probably done all of the same damage within a few hours. For example, if they broke into Penenberg’s home, chances are the password to his wifi network would be listed on his router. Why cable companies do this, I’ll never understand. Once they’ve accessed your wifi or broken into one computer, you may as well wave the white flag. You’re toast.
And don’t forget, you aren’t the only gatekeeper of your personal information. As mentioned in the article, anyone you have an account with can be an entry point to identity theft. Your bank, your cell phone/cable provider, your gym, your employer and your mom. The critical thinking thief would ask himself “who is the most likely person to give me personal information?” These days, it’s probably not a professional working at the bank, but it could easily be the distracted front desk worker at the tanning salon or your mom who just wants to help you out.
Are you scared yet? I am. Take some time today to take stock of your physical and online life. What are the vulnerabilities? If you were a thief or fan of mischief, how would you cause trouble?