Author: Martin Boyd

Where online security fails – Social engineering and Amazon

Customers concerned about security try to do all the right things.  They use randomly generated, unique passwords for every online service and keep those in a password manager.  They use 2-step verification.  They look for HTTPS secure connections.  And yet a little social engineering is all it takes to undo this hard work.

The Internet retailer Amazon has just demonstrated how devastatingly effective social engineering against its users can be.

Yesterday Eric Springer described, in a post on the Medium blogging community, how his Amazon account was breached by someone who impersonated him over Amazon’s text-chat support service.  The impersonator knew Eric Springer’s name and email address, both of which are easily found online for almost everyone who uses the Internet.

The impersonator did not know Eric’s real shipping address, so he instead gave the address of a hotel in the same zip code.  He got the zip code from the registration record of Eric’s domain name, which a simple WHOIS lookup returns.

You can see from Eric’s description that the scammer used this fake address to get Amazon to give him Eric’s real shipping address and phone number.  With those details the scammer was then able to get Eric’s bank to issue a new copy of Eric’s credit card.

It didn’t matter how complex Eric made his password.  It didn’t matter that Eric was using two-factor verification.  A guy was able to breach his security using chat, and later by merely calling Amazon and speaking to a representative.

Frankly, the scammer did too much work.  It is amazing how much information can be found about most individuals by merely googling their name and city.  For people who live in bigger cities, googling their name and zip code is usually sufficient.  Unless the target has a name as comfortably anonymous as “John Smith”, they are usually easily found.

Companies usually confirm an account change with an email, or even with regular postal mail.  This isn’t enough on its own.  Email has become flooded; if you use email you must aggressively monitor and filter it for it to be useful.  Scammers count on the fact that most people do not watch their incoming email closely.  Email services may automatically rank messages by importance, and the email you reply to tends to land at the top of that list: an email conversation with a best friend or employer ranks much higher than an unanswered notification from a financial service.

Here are some things that may help you.

  • First, use a credit card service that texts your phone whenever anything is charged to your card.  Capital One offers this service with a “threshold” amount you can set, below which you are not notified.  Casual credit card users will find this useful.
  • Next, go over your charges every month and follow up on any charge you do not recognize.  Notify your financial institution of any fraudulent charges.
  • Create and use “business only” email addresses.  Gmail’s address alias format lets you use your normal email address (Jdoe@gmail.com) as a special-purpose address (Jdoe+BofA@gmail.com); the general form is “your.username+any.alias@gmail.com”.  A message that claims to come from your bank but arrives at a different alias, or at your bare address, is a warning sign.
  • Set up two-factor authentication on any service that has access to your financial or personal information.
  • Use a password manager that can randomly generate, store and fill in strong passwords.
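The per-service alias idea can be turned into a simple triage check: if each service was only ever given its own alias, then mail branded as your bank that arrives at the Amazon alias, or at the bare address, is either phishing or evidence that the alias leaked.  The following is an added example, not code from the original post; the mailbox name, the alias registry, and the sample messages are all constructed for illustration, and the check only looks at the header `From:`, which a phisher controls, so it belongs after SPF/DKIM/DMARC filtering rather than in place of it.

```python
"""Triage incoming mail by the per-service +alias it was delivered to."""
from email.utils import parseaddr

# Hypothetical mailbox and alias registry: which sender domains each alias was
# handed out to.  Subdomains (e.g. emcom.bankofamerica.com) also match.
BASE_LOCAL = "jdoe"
BASE_DOMAIN = "gmail.com"
SERVICE_DOMAINS = {
    "bofa": {"bankofamerica.com"},
    "amazon": {"amazon.com"},
}


def _domain_in(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def split_alias(to_header):
    """Return (is_mine, tag) for 'Name <user+tag@domain>'; tag is None if absent.

    Gmail ignores dots and case in the local part, so J.Doe+BofA@gmail.com is
    the same mailbox as jdoe+bofa@gmail.com; normalise both before comparing.
    """
    _, addr = parseaddr(to_header)
    local, _, domain = addr.lower().rpartition("@")
    base, _, tag = local.partition("+")
    if domain != BASE_DOMAIN or base.replace(".", "") != BASE_LOCAL:
        return False, None
    return True, (tag or None)


def sender_domain(from_header):
    """Domain part of the header From: address (attacker-controlled)."""
    _, addr = parseaddr(from_header)
    return addr.lower().rpartition("@")[2]


def classify(to_header, from_header):
    """Return a verdict string for one message."""
    mine, tag = split_alias(to_header)
    if not mine:
        return "not-mine"
    domain = sender_domain(from_header)
    # Every registered service whose domain the sender claims to be.
    claimed = {t for t, allowed in SERVICE_DOMAINS.items() if _domain_in(domain, allowed)}
    if tag is None:
        # No registered service was ever given the bare address, so mail from
        # one of their domains to it is phishing or a leak.
        return "suspicious-bare-address" if claimed else "ok-bare"
    if tag not in SERVICE_DOMAINS:
        return "unknown-alias"
    if tag in claimed:
        return "ok"
    # Bank-branded mail at the Amazon alias, or an unregistered sender using the
    # bank alias: the alias has leaked or this is phishing.
    return "suspicious-alias-mismatch"


def triage(messages):
    """messages: iterable of (subject, to_header, from_header) tuples."""
    return [(subject, classify(to, frm)) for subject, to, frm in messages]


# Constructed sample messages, not real mail.
SAMPLE = [
    ("Statement ready", "jdoe+bofa@gmail.com", "Bank of America <alerts@emcom.bankofamerica.com>"),
    ("Verify your account", "J.Doe+Amazon@gmail.com", "Bank of America <security@bankofamerica-verify.com>"),
    ("Urgent: card locked", "jdoe@gmail.com", "alerts@bankofamerica.com"),
    ("Weekly digest", "jdoe+newsletter@gmail.com", "news@example.org"),
    ("Re: invoice", "someone@example.com", "billing@example.org"),
]

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE):
        print("%-24s %s" % (subject, verdict))
```

The second sample is the interesting case: a lookalike domain that is not a subdomain of the registered one is not treated as the bank, and because it reached the Amazon alias it is flagged as a mismatch rather than waved through.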

And last, demand that your services conform to good security practices.  Eric’s response from Amazon was less than stellar, so he published his results on the Reddit social networking community.  Afterwards many other users repeated Eric’s experience by successfully social engineering their own accounts.  After about 8 hours Amazon changed its procedure, started demanding better identity checks, and stopped the social engineering from succeeding.  But it took public shaming to get this result from Amazon, which is really disappointing.


Professional development

I’m currently working on several areas of professional development.

  • FE Exam – I’m working toward my Professional Engineer license for Electrical and Computer engineering. My first step is to take the Fundamentals of Engineering (FE) Exam. I plan on taking the FE Exam this fall.
  • CAPM Certification – I’m studying for the Certified Associate in Project Management certification.  I will apply for the CAPM certification in June / July.
  • Software / Firmware – I want to keep up my skills in firmware programming, so I’ll be developing an embedded project in C++, and an Android platform project in Java.

Other things I’m working on include:

Programmable Logic Controllers – I’m really interested in using PLCs for my own permaculture / aquaponics projects.  I’ve downloaded the PSIM PLC simulator, and am looking at purchasing a copy of PLCLogix when I have a better handle on the different languages.

I’ve also ordered a chipKIT uC32 based on the Microchip PIC32MX340F512H.  I’ll use MPLAB X and a Microchip ICD to program it.  My idea is to eventually use this to measure water levels and quality in an Aquaponics setup.  I’ll be programming it in C++.

And finally, it’s time to upgrade my Amateur Radio license class again.  I’m currently a General class ham (KD6TXV) and want to upgrade to Amateur Extra class.  I’ll be taking the exam this summer.


Microchip purchased Atmel – Some background and what this could mean to the Maker community

Traditionally, if engineers needed a small microcontroller that was easy to use and program, they would likely choose a Microchip PIC. A design was still required to couple the microcontroller with a power supply, clock, and I/O, but that was relatively simple for any engineer. The software was a little more difficult, since the PIC was programmed in Microchip’s RISC assembly language.

This was less useful to the Maker community, who could understandably find hardware design and the Microchip PIC environment to be very confusing.

Then in 1992 the BASIC Stamp 1 by Parallax came along. This device put a Microchip PIC on a small circuit board with its own clock, I/O, and power supply, plus a serial EEPROM to hold the user’s program. The PIC ran an interpreter, and the user programmed it in a version of BASIC (PBASIC). The most important aspect of the BASIC Stamp is that it allowed the fledgling Maker community to create real microcontroller-based projects.  But the BASIC Stamp has always been too expensive for Makers.

In 2005 the Arduino was invented as a lower-cost alternative to the BASIC Stamp.  Because the Arduino is open-source hardware, its boards can be manufactured by anyone. It was originally designed around the Atmel 8-bit AVR microcontrollers, and that tradition has continued into Atmel’s 32-bit ARM-based parts (the Due and Zero, for example). Manufacturers have created Arduino-compatible boards based on other microcontrollers too, which isn’t a problem as long as the board works with the Arduino IDE and libraries.

Arduino boards have a wide range of abilities and features and can be programmed in multiple languages. A simple Arduino board can be purchased for under $20. These features make the Arduino a very handy device for the Maker community.

Microchip is still the 800-pound gorilla in the microcontroller and memory marketplace, and this marketplace has been consolidating as margins grow tighter.  Microchip has just purchased Atmel for roughly $3.6 billion.

What does this mean for the Maker community?

Microchip has always tried to be attractive to the Maker community.  Its parts are very inexpensive, and it provides explicit “how to” guides for building a complete circuit board around its PIC microcontrollers.  For a while the Maker community seemed to be moving toward Microchip, with books like “Easy PIC’n” becoming somewhat popular.  Microchip held a share of the Maker community as long as it was competing with the BASIC Stamp and its expensive counterparts.  That fell away when the Arduino arrived.

Microchip, along with Digilent and Fubar Labs, decided to create its own open-source hardware platform to compete with the Arduino and Raspberry Pi.  Billed as “Arduinos on steroids”, this platform is called the chipKIT, and it uses the very powerful PIC32 series of microcontrollers as its engine.  The first chipKIT boards were introduced in 2011, at about $20 for the low-end board, and were supposed to run code written for the Arduino with little or no change.

However, the extra raw power and the different microcontroller have created library compatibility problems.  This isn’t a big problem for programmers who are used to tweaking libraries for their own use, but the Maker community values compatibility and ease of use, and many Makers have no need for the power the chipKIT offers.  The chipKIT has a decent market niche, but the Maker community really loves the Arduino.

Now that Microchip owns both the chipKIT and the Atmel AVR parts at the heart of the Arduino, it will be interesting to see whether a pathway is created to urge Makers on to more powerful products.  A partial pathway already exists, since the chipKIT can be programmed with either the Arduino IDE or with MPLAB and its In-Circuit Debugger.

Microchip shines with excellent product support and online designer forums.  But these tend to cater to engineers more than Makers.  chipKIT questions do not get the immediate response that other PIC questions elicit, and some engineers on the Microchip forums have a dismissive attitude toward the Maker community.

It would be to Microchip’s advantage to add a Maker community forum to its otherwise excellent forums, with Maker-friendly moderators and assistance.  It could bring the Arduino and chipKIT Makers together in that one community.  Maybe Makers can even be encouraged to join the engineering career fields.

From a personal note – I’ve always loved the Microchip PIC, and have programmed it in RISC and C++.  I’ve also programmed the Arduino in C++.  If Microchip can make the libraries easier to use, the PIC32 has some serious power I’d love to play with in an Arduino environment.
