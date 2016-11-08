Picture the scene: all of your conversations are recorded, from what you say in meetings at work, to complaining about colleagues with your closest friend, to ordering curtains over the phone. The audio files are locked in a filing cabinet at home and only you have the key.

One day, much to your surprise, a uniformed representative of the cabinet-maker shows up at your flat. “Bad news,” he tells you. “We had to stop a Russian-looking guy from opening your cabinet. He had a copy of your key. Give me your old key and we’ll start refitting the lock.” The representative seems confident, concerned for you, and looks the part.

John Podesta, chairman of Hillary Clinton’s presidential campaign, was faced with a scenario like this in March but details have only recently surfaced. It didn’t involve recordings of conversations stored in a filing cabinet, of course, but years of online conversations in his Gmail account. Instead of an in-person warning, it was an email with the subject line: “Someone has your password”.

The message looked like it came from Google. It explained that someone in Ukraine had attempted to log into his Gmail account but Google had stopped them. “You should change your password immediately,” the message advised, offering a large, “CHANGE PASSWORD” button in Google blue. It would be tempting to click it, even though we’d never be so willing to hand over the keys that protect years of private daily dialogue.

It seems highly likely that Podesta clicked the button. It led not to Google but to a webpage the attackers controlled, a fairly plausible fake of Google’s password-change page; entering his current password there handed the attackers access to his account.

The campaign chairman’s emails, released in batches by WikiLeaks, have significantly shaped the US presidential race in its final month. Private conversations on strategy, and details of Clinton’s controversial paid speeches to Wall Street banks, provided fodder for headlines and presidential debates. Also in the leaked messages were passwords to other accounts, opening up Podesta to further attacks, not least because of their predictable formulation.

For me, an enduring message from this episode will be how even high-profile, high-value targets can be brought down by “phishing” attacks that trick them into revealing their credentials. Modern cyber attacks often turn on increasingly sophisticated social engineering of this kind. It’s more a battle of psychology than technology.

One reason attacks that rely on our online impulsivity are so successful is that hacking has an image problem. Like many people, when Podesta’s emails surfaced, I assumed that the programming equivalent of advanced particle physics had occurred. In my head was a stock image of hacking: a young man wearing a hoodie slumped over a laptop in a dark room. On the screen, zeros and ones stream down in green font on a black background. In this Matrix version of hacking, victims are helpless.

But Podesta was probably phished. To his credit, he forwarded the dubious email to his chief of staff. She forwarded it to their IT help desk. Unfortunately, their IT colleague replied with: “This is a legitimate email.” Despite being wrong about that fact, the IT worker then partly did the right thing. He urged Podesta to change his password and turn on two-factor authentication. He failed, however, to warn against the inviting blue button. The fakery of the button could be seen in its web address: it was a bit.ly link, a shortened URL that masks the address of the page it actually leads to, which is exactly what a spoofer wants. The URL of the page it redirected to was also a conspicuous fabrication, an imitation of a Google address rather than a real one. The safe course was to ignore the button altogether and go to Google’s account settings directly.
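The two tell-tale signs described above, a shortener that hides the destination and a landing page whose address only imitates google.com, can be checked mechanically before anyone clicks. The following is an added example written for this page, not code from the author or from the campaign’s help desk; the sample links are constructed stand-ins and are not the actual URLs from the Podesta email, and the rule that a genuine link must sit under google.com is an assumption made for the example.

```python
"""Added example: flag the kind of link the phishing email above contained.

Signals checked:
  * the link goes through a public URL shortener (bit.ly etc.), so the
    real destination is hidden;
  * the host is not really google.com, even if it begins with
    'myaccount.google.com' (the suffix, not the prefix, decides);
  * the URL carries 'user@' userinfo, a classic way to make a link read
    as google.com while pointing elsewhere;
  * the link is not https.

All sample URLs below are constructed for illustration (note the reserved
.test domain); they are not the links from the real email.
"""
from urllib.parse import urlsplit

# Common public URL shorteners: a link through one of these tells you
# nothing about where you will land.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

# Assumption for this example: a real Google account-security link lives
# on google.com or one of its subdomains.
LEGIT_DOMAIN = "google.com"


def host_of(url):
    """Lowercase hostname of url, or None if there is none.

    urlsplit().hostname already drops userinfo and port, so
    'https://google.com@evil.test/' yields 'evil.test', not 'google.com'.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def belongs_to(host, domain):
    """True only if host is domain itself or a real subdomain of it.

    'myaccount.google.com'               -> True
    'myaccount.google.com.attacker.test' -> False (wrong suffix)
    'notgoogle.com'                      -> False (no dot boundary)
    """
    return host == domain or host.endswith("." + domain)


def classify_link(href):
    """Return the list of reasons a link is suspicious.

    An empty list means the link at least points at google.com over https;
    that is necessary for a genuine link, not proof of one.
    """
    reasons = []
    parts = urlsplit(href)
    host = host_of(href)
    if host is None:
        return [f"no host at all (scheme {parts.scheme!r})"]
    if parts.scheme.lower() != "https":
        reasons.append(f"not https (scheme {parts.scheme!r})")
    if "@" in parts.netloc:
        reasons.append(f"userinfo before the host hides the real host {host}")
    if host in SHORTENERS:
        reasons.append(f"URL shortener {host} hides the real destination")
    elif not belongs_to(host, LEGIT_DOMAIN):
        reasons.append(f"host {host} is not under {LEGIT_DOMAIN}")
    return reasons


# Constructed sample links (not the real ones) covering each signal.
SAMPLE_LINKS = {
    "shortened button link": "https://bit.ly/xxxxxxx",
    "lookalike landing page": "https://myaccount.google.com.account-security.test/ServiceLogin",
    "userinfo trick": "http://myaccount.google.com@account-security.test/",
    "prefix trick": "https://notgoogle.com/security",
    "genuine-looking link": "https://myaccount.google.com/security",
}


def report(links=SAMPLE_LINKS):
    """Map each label to its list of reasons, for a quick triage view."""
    return {label: classify_link(url) for label, url in links.items()}


if __name__ == "__main__":
    for label, reasons in report().items():
        verdict = "SUSPICIOUS" if reasons else "looks plausible"
        print(f"{label}: {verdict}")
        for r in reasons:
            print(f"    - {r}")
```

The suffix check in belongs_to is the part people get wrong: a string that merely starts with, or contains, google.com proves nothing, because the attacker owns the right-hand end of the hostname. A clean result from classify_link still only says the link is not obviously fake; the habit the text recommends, of not clicking and going to the site directly, remains the real defence.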

I find it insane that someone who’s such an obvious target wouldn’t have two-factor authentication on his email. If he had, the stolen password alone would not have been enough: an additional code, sent to or generated on his phone, would also have been required to get into his account. And yet here is an email from March 2016 asking that the campaign chairman of the Democratic candidate turn on this security measure only then.

In a way, I’m glad to have an outsized example of the potentially global implications for email security and the importance of increasing awareness about the nature of phishing threats. But, truth be told, I’d be even happier if we didn’t have it.

lisa.pollack@ft.com

Twitter: @LSPollack