Last Night a Hacker Stole My (Digital) Life

Rethinking the User Experience of Data Protection

18k tweets, 1.5k followers.
This may not be much compared to Katy Perry’s stats, but it represents a 10 year career in the digital industry.
And it’s gone in a minute — because a teenager with some basic hacking skills threw a tantrum over my four character Twitter handle — but more importantly, because of bad design and a lack of consideration for users’ data.

“You always think that those stories happen to others, that it will never happen to yourself. Until it does.”

A broken User Experience with a dramatic impact

My Twitter account as well as my Instagram account were hacked on Friday night.
It took me a few hours to figure out what happened: the hacker broke into my webmail client and used it to trigger the process to reset my password.
As simple as that.

I was naively using my @domain.ext email address to authenticate on both Twitter and Instagram. And of course, my webmail doesn’t benefit from fancy 2 step authentication (which is breakable anyway, don’t get high hopes, it’s just much more complicated).
I should have read Naoki Hiroshima’s extraordinary article about how he got his valuable Twitter handle nicked earlier.
Social engineering can help evil deeds. But you always think that those stories happen to others, that it will never happen to yourself. Until it does.

Let’s go back to my hacked mailbox: what caught my attention was this specific email sent automatically from Twitter.

“We have noticed a recent connection to your account” — Automatic email from Twitter sent when someone connects to your account from an unusual device/place.

As you can see, this email was sent at 3am on Friday night and being over 30 years old now, I was obviously already asleep (don’t judge me).

When I found it in my mailbox in the morning, I tried to click on the link following the “IF IT WASN’T YOU” directions to change my password. This wasn’t possible because the hacker had already changed my Twitter password, so I tried to reset it. This was impossible too since the email address associated with my Twitter account had been changed as well. I had no way to reset my password, and therefore no way to access my account.

I contacted Twitter Support four times, adding screenshots to my request, explaining everything, from the hack of my webmail to the hacker bragging about his crime on his account. Every time my case was closed because I wasn’t writing from the email address associated with the account. Which seems obvious, as the first thing the hacker did was to change the address!

Doesn’t this user flow look a bit broken to you?

“That’s the complaint of the digital natives, ‘I wish some human would answer my request’.”

Then I wondered: what exactly is the purpose of this email?
This email is notifying you that someone is currently performing a hold up on your account… but does nothing to actually prevent it.
I discovered afterward that Twitter offers a 2 factor authentication, which is great. However, it would have been even better if I had only known that before. Besides I mainly use the Twitter app on mobile and this feature isn’t available from there.

The moment the hacker enters your account, it’s already too late, there’s nothing you can do apart from potentially winning the race of changing your password before he does (which I don’t think is even possible given the time it takes to actually send and receive the email that informs you of the hold up).

Twitter has the capacity to tell that something is off, but the user experience they designed out of it is simply frustrating and — let’s face it — quite useless.
This didn’t prevent my account from being stolen, this just notified me it was being stolen. Hashtag popcorn.
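The two gaps described above (an alert that only informs, and a support process that rejects the owner the moment the attacker swaps the address) can both be closed with the data the service already holds. The following sketch is an added example written for this page, not Twitter’s code: the “it wasn’t me” link is a signed token bound to the address the alert was sent to, so it keeps working after the account’s password and email are changed, and the support check accepts an address that was replaced within a grace period. The account, the key, the device names and the timings are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_KEY = b"constructed-demo-key"   # constructed for the demo, not a real secret
ALERT_TTL = 7 * 24 * 3600              # an "it wasn't me" link stays valid for a week
CONTACT_GRACE = 30 * 24 * 3600         # a replaced address keeps recovery rights for 30 days


def _pw_hash(password: str) -> str:
    # Plain SHA-256 keeps the example short; a real service uses a slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    handle: str
    email: str
    password_hash: str
    known_devices: set = field(default_factory=set)
    sessions: set = field(default_factory=set)
    previous_emails: list = field(default_factory=list)   # [(address, replaced_at), ...]
    frozen: bool = False
    must_reset_password: bool = False


def alert_token(acct: Account, now: int) -> str:
    """Sign handle + the address the alert goes to + expiry. Verification never looks at
    the account's *current* address, so the link survives a later address change."""
    payload = f"{acct.handle}|{acct.email}|{now + ALERT_TTL}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def login(acct: Account, password: str, device: str, now: int):
    """Return (session_id, alert); alert is the e-mail that would be sent, or None."""
    if acct.frozen or not hmac.compare_digest(acct.password_hash, _pw_hash(password)):
        return None, None
    session = secrets.token_hex(8)
    acct.sessions.add(session)
    alert = None
    if device not in acct.known_devices:       # unusual device: notify *and* hand out a lever
        acct.known_devices.add(device)
        alert = {"to": acct.email, "device": device, "wasnt_me": alert_token(acct, now)}
    return session, alert


def change_credentials(acct: Account, session: str, new_password: str, new_email: str, now: int) -> bool:
    """Any live session may change password and address (the hijacker's first move), but the
    replaced address is remembered rather than forgotten."""
    if session not in acct.sessions or acct.frozen:
        return False
    acct.previous_emails.append((acct.email, now))
    acct.email = new_email
    acct.password_hash = _pw_hash(new_password)
    return True


def wasnt_me(acct: Account, token: str, now: int) -> bool:
    """Honour a valid link: revoke every session, freeze the account, restore the address the
    alert went to and force a password reset. Returns True when the token was accepted."""
    try:
        handle, sent_to, exp, sig = token.split("|")
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{handle}|{sent_to}|{exp}".encode(), hashlib.sha256).hexdigest()
    if handle != acct.handle or not hmac.compare_digest(sig, expected) or now > int(exp):
        return False
    acct.sessions.clear()
    acct.frozen = True
    acct.must_reset_password = True
    acct.email = sent_to
    return True


def support_may_act_for(acct: Account, claimant_email: str, now: int) -> bool:
    """Support 'robot' check: the current address, or one replaced within the grace period."""
    if claimant_email == acct.email:
        return True
    return any(addr == claimant_email and now - when <= CONTACT_GRACE
               for addr, when in acct.previous_emails)


def demo() -> dict:
    """Replay the incident from the post against a constructed account."""
    t0 = 1_700_000_000
    acct = Account("@abcd", "me@domain.ext", _pw_hash("correct horse"), known_devices={"my-laptop"})
    login(acct, "correct horse", "my-laptop", t0)                              # owner, known device: no alert
    session, alert = login(acct, "correct horse", "unknown-phone", t0 + 60)    # attacker with the stolen password
    change_credentials(acct, session, "pwned123", "hacker@example.net", t0 + 120)
    support_ok = support_may_act_for(acct, "me@domain.ext", t0 + 3600)         # owner writes in from the old address
    recovered = wasnt_me(acct, alert["wasnt_me"], t0 + 8 * 3600)              # owner wakes up and clicks the link
    return {"alert_sent_to": alert["to"], "support_recognises_owner": support_ok,
            "link_still_works": recovered, "attacker_sessions_left": len(acct.sessions),
            "email_restored": acct.email, "frozen": acct.frozen}
```

The design choice that matters is that the token is verified against the signed payload, not against the account record the attacker now controls, and that the record keeps the replaced address instead of overwriting it. Both are changes to what the service does with data it already has, not new data it must collect.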

Sit back and relax as your digital identity is being destroyed.

For two days, I wasn’t able to talk to a human from Twitter or Instagram support team. I actually surprised myself repeating that I wish I could talk to a human being. This is so 2016 by the way. That’s the complaint of the digital natives, I wish some human would answer my request.
Of course this happened on a Friday night, which left me the entire weekend for panicking and cursing this kid for the next seven generations (that’s an old trick from the south of France).

I then started to measure the scale of the problem.
I sometimes used Twitter connect to authenticate but not being able to log into my account anymore prevents me from connecting to those services too.
Let’s take Twitpic for instance, I used to use this third party app to post images on Twitter before Twitter allowed uploading pics directly from their interface. I told you I was an early adopter.
I’m now unable to connect to this service and therefore unable to delete the fifteen pages of pictures of myself, nor am I able to revoke this third party application from my stolen Twitter account.

Oh, irony.
“This account had a major role in my credibility as a digital expert”

To be perfectly honest, I never thought 10 years ago that this new Twitter platform would have the success it has today.
When I signed up and created my account — it was in 2007 — nobody was using it and nobody even knew what this was all about.
I was 22, studying at Gobelins school in Paris, and one of my classmates introduced the rest of us to this new social platform that could send a text message when someone you followed posted something on their timeline.
It may sound insane now but back in the day it was possible to set up your account so that you’d receive a text message every time you got a mention.
And this is how my relationship with Twitter started: as a hack.
Remember 2007: Steve Jobs announced the forthcoming release of the first iPhone, Britney Spears started her long and painful breakdown, and texting was utterly expensive. You had to pay for each text message you sent, or for the lucky ones who didn’t have a low-cost-student-mobile-contract, you were allowed 30 text messages a month. A bargain.
Twitter was our way to communicate and work as a team, for free.

Tell me your @ and I’ll tell you who you are

Twitter has now become one of the most popular social networks with about 320 million active accounts and 500 million Tweets sent each day.
It is used by individuals as well as brands, for whom Twitter represents an amazing opportunity to reach out to more and more customers, spread the word by identifying influencers and reduce the barrier between them and their audience. This facilitates communication and understanding of their target audience.
Twitter has been working hard to provide better tools for brands, to help them measure their impact on this social network. Now 60% of consumers expect brands to respond to their query within the hour on Twitter!

Twitter has become a real tool that both brands and individuals use for work on a daily basis. Brands, recruiters, freelancers, event organisers… all types of professionals use Twitter as a more personal version of LinkedIn.

As the years went by I built up a network of friends and professionals — those aren’t mutually exclusive — that I could always rely on when I needed an opinion, a RT, some help, or just a funny gif to cheer me up on a rainy Friday afternoon (I live in London).
I also found my first proper internship thanks to Twitter and even though I can’t say that my Twitter account was 100% professional (although I’m sure cat gifs now count as professional tweets, right?) this account had a major role in my credibility as a digital expert. I mean, I was once called the J.Lo of PHP by one of my followers just because of my geeky SQL themed tweets and my inclination for eccentric outfits. As silly as it sounds, this may have been the catchiest tagline I ever had on my CV.

“Digital companies should know that these flaws in their system will eventually result in a loss for them, business-wise.”

It’s valuable to a business to protect their users’ data in the best way possible

The user flow is indeed broken. Once your account has been hacked, as your email address doesn’t match anymore, there’s nothing you can do to get it back as only robots respond to you (and robots are quite stubborn). The only thing you can do is watch your 10 year digital profile slowly disappear and be replaced with images of Japanese anime, tweets with dodgy grammar — this hurts a lot — and try not to panic too much thinking about the fact your line manager happened to finally follow you two days ago.

I’m a User Experience Architect and I currently work at the BBC. You can imagine how much I consider and value data, specifically users’ data.
My job mainly revolves around finding the best way to display and store data in a way that will not compromise its meaning, in order to enable designing personalised and valuable features for BBC users.
I understand and fight every day at work to make people realise how much users’ actions and history of activities are way more interesting than random old school information such as age or gender, in order to tailor content to any user. This is exactly why Netflix is nailing it by the way.

What happened to me is happening to thousands of people every day.
Actually, the hacker himself is bragging on his Twitter account that he hacked my Twitter and my Instagram.

I told you. Dodgy grammar.

This kid certainly knows some tricks but what he did was quite simple, relatively speaking, compared to the value of 10 years of user data. Not specifically my data; any user’s data.
And our hacker has no clue how valuable user data is — or will be, as service design is shaping the future of technology — but digital companies should know that these flaws in their system will eventually result in a loss for them, business-wise.

All the actions you perform are motivated by something: an opinion, an emotion, a belief… By being able to read the motivation behind an action, products create value. This is basically how recommendation engines are built. Your actions feed the product, and the more complete, clean and accurate the data you provide is, the better the product will perform.

What happened to me is the online equivalent of waking up one morning and going to your office — let’s say a nice boutique perfectly located on Upper Street — and discovering that someone else moved in during the night.
But when you try to call your landlord, an automated message tells you that everything looks fine, there’s the current tenant’s name on the door bell, and hangs up. You’ve basically been erased.

“How can you prove that you are yourself when everything which is required to prove your identity can be stolen or counterfeited?”

Knock, knock.
Who’s there?

You’re hanging around there and you can’t get home anymore.
Yes, it sounds like a bad joke.
So how could we make it better for the user?
How can you prove that you are yourself when everything which is required to prove your identity can be stolen or counterfeited?

Naoki Hiroshima’s story — and a few others I stumbled upon as I looked on the internet to find similar stories to mine — shows that giving more personal or sensitive information about yourself to services will not help prove it’s you. The human factor has weakened this process, and it makes social engineering all the more powerful.
On the other hand, all I wish for today is to explain my situation to a non-binary human being; the human factor here would definitely be a strength to help me get my account back.

How do we find the right balance between the rigidness of robots & coded processes, and the empathy of human beings?

Other big companies, such as Facebook for instance, on top of notifications and 2 factor authentication, allow you to select some of your friends to vouch for you in case you can’t access your account anymore.
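The “friends vouch for you” idea is a threshold scheme: the owner has to collect recovery codes from k of the n contacts chosen in advance. Below is an added example of that mechanism written for this page; it is not Facebook’s implementation, and the contact names, threshold and code length are constructed assumptions. Each recovery attempt issues fresh per-contact codes, the server stores only salted digests of them, the same contact cannot vouch twice, codes are single-use, and repeated failures lock the recovery channel.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

THRESHOLD = 3        # contacts that must vouch (constructed; the real k is a product decision)
MAX_CONTACTS = 5
MAX_ATTEMPTS = 5     # failed submissions before the recovery channel locks


def _digest(salt: bytes, code: str) -> bytes:
    # Store only a keyed digest of each code, so a leaked record does not leak the codes.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


@dataclass
class RecoveryAccount:
    handle: str
    trusted_contacts: list
    salt: bytes = b""
    pending: dict = field(default_factory=dict)   # contact -> digest of the code sent to them
    attempts: int = 0
    locked: bool = False


def enrol(handle: str, contacts: list) -> RecoveryAccount:
    """Chosen while the owner still has access; distinct contacts, at least THRESHOLD of them."""
    if not THRESHOLD <= len(contacts) <= MAX_CONTACTS or len(set(contacts)) != len(contacts):
        raise ValueError("need between THRESHOLD and MAX_CONTACTS distinct contacts")
    return RecoveryAccount(handle, list(contacts))


def start_recovery(acct: RecoveryAccount) -> dict:
    """Issue one fresh code per contact. Returns {contact: code}, i.e. the messages that would
    go out to each contact through their own channel; the server keeps only digests."""
    if acct.locked:
        raise PermissionError("recovery channel locked")
    acct.salt = secrets.token_bytes(16)       # new salt per recovery: old digests become useless
    acct.attempts = 0
    codes = {c: secrets.token_hex(4).upper() for c in acct.trusted_contacts}
    acct.pending = {c: _digest(acct.salt, code) for c, code in codes.items()}
    return codes


def complete_recovery(acct: RecoveryAccount, submitted: list) -> bool:
    """True when codes from at least THRESHOLD *distinct* contacts are presented."""
    if acct.locked or not acct.pending:
        return False
    vouched = set()
    for code in submitted:
        d = _digest(acct.salt, code)
        for contact, expected in acct.pending.items():
            if hmac.compare_digest(d, expected):
                vouched.add(contact)               # a set, so one contact counts once
    if len(vouched) >= THRESHOLD:
        acct.pending = {}                          # single use: codes die with the recovery
        return True
    acct.attempts += 1
    if acct.attempts >= MAX_ATTEMPTS:
        acct.locked = True
        acct.pending = {}
    return False


def demo() -> dict:
    """Constructed walk-through: two codes are not enough, the same friend twice does not
    count, three distinct friends unlock the account, and used codes cannot be replayed."""
    acct = enrol("@abcd", ["ana", "ben", "chloe", "dan", "eve"])
    codes = start_recovery(acct)
    return {
        "two_codes": complete_recovery(acct, [codes["ana"], codes["ben"]]),
        "same_friend_twice": complete_recovery(acct, [codes["ana"], codes["ana"], codes["ben"]]),
        "three_friends": complete_recovery(acct, [codes["ana"], codes["ben"], codes["dan"]]),
        "replay": complete_recovery(acct, [codes["ana"], codes["ben"], codes["dan"]]),
    }
```

The threshold is what turns a social relationship into a check the service can evaluate: one compromised or tricked friend cannot hand the account over, and the codes are worthless outside the recovery they were issued for.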

In another article I read, the author — possibly Mat Honan — got his Gmail account hacked and wiped, amongst other even more upsetting things.
Fortunately, Google allowed him to get his account back by asking him a long list of specific questions about how he had been using his Gmail/Gdrive account.
The whole process is explained in this article.

“I guess the lesson is learned.”

Yesterday, thanks to my network and the help of my Twitter followers who reported my account as hacked, I finally got a human answer from Twitter, and I got my account back.
I lost all my tweets in the fight, and all the people I followed — a 10 year history, and as much time spent curating sources to keep on the cutting edge of technology — and I doubt anybody will ever be able to help me restore them as my hacker used third party apps to delete everything, 3,200 tweets at a time.
Most importantly, I got my account back and I will be able to run my workshop at EuroIA #euroia16 later this week, without the risk of seeing inappropriate tweets popping on my feed. I’m the only one to blame for my loss of credibility from now on :)

As for my Instagram account, I haven’t heard back from anyone so far — either robot or human.
I wasn’t using Instagram on a professional level but I used to follow people who did or who ran a business through Instagram. I’m wondering what the loss would be for these professionals after a few days of hacking and no reply from the company, and therefore, how the process could be improved for them.
Anyway, this reinforced my idea that memories are safer in your mind or in a physical box than in a Cloud.
This misadventure also convinced some of my followers to invest in a more secure solution for their passwords, such as 1Password or LastPass, and to turn on 2 factor authentication everywhere they could. I guess the lesson is learned.

I also asked my host if I could access my webmail’s logs in order to have some proof when reporting the crime (hacking a webmail is a crime that you can — and should — report).
So far they didn’t provide me with anything but told me that “human factor was certainly responsible for what happened”, that I “must have clicked on a phishing email and given away my credentials”, and that I “should learn good practice on the internet” and “pick a password matching the conditions”.
I mean, of course, blame it on the user.

“It’s mainly a matter of making the most sense of the data you own.”

How to design a cyborg

Acquaintances, human relationships and personal habits seem to be our best guess to bring our real-life identity to our digital presence.
If a man is the sum of his actions, it sounds legitimate to consider our online habits and history of activity to help define — or here, prove — our digital identity.

Companies like Twitter or Instagram own the data that would enable them to design the right solution. The right balance between human empathy and robot rigidness. It’s mainly a matter of making the most sense of the data you own, and this is exactly what User Experience Architecture is about.
