A Password Hacker in Action
The following is from a January 2012 live chat between Apple online support and a hacker posing as Brian, a real Apple customer. The hacker’s goal was to reset the password and take over the account:
Apple: Can you answer a question from the account? Name of your best friend?
Hacker: I think that is “Kevin” or “Austin” or “Max.”
Apple: None of those answers are correct. Do you think you may have entered last names with the answer?
Hacker: I might have, but I don’t think so. I’ve provided the last 4, is that not enough?
Apple: The last four of the card are incorrect. Do you have another card?
Hacker: Can you check again? I’m looking at my Visa here, the last 4 is “5555.”
Apple: Yes, I have checked again. 5555 is not what is on the account. Did you try to reset online and choose email authentication?
Hacker: Yes, but my email has been hacked. I think the hacker added a credit card to the account, as many of my accounts had the same thing happen to them.
Apple: You want to try the first and last name for the best friend question?
Hacker: Be right back. The chicken is burning, sorry. One second.
Hacker: Here, I’m back. I think the answer might be Chris? He’s a good friend.
Apple: I am sorry, Brian, but that answer is incorrect.
Hacker: Christopher A********h is the full name. Another possibility is Raymond M*******r.
Apple: Both of those are incorrect as well.
Hacker: I’m just gonna list off some friends that might be haha. Brian C**a. Bryan Y***t. Steven M***y.
Apple: How about this. Give me the name of one of your custom mail folders.
Hacker: “Google” “Gmail” “Apple” I think. I’m a programmer at Google.
Apple: OK, “Apple” is correct. Can I have an alternate email address for you?
Hacker: The alternate email I used when I made the account?
Apple: I will need an email address to send you the password reset.
Hacker: Can you send it to “firstname.lastname@example.org”?
Apple: The email has been sent.
Passwords just aren’t safe anymore.