Engineering Ethics Blog: Twitter Hack Revelation: People Are Still Human

Last Wednesday, followers of the Twitter postings of famous
people such as Joe Biden, Elon Musk, and Kim Kardashian all received some
variant of the following message, which came from the Apple Twitter feed:  “We are giving back to our community. We
support Bitcoin and we believe you should too! 
All Bitcoin sent to our address below will be sent back to you
doubled!”  This incident has brought
to my mind a series of hoary epigrams, and the fact that enough people actually
responded to this transparent scam to enrich the hackers by an estimated
$110,000 reminds me of the first one:  There’s
a sucker born every minute.

Twitter staff responded quickly, first by blocking the
accounts on which the fraudulent tweets appeared, and then by briefly freezing
the ability of all registered users to tweet anything.  (So for a few minutes on July 15, 2020, we had
a Twitter-free world again, but not for long.) 
Eventually, Twitter got things straightened out and life went back to
what passes these days for normal.

How was this done? 
Details are still scarce at this point, but apparently, it began when the
hackers mounted what Twitter calls a “coordinated social engineering
attack” on the organization.  That’s
techspeak for a trick like the following: 
a bunch of emails or other messages purporting to be from someone in
authority and asking for the victim to do something that they normally wouldn’t
do.  I partly fell for something like
this myself once one Saturday when I received an email allegedly from the dean
of my college at the university, asking me to contact her.  I emailed back and the hacker then said she
was in need of some gift cards for a meeting, and would I please go and buy
some and email them to her?  Only then
did I realize I was dealing with a scam.

So by some similar means, the hackers were able to access internal
Twitter administrative tools.  In other
words, they were in the driver’s seat and they proceeded to push the pedal to
the metal.  First, they located all the
famous Twitter names they wished to hack.  (Republican politicians, strangely enough,
were apparently immune from this attack, for reasons that remain to be
determined—maybe the hackers didn’t think anybody would believe Republicans
would give away money.)  Then they
changed the accounts’ email addresses so the real account owners couldn’t
access their own accounts.  And then the
hackers did something really stupid, which was to ask victims to send money to a
Bitcoin account.
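The sequence described above (admin-tool access, then the recovery e-mail changed on one famous account after another) is exactly the kind of pattern an internal audit log can catch while it is happening. The following detection logic is an added example and is not Twitter's code; the JSON-lines audit format, the field names, the window and threshold, and the sample entries are all constructed assumptions for illustration. It flags any single admin identity that changes the e-mail address on several verified accounts within a short sliding window.

```python
"""Flag an admin identity that changes the recovery e-mail on many
high-profile accounts within a short window.

Added example, not Twitter's code: the audit-log format, field names,
thresholds and sample entries below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample of an internal admin-tool audit log (JSON lines).
# One actor touches four verified accounts in about ninety seconds;
# another does routine, isolated work on unverified accounts.
SAMPLE_LOG = """\
{"ts": "2020-07-15T20:01:10Z", "actor": "support_agent_17", "action": "change_email", "target": "@joebiden", "verified": true}
{"ts": "2020-07-15T20:01:42Z", "actor": "support_agent_17", "action": "change_email", "target": "@elonmusk", "verified": true}
{"ts": "2020-07-15T20:02:05Z", "actor": "support_agent_17", "action": "change_email", "target": "@KimKardashian", "verified": true}
{"ts": "2020-07-15T20:02:30Z", "actor": "support_agent_17", "action": "change_email", "target": "@Apple", "verified": true}
{"ts": "2020-07-15T20:09:00Z", "actor": "support_agent_03", "action": "change_email", "target": "@someuser", "verified": false}
{"ts": "2020-07-15T21:30:00Z", "actor": "support_agent_03", "action": "reset_password", "target": "@otheruser", "verified": false}
"""

WINDOW = timedelta(minutes=10)   # assumed: how close together the changes must be
THRESHOLD = 3                    # assumed: distinct verified accounts that trigger an alert


def parse_events(text):
    """Parse JSON-lines audit entries and convert timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_bulk_email_changes(events, window=WINDOW, threshold=THRESHOLD):
    """Return {actor: sorted list of verified accounts} for every actor that
    changed the e-mail on at least `threshold` distinct verified accounts
    inside any sliding window of length `window`."""
    per_actor = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["action"] == "change_email" and event["verified"]:
            per_actor[event["actor"]].append(event)

    alerts = {}
    for actor, changes in per_actor.items():
        start = 0
        for end in range(len(changes)):
            # Slide the window start forward until it fits inside `window`.
            while changes[end]["ts"] - changes[start]["ts"] > window:
                start += 1
            targets = {c["target"] for c in changes[start:end + 1]}
            if len(targets) >= threshold:
                # Union every account that was part of a qualifying burst.
                alerts.setdefault(actor, set()).update(targets)
    return {actor: sorted(targets) for actor, targets in alerts.items()}


if __name__ == "__main__":
    for actor, targets in find_bulk_email_changes(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {actor}: e-mail changed on {len(targets)} verified accounts: {targets}")
```

The point of keying on verified accounts and on a single actor is that legitimate support work rarely needs to re-home the e-mail of several famous accounts within minutes; a rule like this would page an on-call responder before the first scam tweet went out, and the actor field tells the responder which credential to disable first.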

According to one authority at a law firm that specializes in
cryptocurrency matters, U.S. law enforcement authorities can trace Bitcoin
transactions pretty well, so the chances that the hackers will get away with
their ill-gotten gains for good are not high.
On the other hand, Bitcoin and similar cryptocurrencies are well known
for the shady and illegal transactions that people use them for, so it's hard
to say how easily the hackers can really be caught.  Overall, though, people involved with Bitcoin
thought the net fallout from this incident would be favorable for cryptocurrency,
because as one spokesman said to a Slate reporter, “Can you imagine if an advertiser wanted
to ask all of these people to post about their company in one fell swoop? It
would be an impossible purchase; you couldn’t even buy that much media.”  Which brings to mind the second hoary
epigram:  There’s no such thing as bad
  That is to say, just getting
your name or product before the public is more important than exactly what
causes the publicity in the first place, whether it reflects upon you favorably
or otherwise.

The next
epigram I will bring to your attention sums up what this incident tells us
about human nature:  Plus ça change,
plus c’est la même chose.
(“The more things change, the more they stay
the same.”)  While the technology in
this incident may be new, the aspects of human nature it exploited are as old
as humanity itself. 

The hackers,
who are simply criminals with some tech savvy, used their knowledge of human
nature to get into the Twitter controls in the first place.  No matter how many seminars on computer
security you make employees sit through, if your organization is large enough
and if the hackers are clever enough, at least one person is likely to have a
lapse of judgment when a hacker mimics an authority figure and asks the victim
to do something that would otherwise be against their better judgment.  And one is sometimes all it takes.

And on beyond
that, the fact that enough Twitter users were gullible to the extent of sending
thousands of dollars’ worth of Bitcoin to Joe Biden or Apple or whoever, not
stopping to wonder why the object of their admiration would first want them to
send cash before returning twice the amount sent—well, it’s people like that
who keep con artists in business.  And of
course, the millions of followers that each of the famous people or organizations
has increased the chances that the hackers would find those few very
special folks who both had the money and couldn't resist the thought of missing

A story in Physics, of all places, confirms that even people who are brilliant in one
department can nevertheless be duped like anybody else.  Late in life, Sir Isaac Newton was a well-off
government official (he ran England's mint) whom others sought out for advice
about financial investments.  In the
spring of 1720, a government-chartered outfit called the South Sea Company
(sort of like the British East India Company that profited from colonial trade,
but less successful) began issuing stock. 
Joint stock companies were a new thing back then, and Newton first
bought some South Sea shares, but then decided there was something fishy about
the setup and sold his stock, although at a handsome profit.  The South Sea Company operators were
basically operating a Ponzi scheme, but as they were some of the first to hit
on the idea of paying off investors who were promised high returns with the
money from sales to later investors, few people other than Newton smelled a

All through
the summer of 1720, South Sea stock soared, and the psychological pressure of
seeing other people apparently getting rich from their purchases proved too
much for Newton, who turned around and put almost all his free cash into the
stock again in June and July.  In August,
the bubble began to burst, and by the end of September Newton had lost his proverbial
shirt, along with everybody else who hadn’t gotten out in time.  So even the most brilliant scientific mind of
the eighteenth century was taken in by a stock scam.

That may not
make anybody who sent a thousand bucks to Kim Kardashian in hopes of financial
gain feel much better.  But it confirms
the fact that human nature hasn’t changed that much in three hundred years, and
whether the means are goose-quill pens or Twitter accounts, this final epigram
is still true:  If it looks too good
to be true, it probably is.
