College of Engineering News • Iowa State University

Daily reporter gets hacked

One hour is how long it could take for my identity to be stolen.

And that’s how long it took three graduate students to create a website façade that would allow them to see the password that could lead them to my social security number, my identity.

With today’s push in mobile technology, people may not realize just how much of their information is “out there,” said Kevin Scheibe, associate professor of supply chain and information systems.

“Identity theft is the big one now,” Scheibe said. “Can I open an account in your name? Can I somehow steal money that’s tied to you and not tied to me? It’s not an uncommon thing.”

Password protection is an issue that should be on the top of college students’, and anybody’s, priority list, Scheibe said. A matter he said some students don’t take seriously enough, especially with passwords to log into social media and email accounts.

About 9 million people in the U.S. have their identities stolen each year, according to the Federal Trade Commission. About 12.7 million students were victims of identity theft in 2014, according to a Javeline Strategy & Research Identity Fraud report. The most common type of fraud was familiar fraud, or when family, friends, roommates and acquaintances are hidden risk factors and the victim’s personally identifiable information is stolen to create a new account or to take over existing accounts.

Doug Jacobson
Doug Jacobson

Doug Jacobson, director of Iowa State’s Information Assurance Center, cautioned students about sharing password information with friends and significant others.

“One of the classic ways that students can get in trouble is when the relationship status changes,” Jacobson said. “You’re in a relationship, you share things, including passwords, and then you change your status from in a relationship to single, one should change one’s passwords. I have been involved in cases in which people have misused that knowledge.”

If someone were to figure out an email password, Jacobson said, the information within the email is what hackers or phishers — those who try to trick people for personal information — would be looking for.

“If I had your email, I would use that to get your bank password,” Jacobson said. “It depends on how you handle it, many banks are getting better about this, but many times, you can click a button that says, ‘I forgot my password,’ and get a reminder.”

Hackers could then change the password without the user even knowing.

The experiment

To see how someone can be tricked into giving a password or being “hacked,” I asked Jacobson to see if there would be any students in information assurance willing to try to hack my online information or passwords.

The three volunteers — Nick Spear, Garrett Yord and Eric Rodine, all graduate students in electrical and computer engineering — had my name, email address and phone number, anything easily found on the open web, and about a week to see if they could get any of my passwords or other information.

We made sure they wouldn’t get into any legal trouble, which they won’t because I gave them full permission to try to hack me, and they got to work.

How a hacker can get your passwords

The students sent me two emails that looked like they were sent from a third party: one to my Iowa State Daily email account and one to my ISU CyMail.

The email to my Iowa State Daily account was tailored to me and my personal interests using social engineering, a technique hackers use to find out information about someone to either guess someone’s password or trick users into giving passwords.

“Social engineering is using interpersonal communication for the purpose of getting enough information that I can then use that to hack into something,” Scheibe said.

Nick Spear, one of the graduate students who agreed to help with the experiment, said social engineering was the longest portion of the project.

Social engineering could be something college students are most susceptible to, Scheibe said.

“We as Americans are a very trusting culture,” he said.

Andrew Weisskopf, senior systems analyst for Iowa State’s IT department, said students tend to be most susceptible to socially engineered phishing scams such as this example.

I definitely would have fallen for it, considering the topic of the email was something I am very interested in. The email contained information on human trafficking, a subject I am passionate about and report on frequently.

Spear, Rodine and Yord spent hours researching me using Facebook, LinkedIn, Twitter and a Google search to tailor a message containing information that would convince me to click on the provided link, bringing me to a Facebook page lookalike. Type in the password on the Facebook façade and it instantly goes to their computers.

“The first thing we would have done is copy and paste that password into all your other social media sites and emails,” Spear said.

Many people tend to reuse the same set of passwords for different logins, Scheibe said, which is a convenient, yet dangerous, habit.

Both Scheibe and Jacobson said they use password managers, such as 1Password or PasswordBox, which holds multiple generated complicated passwords to use for different sites. The only password you need to remember is the password to enter the manager, which should be strong, Jacobson said.

Jacobson said he also uses password phrases and adds a few numbers to make his password nearly impossible to guess.

How the hacker can get your personal information

Spear, Rodine and Yord also sent an email from what I thought was Iowa State’s Accounts Receivable.

The mock email to my CyMail account looked like it was from Iowa State’s Accounts Receivable saying this was the final notice to pay my U-Bill and provided a link to go directly to AccessPlus. The link contained my personal student netID and “ubill” in it, leading me to think it was legitimate.

Click on the link and up pops a nearly identical site to the real AccessPlus. Type in a password, and the password is instantly sent to the students’ computer.

Once on my AccessPlus, they could have easily found my social security number.

“If the password gets me to personal identifying information, such as social security number, that’s what I really need to steal your identity,” Jacobson said. “Then your social security number and public information about you would enable me to set up a credit card in your name. That’s what typically happens in identity theft. You use that person’s identity to convert it to money.”

For students employed at Iowa State, as I have been, W-2s are provided through AccessPlus. To view the W-2, the student must enter the last four digits of their social security number. However, anyone can find the social security number through the tax information section under the student tab.

Weisskopf said this was the first year Iowa State has added the requirement to type in the last four letters of the social security number to view the W-2.

“That was an addition this year and we missed one form that should’ve been behind that,” Weisskopf said.

The university has been working on creating a dual-factor identification to log in to AccessPlus, he said, but IT is running a pilot system now. It could be up to a year for the login method to go university-wide.

While most college students aren’t the most sought after individual targets for large sums of money as a top researcher or CEO of a company might be, Jacobson and Weisskopf said they should still be leery of how well they protect their passwords and how much they put online.

“It takes one moment of inattention for you to be a victim,” Weisskopf said.

This article was originally written by Danielle Ferguson of the Iowa State Daily.