The weakest part of any business computer system is almost always the human being using it, with security experts easily convincing workers to reveal their passwords in exchange for a free pen.
Cyber criminals are often portrayed as technical geniuses plying their trade through the use of deviously complex computer code. While there is some truth to this, gaining access to a computer can be as simple as fooling someone into revealing a password. This tactic of exploiting the “human aspect” of computer use is known as “social engineering” and is widely recognised as one of the most effective techniques used by cyber criminals.
“Human beings are often the weakest link in the security chain,” warns the US government advice site Stay Safe Online. “Criminals and con artists know this and exploit it. Learn how to spot the tricks they use.”
Things to look out for include such simple tactics as phoning a random extension and tricking whoever answers into revealing their network password by asking seemingly innocuous questions. “If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organisation and rely on the information from the first source to add to his or her credibility,” warns US government security agency US-CERT.
A fraudster used this technique to make calls to Barclays Bank in the UK, eventually convincing a call centre worker to issue a credit card in the chairman’s name. Armed with the credit card and personal details about the chairman, the conman then went to a Barclays branch and withdrew £10,000 of the banking executive’s money. Ouch!
An example of how easily people can be tricked by social engineering was revealed by the organisers of the InfoSecurity Europe conference. Experts convinced 90 percent of workers stopped at Waterloo Station in London to reveal their passwords in exchange for a free pen. Some more suspicious workers refused at first, but eventually revealed enough information for the experts to accurately guess their password.
Kevin Mitnick, one of the most notorious hackers of all time, has admitted that social engineering was a fundamental part of his approach. “When the average person conjures up the picture of a computer hacker, what usually comes to mind is the uncomplimentary image of a lonely, introverted nerd whose best friend is his computer and who has difficulty carrying on a conversation, except by instant messaging,” Mitnick explains in his book The Art of Deception. “The social engineer, who often has hacker skills, also has people skills at the opposite end of the spectrum — well-developed abilities to use and manipulate people that allow him to talk his way into getting information in ways you would never have believed possible.”