A case study in social engineering
With the recent hacking of Mark Zuckerberg’s Twitter and Pinterest accounts bringing cyber security back to the top of the news, I thought I would look back to my information security days for this blog.
One of the more often overlooked parts of hacking is social engineering, which is basically tricking people into divulging information or giving access to information that they shouldn’t.
Social engineering can be used on its own or can be one step in a much larger cyber-attack. Below is an example of how someone could use social engineering for nefarious purposes.
Emptying your bank account
Whether through luck or by design, I’ve got your bank information. This includes your account number and bank identification number and I’m going to empty your bank account.
To do this, I’m going to need to be able to answer your security questions but how am I going to find out that information? Easy.
- Look at your Facebook account. It’s amazing the amount of information you can get from here, even if it is locked down. Things like publicly available pictures can hint at locations, as can public groups you’re a member of. If you haven’t locked your profile down I can find out basically everything about you, including your pet names, date of birth and maybe, if I’m lucky, your mother’s maiden name. Those stupid quizzes that go the rounds are particularly useful for data mining.
- Look at your LinkedIn account. From here I can verify that the person I’ve identified through other means is you. Using your employment history I can narrow down my searches on other sites as well. If getting your information through other means proves difficult I can use the information gathered here to contact you directly and engineer the information I need out of you.
- com. Luckily this isn’t available in New Zealand, but it is a social engineer’s dream. From this one site I can get access to electoral roll information, which can let me trace you back to your childhood, giving me the means to identify your mum’s maiden name.
What do I do with it?
Now I’ve got a heap of useful information on you, how am I going to use it to empty your bank account?
I’m going to start with telephone banking.
Because I have your name, address, account number and a list of personal details, I’m going to impersonate you on the phone and change the address on the account – most likely to a P.O. Box number. I’ll then request a new debit or credit card to be mailed to the new address.
Once the new card has been received I will make a couple of small test purchases, likely less than $10 a go, to make sure that the card is active and there are no problems. Once that has been done I will transfer a chunk of money from your account to a PayPal or other untraceable account, or to Bitcoin, and disappear.
So how can you make life more difficult for me?
- Lock down your online life. If you can opt out of having your electoral roll information made public, do so.
- Be careful with your papers. I personally cross-shred everything with anything remotely identifying on it. This includes delivery notes, airline tickets and junk mail as well as the usual stuff like bank statements, bills, etc.
- If you are asked to provide something like your mother’s maiden name for security questions, make something up. The institution asking for the information has no way of knowing the truth. Just make sure you can remember it.
- Regularly check your bank statements and query any rogue transactions; you’ll be surprised at how many people don’t do this regularly.
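The last point is the one a bank or a careful customer can automate. The fraud sequence described above has a recognisable shape in an account’s own event history: an address change, a replacement card requested shortly afterwards, a couple of sub-$10 test purchases on the new card, then a large transfer out. The following is an added example, not code from the original post, of a simple rule that walks an account timeline and raises an alert when all four stages appear in order inside a window. The event format, the sample timelines and the thresholds (30-day window, $10 test-purchase ceiling, $1,000 transfer threshold) are assumptions chosen for illustration; a real system would derive the transfer threshold from the customer’s normal behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample timeline (not real data) following the pattern in the post:
# address change, replacement card, small test purchases, then a large transfer.
SUSPICIOUS_TIMELINE = [
    ("2016-06-01T09:12:00", "address_change", 0.00, "phone_banking"),
    ("2016-06-01T09:20:00", "card_request", 0.00, "phone_banking"),
    ("2016-06-09T14:02:00", "purchase", 3.50, "card_present"),
    ("2016-06-09T14:10:00", "purchase", 7.99, "card_present"),
    ("2016-06-10T08:30:00", "transfer", 4200.00, "online"),
]

# Constructed benign timeline: the customer moved house and replaced a worn card,
# then spent normally. No large transfer follows, so no alert should fire.
BENIGN_TIMELINE = [
    ("2016-06-01T09:12:00", "address_change", 0.00, "branch"),
    ("2016-06-03T11:00:00", "card_request", 0.00, "branch"),
    ("2016-06-12T18:45:00", "purchase", 64.20, "card_present"),
    ("2016-06-13T08:05:00", "purchase", 4.10, "card_present"),
    ("2016-06-20T12:00:00", "transfer", 150.00, "online"),
]


@dataclass
class Event:
    ts: datetime
    kind: str      # address_change | card_request | purchase | transfer
    amount: float  # 0.0 for non-monetary events
    channel: str   # hypothetical field: where the request came from


def parse_events(rows):
    """Turn (timestamp, kind, amount, channel) tuples into Event objects, oldest first."""
    events = [Event(datetime.fromisoformat(ts), kind, float(amount), channel)
              for ts, kind, amount, channel in rows]
    return sorted(events, key=lambda e: e.ts)


def detect_takeover_pattern(events, window_days=30, test_purchase_max=10.0,
                            min_test_purchases=2, transfer_threshold=1000.0):
    """Return one alert dict per address change that is followed, within the
    window, by a card request, at least `min_test_purchases` purchases under
    `test_purchase_max`, and a transfer of at least `transfer_threshold`.
    The thresholds are illustrative assumptions, not bank policy."""
    alerts = []
    for i, anchor in enumerate(events):
        if anchor.kind != "address_change":
            continue
        deadline = anchor.ts + timedelta(days=window_days)
        later = [e for e in events[i + 1:] if e.ts <= deadline]

        # Stage 2: a replacement card requested after the address change.
        card = next((e for e in later if e.kind == "card_request"), None)
        if card is None:
            continue
        after_card = [e for e in later if e.ts > card.ts]

        # Stage 3: small "is the card live?" purchases on the new card.
        tests = [e for e in after_card
                 if e.kind == "purchase" and e.amount < test_purchase_max]
        # Stage 4: a large outbound transfer after the tests.
        if len(tests) < min_test_purchases:
            continue
        last_test = max(e.ts for e in tests[:min_test_purchases])
        big = [e for e in after_card
               if e.kind == "transfer" and e.amount >= transfer_threshold
               and e.ts > last_test]
        if big:
            alerts.append({
                "address_change": anchor.ts.isoformat(),
                "card_request": card.ts.isoformat(),
                "test_purchases": [e.amount for e in tests],
                "transfer_amount": big[0].amount,
                "transfer_at": big[0].ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for name, rows in (("suspicious", SUSPICIOUS_TIMELINE), ("benign", BENIGN_TIMELINE)):
        found = detect_takeover_pattern(parse_events(rows))
        print(f"{name}: {len(found)} alert(s)")
        for alert in found:
            print("  ", alert)
```

The rule deliberately requires all four stages in sequence: an address change on its own, or a new card followed by ordinary spending, is normal customer behaviour and should not page anyone. Ordering matters too; the large transfer only counts if it comes after the test purchases, which is the order the post describes.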
I hope this has given you some food for thought.