From LINE to Facebook, security professionals reveal how to take over SNS - Weekly ASCII
Is the number of damage unknown? LINE hijacking case
Yazaki: Mr. Mikami's TV exposure has increased in terms of SNS and security. If you search for LINE on the Internet, you will find more stories about Mr. Mikami's takeover than LINE itself. LINE itself has become commonplace, but in this hijacking case, it was sought after by the radio on TV, and even the theory that "Mr. Mikami was actually the culprit?" has emerged (laughs). Mikami: When I took an interview in the conference room of a TV station, the back was dark and the lights were licking from above, so when I talked with it, I looked like a criminal. Yazaki: So, it's a "slightly good scam" that far surpasses LINE's Oreore fraud, but how did you come up with that procedure, Mr. Mikami, the criminal? (Laughs) Mikami: Even if I ask you (laughs). But it's strange that it never happened before. It's not that difficult, and in an era when password lists are out of the question, everyone can do it ... but LINE is the easiest to do. Yazaki: What was the actual scale of damage? Mikami: The LINE side doesn't give out the numbers. Normally, I announce that there was an unauthorized login and that tens of thousands of accounts were created, but I do not announce only LINE. At the same time, mixi and Nico Nico Douga were killed and the number exceeded 100,000, so I think that there are probably more than double the number of members, 200,000 or 300,000. Yazaki: That's only in Japan, isn't it? Mikami: Yes, I don't hear much overseas. Yazaki: On a scale, has it exceeded the scam? Mikami: The amount of damage is much higher for the Oreore fraud, but the number of people killed may be large. Yazaki: It's the low threshold that made LINE so popular. At the cost of this, there was a trade-off in terms of security. What is the ideal balance between ease of use and security? Mikami: I say "let's do this" in various places, but I can't protect it and no one is listening. Even if you say that you should give passwords individually, not everyone actually does it.
Yazaki: I don't do it, and in the end, I don't know how to increase the number of LINE members if I strengthen security. Isn't it really easy to register by phone number? I think security and ease of use are a trade-off because it is closed. Mikami: It's no longer possible to take measures on the human side, and I wonder if we have to create a system or software that can protect the security. Also, I think one measure is not to register important friends in LINE. Yazaki: A messenger may be a really important person.
What is the method of hijacker?
Yazaki: Here, I would like to look back on the takeover of LINE. Mikami: The only trick was "Please buy an iTunes card", but the version has already changed. They are also brushing up their tactics, for example, the Oreore fraud type.
"Where is the truth about the LINE takeover that still continues?"
"Oreore fraud type LINE takeover"
Yazaki: Originally, I feel like it's a fraudulent type. Mikami: It's more of a fraudulent type. It's the same as starting with "Is there time now?", But "My father had an accident. Now, on my way to the hospital, I don't have enough medical expenses, can you lend me 100,000 yen?" Please transfer it. " The great thing about this is that you take a passbook and expose it.
"How, expose the Japan Post Bank passbook"
Mikami: And Japan Post Bank's cash card. The criminal says, "Deposit here." Yazaki: Isn't it sticking to your feet?
"Oreore fraud type LINE takeover"
Mikami: There was a Chinese person who worked for a shipping company at this address. However, when I actually went there, I had already returned to Japan. In other words, it seems that he opened a Japan Post Bank account in Japan and brought it back to China or his own country. Well, I searched with the TV program up to that point. Yazaki: You chased after that. Mikami: I was trying hard to do an interview on the TV program, but I couldn't do it because I was asked to forgive me. You're crazy, you're exposing your address, right? Since the Oreore fraud is coming so much, it may be that the Oreore fraud group is embarking on the LINE side. Yazaki: I see, is it an advanced version of the Oreore fraud? Mikami: That's right.
"LINE hijacking method"
Mikami: The first LINE hijacker's mouth is information leakage. There was a lot of information leaks last year, and 20 million accounts such as Yahoo! and OCN have been released in the last year alone. At that time, the news said something like "1 million cases were leaked. According to Yahoo!, it is encrypted, so there is no need to worry about being hijacked." However, it's actually a hash value, not an encryption. Yazaki: Hash value? Mikami: The hash value is the result of the calculation in the password. In other words, it is the hash value that you can tell that the password is the same if only the calculation method is common and it matches. So you really shouldn't be able to go back from the hash value to the password. However, when 1 million cases are leaked, everyone is using a password called "123456". Then, a number of common hash values came out, and it was revealed that this was a password that I often use ... Yazaki: It will be analyzed! Mikami: And I understand the calculation method. Then, in the example so far, 70 to 80% of the passwords can be restored. It is not possible to return from the hash value in the calculation, but it can be understood from a large amount of statistics. Yazaki: Do you have such a tool? Or is it a brute force? Mikami: I think it's a brute force attack. So, if you do that, the passwords that Japanese people often use will be listed. For Americans, the password is most often "password", but for Japanese, it is probably "123456789". That's how it's listed, but it's already dangerous from here.
"The reason for being hijacked is to reuse passwords"
Mikami: Based on that password, I will also do other sites. For Yahoo! and OCN, you can rest assured that you will be asked to reset and reset your password if it leaks. However, even if the leaked site is okay, other sites are dangerous. I know that it was leaked from a certain service, so if I log in to LINE, mixi, or Nico Nico Douga with that password, it may happen by chance. Yazaki: By chance, it's quite difficult to put all the different passwords in your head on a site that you generally use as a matter of fact. Mikami: It's impossible, it's impossible. Impossible. So, in that case, you have to write it on paper, use Excel, or use password management software.
Is taboo recommended now? How to manage passwords
"Preliminary survey of login on PC"
Yazaki: You say it's the worst thing to write your password on paper, right? Mikami: In the old days. People said, "What would you do if you brought what you wrote?" Or "If Excel is infected with a virus, it's no good." But which is safer? Is the risk low? It changed. I'm afraid that it will be leaked due to a virus infection, and I'm afraid that it will be done by reusing passwords, but considering which is the lower risk, it is actually less risky to write it on paper. It's better to reuse the same password and be attacked. Yazaki: Writing on Excel or sticky notes has been taboo, but it's still safer than using the same password. Mikami: It would be great if we had done so far, such as not knowing even if we could see it because we made a random number table by ourselves, but everyone can't do so. In that case, I have no choice but to write it or make it an Excel list. Yazaki: I think there are a lot of people who use the same password. Even entering the password in Excel is a bit difficult, isn't it? Mikami: Well, it takes time and effort. The best is password management software, but most of them are charged, so it's difficult to know what to do. Yazaki: Satoshi Endo of the Kadokawa ASCII Research Institute was written in the Weekly ASCII magazine, "What about passwords?" In the first place. Passwords have been around since the computer was created, and there was a concept of login even before the network started. With such advanced technology, there is also fingerprint authentication on the iPhone, but isn't this also a password after all? The technology of personal authentication itself hasn't made much progress, just by registering fingerprints to avoid entering passwords. Mikami: Vocal cord authentication was also copied after all, and even with Touch ID on the iPhone, you can copy it with something like a gummy candy. At this point, it has become philosophical, and who is the person who authenticates himself? That's right.
So I think we have to think about the system there.
Why did the hijacker's Japanese improve?
Mikami: I think many people now get the message "Could not log in to the LINE web store." Yazaki: It sounds like a note from LINE. Mikami: This is because the criminal is conducting a preliminary investigation. There is a list of IDs and passwords that you have obtained, and your PC's automation program will first check if they match. The LINE web store is a system for logging in from a PC. Yazaki: That's right. Mikami: Since it can be viewed from a browser, it can be easily attacked with an automated program. In this way, we will conduct a preliminary survey, and only those who have the same ID and password will be hijacked after this. Most people think it's just a message that they couldn't log in, but an acquaintance said they were hijacked shortly after the message "logged in" came. Yazaki: If you say "You have logged in", you will be hijacked! It has nothing to do with replies or reactions anymore. Mikami: At first, I may have been using an Android device, but I can't make it in time, so now I'm using an Android simulator on Windows or Mac. Since the LINE app runs on the simulator, I am doing it from a PC, and I can see that from the hijacking script I got at Weekly Asplus. Yazaki: The script was written in Chinese, but the criminal was copying it.
"Weekly Asplus Article (script of LINE hijacker)"
"1st page of script"
Mikami: At the beginning, the notation was more disjointed. Some people wrote "convenience store", others were "kosobini", half-width characters were mixed, and Japanese was more suspicious, that is, they were handmade. If it is copy and paste, the characters should be unified. By the time the script was discovered, the text had become very sophisticated, all in the same text, and in Japanese. Thanks to the script, I think I've become better because I made it a system that runs the simulator on the PC I mentioned earlier and brushed it up. Yazaki: You can now have a conversation. "Let's get married" "Where are you going to have a wedding?" (Laughs).
Why China is not in the IP address of the hijacker
"IP address all over the world. No China"
Mikami: Regarding the IP address of the hijacker, a certain TV program collected about 100 and mapped it to a map. Then, from all over the world such as Indonesia, Egypt, Peru, Brazil, Spain, Venezuela and Europe. Yazaki: All over the world? Mikami: Almost every country. However, it wasn't only in China. Yazaki: Why is that? Mikami: There are two possible reasons, one is that LINE may be restricted and inaccessible in mainland China. Second, because the criminal is in China, he wants to hide his presence in China. It is not sent from all over the world. There are PCs that have been hijacked around the world, and we use them as a foothold to send them. Yazaki: I see. It's a high-tech crime, not a laugh. Mikami: It seems that the basics of hacking have been properly established. Yazaki: Mr. Mikami has become worried, isn't he targeted? Mikami: It's dangerous because there is a story that I can explain it (laughs). Someone investigated this, and when he said, "I put in four digits for the PIN code, it's okay," he said, "I also tested it, but it has a hole." There is a limit of 10 times even if you make a mistake in the PIN code. However, it will be canceled after 1 hour, so you can try 10 times every hour. Yazaki: Then you can try a good number. Mikami: Since it is 4 digits, there are up to 10,000 ways, so it can be solved in 1000 hours at the longest. But you don't have to do it all, it should be pretty good if you put your birthday first. Yazaki: Do you know your birthday information? Mikami: Even if there are 10,000 ways, if you first enter only the numbers for 365 days instead of doing from 0001 to 9999, you will win quickly. If you start with the numbers that are often used, it won't take long. Even if it takes 1000 hours, it's okay because it's actually running on a PC. Yazaki: Security cannot be maintained as long as it is a PIN code. But at least I should stop the date. Mikami: It's better not to use dates or serial numbers. And the phone number.
Evolving hijackers' tricks every day
"The new trick of LINE is probably half a lie"
Mikami: There is a new method of LINE in the article that is currently being talked about. Yazaki: Do you still have it! Mikami: This is a method in which the address book is pulled out and threatened by taking over LINE. Yazaki: Is it a threat from an acquaintance? Mikami: A threat comes, saying, "I took your address book." Yazaki: It's a threat from the criminal. Mikami: This is a hot topic, but it's probably not a takeover. The fact that the address book is pulled out of the app and threatened is an adult scam that has been around for a year. A message comes from a person with a cute girl icon on LINE, and he says something like "Why don't you exchange a little naughty video?" So, we send videos to each other, but they say, "This app allows you to exchange messages with each other, so put it in." When you put that app in, all the address books are pulled out. Yazaki: You're actually overtaken, right? Mikami: It will be pulled out. Then, an image of proof is sent, saying, "I've pulled out your address." "I will expose the video you sent to all your friends. If you don't like it, pay 200,000 yen." In fact, the victim called me for a consultation. Yazaki: Not the police first? (Laughs) Mikami: The police told me that I had no choice but to ignore it. But I was told that I could pay 200,000 yen by 10 am, so I got a call at 8 am. Yazaki: Wow, sorry ... Mikami: It can't be helped when asked "What should I do?" "It's a video showing your local area, but think twice. There are tens of thousands of AV actresses in Japan, and they are alive, so you have no choice but to give up." I had no choice but to change the phone number instead of changing the model. Yazaki: Certainly, if you change the phone number, you will not be able to send it. Mikami: You should never deal with fraud. The other party is ignored. Yazaki: You haven't actually been exposed because the measures weren't in time, right? Has the damage been spread? 
Mikami: I haven't contacted that person since then ... How about that? Yazaki: If that happens, it's a crime again, isn't it? It's blackmail. Mikami: As with the current example, groups such as Oreore fraud and adult fraud are beginning to abuse LINE. Because LINE has become a tool that makes it easy to approach people. Yazaki: Also, I don't know if the word "low literacy" is appropriate, but it's used by people who aren't aware of it. In short, men and women of all ages use it to the extent that it becomes a social infrastructure, so it's easy to be targeted. Mikami: Everyone has it, so I'm really scared. Yazaki: No matter where you go, the first question is "Are you doing LINE?" Even in a cabaret club (laughs).
Anyone can do it? How to take over in 30 seconds
"Bonus: LINE hijacking of cheating investigation?"
Mikami: Here's an extra story. For example, the editor-in-chief of Weekly Risky was having an affair. If I were her, she would squeeze in, "She must be playing with a woman, so show her your smartphone's LINE!" So, if you lend your smartphone here for about 30 seconds, you can take over LINE. You don't need an ID, password or PIN code, just rent this device for 30 seconds. Yazaki: Hmm? what do you mean? Mikami: It's very simple and uses SMS authentication. SMS authentication is to check if the phone number is valid. Since the phone number and the 4-digit PIN are linked, send it from another smartphone or PC, and when the PIN arrives, delete it at a glance. If you return it, you can see it from the sending terminal. From now on, LINE may be hijacked by a wife who is suspected of having an affair, such as an affair investigation or a stalker. Yazaki: But isn't it a crime to take over LINE? Mikami: I think it will be an unauthorized access prohibition law. Yazaki: Is it a crime for your wife or girlfriend? Mikami: It may be subtle if you are a wife. Yazaki: You have to go to the law for Mikami-san's knowledge (laughs). I even receive telephone consultations for the victims. Mikami: You expose your phone number to the internet. Well, the person who calls me is a busy person. He can't tell the police very much, or he told the police but he couldn't get the other person. Yazaki: What else? Mikami: There was a person who was hijacked by Facebook and used a credit card. It's really a mystery, but it was a very complicated pattern of consultation where my Facebook account and credit card were stolen at the same time. Yazaki: Although LINE is the most dangerous, Facebook is also targeted, but is it different from the criminal of LINE? Mikami: It's completely different from what you're feeling now.
Facebook hijacking ads easier than spam ads
"Ray-Ban Promotion Credit Card Registered without permission, Nightmare Facebook Takeover"
"Spam on fake Ray-Ban mail order site"
Mikami: As an example of Facebook hijacking, there was an advertisement called "spam of fake Ray-Ban mail order site". Since the price is 2500 yen, you can tell that it is a lie just by looking at it, but this advertisement appears in the user's name. Normally, I think I was hit by a spam app, but when I asked that person, it was a takeover.
"Ray-Ban Spam was a takeover"
Yazaki: I don't understand that the advertisement will be displayed by hijacking. Mikami: It seems that the hijacked person received a message from Shenzhen, China, saying that he had successfully logged in. I logged in there and wrote an advertisement without permission. What's more, what I did when I logged in was to write this fake Ray-Ban advertising site with a personal account on that person's Facebook page.
"Hiroshima is a famous fake mail order site with an address"
Mikami: It's actually the destination, but it's a self-made site, and the Ray-Ban logo is also bogus, and VISA and JCB are written, but this is also a lie. I had an address in Hiroshima, and when I looked up this address, it was a site that was registered at the Consumer Center as a vicious mail order. From the beginning, fake mail-order scammers hijacked their Facebook accounts just for that. Yazaki: What is their income? Mikami: Just advertise. For example, let's say you hijacked Mr. Yazaki's account. In Yazaki's name, write "Ray-Ban's recommendation is this" and "It's cheap here". Then, Yazaki's friend went to buy, thinking, "Is it true if Yazaki says it?" I just want to increase sales like that. Rather than advertising in spam emails as before, let's take over. Thinking this way, you can see how easy it is to take over. You can do it because the cost of hijacking is low. Yazaki: The cost is low, and the psychological effect of being introduced by people on Facebook is also high, isn't it? Mikami: This hijacking is due to a password list attack, that is, users reusing the same password. At the same time, there are spam apps, so be careful.
Is it useless to change the password frequently?
"Hootsuite hijacking case"
Mikami: Twitter hijacking isn't a topic, but I hear it from time to time. I also got a sub-account. It was not from Twitter itself, but from client software called "Hootsuite", and because it could be managed with a unique password, the ID and password were removed, and there was an incident in which English direct mail was scattered on Twitter. It may be better not to use very strange client software. Yazaki: Hootsuite isn't strange software, isn't it? Mikami: Hootsuite is okay, but if the client software is your own account, you have to manage that too, right? It would be nice if it was linked to Twitter. Yazaki: Isn't it extremely difficult to get a new ID and password? That's why most services allow you to log in with your Facebook or Twitter account, and then your Google+ account. Is there a security issue in itself? Mikami: If there is one reliable ID or password, sharing it is a precautionary measure. It's okay if you can trust it completely and you can't take over. You don't have to use a lot of accounts and it's more reliable. But if one is done, all will be done. Yazaki: So the main thing you use is to change your password frequently? Mikami: The act of changing a password is useless, and it is a very meaningless method. I have to make a long password that is more complicated than that. The reason why you shouldn't change it is that you can change it separately. It doesn't make it less secure, but what do you do when you change it? Yazaki: Resetting is troublesome and resets. Mikami: If you make an effort to change it, you should make an effort to separate it one by one. Yazaki: I think LINE also said, "Please change your password." But everyone doesn't know how to change their password. The article on how to change passwords was a tremendous number of accesses, but I searched for "How to change passwords". Mikami: Then I'll write it in another medium (laughs). Yazaki: Also, what happens to the LINE stamp if you change your password? 
Mikami: You've done well in that area, though it's likely to be fraudulent.
A suspicious vendor selling accounts and followers
"Follower distributor, suspicious vendor"
Mikami: There is a ridiculous site that asks, "What are these guys doing?" It is a service that sells Japanese followers and acts as a retweet or retweets your tweets 10,000 times. Yazaki: You have various accounts, don't you?
"Sales of authenticated accounts with phone numbers??"
Mikami: This is more suspicious. You can see the "Like! Increase" on Facebook. But what is a Facebook mobile phone number verification account? Yazaki: For those who don't have a mobile phone? Mikami: The fact that your mobile phone has been authenticated means that you have a mobile phone with an existing account. We sell even such things. Yazaki: Do you mean selling mobile phones together? Mikami: No, the mobile phone has been authenticated, that is, the account that has been pulled out is sold. Yazaki: But there are vendors because it is profitable. Mr. Mikami has great knowledge about this, but isn't his heart shaken by saying "I like it"? Mikami: No (laughs). But, about 10 years ago, there was a writer in the same industry. A person who writes about security, how to deal with fraud, writes a manuscript even in a bookmark of a famous consumer organization, and appears on TV, which is famous for safe use of the Internet. And that person was a member of the Oreore fraud. Yazaki: Well, there are quite a few cases where police officers are thieves, crackers are police officers, and so on. Leading crackers work for security companies, or instead of arresting them, get a job in national information security measures. It's not Mujina in the same hole, but it's close.
Mikami: I'm scared because if I think about how to do it every time various incidents occur, I can do it. Yazaki: However, there are various businesses ... because the number of YouTube views has increased and my heart is shaking! (Laughs) Mikami: It means that the view of this YouTube live will go up with a bean. For about one tenth of the exhibition fee at the Weekly ASCII booth at CEATEC, you can increase your YouTube live view by about 10,000. Yazaki: That is more effective, isn't it? Mikami: I'm motivated (laughs). Yazaki: We won't do it, but that kind of business really does turn out to be viable, doesn't it.
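How to manage passwords so you don't get hijacked
"Summary of countermeasures"
Mikami: Let's summarize the countermeasures. For LINE, ultimately the point is to stop registering an email address. Yazaki: So it's bad that the email address is the ID. Mikami: With LINE, if you don't register an email address you can't change devices, and you can't access it from a PC either. It's very inconvenient, but you will almost never be hijacked ... or rather, absolutely never. If it did happen, it would be about the level of LINE headquarters doing it directly. So this may be the best option. Yazaki: When changing devices, do you do only SMS authentication and not register an email address? Mikami: If you do that, you lose your existing friends list. So set an email address and password only when changing devices, and remove them again once the change is done. Yazaki: Can't LINE do something like backup and restore on its side? Mikami: You need an ID and password to do that. Yazaki: The lack of a backup-and-restore concept becomes an obstacle to changing devices, doesn't it? Mikami: Originally, LINE ties one account to one device. Yazaki: That's right, it used to work on tablets too, but they stopped that. Mikami: It's different from ordinary apps, so there are the security holes I mentioned earlier, and there are parts that haven't been put in order yet. Yazaki: Thinking about it that way, Facebook is easier. But everyone thinks LINE is easier. Mikami: From a smartphone point of view, yes. Everyone, please set up two-step verification. Twitter, Facebook, and Gmail. Gmail is what you use most, so if your email address is compromised, everything is compromised. Also, don't reuse passwords. On the premise that you can't remember all your passwords, write them in Excel. Yazaki: Or password management software. Is there any software you recommend? Mikami: I think it's "1Password". It partly supports smartphones too, but it's basically for PCs. I'd like you to do this. Yazaki: What was eye-opening for me today was the method of saving passwords in notes or files. It was considered the biggest taboo, but I learned that reusing passwords is so dangerous that this is actually the better option. Mikami: I'm currently running a "let's stop reusing passwords" campaign. Yazaki: Even on a PC connected to the net, a file kept locally or a note stuck on the display doesn't travel the sea of the Internet. But passwords and IDs are used with all sorts of services, so they travel the great ocean of the Internet. So they could run into pirates at any time, is that what you mean? Mikami: The iCloud photo leak incident is said to be a case where secret questions and answers were found out, but if you have the mindset of managing passwords properly, it leads to thinking like "let's take better care of iCloud (where the personal photos are)", so making each password different one by one is really important. Yazaki: Hijacking and countermeasures are a game of cat and mouse, so there's no telling what kind of consultation calls Mr. Mikami will get after this (laughs). Mikami: So far it's still only about money so that's fine, but I'd hate to get a consultation where someone feels their personal safety is at risk. Yazaki: Also, I'm worried that you might be targeted by the criminals for this kind of security awareness work. Mikami: I'd hate that too (laughs).
Yo Mikami, IT journalist. He specializes in security, mobile phones, and smartphones, and frequently appears as a commentator on TV. He hosts "UstToday", a long-running program that has continued since the early days of Ustream.
This conversation was edited from the "Weekly ASCII YouTube Live" program streamed from the Weekly ASCII booth at the CEATEC 2014 venue.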