The OpSec Blog

Security and privacy information and advice at home and abroad.

Social Engineering: Your Identity’s Greatest Threat

leave a comment »

Social Engineering is the attack vector that strikes at any security system’s most vulnerable component; its users.  Here are some common examples of how social engineers can get at your personal information, safety, or comfort zone- and how to prevent it.

Password Verification Questions.  Famously exemplified when Sarah Palin’s e-mail account was broken into, password verification questions are often all too easy to figure out or research.  The choice of questions is often poor, and the explosion of social media and networking sites makes the task of resetting a password that much easier.

  • Countermeasure #1: Write your own question, or better yet- make up your own challenge-response phrase.  Instead of adding a question such as, “What color was your first car?” which is easy to guess (statistically the answer is “white”), try adding half of a unique phrase that is memorable to you.  Inside jokes work great… as long as you trust your friends.
  • Countermeasures #2: Sign off social media.  While most people probably aren’t willing to give up Facebook or linked in, you can mitigate the threat by removing non-essential information from your profile.  If you’re a mid-career professional, nobody cares where you went to High School.  Protect especially sensitive information like phone numbers, e-mail addresses, family links (“What’s the name of your favorite uncle?”), important dates (not just your birthday), and anything else that could possibly be used against you.  If you don’t want to remove it, at least restrict your profile so that only your known contacts can see your information.
  • Countermeasure #3: If you refuse to do any of the above, make the answer to the verification question stronger.  If the make of your first car was a “Toyota”, try “T0yo7a” instead.  The longer and more complex, the better.

Financial Institution Contact.  For whatever reason, authentication for financial institutions and transportation arrangements hinge on passing sensitive information over unsecured phone lines (SSN, account numbers, departure/arrival dates, etc).  To make things worse, if you receive a call from your bank ostensibly to inform you of a suspicious charge, you have no way of knowing who is actually calling you.

  • Countermeasure #1: Do not give the caller any information other than informing them that you will call them back momentarily after you look up their phone number.  You should never pass personal information to someone who calls you.
  • Countermeasure #2: Ask the caller to authenticate their identity to you.  For banks, ask them what their routing number is (they should answer immediately).  For credit card companies, ask what the current balance on your card is (you should check your statement daily, so you know roughly what it is) or ask what your reward balance is (social engineers will not have this information, as they are trying to get it out of you).
  • Countermeasure #3: Decide on what contact method you wish the company to use and report all instances of the company attempting to contact you via a different method.  I have an alert set on my account to send me an e-mail every time my credit card thinks a charge is unusual (which is all the time since I travel so much).  Despite this, I still get calls to my personal phone number from them inquiring about this or that.  As soon as I hear, “This is American Express calling…” I hang up.

People Who Want Something.  Moving away from protecting your personal information a little, People Who Want Something are after your money or can compromise your safety.  Beggars on the street holding signs numbering their children or how hardship befell them are social engineers- they bank on the fact that you are an upstanding citizen with a soft spot for the less fortunate.  Once you pause to acknowledge them they exploit the gap, quickly establishing a bond that you, being the polite person you are, will find difficult to break without feeling guilty.  In some places in the world, breaking this bond without the expected monetary handout is an excuse for violence.

  • Countermeasure #1: “The Obvious” – Do. Not. Acknowledge.  Walk straight past without sparing a glance.  Brush them aside if they stand in your way.  Do not roll down the window if they approach your vehicle.  Let the next sucker get drawn in.
  • Countermeasure #2: Make yourself less approachable.  Groups work well.  Walking as if you are in a huge hurry also works well.
  • Countermeasure #3: If you do get drawn in, get out as fast as possible.  The longer guilt has to work, the more you lose your ability to walk away without giving a handout.  Do not, under any circumstance, break your attention from your surroundings to reach into your bag, answer a phone call, or otherwise.  You are in a vulnerable situation and need to get out of it fast.

I tried to keep these tips as simple and as “doable” as possible.  The hardest part for most people is recognizing a situation in which the risk is present.  While hindsight is 20/20, it is extremely difficult to recognize a social engineering attack in progress if you’ve never experienced one.  Quash your guilt and stop being afraid to be rude.  Seconds of rudeness can save hours, days, or months of anguish.

Questions or comments are encouraged.  Have you ever tried any of these countermeasures?  What works?  What doesn’t work?  How do you deal with situations I’ve mentioned above, or how do you think you’d react?

Advertisements

Written by OSB

23/05/2011 at 18:14

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: