Social Engineering at its finest!

A Password Hacker in Action

The following is from a January 2012 live chat between Apple online support and a hacker posing as Brian, a real Apple customer. The hacker’s goal was to reset the password and take over the account:

Apple: Can you answer a question from the account? Name of your best friend?

Hacker: I think that is “Kevin” or “Austin” or “Max.”

Apple: None of those answers are correct. Do you think you may have entered last names with the answer?

Hacker: I might have, but I don’t think so. I’ve provided the last 4, is that not enough?

Apple: The last four of the card are incorrect. Do you have another card?

Hacker: Can you check again? I’m looking at my Visa here, the last 4 is “5555.”

Apple: Yes, I have checked again. 5555 is not what is on the account. Did you try to reset online and choose email authentication?

Hacker: Yes, but my email has been hacked. I think the hacker added a credit card to the account, as many of my accounts had the same thing happen to them.

Apple: You want to try the first and last name for the best friend question?

Hacker: Be right back. The chicken is burning, sorry. One second.

Apple: OK.

Hacker: Here, I’m back. I think the answer might be Chris? He’s a good friend.

Apple: I am sorry, Brian, but that answer is incorrect.

Hacker: Christopher A********h is the full name. Another possibility is Raymond M*******r.

Apple: Both of those are incorrect as well.

Hacker: I’m just gonna list off some friends that might be haha. Brian C**a. Bryan Y***t. Steven M***y.

Apple: How about this. Give me the name of one of your custom mail folders.

Hacker: “Google” “Gmail” “Apple” I think. I’m a programmer at Google.

Apple: OK, “Apple” is correct. Can I have an alternate email address for you?

Hacker: The alternate email I used when I made the account?

Apple: I will need an email address to send you the password reset.

Hacker: Can you send it to “”?

Apple: The email has been sent.

Hacker: Thanks!

Passwords just aren’t safe anymore.