Last week, we discussed defending yourself against attempts to gain information through social engineering. We particularly looked at two key issues. The first was the impact of growing narcissism in our culture. The second was our vulnerability to flattery.
Just after posting that article, I came across a similar article on Yahoo News. This article was entitled Hackers Don’t Need a Computer to Access Your Accounts–They Just Need Charm. This article refers to s The article provides some examples of how hackers may use social engineering to collect your personal information. They can later collect additional information or use what they already have to steal your identity.
Perhaps the most interesting part of the article was the attached YouTube video, which demonstrates a number of attack capabilities hackers have. The portion of the video I am particularly addressing is the part where Chris Hadnagy and his associate Jessica Clark use social engineering tactics to gain access to another person’s wireless phone account. Check out the video below.
If you watched the video, you experienced how quickly a professional social engineering hacker can access your personal and account information. In just a few minutes, Jessica was able to convince a customer service representative to grant her access to this person’s account and change his password. It was both impressive and scary.
Social Engineering and Economics
This hacker was taking advantage of a tension experienced by every online and telephone customer service representative. They walk a fine line between security and customer service. Think about it. What if the story Jessica told the customer service representative was true, and for security reasons the representative did not help her? Her husband might get angry and complain about the representative or change his wireless provider.
Social engineering hackers are relying on this tension and on the plausibility of their approach. The competition between wireless providers and the ease of changing providers contribute to the likelihood of success in these types of hacking attempts.
Social Engineering and Psychology
There is an additional dynamic at play in these types of attacks. This time it is not economic. It is psychological. Hackers are playing on a strong tendency that exists in the human psyche. What I am talking about is that most people want to feel good about themselves. This is one of the key concepts we discuss during my training programs on building rapport. Make someone feel good about themselves and they will like you. If they like you, they are more likely to be influenced by you.
Think about this tendency in the customer service representative context. Many, perhaps most, people who call them are not particularly polite. They want the customer service representative to do something for them. They want it done now. And, they are not happy they had to call the customer service line in the first place. This does not make most of these calls a particularly pleasant experience.
Notice when the hacker in the video called. She was nice. She was apologetic. And she was experiencing distress. But, unlike so many callers, she was not blaming the customer service representative for her problem. Most people would want to help out someone like this. The customer service representative is in a position where he or she can help this young mother in distress. When they do, they are a hero. They feel good about themselves. And why not? They did a good thing.
Unless…it was all a lie!
Guarding Against These Types of Social Engineering Hacks
There are ways where we can all guard against these tendencies. The economics-related issue is a matter of procedures and training. Security must be thoroughly integrated into policies and procedures. Further, customer service representatives must be trained and periodically retrained to follow security procedures while maintaining a professional posture with those calling for help. Customer service representatives should be exposed to social engineering tactics, so they are better able to identify them when they experience them. This is difficult. When in doubt, they should adhere to their professionalism and the security policies and procedures.
So, how do we resist the temptation to bend the rules for someone in distress? How do we stand firm on our security policies and procedures when we subconsciously want to have that good feeling that comes from helping others in distress?
The answer is the same as the one I gave last time. We work through the Thinking and Feeling steps of the Smart Talk model. Check out the blog post from last week for more information on how to do that.
If you or your organization would like to learn more about improving your communication skills, contact me for a consultation on training and coaching opportunities.
The first step in defending against social engineering hacks is to listen carefully. So I leave you, as always, with the advice: be swift to hear and slow to speak.
Photo by ukCWCS