Lessons from Social Engineering

It is a common misconception that security is solely a technological problem. Companies and individuals may allocate a significant portion of their spending to designing the best security policies, protecting themselves with the latest security products and hiring personnel from the top security firms. Such entities are still vulnerable to attack.

Technology creates a false sense of security that leads people to ignore the weakest link in security practice: the human factor. Anybody who thinks that equipping themselves with the latest security products and technology makes them immune to attacks buys into this same illusion. Security should be viewed as a process and not a product, and should be tackled not as a technological problem but as a people and management problem.

Why is that the case? Because the biggest threat to a business is a social engineer: usually an unscrupulous, glib, friendly and obliging person who distracts you with one hand while stealing your secrets with the other. A classic example is the story of Stanley Mark Rifkin. Rifkin wire-transferred ten million two hundred thousand US dollars out of Security Pacific's authorised-personnel-only wire transfer room. He did it by gaining access to the room on the pretence of taking notes on operating procedures, and then writing down the code that clerks used to authorise transfers. He was entered into the Guinness Book of World Records for the largest computer fraud at the time. Rifkin pulled off the biggest heist without a gun, using only persuasion and deception, which is today known as social engineering.

At the core of a social engineering attack lies the tactic of gaining access to information that a person considers innocuous. Consider the following example.

Call 1
The attacker calls up State Bank.
Attacker: Hello, I am a writer who is researching for a novel. Can you tell me if banks have something called a Merchant ID with card companies? I want to get the lingo right for my book.
Initially, the clerk hesitates but confirms that Merchant ID is the correct term. Here, the clerk parts with valuable information that will help the attacker.

Call 2
Attacker: Hello, I am calling from MasterCard. We are doing a survey to improve our services with partner banks. Would you be willing to answer a few questions?
As the employee agrees, the attacker goes on to ask a few questions and skilfully coaxes out the Merchant ID of the bank from the employee.

Call 3
The attacker now calls MasterCard posing as a State Bank employee, quotes the Merchant ID obtained in the previous call, supplies Aadhaar card details and a birth date to the MasterCard employee, and learns all the sensitive information held about that person.

In the first call, the term "Merchant ID" is well known within the bank, so the clerk might not have judged it as parting with valuable information. The second employee, however, could have shown some restraint and judgement before answering the survey questions. Here the Merchant ID effectively served as a password: it was used to gain access to information that the attacker can then use as they see fit. The moral of this story is that no information should be revealed until the identity of the requesting party has been established and their need to know confirmed. Often, all a social engineer needs to do to gain information is ask for it.

Research is key to social engineering, and social engineers will often call up local law enforcement agencies to learn about ways they can use the law to circumvent your security policies. It is also key that security policies extend to every employee, regardless of whether they have access to electronic devices or to the storage cabinets that house data, because at every hand-off in the chain of custody there is a real possibility that information ends up with an attacker. For example, records that have been marked for destruction can end up in an attacker's hands if they set up a ruse in which the records are exchanged for a service.

The key to any social engineering attack is building trust. An attacker researches and plans their moves by anticipating the questions the victim could ask and preparing satisfactory answers. Once trust is built, the path to executing the attack becomes easier: they can extract information that can be used to crack passwords, gain access to bank accounts or commit identity theft. Even if our first instinct is to suspect a person, a good social engineer eventually persuades you to give them the benefit of the doubt. They may appear as a good Samaritan who helps you out and then play on your gratitude to extract some information. They may ask you for a favour in return for theirs, and it is paramount that you do not agree until you have established the person's exact intentions. Such situations can make you an inadvertent participant in the attack. Consider a technician who asks you to install some software after he fixes your computer, and you do it because you trust him to know what he is doing; you might be installing malware or spyware that gives him access to your computer and to any computer you connect to.

Prevention of social engineering attacks begins with education. It is vital that employees and individuals learn about the different kinds of social engineering attacks and take every proposition with a pinch of salt. It is paramount to verify the identity of the person to whom information is divulged, and security policies should be followed at all times to prevent accidental leakage of data. Care must be taken that no suspicious software or emails are opened on computers, as that may put everyone on the network at risk. Technological barriers may act as a deterrent to attacks, but true protection lies in an individual who follows security policies and understands how others might maliciously influence his behaviour. Ultimately, the safest computer is not one that is switched off but one used by a well-informed user who protects himself and others.

Authors:
Sagnik Sen Sarma
Atharva Badve
Mohnish Parmar
Hrishikesh Jadhav

References:
"The Art of Deception", by Kevin Mitnick
