Teaching Children Account Security

Lessons learned from the compromise of a child’s account
This post was originally drafted in 2020. My attention to this blog fell off during the last couple of years and I’m working on doing more of it. Hopefully, this blog will be a place I use for that, and some others will benefit or at least find it enjoyable.

We had a bit of an incident on Sunday, July 26th. After successfully playing Fortnite earlier in the day on their Switch with friends, junior went to play again later in the afternoon. The Switch prompted them to log in again and then said the account was locked (encrypted too) when they tried. They looked at more info and saw a message that the account had been disabled for violating the terms of service (I’d paraphrase those here, but who ever reads those things?).

So, naturally, they came to Dad. We quickly went through a history of actions taken that may have violated the terms of service: did you use any codes you found online in those videos? Do any of your friends or family have your Nintendo account login info? I checked my email and, sure enough, had a notification about a login to their account happening around noon, from a device and browser that neither of us was using. Clearly, something had happened to the account. I checked the mail account they use in haveibeenpwned: nothing (I do regularly monitor all family email accounts, so this was more of a formality). I logged into my account, which is the main account for the family, and there their account was listed as unusable. It was time to triage the account and review account safety with them.

Now, before you all start thinking I’m the InfoSec parent that makes everything a lesson, and that this was not likely the time to preach about the weakness of the user, how you must learn better habits, and all of the other evangelizing we can be guilty of: that’s not what we did. We did a review of what they had done for their account. I had a “user” that was being victimized. It was time to also be Dad, the Professional (not Jean Reno’s Professional, though I wish I were that character to hunt those that had gone after my child’s account. That or Liam Neeson).

The first thing, after reviewing the activity and whether anyone else had account access, was to go over the account itself. Did you ever share the password with anyone? Is it the same password that you use on any other accounts? Is it one of the passwords from your password manager? Did you enable 2FA on it, as we discussed? The thing to know, and a point of pride for me, is that when they started to create their own accounts, we discussed best practices: passphrases being better than passwords, and not repeating them on other accounts. A few years ago, I added them to the family plan for the password manager and taught them how to use it. I always worked with them whenever they wanted to create an account, so they learned the process, and so that process became the default way of creating their accounts.

Instead of teaching the random password generator, we started with making sure every account has its own, unique password; not even passwords, but passphrases. They understood this and did well creating passphrases that were unique, weren’t easily guessed based on them, and went for length over complexity. Then we would enter their new passphrase into the password manager and practice using it to log in. Once they were familiar with that process, we moved to 2FA.
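To put numbers on “length over complexity” and “unique per account”, here is an added example (not code from the original post): it computes the entropy of a diceware-style passphrase against that of a short “complex” password, generates a passphrase with a cryptographic random source, and flags any passphrase reused across accounts. The short wordlist, the list size of 7776 (a standard diceware list) and the 94-character printable ASCII alphabet are assumptions for the calculation, and the vault contents are constructed.

```python
import math
import secrets

# Constructed sample wordlist. A real diceware list has 7776 words (6^5);
# this short list only stands in for it so the block runs offline.
SAMPLE_WORDS = ["anchor", "bright", "canyon", "delta", "ember", "forest",
                "glacier", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nectar", "orbit", "pebble", "quartz", "river",
                "summit", "timber", "umbrella", "valley", "willow", "zephyr"]

DICEWARE_LIST_SIZE = 7776   # assumed: size of a standard diceware word list
PRINTABLE_ASCII = 94        # assumed: letters, digits and symbols a "complex" password draws from


def passphrase_entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of word_count words chosen uniformly
    (with replacement) from a list of list_size words."""
    return word_count * math.log2(list_size)


def password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a password of `length` characters chosen uniformly from an
    alphabet of alphabet_size characters. This is the best case: a human-chosen
    'complex' password is rarely uniform, so its real entropy is lower."""
    return length * math.log2(alphabet_size)


def generate_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick word_count words using the `secrets` module (CSPRNG), never `random`."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def reused_passphrases(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return {passphrase: [accounts]} for every passphrase used on more than
    one account, the situation the post says every account must avoid."""
    seen: dict[str, list[str]] = {}
    for account, phrase in vault.items():
        seen.setdefault(phrase, []).append(account)
    return {p: accts for p, accts in seen.items() if len(accts) > 1}


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n}-word diceware passphrase: {passphrase_entropy_bits(n):.1f} bits")
    for length in (8, 12):
        print(f"{length}-char complex password:   {password_entropy_bits(length):.1f} bits")
    print("example passphrase:", generate_passphrase(5))
    # Constructed vault contents, not anyone's real credentials.
    vault = {"nintendo": "river-summit-willow-delta",
             "epic": "river-summit-willow-delta",
             "school": "canyon-lantern-orbit-kettle-zephyr"}
    print("reused across accounts:", reused_passphrases(vault))
```

The comparison is the point: four diceware words (about 51.7 bits) sit just under an eight-character password drawn uniformly from all printable ASCII (about 52.4 bits), but a fifth word (about 64.6 bits) pulls well ahead, and the words are far easier for a child to type on a Switch or remember than `x7#Qm!2p`. Adding words is the lever, not adding symbols. The reuse check is what a password manager does for you when it warns about duplicate entries.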

Fortnite, for all the talk of being the downfall of an entire generation’s attention span and focus, was instrumental in teaching this lesson. Epic Games offered a prize within the game if users adopted 2FA for their account. This was shortly after they suffered their own data compromise, which exposed a number of their users’ accounts. The fact that they could get a new skin made adding 2FA all the easier to learn. So we adopted a code-generating app to use for their accounts, and we learned how to apply it and how easy it is to use on a mobile device and when logging in on a computer. Now that we were creating good habits, it was easier to work with them when they wanted or needed to create new accounts.

The downfall was failing to go through all of the older accounts that we had created. That’s on me entirely; there’s no reason they should be held responsible for making sure it happened. But I realized I had grown lax or neglectful when I discovered today that the authenticator app was not installed on the new phone that they’ve had for months. How could I have missed such a step? So we talked about how vital the 2FA step is and how it easily stops this kind of account loss from happening.

Most importantly, after we had done all of that, I made sure to have a moment with them. A moment that we should all have with our users when they are the ones victimized, or when that friend or family member calls after clicking a link or having their account compromised. I told them the most important thing for them to know about this whole situation was that they had done nothing wrong. They weren’t at fault. That I’d work on getting the account back (though dragging my feet would curtail the Fortnite playing, but I’m not that type of parent) and that they had done nothing wrong. And the only reason I was asking the questions at the beginning was that I was in “work mode.” It’s better to know exactly what happened when responding to an incident. They needed to tell me everything, with complete honesty and without fear of reprisal, just so I knew all the facts.

I’m writing this the evening of the event. It’s still locked; I have to call Nintendo back. Their online support couldn’t do anything, so I have to call back to work on my case. The chat support was good for what it was, though, and they were very helpful. I just didn’t have time to make the call today; we were quite busy.

The most important thing is that the child, the victim in all of this, is fine. They’re good. They understand what happened, that it’s not their fault, that they’re not in trouble, and that they’ll get access to their account again soon. And I’m sure they’ll remember this occurrence, which had no real fallout except an account being locked out, and they’ll be sure to apply what they’ve learned. They want to make sure they install the app on the phone. They want to make sure they fix the problem with any other accounts. And they’re going to be more aware, and make security-conscious decisions, when they create accounts. This is good, because we’re almost a teenager ($deity help me) and the social media accounts are about to come fast and heavy.

And that’s really the most important thing. I may be an InfoSec person, and I may do IR as part of my duties, and user awareness, and speaking when possible to local groups and at schools. This blog and new Twitter account may be a way for me to try and be more active in the community, to build relationships. But first and foremost, I’m Dad.

Published by Darth Sneakers

I am an InfoSec veteran, with experience in endpoint monitoring, SIEM, policy and procedure, phishing, and awareness training, both internally and as an external provider.