Yesterday night marked the beginning of a series of interesting events that gives us an opportunity for reflection (or avalokanam, as we call it). My wife received a few text messages on her phone number that has been her for only a couple of weeks. These messages were from Facebook, and had a code and a link which could be used to reset her password. At first she ignored these messages, and then we began to suspect that it was the result of an attempt to hack her Facebook account. She was a bit worried, but more surprised that somebody would actually go through the trouble of doing this. After all, of what use would her account be to them? Partly out of what I have heard and read, and in part due to my own crooked thinking, I tried to explain the different ways in which they could use her account to get access to more useful personal information of those in her friends circle. I also suspected that this was an attempt at hacking by social engineering. Nevertheless, I was pretty confident of the security systems Facebook will have in place, and told her there was nothing to worry as long as she didn’t do anything reckless.

Today morning, at about 11:00 AM, when I would usually have been out at work but was incidentally at home owing to a persistent bout of cold, my wife received a call and I listened to her side of the conversation: “Hello?”. “What?”. “Ok”. “Facebook?”. “I see”. “Got it”. “No problem”. “All right”. As I came to know from her soon after, it was exactly what I suspected it to be. There was a lady on the line who addressed my wife by her name and claimed to have been using her new number till some time back, had forgotten the password to her Facebook account which she could reclaim only by sending a verification SMS to this number, and thus requested that the text messages received yesterday be forwarded to her. My wife, with her trusting and helpful disposition, had gladly agreed to oblige. Myself, being more suspicious and incredulous by nature, was not happy with that.

The first question that came to my mind was how the caller got to know my wife’s name. Looks like she claimed it was from customer care, but I found that even more ridiculous. Why would customer care folks ever divulge confidential customer information to some curious caller? That would be a clear violation of their user data privacy requirements. And even assuming that she somehow managed to get that information, was this the only way to recover her account? Wouldn’t there be an email recovery option? It would take roughly 6 months for an operator to recycle a phone number (well, that’s what I believe) – why did she not care about reclaiming her account till now? Or did she suddenly lose her password within 2 weeks of a new user claiming her old number? That would require a greater degree of coincidence than we usually see in the world around us. I was convinced that this phone call was also part of a plan to hack my wife’s Facebook account, and advised her not to share the password reset code as the caller had requested. At first, she wasn’t happy about not sending the code after having initially agreed to, but on explaining the risks she appreciated the basis of this recommendation.

In about an hour, the mysterious lady called again and was complaining about not having received the code yet. I asked to put the phone on speaker and began to listen to the conversation as some fundamental questions were being posed to the caller. The way she answered those questions showed that she was either genuine or highly trained. The number was being used by her sister who went to Kuwait about a year back and the SIM had gone inactive, as per her account. She had important photos and contact information in her account and the only way to recover it was for us to help her. At some point, I decided to join the conversation. We had no way of telling whether the reset code was for her account or for my wife’s account, we explained. And even if this reset code was for the previous user of this phone number, we had no way to ascertain that this caller was the rightful owner. By sharing the code, we could be compromising my wife’s account or that of somebody else who isn’t even aware of this attempt. We took a lot of effort to clarify that we were not implying that the caller was trying to cheat us, but were only explaining our inability to tell a genuine case from a hacker. Firmly, but politely, we refused her request and she agreed to call Facebook customer care to find an alternate solution.

After disconnecting the call, we discussed and thought about the episode. We were not sure if we just refused help to someone who had sincerely approached us, or if we had successfully thwarted a clever social engineering attempt. We may never know an answer to this question but, looking back, I think we did the most appropriate thing we could at the moment. If she was genuine and happens to be reading this post, my apologies to her for not being able to help and hope that by now she has managed to reclaim her account and also fully understands our situation.

There are three lessons which we perhaps knew already, but can appreciate more in the light of this incident. First and foremost we must have at least two recovery options for our account (say, an email and a phone number), and always keep them updated lest we land in a difficult situation like the caller claimed to be in. Second, if you suspect an attack on your account (as you must, if you get password reset options without requesting for it), it is always better to play safe and never share your account information or secret codes with any unverified (or even verified) caller under any circumstance whatsoever. (This might seem obvious, but that is where social engineering is really effective – in gaining your trust posing as someone you know or by downplaying the actual impact of sharing that information). Finally, these types of attacks are common and any of us may fall for these at times – not because we are not intelligent enough, but because there is good in each one of us and it is this good that is often exploited. So, if we find any suspicious behavior in our friends’ accounts (like a friend asking you via Facebook to send a few dollars to his bank account because he is stranded in a strange place with is belongings stolen), we must urgently advise our friend rather than ignore the hint. If any one of our accounts is compromised, it undermines the security of all connected accounts as well. It is on each one of us to exercise due caution so that we all stay secure. This, perhaps, is one of those rare cases where it is okay to be a little paranoid!