It all started as all good things start these days : on irc.

Person didya get my last email

Person they sent a passport pic now, badly faked

What the...

So I look in my inbox, wherein :

---------- Forwarded message ----------

From: *

Date: Wed, Feb 19, 2014 at 2:49 AM

Subject: Fwd: Change of email

To: *

wow such identity --

---------- Forwarded message ----------

From: cuddle-puddle@riseup.net

To: *

Cc:

Date: Tue, 18 Feb 2014 17:41:14 -0800

Subject: Change of email

This is Martha McCuller, owner of bitbet.us. I would like the email associated with my account changed to cuddle-puddle@riseup.net. Attached is a scanned image of my United States passport for proof of identification. If more proof is necessary let me know and I'll be happy to comply. :)

And yes there's a passport. Behold :

This, obviously, is a fake, and a very cheap fake at that. Not only because the purported photograph of an actual item does not have the metadata associated with pictures normally, not only because even on a casual examination of the thing it's apparent it was generated scripturally rather than by actually photographing an actual physical item, but for a myriad other reasons I'm not going to go into because I'm not running a free critique and improvement service for fakers. They should be obvious anyway for anyone who isn't twelve, isn't retarded and isn't a third worlder.
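A first-pass check for the metadata point made above, as an added example (not code from this post): it walks the marker segments of an uploaded JPEG and reports whether an Exif APP1 block is present, run here on two constructed sample files.

```python
import struct

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment up to SOS/EOI."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI, or SOS (entropy-coded data follows)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def has_exif(data: bytes) -> bool:
    """True if an APP1 segment carrying an Exif header is present."""
    return any(m == 0xE1 and p.startswith(b"Exif\x00\x00") for m, p in jpeg_segments(data))

def triage(data: bytes) -> dict:
    """First-pass indicator for an uploaded 'photo' of a document: a camera
    normally writes Exif; a rendered or re-encoded image often has none.
    Absence is a reason to look closer, not proof of forgery."""
    apps = [f"APP{m - 0xE0}" for m, _ in jpeg_segments(data) if 0xE0 <= m <= 0xEF]
    return {"exif": has_exif(data), "app_segments": apps}

# Constructed samples (not the image from the post): only the marker skeleton
# matters for this check, so the quantisation table and scan data are stubs.
_DQT = _segment(0xDB, b"\x00" + bytes(64))
_SOS = bytes([0xFF, 0xDA]) + struct.pack(">H", 8) + bytes(6) + b"\x12\x34"
CAMERA_LIKE = SOI + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08") + _DQT + _SOS + EOI
SYNTHESIZED = SOI + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00") + _DQT + _SOS + EOI

if __name__ == "__main__":
    for name, img in (("camera-like", CAMERA_LIKE), ("synthesized", SYNTHESIZED)):
        print(name, triage(img))
```

Exif can be stripped by an honest uploader's phone app or pasted in by a forger, so this flags an upload for human review rather than deciding anything on its own.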

Let me just reiterate and thickly underscore an older observation :

I. Social engineering is the #1 threat you face. Appallingly coded pieces of crap made by mentally feeble dorks (such as Tor or Bitdaytrade) are defeated through technical means all the time, sure. Nevertheless, if you’re not mentally feeble and you’re not coding a piece of crap the possibility of technical breach shall be and should be the least of your concerns. Mind that BitInstant lost a few hundred BTC in a social engineering attack last year, mind that Lavabit ended up closed through a social engineering attack last month, mind that even the NSA, for all its lavish expenditure out of ill gotten proceeds and all its advertised (if false) abundance of young bright minds and qualified engineer hands has pretty much abandoned technical attacks and is concentrating primarily on social engineering tactics. [...] Social engineering is your enemy, social engineering will stay your enemy. Permanently, your biggest enemy. If you don’t have plans to fight this beast in all its multifacetious forms you don’t have plans to survive, and that’s how it is.

This is exactly how things stand, today as six months ago, as they will stand six years and perhaps sixty decades from now : social engineering is your biggest enemy. Take measures.

As a service provider, take measures to protect your customers from social engineering. Do not allow some random know-nothings to handle their accounts the way bullshit non-companies like Twitter do it. The people working customer identification have to be the best paid, most senior and experienced people in your entire organisation, with decades of experience working as ranking customs officials and lead detectives in tough precincts. And if you can't afford them, simply don't do customer identification. At all. There is no rule laid down on Moses' tablets that idiots who lose passwords should be able to ever recover them. "Sorry sir, the most we can do is wipe and reinstall your server for you, that is absolutely all" can perfectly acceptably and perfectly adequately be the limit of your customer support. You don't have to provide email reset services over the phone or password reset services over email or all the rest of the crap. In fact, if you don't have excellently good reasons why you would, simply don't. No, it's not true that "all customers lose their passwords sooner or later", and if it were : it would have been your fault. And if it ever becomes true, it will be your fault.

As a customer, take measures to protect yourself from providers' social engineering ineptitude. Ask them to reset your password : if they do just move to a sane provider. What's so hard about that ?

Think this through. Think this through long and hard because it is big, it is huge, it is important. The biggest, the most important. Do not be surprised by it. Be prepared for it.
