Lentis/Social Engineering

Introduction

Social engineering is the psychological manipulation of people into divulging confidential information or taking actions that benefit the attacker. It affects individuals through phishing and identity fraud, and companies through corporate espionage. Attackers may be motivated by financial gain, personal entertainment, or notoriety. This chapter explores the 2012 hack of Mat Honan,[1] a writer for Wired, who had multiple accounts compromised, losing his personal data and his Twitter handle in the process.

Psychological Foundation

Social engineering exploits a central facet of human interaction: trust. If the victim believes the attacker's claims, whether that they are a person in need of assistance or someone who should have access to the information sought, the victim is likely to help the attacker obtain it. Once trust is established, the victim is also more likely to overlook red flags, such as the requester not knowing things a legitimate requester would know, because the request already seems legitimate. Trust can be established in many ways: wearing a fake uniform, calling a help line and using easily obtained information (such as a billing address) to impersonate a user, or striking up a conversation and forming a friendship with the victim so that they feel secure.[2]

Techniques

  1. Peripheral persuasion - In contrast to direct persuasion, which relies on logical argument and reasoning to convince the listener, peripheral persuasion bypasses deliberate thought, often by triggering strong emotions in the victim. People experiencing fear or excitement are less able to evaluate a situation rationally and are therefore more easily persuaded.[3] Social engineers use this by, for example, calling a help line and pleading for assistance, or telling someone they have won a sweepstakes and need only fill out a form to claim the winnings.
  2. Information overload - When a person receives a large amount of new or unexpected information or argument at once, they shift from evaluating it to simply accepting it in order to keep up.[4] Attackers exploit this by firing a rapid stream of statements at the target, overwhelming them so that claims they would normally question are taken at face value.
  3. Reciprocation - A person who has received a gift or a favor is more likely to return it when the giver later asks for something.[3] A simple example is an attacker holding the outer door of a building open for an employee, who then holds the inner, badge-controlled door open for the attacker.
  4. Authority - A request or demand from a purported superior is likely to be followed with little question, especially if it does not seem far out of the ordinary. Attackers have used this for a variety of ends, including posing as a company executive by e-mail and instructing staff to wire money to an attacker-controlled account.[5]

Mat Honan Hack

Progression of Hack

In the space of 22 minutes, Honan had multiple accounts compromised and his personal data wiped by a hacker going by Phobia. Phobia's goal was to take over Honan's Twitter handle, @mat. From Honan's Twitter page and personal domain, Phobia found his Gmail address, which had his Apple me.com address set as its recovery option. Knowing that Apple would reset the account given a billing address and the last four digits of the credit card on file, Phobia went to Amazon to obtain them. He had a fake credit card number added to the Amazon account using only Honan's name, email address, and billing address, all publicly available information. He then used that fake card as proof to add a new email address to the account, which he used to reset its password. Once inside the Amazon account he could read the last four digits of Honan's real credit card, which let him reset the Apple account, then the Gmail account, and finally the Twitter account.

Disparity of Sensitive Information

When a user forgets their login credentials and no longer has access to the email account on file, an online service must verify their identity with other information. That information must be hard enough for others to obtain that it prevents fraud, yet easy enough for the genuine user to supply, which requires a judgment call. Services differ in what they treat as sensitive. In Honan's case, Amazon considered the last 4 digits of a credit card unimportant enough to display on the web, while Apple considered the same digits secure enough to verify identity. The following table shows what information may be used to prove identity for several online services.

Service                  Type             Recovery information
Apple ID                 Email/Commerce   Name, billing address, and last 4 digits of the credit card number
Wells Fargo              Banking          Social Security number, OR ATM or debit card number
Blizzard Battle.net[6]   Gaming           Security questions, OR valid government-issued ID
Amazon                   Commerce         Name, billing address, and credit card number
Facebook[7]              Social media     Government-issued ID; OR two non-government IDs with the same name (one showing a picture or birthday); OR two IDs of the preceding kind with the same name plus one with any name and a birthday or picture

As expected, Wells Fargo and Facebook place a larger burden of proof on the customer because of the high cost of fraud they would incur. Amazon and Apple, however, both of which hold financial information, set a relatively low burden of proof that rests mostly on publicly available information. Blizzard, as a gaming service, may seem overly strict, but the data it stores represents years of customer investment.

Effect of Connected Accounts

In Honan's case, the only account that could be compromised on its own was Amazon; every other account required information or access obtained from another account. The vulnerability created by these connections is what allowed the rest of the hack to occur. According to Experian, the average Briton has 19 online accounts, and 25- to 34-year-olds average 28 each.[8] Each account not only has its own weaknesses; the interactions between connected accounts create new vulnerabilities that exist in none of them individually. In systems theory, this is an emergent property of the network of accounts.

Motivation

Social engineering, while typically committed to obtain money or privileged information, may also be used to improve standing. DEF CON hosts a competition every year in which dozens of individuals compete to social-engineer their way into companies; in 2012 one participant extracted critical information from a major retailer's staff in 20 minutes.[9] The competition lets social engineers both share techniques and find out who is the best. This showing off, or display, is common in human life and stems from our evolutionary ancestry. In ethology, animals use display to scare off competitors for food or mates because it is far more economical than fighting. Although its purpose has changed, humans still show off to prove they are the best, and many will do so given the chance. In Honan's case, Phobia was motivated both by material interest in the @mat handle and by display, demonstrated by publicly claiming responsibility for the hack.[1]

Convenience Versus Security

Consumer Preferences

75% of U.S. adults say customer service is important to them.[10] One mark of good customer service is letting a user quickly and easily regain access to their account. Since millions of users forget their account details every year, and companies want those interactions to go smoothly, only minimal details are demanded to prove account ownership. Doing so, however, also makes it easier to gain access for malicious purposes. This is the trade-off between convenience and security.

In many cases, consumers prefer convenience. When a service asks for more information to prove ownership, users find it harder to supply quickly and easily. For example, the digital distribution service Steam can ask for the first product key ever registered on an account before restoring access. This is often very difficult to produce, causing frustration and possibly the loss of future customers.[11]

Companies differ in how much information they require for account recovery depending on what can be gained from the account, because consumers are more willing to trade convenience for security when a compromised account would cost them more. Apple, for example, requires only a billing address and part of a credit card number, while a bank may require a Social Security number.

Defending Against Social Engineering

Social engineering succeeds through human behavior and through the compounded vulnerabilities of connected accounts, so defending against it means addressing both. There are technical and social methods to counter the techniques attackers use.

Standardizing Sensitive Information

In the Mat Honan hack, information was taken from an account where it was treated as non-sensitive (Amazon displayed the last four digits of the credit card) and used to gain access to an account where the same information was treated as sensitive and sufficient to prove ownership (Apple). To reduce the compounding of vulnerabilities between connected accounts, online services could standardize what they consider sensitive, so that any fact one service displays to a logged-in user is never accepted by another as proof of identity, and a breach of one system would not permit access to others.
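The chain described under Progression of Hack, the emergent vulnerability of connected accounts, and the effect of standardizing sensitive information can all be made concrete in one small model. The following Python is an added illustration, not code from the chapter or from any of the services named; the account names, fact labels, and recovery policies are constructed from the narrative above and are assumptions rather than any provider's real procedure. It treats each account as a set of facts that unlock a reset plus the facts it reveals once opened, computes which accounts fall from public information alone, and shows how that changes when a single fact is treated consistently everywhere.

```python
"""Recovery-chain model of the Honan hack (added illustration, not the chapter's own code).

Each account lists the alternative sets of facts a caller must present to
reset it, and the facts anyone inside the account can read.  Starting from
publicly discoverable facts, the attacker resets every account whose
requirement is met, learns what it reveals, and repeats to a fixed point.
Account names, fact labels and policies are constructed from the chapter's
narrative; they are assumptions, not any provider's actual procedure.
"""
from dataclasses import dataclass


def controls(account_name):
    """Fact meaning 'the attacker now controls this account'."""
    return "access:" + account_name


@dataclass(frozen=True)
class Account:
    name: str
    recovery_paths: tuple             # any one complete frozenset of facts unlocks a reset
    reveals: frozenset = frozenset()  # facts readable once inside


# What Phobia could gather from Honan's Twitter page and personal domain (constructed).
PUBLIC_FACTS = frozenset({"name", "gmail_address", "billing_address"})

HONAN_CHAIN = (
    # Amazon: name, e-mail and billing address were enough to add a card and then
    # a new e-mail address; the account page then shows the card's last four digits.
    Account("amazon", (frozenset({"name", "gmail_address", "billing_address"}),),
            frozenset({"card_last4"})),
    # Apple ID: name, billing address and last four digits of the card on file.
    Account("apple", (frozenset({"name", "billing_address", "card_last4"}),)),
    # Gmail's recovery address was the Apple me.com mailbox.
    Account("gmail", (frozenset({controls("apple")}),)),
    # Twitter's password reset goes to the Gmail address.
    Account("twitter", (frozenset({controls("gmail")}),)),
)


def attack_chain(accounts, public_facts):
    """Order in which accounts fall when every satisfiable reset is performed."""
    known = set(public_facts)
    fallen = []
    progress = True
    while progress:                      # iterate to a fixed point
        progress = False
        for acct in accounts:
            if acct.name in fallen:
                continue
            if any(path <= known for path in acct.recovery_paths):
                fallen.append(acct.name)
                known |= acct.reveals     # learn what the account exposes
                known.add(controls(acct.name))
                progress = True
    return fallen


def directly_exposed(accounts, public_facts):
    """Accounts resettable from public facts alone, without any other account."""
    return [a.name for a in accounts
            if any(path <= set(public_facts) for path in a.recovery_paths)]


def inconsistencies(accounts):
    """Facts one service displays to a logged-in user while another accepts them as proof."""
    displayed = set().union(*(a.reveals for a in accounts))
    accepted = set().union(*(p for a in accounts for p in a.recovery_paths))
    return displayed & accepted


def treat_as_sensitive(accounts, facts):
    """Standardize one way: no service displays these facts any more."""
    return tuple(Account(a.name, a.recovery_paths, a.reveals - facts) for a in accounts)


def treat_as_public(accounts, facts):
    """Standardize the other way: no service accepts these facts as proof any more."""
    return tuple(Account(a.name, tuple(p for p in a.recovery_paths if not p & facts),
                         a.reveals) for a in accounts)


if __name__ == "__main__":
    print("falls alone:", directly_exposed(HONAN_CHAIN, PUBLIC_FACTS))   # ['amazon']
    print("chain:", attack_chain(HONAN_CHAIN, PUBLIC_FACTS))              # ['amazon', 'apple', 'gmail', 'twitter']
    leak = inconsistencies(HONAN_CHAIN)                                   # {'card_last4'}
    print("inconsistently treated:", leak)
    print("sensitive everywhere:", attack_chain(treat_as_sensitive(HONAN_CHAIN, leak), PUBLIC_FACTS))  # ['amazon']
    print("public everywhere:", attack_chain(treat_as_public(HONAN_CHAIN, leak), PUBLIC_FACTS))        # ['amazon']
```

Run as a script, it reports that only Amazon falls without help from another account, that the full chain is Amazon, Apple, Gmail, Twitter, that the one inconsistently treated fact is the card's last four digits, and that either standardization choice (never display it, or never accept it as proof) stops the chain at Amazon. The point the model makes is that Apple's policy was not unsafe in isolation; it became unsafe because of what Amazon displayed, which is exactly the emergent property the chapter describes.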

Reducing the Manipulation of Trust

Many instances of social engineering occur because sensitive information is given to people who are not authorized to have it. The Global Information Assurance Certification (GIAC) attributes this to employees not being trained to recognize what it calls human information fraud: attempts to obtain information by deception. Training employees to handle sensitive information more carefully greatly reduces trust-based social engineering. Such training teaches methods like refusing to give information to people they do not personally know, and recording the requester's details so that all affected parties can be notified.[12] A practical form of this is to verify any unusual request out of band, for instance by calling the requester back on a number already on record rather than one supplied in the request. It is also recommended that the training be ongoing rather than a one-off exercise.

Conclusion

Several factors facilitate social engineering: manipulation of trust, disparity in what services treat as sensitive information, emergent properties of connected accounts, and consumer preference for convenience over security.

Some of these factors, such as the preference for convenience over security, apply in other areas of society as well. There are many examples of society trading convenience for security and vice versa. The security checks done by the Transportation Security Administration (TSA) before boarding a flight are time-consuming and intrusive, yet nearly two-thirds of Americans support them, saying they "put a higher priority on combating terrorism."[13] At the other end, millions of Americans drive motor vehicles despite the thousands of deaths from traffic accidents every year.[14] The convenience is enough to offset the risk associated with driving.

Some of these factors only apply to social engineering targeted towards consumers, and further examination is needed to find and interpret the factors that apply to corporate social engineering.

References

  1. Honan, M. (2012). How Apple and Amazon security flaws led to my epic hacking. Wired.
  2. Gragg, D. (2003, Dec). A Multi-Level Defense Against Social Engineering. SANS Institute.
  3. Rusch, J. (n.d.). The 'Social Engineering' of Internet Fraud. US Department of Justice.
  4. Payne, J. (2011, Nov). Overcoming Information Overload in Decision Making. TED@AllianzGI Source.
  5. Krebs on Security. (2015, March 13). Spoofing the Boss Turns Thieves a Tidy Profit.
  6. Blizzard. (2015). Can't log in?
  7. Facebook. (2015). I can't log in.
  8. Beach, D. (2014, October 21). Keep your personal information safe online [Blog post]. Experian UK.
  9. Cowley, S. (2012, August 8). How a lying 'social engineer' hacked Wal-Mart. CNN.
  10. Faw, L. (2015, September 9). People Want Helpful Brands. MediaPost [Article].
  11. himmatsj. (2015, August 1). It is scary to know that to recover your account, Steam will ask you for your earliest product key you redeemed on Steam. Reddit [Forum post].
  12. Peilocik. (2004). Social Engineering: The Friendly Hacker. SANS Institute.
  13. Cohen, J., & Halsey, A. (2010, November 23). Poll: Nearly two-thirds of Americans support full-body scanners at airports. Washington Post [Article].
  14. Highway Loss Data Institute. (2013). General Statistics. Insurance Institute for Highway Safety.