My passwords are strong, but if hackers can convince tech support into thinking they’re me with a few easy-to-Google details, what can I really do to protect myself? Also, how can I avoid being unwittingly manipulated by these kinds of attacks?
Concerned About Cons
You’re right to feel uneasy about hacks that depend only on human vulnerabilities—so-called social engineering hacks. As we’ve seen recently from the Apple and Amazon exploits uncovered in Mat Honan’s hack, skilled hackers can easily bypass technical protections (like strong passwords) and get the information they want just by talking to a person. People are, by far, the weakest link in any security system’s chain.
That said, we can all beef up our security through education—knowing common types of social engineering attacks and following essential security precautions. Let’s review.
First, What Is Social Engineering?
Social engineering is the art of manipulating people into doing things, particularly security-related—such as giving away computer access or revealing confidential information. Rather than breaking into computer networks or systems, social engineers use psychological tricks on humans.
In many cases, these hackers use small pieces of information to gain trust or access so they can then carry out their cons fully. Here are a few examples:
- A hacker might call saying your credit card has been flagged for unusual activity and the bank needs to verify your information (credit card number, mother’s maiden name, etc.) before issuing a replacement. He or she will offer up the last four digits of your card and perhaps the date and amount of a recent transaction (things easily found in your trash) to gain your confidence and make this sound legit.
- Another classic con is when an attacker poses as someone in your company or a consultant (e.g., tech support—complete with fabricated ID card and clipboard) or another trusted outside authority such as an auditor. With a little confidence, anyone could just tailgate their way into any building.
- Hackers might even pose as your Facebook friends or other social media connections and then glean information from your profile or your posts.
- Phishing attacks and rogue websites that pretend to be trusted companies all also fall into this category of cons.
- And, as we’ve seen recently, hackers can get into accounts through lax company procedures which require only minimal bits of information (e.g., billing address and email) to identify users.
Social engineering, as you can see, relies on our gullibility and the limited amount of information we use to verify people’s identities. Photo by Jared and Corin
Before you say this is common sense and that you would never fall for such a trick, know that even tech-savvy people are vulnerable to sharing personal information. When the hacker appears to be in a position of authority or acting for the boss, it’s even harder to say no, as this Wal-Mart hack shows.
How to Avoid Being The Victim of a Social Engineering Hack
The most important thing you can do to prevent being socially engineered yourself is to embrace healthy skepticism and always be as vigilant as you can. Just being aware of common tricks puts you one step ahead of the game (but don’t get too cocky—remember, question everything).
Never give out any confidential information—or even seemingly non-confidential information about you or your company—whether it’s over the phone, online, or in-person, unless you can first verify the identity of the person asking and the need for that person to have that information. You get a call from your credit card company saying your card has been compromised? Say okay, you’ll call them back, and call the number on your credit card rather than speaking to whoever called you.
Always remember that real IT departments and your financial services will never ask for your password or other confidential information over the phone.
Also, make good use of your shredder and dispose of your digital data properly. As we saw recently, some (poor) security systems can be bypassed with just the info found on a pizza delivery receipt. Photo by Ben Brown
Corporations really need to train their employees to spot social engineering hacks and fix their systems to prevent easy hacking. For your own protection, it helps to know the basics of phishing attacks and how to protect against them. Social-Engineer.org is an excellent resource for learning how the “art of human hacking” is accomplished, and EnterpriseITPlanet’s AntiOnline forums have many more examples of social engineering attacks, as does CSO.
Minimize The Damage Done from Socially Engineered Attacks
You can protect yourself from phishers, scammers, and identity thieves, but there’s only so much you can do if a service you use is compromised or someone manages to convince a company they’re you. You can, however, take a couple of preventative measures yourself (some of which we mentioned previously after the recent Apple and Amazon exploits).
- Avoid having all your eggs in one basket (or the dreaded “single point of failure”): The more intertwined and dependent your accounts are the more widespread the damage a security breach can cause you—e.g., if you use your Gmail address for every service’s password recovery.
- Use different logins for each service and secure your passwords: In a similar vein, never use the same password more than once. And make sure your passwords are strong.
- Use two-factor authentication: This makes it harder for thieves to get into your account, even if your username and password are compromised
- Get creative with security questions: The additional security questions websites ask you to fill in are supposed to be another line of defense, but often these questions are easily guessed or discoverable (e.g., where you were born). You can shift the letters in your answer or use your own special coding system to make sure only you know those security answers.
- Use credit cards wisely: Credit cards are the safest way to pay online (better than debit cards or online payment systems like PayPal), because of their strong protections. If you use a debit card and a hacker gets access to the number, your entire bank account could be drained. You can further secure your credit card by not storing card numbers on websites or using disposable or virtual card numbers (offered by Citibank, Bank of America, and Discover).
- Frequently monitor your accounts and personal data: To be on the lookout for both identity theft and credit card fraud, check in with your account balances and credit score regularly. Several services offer free ID theft monitoring, credit monitoring, and questionable credit charges. You can even use Google Alerts as an identity theft watchdog.
- Remove your info from public information databases: Sites like Zabasearch and PeopleFinders publish our private information (like address and date of birth) online for all to see. Remove yourself from these lists with this resource.
- Regularly back up! No explanation necessary, right?
These steps won’t prevent your account from being compromised if a service provider falls for a social engineering hack and hands your account over to the attacker, but they may at least minimize the damage possible and also give you more peace of mind that you’re doing as much as you can to protect yourself.
P.S. Have anything to add? Post it below for all to see.
Have a question or suggestion for Ask Lifehacker? Send it to firstname.lastname@example.org.