“So what if someone hacks me? I don’t have anything sensitive in my emails. I don’t have any money. Let them do their worst.”
These were the words of a friend of mine when I lectured him for the umpteenth time about re-using passwords and his general lack of security awareness. I know several people who have a similar attitude.
The friend in question texted me on a Sunday morning a few weeks ago:
“I think I’ve been hacked”
I received another message moments later.
“No I’ve definitely been hacked. I woke up this morning to this”
A picture followed. It was a screenshot of his messages on his iPhone. There were loads of message threads full of Chinese characters, sent to numbers beginning +86, the international dialing code for China.
I then spoke to him on the phone. For somebody who didn't care about being hacked and said it didn't matter, he sounded panicked. He explained to me that he had received an email the previous day from Apple, notifying him of a login to a Mac using his Apple ID, but had ignored it.
He spoke to his mobile phone network, who said there were no international charges on his account, but advised him to restore his phone from his computer to ensure there was no malware on it.
It turns out his Apple account was only used to distribute spam. If you log in to a Mac with an Apple ID, you can use iMessage from it, and any messages sent from that Mac then sync to the other Apple devices signed in to the same account, which is why the threads appeared on his iPhone.
I translated the text using Google Translate. It appears to be an advert for an online gambling site.
Usually, before a new device can send and receive iMessages, you have to approve it by pressing "yes" on a prompt shown on an already registered device. My friend doesn't know whether he did this or not.
To clean up, he restored his iPhone to factory settings and changed his password on every account (he had used the same password for everything). He then realised that the hacker may have been in his email, read his phone messages, even viewed his pictures.
So what was his attitude once he had actually been hacked? He told me he felt violated. He felt like someone had invaded his privacy and the feeling was akin to somebody breaking into his house and going through his stuff. Yes, there was no material or financial damage, but in his words, he felt “weird” about it for days.
It's not clear how his password was compromised, but since he had used the same password for years across all of his accounts, the likely explanations are that one of those accounts was exposed in a mass data breach and the credentials were replayed against his Apple ID, that he had malware on a computer he logged in from, or that he fell for a phishing scam at some point. Either way, his lack of awareness likely contributed to this breach.
Wake-up call
He has now had a wake-up call and tells me he has a different, randomly generated password for every account and stores them in a password manager.
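To make the password-reuse argument above concrete, here is a small added example (my own illustration, not code from the original post). It simulates the two scenarios: the friend's old habit of one password everywhere, and his new habit of a random password per site. In each case one site is "breached" and the attacker replays the leaked (email, password) pair against every other account, which is all credential stuffing is. The accounts, site names, email address and leaked credentials are constructed for the demo, and `generate_password` draws from the OS CSPRNG via Python's `secrets` module, which is what a password manager's generator should be doing.

```python
import math
import secrets
import string

# Character set for generated passwords: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a password drawn with the OS CSPRNG (secrets), never random.random."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def credential_stuffing(accounts: dict, leaked: set) -> list:
    """Replay leaked (email, password) pairs against every account.

    accounts: site -> (email, password) as the user registered them.
    leaked:   (email, password) pairs recovered from one site's breach dump.
    Returns the sites where a leaked pair logs straight in.
    """
    return sorted(site for site, cred in accounts.items() if cred in leaked)


def reused_accounts(email: str, sites: list, password: str) -> dict:
    """The old habit: the same password on every site."""
    return {site: (email, password) for site in sites}


def unique_accounts(email: str, sites: list) -> dict:
    """The fix: a different random password per site, as a manager would store."""
    return {site: (email, generate_password()) for site in sites}


# Constructed demo data, not real breach data.
EMAIL = "friend@example.com"
SITES = ["forum", "webmail", "apple-id", "bank"]


def demo(breached_site: str = "forum") -> dict:
    """Breach one site and count how far the damage spreads in each scenario."""
    reused = reused_accounts(EMAIL, SITES, "Summer2015!")
    unique = unique_accounts(EMAIL, SITES)
    # The attacker only ever obtains the credentials the breached site held.
    leak_reused = {reused[breached_site]}
    leak_unique = {unique[breached_site]}
    return {
        "reused": credential_stuffing(reused, leak_reused),
        "unique": credential_stuffing(unique, leak_unique),
    }


if __name__ == "__main__":
    print(demo())  # reused: every site falls; unique: only the breached site
    print(f"{entropy_bits(20, len(ALPHABET)):.1f} bits for a 20-char password")
```

With one password everywhere, a single breach hands the attacker every account, including the Apple ID; with a unique password per site the same breach stops at the site that leaked it. A 20-character password from this 94-symbol alphabet carries about 131 bits of entropy, well beyond anything a dictionary or reuse attack can reach, which is why letting the manager generate passwords matters as much as storing them.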
It’s unfortunate that it took an event such as this to make him alert to the threat and do something about it, but it is also rather telling. The average user can be told about cyber security, read about breaches in the news and know that they shouldn’t do something, but might not take notice until they’re hacked. This is human behaviour and is difficult to change.
In the same way, nobody can claim not to know that smoking is bad for you and causes myriad diseases and health problems, yet almost 1 in 5 of us still smoke. This figure was much higher in the past, and the drop in the UK has been put down to a number of factors such as the rising price and a ban on smoking in the workplace. Education about the risks has played a part, but according to the government, reducing the convenience and practicality of smoking through the smoking ban and high taxation has had the biggest impact on the number of smokers. Stop-smoking aids are also credited with having a sizeable impact.
Perhaps this thinking could be applied to security. If the technology industry can make it more difficult and less practical to have poor security habits, then maybe users will cease to be the weak link. How we do this isn't clear, but how to reduce smoker numbers wasn't clear in the past either, so we should keep trying. The stop-smoking aids have parallels in cyber security. Tools such as password managers or the Naimuri password card can contribute to security, but they are only an aid to the user. It's still up to them to change what they do.
Unfortunately, there’s no silver bullet and incidents like this will likely remain common in the near future.