A few days ago I was hacked for the first time in my life.
I keep telling myself that everything is fine, that given the statistics this is nothing to be ashamed of. Even experts get hacked from time to time. It was bound to happen; for someone who spends such a large amount of his time online, it is actually a surprise that it hadn’t happened earlier.
Yet I still feel betrayed. I feel guilty. I feel insecure.
The guilty feeling is easy to understand: I know about computer security, I know how vulnerable our passwords have become, and I should have known better. Yet I was still hacked. So let me tell you the story of what happened and how, as a warning to others who might be waiting to be the next victim.
Like most people in the world, I normally operate with a handful of passwords with varying degrees of security. There was a really easy-to-remember and insecure password that dates back to my early days online (23.9 bits of entropy). Then there was a “more secure” variation of that password using a combination of numbers and caps (33 to 41 bits of entropy). Then there was a long and complicated password using special characters (46 bits of entropy). On top of that I had a long pass-phrase using an uncommon combination of words (47.4 bits of entropy, not as high as recommended by xkcd). I believed that most of the important sites that I care about were relatively secure, including banks, game accounts, email, and some sites which store credit card information.
I was wrong: there was one important service that was still using the password with the lowest level of security, Skype. Most people tend to use Skype for free, but the communication tool offers a useful subscription service in which people charge money into their account, allowing them to call international numbers at competitive rates. Back in May 2012, I had charged $10 USD to my account in order to conduct some business phone calls while on the road. I never used the service again, so I forgot that I had any credit in my account. More importantly, however, my credit card details had remained stored.
Another important fact was that when I purchased the credit last year, Skype had enabled by default the option to automatically charge my card if my Skype credit got too low.
On July 7 2013, at exactly four minutes past midnight GMT, an unauthorised person logged into my account and in a period of almost five hours placed 151 calls to mobile phones and land-lines in Cambodia, totalling 149 minutes and spending $62 USD in the process (see attached CSV file). When the starting credit of $2 USD ran out, my card was charged six times for a total of $60 USD.
At that point the card's credit limit was hit, and the service started rejecting subsequent attempts to charge the card.
It was only at this point that some sort of alarm was raised at Skype, and access to the service was cut off. I found out the next day when I tried to log in, only to be presented with the unpleasant fact that my account had been locked due to suspicious activity. I did not even think that I had been the subject of an attack, and assumed that Skype had simply noticed an attempt to log in from a mobile device in a new location and had considered it suspicious. It was only after my first validation failed that I realised something might be wrong. After a lengthy chat with a Skype representative I was able to log in and change my password, and only then did I learn what had taken place. It must be said that Skype have been very helpful, and they refunded all of the charges made to my card. While I think that their system should have flagged the anomalous transactions earlier, I will just be thankful that I was lucky and got off lightly.
So, how did this happen? Undoubtedly I must carry a large chunk of responsibility for having a low-level password. I have to assume that there is a gang of Cambodian hackers doing this sort of thing, as I was able to find some details of similar victims. But why now? Had they hacked the account before, and were just waiting for me to log out? Had I done something that brought me to the attention of the hackers? Just the day before the attack I had used the Skype app on my new HTC One phone for the first time, but I suspect that this is just a coincidence. The truth is that I won the hacking lottery ticket; it was my turn.
The Skype hack attack has had a positive effect: I have seriously revamped my security across the board. I changed many mid-level important passwords to between 40 and 57 bits of entropy, and finally started using all of the capabilities of a password manager called LastPass, which allows me to identify weak passwords and to generate secure ones. My new ultra-secure pass-phrase has 84 bits of entropy, pretty decent all things considered. I am also buying a YubiKey, and will continue to try to get as many security tokens as possible for things that are truly important.
Long term, this episode has continued to cement my belief that the password is dead. How long will we continue to live in this world of stupid password policies that actually make us less secure? When security is really important, people are moving towards security tokens and two-factor authentication. While hackers will continue to gain access to accounts, the current systems make it easier for them.
And just in case you’re wondering, this blog is protected by a password with 48 bits of entropy.
A guide to password strength, from here:
- < 28 bits = Very Weak; might keep out family members
- 28 – 35 bits = Weak; should keep out most people, often good for desktop login passwords
- 36 – 59 bits = Reasonable; fairly secure passwords for network and company passwords
- 60 – 127 bits = Strong; can be good for guarding financial information
- 128+ bits = Very Strong; often overkill
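The entropy figures quoted throughout this post, and the bands in the guide above, come from the usual brute-force estimate: a password's entropy is its length times log2 of the size of the character pool an attacker would have to search, and a pass-phrase's is the number of words times log2 of the dictionary size (xkcd's 44 bits is four words from a 2048-word list). Below is an added example, not code from the original post or from any calculator it links to, that computes those estimates and maps them onto the bands; the character pools, the default dictionary size and the guessing rate used for the crack-time figure are assumptions made for the example.

```python
import math
import string

# Assumed character pools for the brute-force estimate. An attacker who knows
# which classes a password uses only has to search the union of those pools.
POOLS = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32 printable ASCII symbols
)

# Strength bands from the guide above (bits of entropy -> label).
BANDS = (
    (28, "Very Weak"),
    (36, "Weak"),
    (60, "Reasonable"),
    (128, "Strong"),
)


def pool_size(password: str) -> int:
    """Size of the smallest union of pools that covers every character.

    Characters outside the four ASCII pools (spaces, accented letters, ...)
    each extend the search space by one; this is an assumption of the
    example, not a standard.
    """
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in password))
    extras = {c for c in password if not any(c in pool for pool in POOLS)}
    return size + len(extras)


def password_entropy(password: str) -> float:
    """Brute-force entropy in bits: length * log2(pool size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def passphrase_entropy(word_count: int, dictionary_size: int = 2048) -> float:
    """Entropy of word_count words drawn uniformly from a dictionary.

    Default 2048 is the list size behind xkcd's 44-bit four-word example;
    Diceware lists are 7776 words (12.9 bits per word).
    """
    return word_count * math.log2(dictionary_size)


def strength_band(bits: float) -> str:
    """Map an entropy estimate onto the guide's bands."""
    for upper, label in BANDS:
        if bits < upper:
            return label
    return "Very Strong"


def expected_guesses(bits: float) -> float:
    """Expected guesses to hit a uniformly chosen secret: half the keyspace."""
    return 2 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years at an assumed offline rate (1e10/s is a made-up figure
    for a GPU rig against a fast, unsalted hash; online guessing is far slower)."""
    return expected_guesses(bits) / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    for pw in ("password", "Password1", "Tr0ub4dor&3"):
        bits = password_entropy(pw)
        print(f"{pw!r:15} {bits:5.1f} bits  {strength_band(bits):11} "
              f"{years_to_crack(bits):.2e} years")
    for words, size in ((4, 2048), (6, 7776)):
        bits = passphrase_entropy(words, size)
        print(f"{words} words from {size:5}: {bits:5.1f} bits  {strength_band(bits)}")
```

Note what the estimate does and does not capture: "Tr0ub4dor&3" scores about 72 bits by this count, yet real attackers run dictionary and leetspeak rules first, so a guessable word with substitutions is far weaker than its pool-based figure suggests. The number is an upper bound that holds only for passwords generated at random, which is the point of using a manager to generate them.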