Dear Lifehacker, My passwords are strong, but if hackers can convince tech support that they're me with a few easy-to-Google details, what can I really do to protect myself? Also, how can I avoid being unwittingly manipulated by these kinds of attacks? Signed, Concerned About Cons
You're right to feel uneasy about attacks that depend only on human weaknesses: so-called social engineering. As the Apple and Amazon account-recovery failures uncovered in Mat Honan's incident showed, a skilled attacker can bypass technical protections (like strong passwords) and get what they want just by talking to a person. People are by far the weakest link in any security system's chain.
That said, we can all beef up our security through education -- knowing common types of social engineering attacks and following essential security precautions. Let's review.
What Is Social Engineering?
Social engineering is the art of manipulating people into doing things they would not knowingly do. The goal is usually security-related, such as handing over computer access or revealing confidential information. Rather than breaking into networks or exploiting software flaws, social engineers exploit human trust.
In many cases, these hackers use small pieces of information to gain trust or access so they can then carry out their cons fully. Here are a few examples:
- An attacker might call saying your credit card has been flagged for unusual activity and that the bank needs to "verify" your details (full card number, mother's maiden name) before issuing a replacement. To sound legitimate, the caller volunteers the last four digits of your card and perhaps the date and amount of a recent transaction, things easily pulled from a receipt in your trash, and asks you to "confirm" the rest.
- Another classic con is an attacker posing as someone in your company or a consultant (tech support, complete with fabricated ID card and clipboard) or another trusted outsider such as an auditor. With a little confidence, an intruder can tailgate into many buildings without anyone challenging them.
- Hackers might even pose as your Facebook friends or other social media connections and then glean information from your profile or your posts.
- Phishing attacks and rogue websites that pretend to represent trusted companies also fall into this category of cons.
- And, as we've seen recently, hackers can take over accounts through lax account-recovery procedures that accept minimal, semi-public information (a billing address and an email address) as proof of identity.
Social engineering relies on our gullibility and the limited amount of information we use to verify people's identities.
You might argue that this is common sense and you would never fall for such a trick, but even tech-savvy people give away personal information under the right pretext. When the caller appears to hold a position of authority, or to be acting for the boss, saying no is even harder, as this Walmart hack shows.
How to Avoid Being The Victim of a Social Engineering Hack
The most important thing you can do to avoid being socially engineered yourself is to cultivate healthy scepticism and stay vigilant. Knowing the common tricks puts you a step ahead of the game, but don't get cocky: the next pretext won't look like the last one, so question everything.
Never give out confidential information, or even seemingly harmless information about you or your company, whether over the phone, online or in person, unless you have first verified both the identity of the person asking and their need to have it. You get a call from your credit card company saying your card has been compromised? Say OK, you'll call them back, then hang up and dial the number printed on the back of your card, never a number the caller gives you.
Always remember that legitimate IT departments and financial institutions will never ask for your password, PIN or full card details over the phone; anyone who does is not who they claim to be.
Also, make good use of your shredder and dispose of digital data (old drives and phones included) properly. As we saw recently, some (poor) verification procedures can be bypassed with nothing more than the details on a pizza delivery receipt.
Companies need to train their employees to spot social engineering and to fix the verification procedures that make these attacks easy. It helps to know the basics of phishing attacks and how to protect against them. Social-Engineer.org is an excellent resource for learning how the "art of human hacking" is accomplished, and EnterpriseITPlanet's AntiOnline forums have many more examples of social engineering attacks, as does CSO.
Minimise The Damage Done From Socially Engineered Attacks
You can protect yourself from phishers, scammers and identity thieves, but there's only so much you can do if a service you use is compromised or someone manages to fool a company's support staff. You can, however, take several preventative measures yourself (some of which we mentioned previously after the Apple and Amazon exploits) that limit how far a single compromise can spread.
- Avoid putting all your eggs in one basket (the dreaded "single point of failure"): the more your accounts depend on one another, the more widespread the damage one breach can cause. For example, don't use your Gmail address as the password-recovery address for every other service, and don't let the account that recovers Gmail itself be resettable with details an attacker can learn from your other accounts.
- Use different logins for each service and protect your passwords: in a similar vein, never reuse a password across services, so one leaked password doesn't open every account, and make each one strong. A password manager makes this painless.
- Use two-factor authentication: this makes it much harder for thieves to get into your account even if your username and password are compromised, because they also need the code from your phone or token.
- Treat security questions as secondary passwords: the questions sites ask (mother's maiden name, first school) are supposed to be another line of defence, but the true answers are often guessable or discoverable from your social media profiles. Don't rely on a simple trick like shifting the letters of the real answer: anyone who knows the real answer can try all 25 possible shifts. Instead, use answers that are unrelated to the question, long and random, and keep them in your password manager alongside the password.
- Use credit cards wisely: credit cards are the safest way to pay online (safer than debit cards or online payment systems like PayPal) because of their fraud protections. If a debit card number is stolen, your entire bank balance is exposed; a fraudulent credit card charge can be disputed before you pay it. You can reduce your exposure further by not letting websites store your card number.
- Monitor your accounts and personal data regularly: check balances and statements for both identity theft and card fraud, and set up Google Alerts on your own name as a simple identity-theft watchdog.
- Back up regularly! No explanation necessary, right?
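To make the security-question point concrete, here is an added example (not code from the Lifehacker article) that shows why a letter-shift "coding system" is weak and how to generate answers that are unguessable even to someone who knows the real answer. The scheme, the `derive_answer` function and the sample master secret are assumptions for illustration: answers are derived with HMAC-SHA256 from a master secret plus the site and question, then base32-encoded so they can still be read out over the phone.

```python
"""Security-question answers as secondary passwords.

Added example, not from the original article. Contrasts the
'shift the letters' trick with HMAC-derived answers that reveal
nothing about each other or about the real answer.
"""
import base64
import hashlib
import hmac
import string


def caesar_variants(real_answer: str) -> list[str]:
    """Every letter-shifted encoding of a real answer.

    If an attacker learns the true answer (say, 'springfield' from a
    Facebook post), the entire 'shift the letters' keyspace is just
    these 25 strings, all of which a help-desk script would let them try.
    """
    lower = string.ascii_lowercase
    variants = []
    for shift in range(1, 26):
        shifted = []
        for ch in real_answer.lower():
            if ch in lower:
                shifted.append(lower[(lower.index(ch) + shift) % 26])
            else:
                shifted.append(ch)  # digits, spaces etc. pass through
        variants.append("".join(shifted))
    return variants


def derive_answer(master_secret: bytes, site: str, question: str,
                  length: int = 16) -> str:
    """Deterministic, random-looking answer for one (site, question) pair.

    HMAC-SHA256 keyed with a master secret that lives only in your
    password manager. Each pair gets an independent answer, and a
    leaked answer does not expose the secret or any other answer.
    Base32 output (a-z, 2-7) is unbiased (5 bits per symbol) and easy
    to read out loud; 16 symbols give 80 bits of entropy.
    """
    if not 8 <= length <= 51:
        raise ValueError("length must be between 8 and 51 base32 symbols")
    # Normalise so 'Gmail' / 'gmail' and stray capitals yield the same answer.
    msg = f"{site.strip().lower()}\x00{question.strip().lower()}".encode()
    digest = hmac.new(master_secret, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode("ascii").lower()[:length]


if __name__ == "__main__":
    # Constructed demo values; a real master secret should be 32+ random bytes.
    secret = b"example-master-secret-not-for-real-use"
    print("weak variants :", caesar_variants("springfield")[:3], "...")
    print("derived answer:", derive_answer(secret, "gmail", "Mother's maiden name?"))
```

The derived answer is what you type into the site's security-question field; you regenerate it from the same inputs whenever support asks for it, and the real answer ("springfield") never appears anywhere.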
These steps won't stop a service provider from falling for a pretext and handing your account to an attacker, but they limit how far that one compromise can spread and give you the peace of mind of knowing you're doing as much as you can to protect yourself.
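The "single point of failure" advice above can be checked rather than just felt. The following added example (not from the article) models account recovery as a graph and computes the blast radius of one takeover: every account an attacker can reset after compromising a given one. The account names and recovery links are constructed to resemble a chain like the one in the Honan incident (a shopping account exposes card details that a second provider accepts as identity, whose mailbox is the recovery address for others); they are not a record of any real configuration, and `with_dedicated_recovery` is an illustrative helper showing the effect of breaking the chain.

```python
"""Blast radius of an account takeover through recovery chains.

Added example, not from the original article. RECOVERY maps each
account to the accounts that can reset its password (recovery e-mail,
SMS number, or a service whose data support staff accept as proof).
The data is constructed for illustration.
"""
from collections import deque

RECOVERY: dict[str, list[str]] = {
    "amazon":  [],                  # reset with billing address alone
    "apple":   ["amazon"],          # support accepts card digits visible in amazon
    "gmail":   ["apple"],           # recovery address is the apple mailbox
    "twitter": ["gmail"],
    "bank":    ["gmail", "phone"],  # either channel resets the bank login
    "phone":   [],                  # carrier account, SIM swap target
    "work":    ["phone"],
}


def unlock_graph(recovery: dict[str, list[str]]) -> dict[str, set[str]]:
    """Invert the map: for each account, the accounts it can reset."""
    unlocks: dict[str, set[str]] = {acct: set() for acct in recovery}
    for acct, channels in recovery.items():
        for channel in channels:
            unlocks.setdefault(channel, set()).add(acct)
    return unlocks


def blast_radius(recovery: dict[str, list[str]], seed: str) -> frozenset[str]:
    """All accounts an attacker controls after taking over `seed`.

    Breadth-first search over the inverted graph; the visited set also
    guards against recovery loops (A recovers via B, B via A).
    """
    unlocks = unlock_graph(recovery)
    seen = {seed}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for nxt in unlocks.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)


def rank_single_points_of_failure(recovery: dict[str, list[str]]) -> list[tuple[str, int]]:
    """Accounts ordered by how many OTHER accounts fall with them."""
    scores = [(acct, len(blast_radius(recovery, acct)) - 1) for acct in recovery]
    return sorted(scores, key=lambda s: (-s[1], s[0]))


def with_dedicated_recovery(recovery: dict[str, list[str]], account: str,
                            recovery_name: str) -> dict[str, list[str]]:
    """Return a copy where `account` recovers only through a fresh,
    otherwise-unused recovery account (the 'separate baskets' fix)."""
    fixed = {acct: list(channels) for acct, channels in recovery.items()}
    fixed[account] = [recovery_name]
    fixed.setdefault(recovery_name, [])
    return fixed


if __name__ == "__main__":
    for acct, downstream in rank_single_points_of_failure(RECOVERY):
        print(f"{acct:8s} -> {downstream} other account(s) fall with it")
    fixed = with_dedicated_recovery(RECOVERY, "gmail", "gmail-recovery")
    print("amazon blast radius before:", sorted(blast_radius(RECOVERY, "amazon")))
    print("amazon blast radius after :", sorted(blast_radius(fixed, "amazon")))
```

The ranking is the actionable output: the account at the top is the one whose recovery procedure deserves the most scrutiny (and two-factor authentication), and re-running the script after moving a recovery address shows whether the change actually shrank the damage or merely moved it.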
PS Have anything to add? Post it below for all to see.