- Thierry Spanjaard
Social engineering: we are all potential victims
Our bias, as members of the secure transactions industry, is to concentrate on technological issues, and therefore on technological answers. However, there is an old saying in computing, abbreviated PEBCAK: "problem exists between chair and keyboard." Many issues are more human than technological.
Social engineering is probably the best example. It covers the methods criminals use to get victims to take some questionable action: breaching a security control, sending money, or giving up private information. Social engineering is as old as humanity; methods for tricking people into harmful actions have been refined for centuries in every civilization.
In our connected world the consequences range from giving away a password or holding a door open for an intruder to wire transfer fraud and identity theft.
Typically, social engineering builds upon basic human emotions:
Helpfulness: many of us are ready to help others without questioning the legitimacy of the request.
Fear: in a hierarchical corporate world, the more an order appears to come from the top of the org chart, the more likely it is to be executed without question.
Curiosity: humanity has often made progress thanks to curiosity. Attackers know this and exploit it!
Greed: most people want to believe in instant rewards. If an offer seems too good to be true, it usually is.
Other levers, such as intimidation, the desire to belong, and fear of missing out on a scarce or time-limited offer, may also come into play.
Traditionally, social engineering relied on phone calls in which the con artist impersonated an authority, the security services, technical support, or anyone else the victim would trust, in order to lure the victim into giving up information or performing actions. Phishing by email is the most common social engineering attack today. A typical phishing email appears to come from a legitimate business (a bank, a utility, a web hosting service, a major eCommerce site, etc.) and directs users to a page that asks them to type in their login and password or their payment details. Smishing, phishing over SMS text messages, is increasingly common, and vishing uses fraudulent calls or voicemails to reach the same goal.
What are our options against social engineering? For a human problem, the best answer is education, training and repeated awareness raising, combined with realistic tests such as simulated phishing campaigns. On top of this, technical measures can be deployed. Numerous anti-phishing tools exist, and none of them is perfect. In corporations, good resilience to social engineering comes from a structured approach to identity: stronger authentication than a login and password, and clear processes and access rights for each employee, so that one deceived person cannot, on their own, authorize a transfer or grant access. Biometrics are among the tools that significantly improve resistance to social engineering, since a fingerprint or a face cannot be typed into a fraudulent form or read out over the phone the way a password can.
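To make the anti-phishing tools mentioned above concrete, here is an added example (written for this page, not a product or code from the author) of the kind of heuristic check such a tool runs on an incoming message. It combines the technical signals of a phishing email described above (a display name claiming a brand the sender domain does not belong to, lookalike domains, link text pointing somewhere other than the href, a diverted Reply-To) with the emotional levers listed earlier, by looking for phrases that play on fear, scarcity, greed or authority. The brand list, the lever phrases and both sample messages are constructed for the example; a real deployment would use the organisation's own brand inventory and far richer phrase lists.

```python
"""Heuristic phishing-email scorer: an illustrative example, not a complete product."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands this organisation expects mail from and their legitimate domains (assumed list).
KNOWN_BRANDS = {"examplebank": "examplebank.com", "acme": "acme.com"}

# Phrases that play on the emotional levers discussed above (constructed, not exhaustive).
LEVER_PHRASES = {
    "fear": ["suspended", "unauthorized", "locked", "legal action"],
    "scarcity": ["within 24 hours", "immediately", "expires", "urgent"],
    "greed": ["you have won", "refund", "prize", "reward"],
    "authority": ["ceo", "director", "compliance"],
}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registrable(host):
    """Crude registrable domain: the last two labels (good enough for .com-style TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Return the brand a host imitates: the brand name appears in the host, or the
    registrable domain is within two edits of the real one, but is not actually it."""
    host = host.lower()
    reg = registrable(host)
    for brand, legit in KNOWN_BRANDS.items():
        if reg == legit:
            return None
        if brand in host.replace("-", "") or edit_distance(reg, legit) <= 2:
            return brand
    return None


def score_email(raw):
    """Return (findings, levers) for a single-part RFC 822 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # 1. Display name claims a known brand but the sending domain is not that brand's.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in display.lower().replace(" ", "") and registrable(from_host) != legit:
            findings.append(f"display name '{display}' but sender domain {from_host}")
    # 2. The sender domain itself imitates a known brand.
    imitated = lookalike_brand(from_host)
    if imitated:
        findings.append(f"sender domain {from_host} imitates {imitated}")
    # 3. Replies are diverted to a different domain than the one that sent the mail.
    reply = parseaddr(msg.get("Reply-To", ""))[1]
    if reply and registrable(reply.rsplit("@", 1)[-1]) != registrable(from_host):
        findings.append(f"Reply-To {reply} differs from sender domain {from_host}")
    # 4. Links whose visible text names one site while the href goes to another.
    body = msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = TAG_RE.sub("", text).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if "." in shown and shown_host and registrable(shown_host) != registrable(href_host):
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        imitated = lookalike_brand(href_host)
        if imitated:
            findings.append(f"link host {href_host} imitates {imitated}")
    # 5. Two or more emotional levers in one message is itself a strong signal.
    text = TAG_RE.sub(" ", body).lower()
    levers = [name for name, phrases in LEVER_PHRASES.items() if any(p in text for p in phrases)]
    if len(levers) >= 2:
        findings.append("pressure levers used: " + ", ".join(levers))
    return findings, levers


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: ExampleBank Security <alerts@examplebank-secure.com>
Reply-To: support@mail-verify.net
Subject: Account suspended
Content-Type: text/html

<p>Your account has been suspended after unauthorized access.</p>
<p>Verify your identity within 24 hours:
<a href="http://login.examplebank.com.mail-verify.net/x">https://www.examplebank.com/login</a></p>
"""

SAMPLE_LEGIT = """From: ExampleBank <notifications@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available. <a href="https://www.examplebank.com/statements">Sign in</a> to view it.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        findings, _ = score_email(sample)
        print(name, "->", findings or "no findings")
```

Running the module prints six findings for the constructed phishing message (spoofed display name, lookalike sender domain, diverted Reply-To, mismatched link text, lookalike link host, and the fear plus scarcity levers) and none for the legitimate statement notice. The point of the example is the design, not the thresholds: the technical checks catch the impersonation, while the lever check flags the psychological pressure that the human checks in the paragraph above are meant to resist, and neither alone is conclusive, which is why such tools remain imperfect.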
The secure transactions industry has all the resources it needs to fight social engineering. We have a full toolbox; what remains is to build consistent architectures that use all these tools, without forgetting the most important element: the human!