What happened with Albert Rivera and WhatsApp again shows two things: politicians don't know anything about technology, and neither do journalists.
I will begin by clarifying that I am Argentine and I live in Argentina. I have enough to deal with in my own country's political situation without taking on Spanish politicians. The objective of this post is not to disqualify or defend Mr. Rivera; it is to educate so that the same thing does not happen to other people.
WhatsApp encryption and the Indian padlock
Peter Drucker was one of the most important specialists in organizations of the 20th century. One of my teachers used to compare him with other specialists with the phrase:
Peter Drucker worked with the most important companies in the world, the rest read in the libraries of the most important universities in the world.
Drucker says that one of his first jobs (in the 20s) was in a company that exported to India. The most successful product was a very simple padlock, a very easy model to open even without the key.
The firm decided to market a better model, one that would resist any unauthorized opening attempts. It was a failure.
When they went to investigate they discovered that the padlock, for the less educated Hindus, was a magical symbol. It was enough to see the padlock on a door so that no one dared to enter without authorization.
The new model was too expensive and too complex for the industry that bought the other model. And also unnecessary, since the protection sought was psychological.
Of course, it only took someone less superstitious for that advantage to disappear.
In this case we were talking about uneducated people. But when it comes to technology, the same thing happens to people with a good level of training: a blind and irrational trust in technology that makes them forget elementary precautions.
And before coming down on Mr. Rivera, let us remember that within the Linux community the mantra "I am protected from computer attacks because I use Linux" is often repeated.
Albert Rivera and WhatsApp. This is what happened
WhatsApp's developers want their application to be used with a mobile phone. Even the desktop applications need the phone, which grants them access by scanning a QR code.
Now, the application does not necessarily have to be installed on the mobile. For years I used WhatsApp on an Android tablet with no phone capability. You only need a mobile that can receive an SMS and a wireless connection.
The procedure to access Rivera's account was as follows:
- One or more unknown persons reported to WhatsApp that the mobile number Rivera used had been usurped.
- WhatsApp sent Rivera an SMS with a verification code to validate its ownership.
- The unknown person or persons, posing as WhatsApp, asked him to send the verification code by SMS.
Differences between hacking and phishing
And this is why I spoke at the beginning of the ignorance of journalism. Rivera was not hacked; he was a victim of phishing.
Hacking: It is the use of computer techniques to gain unauthorized access to systems or information.
Phishing: It is impersonating an institution or person to make the victim voluntarily provide private information.
Although both practices are ways of obtaining information, they differ in the method used. In phishing, the user is deceived with an email, a phone call, or perhaps a text message that convinces them to hand over the information "voluntarily". Obtaining it is no more complicated than making an email or website look official enough to mislead the victim.
In a hack, the information is extracted without the victim noticing, which forces the attacker to take control of the victim's computer system, by brute force or more sophisticated methods, to access confidential data.
Actually, both techniques are often combined.
Years ago, the Joomla content manager had a bug that allowed access to the servers on which it was installed. Someone used one of my clients' installations to put up a fake Bank Of America home banking page. He then sent emails to a mailing list with a link to that page disguised as an official bank email.
I ended up having to delete the domain because for months the bank's security officers continuously monitored the server, eating up the bandwidth.
There I learned not only to verify the links that come to me by mail, but also to periodically check each of the files that I have hosted on my servers and to confirm the identity of my interlocutors by other means.