So, having covered the ‘Human’ side of Social Engineering, let’s take a look at the electronic methods.
The first type, and I guess the most obvious... or is it? Phishing/fake emails.
If you’ve had an email account for more than five minutes, chances are you have had emails such as: share in the estate of someone who has just died, a tax rebate, messages from your bank, and the like.
If in doubt, always go direct to the company’s or government’s website and not via the ‘click here’ in the email, i.e. in the web browser of your choice type http://www.hmrc.gov.uk yourself to get to HM Revenue & Customs. The real HMRC site has some examples of phishing emails. Most banks will NOT send emails asking you to log in or confirm details, and most have a fraud reporting page on their website where you can report phishing.
Next, there are those too-good-to-be-true pop-ups....
You’ve no doubt seen these: ‘Congratulations... you’re the n’th visitor to the site and have won ........ Click here to claim your prize’, or the ‘Warning ...... found on your computer’ type. Now call me a cynic, but just how dumb are these guys? It takes only a couple of lines of code to check the visitor’s operating system, yet the pop-up warns of some xxxx virus/malware .exe file when the computer I’m using isn’t running Windows at all but Linux, OS X or whatever else. D’oh.
Fake websites are normally at the end of the ‘click here’ in the phishing emails, and the object of the exercise is to get your personal information and/or get you to download malicious programs such as spyware, Trojans or key-loggers. The link text and the link target are two different things: the email can show one address while sending you to another, so check where the link actually goes before trusting it.
It’s disappointing that even the legitimate sites of many companies have poor security, with only a single factor employed and labelled “strong authentication”. Even then, strong passwords are not allowed by some: passwords may be case insensitive, or special characters such as $ % & , . may not be permitted at all.
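The point about fake websites hiding behind a ‘click here’ is easy to check mechanically. The following is an added example (not code from this blog): it pulls every link out of an HTML email body and flags the tricks phishing emails rely on, i.e. visible text showing one domain while the href goes to another, a decoy ‘user@’ before the real host, a raw IP address, and a brand name sitting inside an unrelated domain. The sample email, the TRUSTED_HOSTS and BRANDS lists and the simplified registered_domain() helper are assumptions constructed for the example; a real tool would use the Public Suffix List.

```python
"""Flag suspicious links in an HTML email body (standard library only)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Assumption: hosts the reader legitimately expects to be sent to, and brand
# names that phishers like to embed in lookalike domains.
TRUSTED_HOSTS = {"www.hmrc.gov.uk", "hmrc.gov.uk", "www.paypal.com", "paypal.com"}
BRANDS = ("hmrc", "paypal", "barclays", "lloyds")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude approximation of the registrable domain (assumption: handles
    two-label TLDs such as gov.uk / co.uk; real code uses the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "gov", "org", "ac", "net"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_link(href, text):
    """Return a list of reasons this link looks like a phishing link (empty if none)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return reasons  # mailto:, relative links etc. are out of scope here

    # http://www.bank.example@evil.example/ - everything before '@' is a decoy
    if "@" in parts.netloc:
        reasons.append("userinfo in URL (text before '@' is a decoy, real host is %r)" % host)

    # A bare IP address is almost never a legitimate login page
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass

    # Visible text that looks like a URL or domain but points somewhere else
    shown = text.lower()
    if "." in shown and " " not in shown:
        shown_host = urlsplit(shown if "://" in shown else "//" + shown).hostname or ""
        if shown_host and registered_domain(shown_host) != registered_domain(host):
            reasons.append("displays %r but goes to %r" % (shown_host, host))

    # Brand name inside a domain that is not the brand's own
    if host not in TRUSTED_HOSTS:
        for brand in BRANDS:
            if brand in host:
                reasons.append("brand %r in untrusted host %r" % (brand, host))
                break
    return reasons


def suspicious_links(html):
    """All links in the email that trip at least one check: [(href, text, reasons), ...]."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample email for the example (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, you are due a tax rebate of &pound;312.</p>
<p><a href="http://hmrc-refund-portal.example/claim">Click here</a> to claim.</p>
<p>Or visit <a href="http://www.hmrc.gov.uk@203.0.113.7/claim">www.hmrc.gov.uk</a></p>
<p>Questions? See <a href="https://www.hmrc.gov.uk">www.hmrc.gov.uk</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href, "|", text)
        for reason in reasons:
            print("   -", reason)
```

Only the genuine HMRC link passes; the other two are reported, the second one for three separate reasons. The same checks apply to links in SMS messages once you have the bare URL.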
Asking several challenge questions, or for characters from a second password, is often presented as strong authentication, but it is still a single factor: everything requested is something you know. For example my bank asks for a user id and password and then on the next screen three random characters from a second password or pass phrase. Multi-factor authentication requires the use of two or more of the three authentication factors, as identified in the standards and regulations for access to U.S. Federal Government systems. These factors are:
- Something only the user knows (e.g., password, PIN, pattern);
- Something only the user has (e.g., ATM card, smart card, mobile phone); and
- Something only the user is (e.g., biometric characteristic, such as a fingerprint).
Google and PayPal offer multi-factor authentication (Google will SMS text you a temporary code, and PayPal offers a Security Key, a key fob which auto-generates a 6-digit code), yet Lloyds, TSB and Barclays, to name a few UK banks, do not! If they deployed multi-factor authentication it would reduce the chance of these fraudulent sites gathering enough information to access your account: a key fob code is only valid for a short window (typically 30 seconds) before a new one is generated, so a code captured today is worthless tomorrow. The caveat is that a phishing site which relays your details to the real bank in real time can still use the code within that window, so it raises the bar rather than removing the risk altogether.
As crime and hacking ‘keep up with the times’, there are now also fake/phishing SMS text messages (‘smishing’) designed to get information from you and/or your mobile phone. Given that the computing power of the average smart phone now exceeds that of the PC of some 5 to 10 years ago, yet it holds more personal information than the average PC, this is not surprising.
Most people with a smart phone store at the very least all their contact details and diary. Some people store user ids, passwords and the like on their phones. In addition, most smartphones have a Global Positioning System (GPS) receiver built in, which allows apps, and anyone who gets control of the phone, to track your movements. I must admit, whilst I have been a supporter of the smart phone from the early examples running Symbian onwards, I used to always just take a basic Ericsson R290 GSM/satellite phone on holidays. When biking it was always a ‘comfort’ to know I could reach help as long as I had either a GSM signal or line of sight to the sky for satellite coverage, but these days some countries have banned their use, as they are ‘worried’ about terrorist use! It was so useful for emergency use in the middle of nowhere, when stuck without a mobile signal and broken down or injured.
Then there are the Instant chat/messenger scams.
These tend to target the young, and are less about hacking and social engineering and more about ‘other’ things far less savoury.
I talked to someone from Kent Police the other week about computer fraud/phishing etc., and was told the whole department covering Kent was under half a dozen people!
However, there is a national service for reporting on-line fraud and phishing scams, the Action Fraud website, as well as the ‘Safe from Scams’ website, which I would recommend looking at as well.