The Weakest Link

Story of the Week May 9, 2021 5 min read

📚  Story of the Week #40

Would you ever hack someone’s Facebook account? What if they’re grooming underage students and you need evidence to convict them? This is the story of how I helped catch a criminal.

I remember when the internet used to sing. Explaining it to someone unfamiliar with the days of dial-up makes it sound like fiction: “Back in the early 2000s, you’d have to manually connect your computer to the internet using the telephone wired into your house. Wi-Fi? Oh, that wasn’t a thing yet. You’d clack on your keyboard, click and then your computer would start beeping and screeching, crunching electricity until it connected. It was magical.”

My family were late movers with dial-up, and the treadmill of progress never stops, so it wasn’t long until we leapfrogged onto broadband, dial-up’s less musical and faster evolution. The transition wasn’t without its teething problems.

Computers have always fascinated me. Ever since my uncle brought a beige Windows 95 PC into our house, I’d been tinkering away on them. Usually, I’d break them and then learn a ton in the progress of panic-fixing them less I got in trouble. That reputation earned me the nomination to talk to the technicians that had come to fix our broadband.

They were huge, though I was 11 and small, so most everyone was huge. They were also jolly confused.

We’d been promised getting broadband would be easy, though that’d been exposed as a sale bluff to get you through the door, as it had been a month and we still didn’t have an internet connection. We’d followed all the instructions, and spent hours on the phone with customer support. Our case was then escalated, resulting in two specialists being sent to our house to, once and for all, crack our connectivity conundrum. The issue was that nothing they tried worked.

What frustrated me was that the broken broadband went against the most basic term of my relationship with computers. They’re puzzles. They follow a consistent set of rules. Understand those rules, find the pattern, pull the levers and the puzzle will be solved. But here we were, with all the puzzle pieces present and in place, but the computer was refusing to comply.

I was just playing around at the time. My Dad had taken over talking to the technicians, as they’d exhausted all avenues within my remit and were now discussing drilling through the exterior walls to wire a direct line. You know, Dad stuff.

My idea of play was to see how fast I could type our login details and then click connect. Connection failed. Connection failed. Connection success. What? That was by no means my fastest attempt; my fingers had fumbled halfway through. Also, even if it was, computers don’t suddenly start working because you’ve proven yourself to be a demon on the keyboard.

At the speed of the information superhighway, the technicians had gathered around me to figure out how I’d solved the problem without the assistance of a power drill. That’s when we saw it.

For this bit, you need to know that my Dad’s name is Brian. As he’d opened the account, the username we’d created was ‘Brian’ followed by a string of numbers. Only it wasn’t. Where I’d meant to write ‘Brian’ during my speed run, I’d entered ‘Brain’ by mistake, but it worked. The month-long saga was the product of a tiny (and not that uncommon) typo by the sales rep who set up our account over the phone. My faith was restored: computers make sense; people were the real puzzles.

6 years later.

Friend: "Hey. Jamie. You’re meant to be smart. Can you help me with something?"

Jamie: "Errr… sure. Wait. What is it? I already liked your mum’s Facebook business page."

Friend: "Oh lol. Thanks. No. Can you help us catch this guy who’s been grooming boys at our school on Facebook?"

It started small, but then it passed a tipping point and caught the attention of a guy in my year group. His younger brother had been chatting with his friend from class on Facebook when the conversation took a sharp turn.

I’ll spare you the details. All that’s relevant is that the topics and tone were far too adult for a twelve-year-old. Weirded out, he’d told his older brother about how strange his friend was acting. His brother then contacted my friend, who then contacted me.

They’d deduced that the other twelve-year-old boy’s Facebook account had been hacked, and was being used to start conversations with a ton of boys similar to the one described above. They all followed the same pattern and ended with invitations to meet up in person.

That’s when they reached out to me. They wanted me to help hack the hacker and get back the compromised account.

No. I’m not a cryptographic genius. I have dabbled with bots and some scripting in my early teens, but hacking into a Facebook account was far beyond my reach. Something had to be done though, so I tried to get in through the side door by using the handy password reset feature.

Back then, there were two paths to resetting an account’s password. You could either do it via email or by answering a secret question. The hacker had changed the recovery email, so that left the secret question. This was the hacker’s first mistake. The secret question they’d written was, ‘2 + 2 =?’. The situation had turned from a computer puzzle to a people puzzle, and people tend to be lazy when rushing.

There’s a cliché in computer security that the greatest security threats come from people, not computers. Those are the weak links you need to strengthen, especially because people tend to be predictable in their typos or passwords. If you’re a password123 sort of person, then you’ll know what I’m talking about.

‘4’ was the obvious guess, but that proved to be too easy. It was rejected. I had two guesses left. What else could two plus two be except four? ‘Four’ would turn out to be my last guess and the correct answer. That’s when I noticed the hacker’s second mistake.

Inside the account, I could see every claw the hacker had tried to sink into the account owner’s friends: messages, images, and who’d they’d been sent to. That was when something odd struck me. Only one of the message threads was with someone significantly older.

Everything was handed over to the police, with the information gathered forming the case that sentenced the lead suspect. When the police poured over all the messages they could see how the hacker tricked the boy into revealing all the information they needed to hack his account. The fortunate part was, once in, none of the children they messaged took the bait to meet up in person. They all knew, even when the signs were subtle, that something was off.

Stay curious,

Jamie |  @JamoeMills


Jamie Miles

🌱 Building a media company to make sense of the 21st century 🍎 Sharing the best ideas along the way 🍵 Former @Airbnb @Onfido @UniofOxford

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.