Thursday, May 20, 2010

Social Engineering


I was reading through Teri Bidwell's book, Hack Proofing Your Identity, and found this excellent note on "Social Engineering":


Social engineering, also called pretexting, is a term used for a variety of scams and con games involving tricking a victim into voluntarily giving up private information that's useful. Pretexting is an attempt to elicit a specific response to a social situation the perpetrator has engineered; for example, someone gives you false information for the purpose of obtaining otherwise forbidden information from you. You might receive the false information via postal mail, email, computer chat program, Web site, telephone, or in person. An example of this is the Nigeria 419 email scam. The Nigeria 419 scam is designed to trick you into disclosing your bank account number. In any case, you are asked to give up information that you would not normally give to just anyone. Most of the time, the victim has no idea he or she has disclosed information under false pretenses, unless it results in a crime that can later be traced back to having disclosed information to the person doing the social engineering.
As an example of social engineering, an identity thief might pose as a potential landlord or employer in order to obtain a copy of a victim's credit report. Or, let's say you needed to find someone's address and couldn't find it using one of the online "People Search" type programs. You might phone up the gas company and pose as a relative. The phone conversation might go something like this, in which the gas company clerk is tricked into disclosing the address you're looking for:


You: Hello, I'm Joe User's daughter. We just moved my dad to a senior community, and I need to make sure he changed his gas service over to his new address. Bless his heart—he doesn't remember things the way he used to! Can you tell me the address that's showing on his account?


Gas Company clerk: I show his address is 555 Shady Lane. Is that the retirement home?


You: Yes it is; thank you very much. Bye.


Social engineering is by far the most effective, least costly, and hardest to prevent method of obtaining private information. Technology can't be used to block it, and people targeted have to be on their toes in order to even notice it when it's happening. What's more, it's not illegal unless someone uses the obtained information to commit a crime. Unfortunately, most people have an even harder time noticing social engineering when it's happening using a computer. Some of the most successful social engineering scams today are sent to victims via e-mail. When you can't see a person's facial expression or hear his or her voice, inferring their intent when they ask you for information can be difficult. You need to be even more vigilant online than in person against social engineering, due to the numerous places a thief can hide on the Internet.


People who might be savvy enough to shred their paper trash might not be thinking about the trashcan on their computers. Your computer's recycle bin might contain files with private information in them that you've deleted over time. If someone gains access to your computer while you're away from it, those files might provide useful information. For instance, let's say you make an online purchase using a credit card, and the Web site provides you with a confirmation form showing what you purchased along with the credit card number and shipping address. You keep the confirmation page on your hard drive until you receive the merchandise. After you receive the merchandise, you delete the confirmation form because it's no longer needed. The form remains in your recycle bin until you empty it. Even then, the file isn't irretrievable. It can be restored using special undelete software, which is discussed
