amw (amw) wrote,

feeling elite

This week we had to deal with a persistent hacker at work.

They had realized that they could sign up for a free trial on our service, then enable two-factor authentication (2FA), then get a "free" SMS sent to confirm their identity. So they proceeded to use our 2FA feature to send messages to premium SMS services in Nigeria. Which we had to pay for.

Most people who use 2FA only use the "app on your phone generates a new password every 30 seconds" version, so they only confirm via SMS once and then never use it again. People who use SMS regularly are usually folks like me who stubbornly refuse to install any apps on their phone. So for our moderately-used service, that means we only need to send 20-30 SMS a day. Costs us a few bucks, which is nothing. Keeps the customers happy. Price of doing business.

Then suddenly we're getting done for hundreds of dollars a day.

First we set up a throttle to block the IP address of the hacker. Then the hacker started using zombie computers and/or VPNs to rotate around different IP addresses. So then we set up a throttle on the phone number, assuming that the hacker would only be using one premium phone number. Then the hacker started switching phone numbers on every request.

They must have hundreds of phone numbers set up, and hundreds of zombies.

And i thought to myself. I am in the wrong fucking business. Because if a hacker can set up one little automated script to cycle through 200 phone numbers a day, that's $200 a day for about 5 minutes work. Now imagine they set up that same script on 50 different companies who all provide 2FA on their trial accounts. That's fucking $10000 a day! Just for recording your login and replaying it with different numbers.

I suppose it's not really a hacker in the sense we imagine hackers to be, like some punk kid with bleach blonde hair who wears sunglasses inside and listens to techno music. It's probably a team of dudes in developing countries working for local crime bosses, slavishly plugging their scripts into every website on the internet.

So score one for the good guys because we finally beat him today by blocking all SMS access to new trial registrations. It's not really much of a win since this will also affect real potential customers who try to set up 2FA, but we will fix that next week, perhaps by making 2FA a feature that can only be enabled on a trial account after contacting customer support.

Anyway, it doesn't matter that our fix was crude. It was fun watching this hacker mess around in real time. Trying different IP addresses, then different phone numbers, then registering whole new accounts, trying multiple users, or waiting 10 minutes to get around a throttle and trying again. I like to think we wasted several hours of their time as they tried and tried and failed and failed to screw us out of more money.
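The three controls described above (a per-IP throttle, a per-phone-number throttle, and finally no SMS for trial accounts unless support has switched it on) can be stacked into one gate in front of the "send 2FA code" call. The following is an added example written for this page, not the code of the author's employer or of any real service: the thresholds, the `trial` / `sms_2fa_approved` account flags, the IP addresses, the phone numbers and the three-phase attacker traffic are all constructed assumptions. The replay shows why each throttle on its own is beaten by rotation and only the trial-account policy stops the rotating-everything phase.

```python
from collections import defaultdict, deque

# Constructed policy values (assumption); tune them to your own traffic.
WINDOW_SECONDS = 600   # the 10-minute window the post mentions
MAX_PER_IP = 5         # sends allowed per source IP per window
MAX_PER_PHONE = 3      # sends allowed per destination number per window


class SmsGate:
    """Decides whether a 2FA SMS may be sent. Layers, in order:
    1. policy: trial accounts need support approval before SMS 2FA is enabled,
    2. sliding-window throttle per source IP,
    3. sliding-window throttle per destination phone number.
    Counters live in-process here; a real deployment would keep them in a
    shared store so every web node sees the same counts (assumption)."""

    def __init__(self, window=WINDOW_SECONDS, per_ip=MAX_PER_IP,
                 per_phone=MAX_PER_PHONE, block_trial_sms=True):
        self.window = window
        self.per_ip = per_ip
        self.per_phone = per_phone
        self.block_trial_sms = block_trial_sms
        self._by_ip = defaultdict(deque)      # ip -> timestamps of sends
        self._by_phone = defaultdict(deque)   # phone -> timestamps of sends

    def _recent(self, bucket, key, now):
        """Drop timestamps older than the window and return the live deque."""
        q = bucket[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def decide(self, account, ip, phone, now):
        """Return (allowed, reason). `account` is a dict with hypothetical
        'trial' and 'sms_2fa_approved' flags."""
        # Policy check first, so blocked requests never pollute the counters.
        if (self.block_trial_sms and account.get("trial")
                and not account.get("sms_2fa_approved")):
            return False, "trial account: SMS 2FA requires support approval"
        ip_hits = self._recent(self._by_ip, ip, now)
        if len(ip_hits) >= self.per_ip:
            return False, "ip throttled"
        phone_hits = self._recent(self._by_phone, phone, now)
        if len(phone_hits) >= self.per_phone:
            return False, "phone throttled"
        # Only count a request once it is actually allowed through.
        ip_hits.append(now)
        phone_hits.append(now)
        return True, "sent"


def replay_attack(gate, trial_account, now=0.0):
    """Constructed attacker traffic in the three phases the post describes.
    Returns how many SMS got through in each phase."""
    sent = {"single_ip_rotating_numbers": 0,
            "rotating_ips_single_number": 0,
            "rotating_ips_and_numbers": 0}
    # Phase 1: one zombie, many premium numbers -> the per-IP throttle bites.
    for i in range(50):
        ok, _ = gate.decide(trial_account, "203.0.113.7",
                            f"+2348000{i:05d}", now + i)
        sent["single_ip_rotating_numbers"] += int(ok)
    # Phase 2: a new IP per request, one number -> the per-phone throttle bites.
    for i in range(50):
        ok, _ = gate.decide(trial_account, f"198.51.100.{i}",
                            "+234800099999", now + 100 + i)
        sent["rotating_ips_single_number"] += int(ok)
    # Phase 3: new IP and new number every request -> only policy can stop it.
    for i in range(50):
        ok, _ = gate.decide(trial_account, f"192.0.2.{i}",
                            f"+2348001{i:05d}", now + 200 + i)
        sent["rotating_ips_and_numbers"] += int(ok)
    return sent


if __name__ == "__main__":
    attacker = {"trial": True, "sms_2fa_approved": False}
    print("throttles only:", replay_attack(SmsGate(block_trial_sms=False), attacker))
    print("with trial block:", replay_attack(SmsGate(), attacker))
```

With only the two throttles, phase 3 sails through untouched, which is exactly the position the post describes before the crude fix; with the trial policy on, all three phases are refused before a single counter is touched, while a paid account or a support-approved trial from the same IP is still served.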

Yes. I felt elite. Not just elite. Leet. 1337.

That almost never happens in real life software development.

You never get to be elite, because the vast, vast majority of hackers are just little shitheads who are spamming your site with a million useless strings to try to exploit vulnerabilities that already got fixed years or decades ago. They still try it on because there is a small but significant number of companies who never bother upgrading their software. Hackers only need to own a few boxes to potentially find customer information that they can then use for identity theft or fraud. Or they can encrypt your shit and demand a ransom to unlock it (which is what happened to that pipeline company in the US recently). Even if they find nothing useful, they will still turn your computer into a zombie that will now be used to hack someone else.

PSA from your friendly neighborhood nerd: upgrade your software, folks. Do not stay on the old versions, you will be pwned.

Anyway, thwarting those hackers is just like. Meh. Oh well. I clicked the upgrade button. Phear me.

But thwarting a hacker who is costing you hundreds of dollars a day? That feels good. It feels like. YAS. U R PWNED. WE ARE SAMURAI. WE ARE THE KEYBOARD COWBOYS. AND ALL THOSE OTHER PEOPLE ARE JUST THE CATTLE. MOO. HACK THE PLANET! HACK TEH PLANET!!!!1111one...>>> Etc etc.

Someone play me some fucking Prodigy because it's time to do the elite dance.

The Prodigy - Voodoo People

Ah, there we go.
Tags: career, teh internets
