The Weakest Link Is You

Andy Hamilton
3 min read · May 21, 2013


I'm a huge personal security nerd. I may not be up to industry standard, but I like to entertain the idea of keeping my stuff secure and locked up. Every hard drive I have is encrypted, every account I have has a different password that's unique and over 30 characters, and I enable TFA wherever it is supported. Yet none of that really matters. The weakest link between you and a hacker is you.

Recently I had a bet with a coworker. He shook my hand and told me that I wouldn't be able to post a status update from his account to Facebook. I honestly didn't know if I could, but it would be quite fun to see anyway. There was only one rule: I can't use his computer/phone while he's out of the room. After all, what skill does that take? So I set off on a journey to see what was possible. It turns out it was a lot easier than I anticipated.

My way of 'getting in' would be via the 'forgotten your password' link on Facebook. So I went through and started the process. I had hit the first roadblock: I needed his email address. All Facebook provided was the domain and the first/last characters. So all I had to play with was a*******4@me.com. I couldn't ask him for the email without making my plan obvious, so I decided to try and find the email myself. I tried various Google search terms but none yielded any luck whatsoever. In the end I signed up for a 'Yahoo!' account using my Facebook login and used the contact import tool. Bingo: there was his email, loud and clear.

So I tried to use that to reset his Facebook password. I was greeted with Facebook's rather clever way of checking you are who you say you are. I had to select three friends, whom Facebook would ring to confirm that he was in fact trying to reset his password. I could have gained access this way. After all, we had quite a few mutual friends, three of whom knew of the bet. It would be trivial to ask two of them to confirm for me and I would be the third. However, I didn't like the idea of depending on other people, so I decided to try another way. The only other option left was a verification email that Facebook sent out containing a password reset link.

The obvious thing to do in this situation would be to take the email address over. So I used Apple's 'iForgot' tool to reset the password. Apple provides a much simpler approach to proving your identity than Facebook does. It just asks for a date of birth and the answers to two quite simple security questions. The birthday was almost too easy, as it was displayed in public on Facebook. The only thing left between me and winning the bet was the questions. I dropped them both subtly into a conversation, noted down the answers and, to my surprise, they were both accepted.

All it took to get into the account was some digging and a few easy questions. You can spend a huge chunk of your time making sure you secure your accounts (which you should, no doubt), but at the end of the day, all it takes is a slip-up you weren't expecting and all that effort has gone to pot.
