Social Engineering, ploys and countermeasures

“Hello!”

“Hello sir, this is Mr. X calling from ABC bank, can I talk to Mr. Y please?”

“Yes I’m on the line.”

“Sir, we had to call you because we have learned that someone was trying to gain illegal access to your online account. Have you recently requested a password change?”

“No I haven’t.”

“Then, sir, you should change your password right now. We need to know your login ID and password so that we can change it for you.”

Mr. Y, without bothering to verify whether the call really came from ABC bank, gave his login ID and password to Mr. X.

“Thank you Mr. Y for your time.”

“No, thank you for your help, Mr. X.”

“Good bye.”

And that’s it. Without any tool and without any effort, Mr. X gained access to Mr. Y’s account by a simple process known as social engineering. All the security software and all the firewalls installed by ABC bank to protect its customers’ personal information proved useless. The tale above is fiction, but the same thing happens in real life.

What the heck is social engineering?

Social engineering is the art of deceiving or persuading someone into revealing information that he or she would not otherwise disclose. Attackers usually do some research on their target, deceive the potential victim into disclosing sensitive information, and use it to gain unauthorized access. The targets of social engineers range from big corporations to government organizations, from banks to private institutions. No organization is safe from these gadflies, because the human element is the weakest link in the security chain, and perhaps also its kernel. An organization that complies with every recommendation of a security analyst and installs the latest software upgrades and patches is still vulnerable, mostly because the human element is not treated as a matter of concern. As software developers work to remove technical deficiencies in security software, making technical loopholes harder to find, more and more hackers exploit the human element to break into their targets’ systems.

Social Engineers’ tool: Human weaknesses

Why do social engineers even come close to success? Are people so stupid that they simply give away their confidential information? Well, as Albert Einstein said, “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” An organization that wants to make its security chain unbreakable has to train its employees against social engineers, thus putting a barrier in front of this so-called “human stupidity”. Let’s look at some common tactics these criminals use to exploit the weaknesses of their targets.

Some social engineers first collect information that seems useless to the potential victim but is precious to the attacker (such as the phone numbers of an organization’s employees, the locations of its branches, or the number of its departments). This information tells the attacker who the next victims are and what can be obtained from them. For example, knowing the different branches, the attacker can pretend to be an employee of a particular branch and simply ask for some piece of information not meant for outsiders. The victim, taking the attacker for a colleague, sees no reason to refuse the request.

Some pretend to be from the organization whose security recommendations the victim’s company follows. This usually requires good research. The attacker simply tells the victim to install a “security patch” that he or she has sent. The victim, installing the patch, does not realize that a trojan has been installed on the system along with it.

No one can be sure what tactics and techniques these people will use, or what hat they will put on to gain your confidence. No one knows what they are after: it can be money, or it can be information about the product your company is about to launch. In short, the list is endless.

Some Basic Countermeasures

To counter these intruders, one has to prepare against them. For organizations: establish a firm policy of not revealing any information (even trifling information) without verifying the identity of the person asking, and train your employees to handle such intrusion attempts. For individuals: never reveal your personal information, even if the caller claims to be an employee of the organization you work for or a friend of one of your best friends. Verify first, then act accordingly.

Must Read

If anyone wants to learn more about social engineers, the techniques they use and their countermeasures, I recommend getting a copy of Kevin D. Mitnick’s book “The Art of Deception”. Kevin was a renowned social engineer and hacker, but now he is a computer security consultant. You will find his book quite informative.