Social Engineering - Part I

Chris Cassell, Technical Team

Category:

  • Security Blog

What makes a person?

It's a far more complicated question now than it has ever been throughout history. Go back over a hundred years and a person was a collection of flesh, blood and bone. Come 1911AD and in the UK a person expanded to include a number, the National Insurance number that represents someone from the age of 16 to death. Forward a little more and you find a person listed again, another number, that of their home phone. When more records began to get held in increasing number, too many names over lapped, so we had to keep track of a person's date of birth.

In modernity what makes a person? Phone numbers, IP addresses, chat logs, e-mail addresses, a spread of holiday pictures on social media, a collection of GPS locations from where they have ’checked in‘, online CVs on multiple sites etc. Your average person has become a splatter of data spread out across a massive swathe of the internet and other more private databases.

So when someone contacts you, what makes that person, that person?

What we share

Think to your social media presence for a moment. If you are at all like the average person you have profiles on a few sites. You‘ve probably uploaded pictures of yourself, your family and your environments. You‘ve put in details to help people find you, where you went to school, where you work now, likely where you worked previously.

In a moment I want you to stop reading this and go check out your profile, think what you see. (Obviously come back after…)

Looking at your profile could I describe you? Could I guess, or even know your date of birth? Could I know where you like to go on holiday? Could I look at your contacts and find out who your parents are? Your mother's account, does it list her maiden name so that her old friends can find her? Ever used your mother's maiden name as a security question? Got your schools on there? Used your school as a security question?

In your posts have you complained about your bank, your mobile phone company? Say their customer service is awful?

The threat

So I‘m a bad man, and I want to gain access to your bank accounts. You‘ve told me who you use, on a tweet, a Facebook post, somewhere.

So I phone a few online shops. I‘m crying as I give them your name, your e-mail address. They don‘t trust me of course, but they ask the questions. Your date of birth, mother's maiden name, where were you born. I have those answers, or I make educated guesses based on what you have told the world. I hit enough of them and the gaps can be explained by my distress so they start to trust me; they want to know why I‘m upset. It's human nature, they want to help. So I explain I‘ve had my bank card stolen and the bank won‘t help as I‘ve forgotten the card number. I just need the details from the front of the card, then I can get it all fixed.

I get those details and hang up, then I phone your bank. I have those details now; I can provide them with the account number or card number. It's enough to start me off. Your password? Pet's name? Partner's name? Favourite landmark? Might get lucky; if I don‘t they‘ll fall back on those security questions. They have to have a fallback else you can‘t get in to your account.

Besides I‘m upset so it's easy for me to forget a single password. But I can play the security question game, I‘ve researched you well enough. Then I‘m in, I reach out to the bank staff, I explain the terrible situation, attacked in my own home, I can‘t go back there but my child needs to eat. Can they get me a new card? I‘m staying with a friend. I can‘t face home so soon after. Can they give me a code to draw some emergency money out of an ATM? Can they transfer some money out to an account I hold in another bank so I can use that card?

Suddenly I‘m you, enough for me to take your money, clone your phone, obtain ID from somewhere to further my attack. And the weakness that exposed you? Your desire to share your life and a few other people's desire to help someone in distress.

This is Social Engineering

It's the art of manipulating people, to play on the innate desire most people have to help others, to take what people give away freely in the form of information, and twist it to become someone else, at least for long enough to obtain a goal.

The very best social engineers can start with nothing; their own charisma and acting abilities can carry them forward to convince people to share just by exploiting that will to help others. Most need a seed, something to start with, to give them a kernel of truth to work from. The more information they have the better; they can paint a fake life to the people they talk to, and build that bond. Talk about your holiday you‘ve just come back from, the places you visited, the sights you saw. It makes them real and they‘re facts that can be proven.

Social engineering levels the playing field for those that aren‘t technically able to commit modern crime or it's a powerful addition to the toolkit to those that can.

Leave a comment




Comments (0)

Latest News

  • ​Is there room for new MSSPs to enter the cyber security market?

    Summary of a recent debate at VSEC 18 discussing the MSSP market ...Read more

    15/05/2017

  • Device Identity Management

    Device identity management critical for secure digital transformation ...Read more

    15/05/2017

  • Securing the Security Operations Centre

    Blog exploring why the Security Operations Centre (SOC) itself must be protected adequately ...Read more

    15/05/2017