Large technology companies amass huge amounts of personal data from their users. Because of this, they work hard to assure both customers and shareholders that the data is safe and can’t be easily stolen through the more conventional methods of hacking and intrusion. For two of the largest tech companies globally, Apple and Meta—the parent company of Facebook—this is certainly the case. However, even the largest corporations can sometimes fall for well-implemented deceptions, and that’s exactly what happened in a case of bold social engineering.
The Human Factor
Social engineering refers to attacking the weakest link in most security chains, human error. Social engineering tricks a victim into voluntarily performing an action that would compromise an otherwise secure system by gaining trust, exploiting greed, provoking fear, or other psychological manipulation tactics.
In the case of both Apple and Meta, the social engineering tactic here was for hackers to impersonate law enforcement officers and send emergency data requests. This legitimate legal request overrides the requirements of presenting a subpoena, warrant, or other court-approved documents before needing to comply. The Apple and Meta employees faced with these bogus emergency data requests complied and handed over IP addresses, mailing addresses, and phone numbers.
The Ongoing Challenge
While embarrassing, especially for companies that typically use up-to-date security measures such as biometrics and other forms of cyber security, neither Apple nor Meta have disclosed the full amount of data given to the hackers. But it is a testament to the ambition of criminals that regardless of the cyber security measures taken, some criminals refuse to give up and resort to the most extreme measures to get the data they want.
Biometrics, USB encryption, decryption keys, and other passwordless authentication methods are all incredibly efficient forms of cyber security. However, they are forms of personal protection, giving individuals the security they need to restrict access to their data. There is no accounting for what happens when a social engineering scheme works at the very “top” of the pyramid, with the data technology companies themselves, who can override any security and provide data on request if they are presented with legitimate, verifiable legal requests, or fall prey to believing a request is legitimate without securing more verification from the parties making the request.
Apple joined the FIDO Alliance in the Fall of 2020 a new global standard in the world of passwordless authentication. Apple has now authored a multi-device FIDO standard known as “Passkey” which allows a user to use a FIDO private key to access their Apple accounts. If a device is lost or replaced, the FIDO private key can be recovered from another Apple device owned by the user. With Apple joining the other 340 FIDO Alliance members, the global establishment of the FIDO alliance is considered complete.
It’s crucial, however, for every company to take its own cyber security seriously. Your data on your systems and networks need to be protected. If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.