Monday, July 20, 2020

Twitter Hack Revelation: People Are Still Human


Last Wednesday, followers of the Twitter postings of famous people such as Joe Biden, Elon Musk, and Kim Kardashian all received some variant of the following message, which came from the Apple Twitter feed:  "We are giving back to our community. We support Bitcoin and we believe you should too!  All Bitcoin sent to our address below will be sent back to you doubled!"  This incident has brought to my mind a series of hoary epigrams, and the fact that enough people actually responded to this transparent scam to enrich the hackers by an estimated $110,000 reminds me of the first one:  There's a sucker born every minute. 

Twitter staff responded quickly, first by blocking the accounts on which the fraudulent tweets appeared, and then by briefly freezing the ability of all registered users to tweet anything.  (So for a few minutes on July 15, 2020, we had a Twitter-free world again, but not for long.)  Eventually, Twitter got things straightened out and life went back to what passes these days for normal.

How was this done?  Details are still scarce at this point, but apparently, it began when the hackers mounted what Twitter calls a "coordinated social engineering attack" on the organization.  That's techspeak for a trick like the following:  a bunch of emails or other messages purporting to be from someone in authority and asking for the victim to do something that they normally wouldn't do.  I partly fell for something like this myself once one Saturday when I received an email allegedly from the dean of my college at the university, asking me to contact her.  I emailed back and the hacker then said she was in need of some gift cards for a meeting, and would I please go and buy some and email them to her?  Only then did I realize I was dealing with a scam.

So by some similar means, the hackers were able to access internal Twitter administrative tools.  In other words, they were in the driver's seat and they proceeded to push the pedal to the metal.  First, they located all the famous Twitter names they wished to hack.  (Republican politicians, strangely enough, were apparently immune from this attack, for reasons that remain to be determined—maybe the hackers didn't think anybody would believe Republicans would give away money.)  Then they changed the accounts' email addresses so the real account owners couldn't access their own accounts.  And then the hackers did something really stupid, which was to ask victims to send money to a Bitcoin account.

According to one authority at a law firm that specializes in cryptocurrency matters, U. S. law enforcement authorities can trace Bitcoin transactions pretty well, so the chances that the hackers will get away with their ill-gotten gains for good are not high.  On the other hand, Bitcoin and similar cryptocurrencies are well known for the shady and illegal transactions that people use them for, so it's hard to say what the truth is here as to how easily they can be caught.  Overall, though, people involved with Bitcoin thought the net fallout from this incident would be favorable for cryptocurrency, because as one spokesman said to a Slate reporter, "Can you imagine if an advertiser wanted to ask all of these people to post about their company in one fell swoop? It would be an impossible purchase; you couldn’t even buy that much media."  Which brings to mind the second hoary epigram:  There's no such thing as bad publicity.  That is to say, just getting your name or product before the public is more important than exactly what causes the publicity in the first place, whether it reflects upon you favorably or otherwise.

The next epigram I will bring to your attention sums up what this incident tells us about human nature:  Plus ça change, plus c'est la même chose. ("The more things change, the more they stay the same.")  While the technology in this incident may be new, the aspects of human nature it exploited are as old as humanity itself. 

The hackers, who are simply criminals with some tech savvy, used their knowledge of human nature to get into the Twitter controls in the first place.  No matter how many seminars on computer security you make employees sit through, if your organization is large enough and if the hackers are clever enough, at least one person is likely to have a lapse of judgment when a hacker mimicks an authority figure and asks the victim to do something that would otherwise be against their better judgment.  And one is sometimes all it takes.

And on beyond that, the fact that enough Twitter users were gullible to the extent of sending thousands of dollars' worth of Bitcoin to Joe Biden or Apple or whoever, not stopping to wonder why the object of their admiration would first want them to send cash before returning twice the amount sent—well, it's people like that who keep con artists in business.  And of course, the millions of followers each of the famous people or organizations have, increased the chances that the hackers would find those few very special folks who both had the money and couldn't resist the thought of missing out.

A story in Physics Today, of all places, confirms that even people who are brilliant in one department can nevertheless be duped like anybody else.  Late in life, Sir Isaac Newton was a well-off government official (he ran England's mint) who others sought out for advice about financial investments.  In the spring of 1720, a government-chartered outfit called the South Sea Company (sort of like the British East India Company that profited from colonial trade, but less successful) began issuing stock.  Joint stock companies were a new thing back then, and Newton first bought some South Sea shares, but then decided there was something fishy about the setup and sold his stock, although at a handsome profit.  The South Sea Company operators were basically operating a Ponzi scheme, but as they were some of the first to hit on the idea of paying off investors who were promised high returns with the money from sales to later investors, few people other than Newton smelled a rat. 

All through the summer of 1720, South Sea stock soared, and the psychological pressure of seeing other people apparently getting rich from their purchases proved too much for Newton, who turned around and put almost all his free cash into the stock again in June and July.  In August, the bubble began to burst, and by the end of September Newton had lost his proverbial shirt, along with everybody else who hadn't gotten out in time.  So even the most brilliant scientific mind of the eighteenth century was taken in by a stock scam.

That may not make anybody who sent a thousand bucks to Kim Kardashian in hopes of financial gain feel much better.  But it confirms the fact that human nature hasn't changed that much in three hundred years, and whether the means are goose-quill pens or Twitter accounts, this final epigram is still true:  If it looks too good to be true, it probably is.

Sources:  I referred to articles on the Twitter hack and scam that appeared in Slate at https://slate.com/technology/2020/07/why-cryptocurrency-advocates-think-the-twitter-hack-could-help-bitcoin.html and the website www.techcrunch.com at https://techcrunch.com/2020/07/15/twitter-accounts-hacked-crypto-scam/.  I also referred to the Wikipedia article on Twitter.  Andrew Odlyzko's article "Isaac Newton and the perils of the financial South Sea" appeared in the July 2020 issue of Physics Today, pp. 30-36.

No comments:

Post a Comment