This day and age requires us all to be security-conscious – especially when it comes to our identities and our online accounts. To help promote our company goal of open communication, I wanted to share with our customers and non-customers alike a situation that recently occurred.
A customer of ours recently had their account taken over by someone impersonating them. Wired picked up the original story, and in the interest of maintaining openness, I wanted to outline our role in it since we were mentioned.
How did they gain access?
The impersonator gained access to the account because they knew the answers to both of the security questions the customer chose for the account. The impersonator did not obtain the personal information from Site5 staff.
Once we are provided correct answers to security questions, the person is considered verified and we will make account modifications as requested. This includes password resets, email address changes, and other changes. As is evident from the articles, this is exactly what transpired.
Our staff followed procedure every step along the way. To reiterate – at no point did we provide the impersonator the answers to the security questions.
It’s a very unfortunate situation, and we absolutely helped our customer as quickly as we could when the issue was reported to us.
What can you do as a consumer?
We all need to do our part to help protect ourselves! These social engineering attacks aren’t going to go away. A couple of high-profile attacks have occurred in the recent past, both in the hosting industry and outside it.
So what can you do?
One suggestion is to write your own security questions. Many online providers now allow their customers to write their own questions, and this is something I highly recommend. The questions should be as obscure as possible to help ensure they can’t be socially engineered. We have allowed customers to write their own security questions for over two and a half years now.
Another suggestion, which may not be obvious, is to lie in the answers you give to security questions. Just because the question asks for your mother’s maiden name or your place of birth doesn’t mean you have to be truthful! This obviously requires a good system for keeping track of the answers. But with security being a highly discussed topic these days, there are many apps that can help keep these things straight. I personally use 1Password on OS X, others like LastPass, and I’m sure there are numerous others that I’m not mentioning!
Other basic steps that help with security (but not necessarily social engineering) include keeping your computers virus- and malware-free; using strong passwords that include a combination of letters, numbers, and symbols; changing your password often; and not using the same password for multiple websites.
My goal for this post was to be open about our involvement in an adverse situation and to help bring awareness to a type of attack that most likely isn’t going away.
If you have any tips and pointers you’d like to share with our readers, feel free to post them in the comments!