If you’re part of an IT department or a help desk, feel free to share this story with your end users. Especially the ones who have trouble believing IT security is important. This story is fiction – I made it up – but it’s realistic. Enjoy.
Abby Kramer was a third year student at a Bible college in Colorado. A pastor’s daughter, she liked to socialize online with friends from all over the world and kept a large library of pictures and videos from friends in her Facebook account. After a hard day of classes and studying, she allowed herself a few minutes each evening before bed to watch a new video or laugh at a few pictures and comment on posts from her online friends. The dialog with friends was always refreshing and no matter what frustrations the day brought, these few minutes always brightened her mood before bed.
She was shocked when she woke up one Saturday morning, after a difficult mid-semester week filled with tests, to find this email waiting in her inbox:
From: Facebook [mailto:email@example.com]
Sent: Saturday, March 16, 2013 4:16 AM
Subject: You requested a new Facebook password
You recently asked to reset your Facebook password.
Click here to change your password.
Didn’t request this change?
If you didn’t request a new password, let us know immediately.
This message was sent to firstname.lastname@example.org at your request.
Facebook, Inc., Attention: Department 415, PO Box 10005, Palo Alto, CA 94303
It was a shame Abby never looked at the email header. If she had, she would have noticed it originated in Florida and routed through a relay server in China. It came from a character who called himself “Duceml.” It didn’t come from Facebook.
But Abby didn’t know or care about how to look up any of that.
First alarmed that somebody tried to change her password, then relieved that Facebook had the wisdom to put in this email safety mechanism, Abby quickly clicked the “Change Password” link, which took her to what looked like a Facebook password change screen. Obviously, somebody had her password. She would change it and make sure nobody ever knew it this time. If Angie Gilroy ever saw what she said about Angie’s brother to Donna Gustafson, it would be awful.
A few seconds after filling in the old password and new password boxes, she found herself looking at the Facebook login screen. She was dying to know if Angie Gilroy found out what Abby said about Angie’s brother and what she had to say about it, so she decided to log in and check. When she saw a popup box with “Invalid username and/or password,” she tried again with her old password. Curious – her old password still worked. Didn’t she just change it? Annoyed, she went through the password change process again. This time it worked.
It was time for breakfast in Abby’s dormitory, a school dance was coming up that night, and Abby quickly forgot about her Facebook scare.
But a Russian FTP server did not forget. FTP – the file transfer protocol – is one of the oldest protocols on the Internet. Millions of people use FTP every day to upload and download files to and from websites. And criminals use FTP to surreptitiously upload and download information to and from computers owned by naive users.
Had Abby looked more closely at that first Change Password screen, she would have noticed the address read www.facebrook.com.ru. It was a website in Russia designed to look like Facebook. But Abby didn’t look closely. Instead, she entered her old and new password and waited several seconds as that fake website scooped it all up and redirected her computer to the real Facebook website. And even though she changed her Facebook password, she used the same email address and password for the bank account she shared with her parents to cover college expenses.
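The check Abby never made can be automated on the receiving side: take each link in the message, look only at the hostname the browser would actually connect to, and compare it with the domain the reset is supposed to come from. The script below is an added illustration, not part of the story or of any real mail filter; the allow-list, the sample message body and the helper names are constructed for it. It treats the story’s www.facebrook.com.ru as a lookalike because one of its labels is within two edits of the brand name, and it also catches the brand name being used as a subdomain of an unrelated domain and the “facebook.com@evil.example” trick, which urlsplit resolves to the real host.

```python
"""Classify the links in a password-reset email against the domain the reset
should come from.  Added example; allow-list and sample message are constructed."""
import re
from urllib.parse import urlsplit

# Domains a genuine Facebook reset link may point at (constructed allow-list).
EXPECTED_DOMAINS = ("facebook.com",)

# Pulls every href target out of a simple HTML body.
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, expected=EXPECTED_DOMAINS) -> str:
    """Return 'ok', 'lookalike' or 'unrelated' for the link's real hostname.

    urlsplit().hostname drops the scheme, any userinfo before '@', the port
    and the path, so only the host the browser would connect to is judged.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for domain in expected:
        if host == domain or host.endswith("." + domain):
            return "ok"
    labels = host.split(".")
    for domain in expected:
        brand = domain.split(".")[0]
        for label in labels:
            # Brand name used as a subdomain of someone else's domain
            # (facebook.com.evil.example) or misspelled by a character or two
            # (facebrook): both are the lookalike pattern in the story.
            if label == brand or levenshtein(label, brand) <= 2:
                return "lookalike"
    return "unrelated"


def audit_email(html: str, expected=EXPECTED_DOMAINS) -> dict:
    """Map every href in the message body to its classification."""
    return {url: classify_link(url, expected) for url in HREF_RE.findall(html)}


# Constructed sample body modelled on the story's message; the URLs are illustrative.
SAMPLE_EMAIL = """
<p>You recently asked to reset your Facebook password.</p>
<p><a href="http://www.facebrook.com.ru/recover">Click here</a> to change your password.</p>
<p>Didn't request this change? <a href="https://www.facebook.com/help">Let us know</a>.</p>
"""

if __name__ == "__main__":
    for url, verdict in audit_email(SAMPLE_EMAIL).items():
        print(f"{verdict:10s} {url}")
```

A real filter would resolve registrable domains with the public suffix list instead of plain suffix matching, but the idea is the one the story turns on: the visible link text and the sender name prove nothing, the hostname does.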
An anonymous criminal somewhere in Russia eagerly monitored the growing list of Facebook usernames and passwords accumulating on his FTP server. He would try these credentials against a list of retailers and banks and no doubt find a few matches. It would be tedious to try variations of the user email@example.com with either “IheartJ3sus” or “i@msav3d” as the password against thousands of banking websites, but that’s why people write software – to handle tedious tasks. And a program could do the job in a few minutes.
He smiled when he found a match at a large bank website and looked up the bank balance – more than US$1000. After posting the credentials for sale on an underground website, somebody in the US named Matt1117 bought them for $750, paid into an anonymous escrow account. The transaction was routine. Just one drop in an ocean of transactions every day.
Two weeks later, Tamara Kramer, Abby’s mother, waited in the checkout line at the local grocery store. She wanted to surprise her starving college daughter with some ramen noodles and other snacks. When she swiped her debit card from the checking account she shared with her daughter, the cashier politely told her it was declined. Surely there must be some mistake? She swiped it again and was declined again. As people queued up in line, Tamara called her bank. What was going on? After waiting on hold for more than 15 minutes, she finally connected with an agent named Nancy with a thick Indian accent who tried to be helpful. The language barrier was difficult to overcome, but Nancy eventually told Tamara that her bank account was overdrawn.
“What? How can this be? I deposited $1000 in that account 3 weeks ago and haven’t bought anything since then.”
“Ma’am Tamara, it says here you spent $1232.55 at an online electronics store last week.”
“I did not! … Unless Abby did. Thank you, I will talk to my daughter.”
Embarrassed, Tamara paid for her groceries with a credit card and apologized to the cashier and everyone waiting in the growing line. She called Abby and left a message. Abby returned the call several hours later and felt the wrath of a mother betrayed. Abby tearfully assured her mother she did no such thing. Tamara called the bank, disputed the bill pay and closed the checking account. She had to visit the local branch of her bank to open a new account, and contacted everyone with checks from the old bank account that had not yet cleared. Over the next two weeks, Tamara managed to reimburse everyone to whom she or Abby had written checks by scavenging money from savings and delaying other bills. The bank fraud department investigated and after 3 months, filed an insurance claim and reimbursed Tamara for the stolen money, less Tamara’s $50 liability. The bank called appropriate law enforcement agencies about the matter, which took the reports and filed them away with thousands of similar reports.
Nobody tried to recover or even locate the stolen money. But a teenager named Kenny enjoyed the new game console he bought on Craigslist from somebody named Matt1117.
If you liked the story about Abby Kramer, you’ll love the book titled, “Bullseye Breach.” Here is a link to a teaser.