Oftentimes thieves find that hacking humans is easier than hacking computers. This is called social engineering, and it has been happening since long before identity theft was a buzzword or computers ever existed!
Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical hacking techniques (essentially a fancier, more technical way of lying). You are a victim of social engineering every day. Social engineering is an important part of our society. Actually, it is an integral part of our basic social skills. We all use social engineering to get what we want. Whether it’s your child negotiating an extra scoop of ice cream or a co-worker urging you to cover her shift so she can care for her “ailing mother”, you are being hacked (manipulated). You are a social engineer as well. You have probably called upon your own “engineering” skills to nab that new promotion or sway your family to go to your favorite restaurant.
Social engineering is used among thieves who rely on weaknesses in physical security rather than software. The aim is to trick people into revealing passwords or other information that compromises security or personal information.
Reformed computer criminal and later security consultant Kevin Mitnick popularized the term “social engineering”, pointing out that it is much easier to trick someone into giving up a password for a system than to spend the effort to crack into the system. He claims it was the single most effective method in his arsenal. A good social engineering scam always starts with pretexting. Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim. This is the scam artist’s cover story: it is what convinces the victim that it is safe and reasonable to give up information or allow access.
Pretexting is often used to impersonate co-workers, police, banks, tax authorities, insurance investigators, or any other individual who could have perceived authority or a right to know in the mind of the targeted victim. Most of the time, the pretexter just needs to sound authoritative and be able to think on their feet to get what they need.
AOL experienced a social engineering attack that compromised its system and revealed confidential information of more than 200 accounts. In that case the caller contacted AOL’s tech support and spoke with an employee for an hour. During the conversation the caller mentioned that his car was for sale at a great price. The employee was interested, so the caller sent an email attachment with a picture of the car. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall. Through this combination of social engineering and technical exploitation, the caller gained access to the internal network.
Social engineering is not limited to phone calls; many cases involve visitors impersonating a repair technician, a legitimate-looking email requesting account verification, or someone convincing delivery drivers to drop packages around the corner instead of at the delivery address.
Social engineering is here to stay and is expected to grow even more complex in its implementation. Now is the time to be aware and alert, and to always trust your instincts. It is always best to question the authenticity of phone callers, emails, letters and individuals.