All It Takes Is Five Minutes

A good hacker doesn’t need much more than a phone to gain access to someone’s online account. Social-engineering hacker Jessica Clark tested this on her own. Her target: journalist Kevin Roose, who had challenged her to show him how it was done.

First, she put together a 13-page dossier on Mr. Roose, pulling in all the information that she was able to find about him online. That meant birthdays, addresses, family, and other habits of his that might be helpful for identifying questions.

Next, she called his phone company. She spoofed his phone number, a relatively easy trick that made it seem like the phone number she was calling from was Mr. Roose’s. She also put on a video of baby crying sounds to run in the background.

When she reached a customer service representative, she put on the act. “Hi! I’m actually — I’m so sorry, can you hear me okay? My baby… I’m sorry.” She laid out a story as the baby cried in the background, explaining that she’d just had a baby and they needed to sort out a loan immediately. “I’m trying to log into our account for usage information, and I can’t remember what email address we used.” She cut herself off, sounding overwhelmed, and begged the customer service rep for help.

It took 30 seconds for Ms. Clark to get Mr. Roose’s personal email address. In a few more minutes, using the name of Mr. Roose’s partner and a fake Social Security number, she was able to add another name to his account and change his password.

Five minutes. That’s how long it can take for a hacker to get in.

Multilayered Prevention

So what can we do? Like, at some point, you’ve just got to give up, move to the middle of the woods in Maine, and keep all your money under your mattress. If you’re working on more than a Bais Yaakov teacher’s salary, you might even find that you can fill the mattress with the cash, thereby both saving you some money and gifting you some extra sleepless nights.

If a hacker could get in anytime, then what options are there, aside from leaving your job and taking up hacking yourself? (Not recommended, says my rav. Check with yours!)

“Multifactor authentication (MFA) adds an extra layer of security to the login process,” A* tells me. “Without MFA, you put in your username and password and log into your account. If a hacker has the password, they can get in, too. MFA uses two or more methods of authentication — something you have, something you are, and something you know.”

Something you have can mean your phone or email, and you’ll have to click a link or type in an extra code to log into your account.

Something you are might mean your fingerprint, on some phones or computers, or your face. (This can be very annoying if you’re my sister, because my face unlocks her phone every time. We don’t even look alike to anyone but her phone and our babies, who get very frightened when one sister is holding them and the other sister walks into the room.)

Something you know might be security questions or a password, the original method that we all use to log into accounts.

So a hacker getting your password might seem frightening, but if you have MFA turned on, then they also might need your phone to log in. And a lot of websites and apps have other protections, too. If you try logging in from an unusual place, you might get an email alerting you to the fact that you were logging in from Lakewood, New Jersey, this morning, but you appear to have made it to Vilyuchinsk, Russia in time for your lunch break.

Then again, sometimes it’s legit. I once went on a Mediterranean cruise with my grandparents and their credit card kept getting stopped because they were in Turkey one day, then Greece, then Croatia. Imagine trying to log on to your Wells Fargo account after boarding the International Space Station.

All that extra authentication can be particularly annoying when you’re in a rush. But convenience only goes so far, and in a world where private information is so precarious, better safe than sorry.

Password Semantics

I had three kids in three separate camps this year that all used the same CampMinder website. This was particularly annoying because I let my phone make the passwords. It gives me a mussar shmuess when I don’t, something kind of like the guilt trip that someone else’s bubby might put them through. (Required disclaimer: My grandmother is perfect.) “Are you sure that’s the right decision, mammeleh? Always using your oldest’s name, followed by 613? You know, the scammers these days know about 613, even if they don’t believe in them. How about some nice string of nonsense letters and numbers and symbols? I only ask because I care about you.”

Fine, Phone. You can do it.

Even though it saves those passwords, I had no idea which one was which, and transferring them over to my computer was even more complicated, which meant that my poor, poor son had to wait at least ten minutes for me to put in the urgent money that he needed for the canteen. (Was it the third-to-last day of camp? Yes. Was he going to have canteen again? Uncertain. But perish the thought that he ever had to go without a pack of Froozies and a Gatorade!)

Is it really so terrible to have the same password for multiple sites?

I ask A* for validation, and she gives it to me. “Technically, reusing a password is a bad idea,” she points out. But she suggests using three levels of passwords instead. You can have one for websites that don’t really matter much, like that one time you made an account with the New York Times because they said they’d save your Wordle and that seemed super important back in 2021. I really don’t think that any hackers are going to get anything of note from my Goodreads account except that I’m an easy five-star reviewer.

The second-tier password would be for places that have your credit card info, like Amazon or Verizon or that one place where I bought a towel robe for my daughter last July that she insisted she would use for several years before reneging on that in June. You want a slightly better password there.

But for the most important websites, like bank or phone accounts, you’ll need a really secure password. And that’s not “Bashie613,” unfortunately, for those of you superfans.

A* estimates five minutes to crack that password, incidentally. “The longer your password is, the more difficult it is to crack.” But complexity helps, too. “You want to use numbers, both uppercase and lowercase letters, and symbols.”

It’s simple math. If your password has six characters, using all of these different variations at once, there are about 95 different possibilities for each character. That’s 95 x 95 x 95 x 95 x 95 x 95, which is 735,091,890,625 different combinations. And a hacker can still crack that pretty instantly. Add a few more characters, and you can make it longer.

I tried it! I plugged some potential keysmashed, Bubby Phone-approved passwords into security app Bitwarden. “fE4&t#” takes only two minutes to crack. But “fE4&t#s1fs3%-sfdkj,” according to Bitwarden, would take centuries. Interestingly, when I try out some of my actual passwords, the time varies based on the letters used. A* says that hackers run through every word in the English language, as well as transliterated words from other languages.

Still, it does slow them down. I test the app, first with “Marcus613” and then “Bracha613.” Marcus is out in 57 seconds, while Bracha takes a whole day. With a hashtag at the end of the name, that number goes up to 12 days.

Long story short: Bubby Phone knows best. Annoying for me, annoying for hackers.

More than a Stolen Credit Card

How about online shopping? Is it safe to put my credit card info into the shady website that is selling the exact adorable houndstooth dress that I wanted to get for my daughter, or am I risking financial ruin over tween fashion?

Probably not, A* tells me. “In order to charge a card, a company needs to follow a specific set of rules called the PCI-DSS. Getting that authorization is difficult, so it’s usually easier to go through a payment gateway to process payments.” Those gateways are more secure and trustworthy.

But there are other concerns when it comes to putting funds online, sometimes even in places that seem harmless. A* tells me about a recent school fundraiser where kids had their own accounts and teams to keep track of what they’d raised. The accounts were managed by the parents, of course. But when she tried to access a nephew’s account, she found that she was able to see the money that he’d raised.

“The kids’ info is there, so now your kids have private info exposed on the Internet,” she explains. “If you’re using your kid’s name as a password, that information is now online.” But most concerning, “If someone sees that your child is in that school, they can run a scam where they call you up and ask for money, pretending that they’re a secretary at the yeshivah and you have outstanding balances there.” (The fundraiser is updating their security for the next round.)

Sometimes, the situation is even more dire. In 2023, during her younger daughter’s ballet recital, Jennifer DeStefano answered a call that she thought was a doctor’s office. On the other line, she heard a voice that sounded exactly like her older daughter, Briana, sobbing, “Mom, Mom. I messed up.”

“What happened?” she asked. Briana was on a ski trip. Had she gotten hurt?

From the other line, a man barked out, “Lie down and put your head back!”

Mrs. DeStefano panicked. Briana told her that she had been kidnapped, and the man threatened Briana’s life unless Mrs. DeStefano would give him $1 million. Mrs. DeStefano muted the phone and screamed for help from the other parents at the recital.

While she negotiated with the kidnapper, the other parents called 911 and reached out to Mrs. DeStefano’s husband — and Briana herself, who was skiing and perfectly fine. The entire phone call was a scam, and the caller had used AI to imitate Briana’s voice.

Many of us shrug off the fact that our lives are public today in a way that they never have been before. What do we have to hide? But those little snippets of our lives can be used against us in unexpected, malicious ways. And even the most innocuous breaches of our personal lives can pose unexpected danger.

Compromised?

Now, I have a terrible memory. I forget passwords constantly. I’ve had to ban myself from using Zelle because whenever it asks for my debit PIN, I guess so many times that I lock my bank account… and when I finally get around to calling and unlocking it, setting up a new debit PIN in the process, I forget the debit PIN by the time I hang up.

So I spend a lot of time on my phone’s passwords app, which should be a wonderful thing. There they are, all my passwords neatly lined up… and a big, blaring alert sign next to almost every one.

Compromised Password!! it warns me. This password has been detected in a data leak and should be changed immediately!!! I added the exclamation points, because I think that my phone really isn’t conveying the gravity of the situation. Maybe that’s why I tend to ignore those.

But A* warns me that they’re legit. “Usually, that means that someone successfully hacked a company and got the logins from the database. Then they processed the passwords (because passwords usually aren’t stored in regular form) and found the original password you typed in. So yes, it’s a good idea to change your password,” she says, and to change it on other websites, too, because hackers will try the same username and password combination elsewhere.

This is a big bummer to me, because I’ve always just assumed that this was scaremongering. But the good news is that your login might never be used. “The average person isn’t all that important,” A* points out. “But they can pick logins at random and test them out on sites like a banking website.”

Fortunately, my most valuable accounts have no alerts beside them. But I am taking a risk by ignoring the other alerts. Then again, I find that I’m not filled with dread at the possibility that a hacker could access my AllTrails account. It might do them some good, anyway, getting away from their screens for a nice hike. I have some great recommendations—

Well, I guess they’ll see them.

Behind the Scams

These hackers and scammers feel like a nebulous kind of bogeyman. When I try to imagine them, I envision a 20-something in a hoodie, down in a basement somewhere, screens flickering through the room as he types furiously. Maybe he pauses occasionally, a sneer creeping across his face so everyone knows that he’s Evil, with a capital E.

Maybe you can tell that I write a lot of fiction.

But the reality of it is often something else entirely.

Zeke Faux, an investigative reporter from Bloomberg, got a text from an obvious scammer. “Hi, David. I’m Vicky Smith. Don’t you remember me?” Instead of ignoring it, he decided to respond to “Vicky Smith.” Soon, she was texting him every day, claiming to live in New York, like him. She would talk about flagrantly expensive hobbies and how most of her income came from trading cryptocurrency.

Mr. Faux kept up with the scammer, curious at where this was going to go. Slowly, she introduced him to something she called “short-term node trading,” an invented way to make extra money. If he put money into an app, she claimed, he could make much more.

Mr. Faux was fully aware that this was a scam, but he put in the first $100 that she asked for, with an ulterior motive. Cryptocurrency can be traced, so Mr. Faux was now able to see all the money going in and out of the account that he had sent his money to. When he looked, he saw enormous sums of money flowing into the account from countless other scammed people in the West.

“These scammers are often not any more convincing than Vicky was with me,” he told NPR after the incident. “But one thing a lot of people have in common is that they’ve hit some sort of desperate circumstance in their life, like they have a terminal illness, or they’ve just lost a loved one.” Desperate people are more likely to take chances, and to respond to someone who wants a connection, even if it doesn’t feel right.

Vicky continued to ask him for more money, getting pushier and pushier, and Mr. Faux began to wonder exactly who was behind the screen. Slowly, he found out more — and discovered that these scammers are often victims, too — women who have been trafficked and brought to a compound where they’re forced to scam people out of their money.

These compounds are all across the world, with Russia, Ukraine, and China topping the list. But Mr. Faux found himself investigating the compounds in Sihanoukville, Cambodia, where thousands of people were allegedly trapped in buildings and forced to run these scams. The buildings are guarded with barbed wire and security.

Many of the people inside did first arrive voluntarily, desperate for a job… even one where they were paid to scam Americans and Chinese people. But soon, they were forced to hit certain quotas so their bosses could make a profit, and the punishments for missing those quotas are dangerous and severe.

Ultimately, it’s all about desperate people. Desperate scammers, desperate targets. Lonely people who are just grateful to have someone to talk to, and vulnerable people who don’t dare risk a few extra minutes to fact-check what they’re hearing. It’s a big, big worldwide web, and anyone can discover that they’ve become a target.

The best way to keep yourself secure is to stay informed. Be careful about the passwords you choose. Don’t give strangers access to your phone and computer. Don’t click any links that are texted to you by unknown numbers — or even numbers that you know, saying something that doesn’t sound right.

Trust your instincts when something feels off.

Daven.

Or throw out all your electronics and move to that forest in Maine. That works, too.

(Originally featured in Family First, Issue 964)