You log in to Facebook, expecting to see pictures of your friends’ growing babies, cute things dogs are doing, and maybe a kindergarten picture of you that an old friend just found and posted. Instead, you see a post that says “Please don’t click on links in any e-mails from me, my account was hacked!” The word hack is thrown around left and right when it comes to privacy and security issues. Content is leaked, someone’s identity is stolen, and somehow all of your e-mail contacts receive an e-mail that you didn’t send, and potentially more. What many people don’t realize is that these incidents are frequently not the result of a hack at all, at least not in the technical sense.
Crime is about opportunity
Recent studies have shown that as many as 30% of home burglaries involve a window or door that was left unlocked. If you were planning to rob someone’s home, would you rather pick a lock or break a window, or simply walk in through the front door? The answer is pretty clear. Similarly, if we assume someone does intend to pick a lock, are they going to try the Medeco? Medeco is widely considered to make some of the most secure deadbolts in the world. While nothing is guaranteed, it just isn’t a good use of an intruder’s time to try to defeat a Medeco unless the occupant is a specifically chosen target.
This same concept carries over into the virtual world. The path of least resistance for someone who wants to steal your digital life or identity, or send spam to your friends, is not to break into Gmail’s servers by finding some technical weak point, but to phish the information or socially engineer it out of you. NOTE: While phishing can be categorized as a type of social engineering, I’ve split them up here to illustrate two concepts.
Let’s define both of those terms, talk about how the attacks are executed and, most importantly, how you can protect yourself.
Phishing
The act of defrauding an individual by posing as a legitimate organization.
This generally entails sending an e-mail with a forged “from” address and setting up a fake website that mimics the legitimate organization. Over the years, these have gotten better and more convincing. Here is an example: you receive an e-mail from Bank of America indicating that there is fraudulent activity on your account, and that they need you to log in to verify your account and release the hold. Right away, this is preying on the emotion of fear: no one wants to hear this, and everyone will be eager to clear it up. The e-mail probably looks exactly the way a real Bank of America e-mail would look. Kind of ironic, but the people trying to defraud you are using a fraud warning to scare you…
Anyway, the e-mail tells you to log in and provides a link. When you click it, you land on a web page which, just like the e-mail, looks exactly like Bank of America’s. You enter your credentials and log in, but nothing happens. The most sophisticated of these attacks may even redirect you to the real site right after capturing your username and password, so you never notice that anything was wrong. Let’s analyze the attack:
- A large list of e-mail addresses was probably aggregated from somewhere (purchased lists and earlier data breaches are common sources). Depending on how much effort was put in, many of the recipients may not even bank with Bank of America, but the sender knows that plenty of them will.
- Whoever sent this e-mail copied Bank of America’s CSS, HTML and images, which is how they made the e-mail and website look authentic. Copying a site’s appearance takes minutes and proves nothing about who is behind it.
- When you enter your credentials into the fake website, they go straight to the attacker. Whether or not the fake site uses HTTPS makes no difference here: the padlock only means the connection to whoever runs the site is encrypted, not that the site is who it claims to be. What matters is the address in the browser’s address bar, not how the page looks.
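The tell-tale sign in the attack above is that the message looks like the bank’s but its links lead somewhere else. The following Python script, added here as an illustration and not code from the original article, pulls every link out of an HTML e-mail body and flags the patterns described: a destination that is not the bank’s domain (including lookalike hosts that merely start with the bank’s name), link text that shows one address while the link goes to another, and a plain-http login link. The e-mail body and the hostnames in it are constructed for this example; `bankofamerica.com` is used as the trusted domain only because that is the bank in the scenario.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body for this example; it is not a real phishing message.
# The first link looks like Bank of America but points at a host that merely *starts
# with* the bank's name; the second link is a genuine bank address.
SAMPLE_HTML = """
<p>Dear customer, we detected suspicious activity on your account.</p>
<p>Please <a href="http://bankofamerica.com.account-verify.example/signin">log in at
https://www.bankofamerica.com</a> to release the hold.</p>
<p>Or read our <a href="https://www.bankofamerica.com/security-center/">security tips</a>.</p>
"""

TRUSTED_DOMAIN = "bankofamerica.com"  # the domain the e-mail claims to come from


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def belongs_to(host, trusted):
    """True if host is `trusted` or a real subdomain of it.
    'bankofamerica.com.evil.example' starts with the trusted name but fails this test."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def check_link(href, text, trusted=TRUSTED_DOMAIN):
    """Return a list of reasons to distrust the link (an empty list means nothing suspicious)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reasons = []
    if not belongs_to(host, trusted):
        reasons.append(f"destination {host!r} is not {trusted} or a subdomain of it")
        if trusted in host:
            reasons.append("trusted name embedded in an unrelated host (lookalike)")
    claimed = re.search(r"https?://([\w.-]+)", text)  # does the visible text name a URL?
    if claimed and claimed.group(1).lower() != host:
        reasons.append(f"visible text names {claimed.group(1)!r} but link goes to {host!r}")
    if parsed.scheme == "http":
        reasons.append("plain http; a bank login page would use https")
    return reasons


def analyze_email(html, trusted=TRUSTED_DOMAIN):
    """Map each href in the message to its list of red flags."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return {href: check_link(href, text, trusted) for href, text in extractor.links}


if __name__ == "__main__":
    for href, reasons in analyze_email(SAMPLE_HTML).items():
        print(("SUSPICIOUS" if reasons else "ok") + ": " + href)
        for reason in reasons:
            print("   -", reason)
```

The `belongs_to` check is the important one: a host is only trusted if the bank’s domain is at the end of the name, which is exactly what a human glancing at `bankofamerica.com.account-verify.example` tends to get wrong.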
Social Engineering
Psychological manipulation of people into performing actions or divulging confidential information. We are seeing more and more of this today. Let’s look at a few physical-world scenarios:
- Your grandmother receives a call from someone on a static-filled connection claiming to be her grandson or granddaughter. They don’t even have to know the name of this grandchild. They just start by saying “Grandma, it’s your favorite grandson!” in an enthused but mildly scared voice. Most people would respond with “Jimmy?” (assuming that is one of her grandsons’ names, of course), and grandma has just supplied the name herself. The caller convinces grandma that they are in some sort of sticky situation such as jail, an unusable car, cancelled flights, etc., and immediately asks if she can help with some cash because they are too nervous to ask their parents. This person is preying on fear, love and an extreme sense of urgency.
- Two people walk into a large retail establishment in maintenance outfits. They are aware of their surroundings and may spot pictures on the wall or business cards giving the names of managers. They walk up to the front desk and ask “Which managers are in today?” and the helpful person at the desk tells them. Now they can immediately say “OK, well I spoke to {insert manager’s name here} and heard there was an urgent issue with your {insert utility here}, and I was asked to rush right over. I didn’t have time to print the work order or anything.” This may sound like something no one would ever fall for, but the people perpetrating this are good at it. They will ultimately gain access to the facilities and are likely there to take expensive supplies or equipment.
Similar things happen in the virtual world. Attackers combine the free and vast amount of information available on an individual and use it against them. How easy would it be for someone to convince you that they went to school with you at one point, or crossed paths with you, based on pictures, life and job history, etc.? Most questions that are supposed to enhance the security of an account ask for things like your mother’s maiden name or your first elementary school, all of which are easy to find. The skill and “charm” of the attackers, combined with the amount of information they can find on you, lets them guess your password, or call your bank or an online retailer pretending to be you, and begin to infiltrate your digital life. There are thousands of variations of social engineering attacks, so what can you do to secure your virtual world?
Secure Your Virtual World
Strong Passwords
Start by using strong passwords. Yep, that means your first dog’s name is out. So is the street you grew up on and your child’s middle name; anything that can be found on your social media profile or guessed by someone who knows you is out. Length matters most: treat 8 characters as an absolute minimum rather than a target, and go considerably longer when you can. A mix of letters, numbers and symbols helps, but a long passphrase that you can remember as a sentence is usually both stronger and easier to remember than a short string of substitutions, as long as the phrase isn’t a famous quotation or song lyric. Both of these styles provide real protection against guessing.
Vary Your Passwords
Use a different password for each site. This one is huge! “Don’t put all of your eggs in one basket!” If someone gains access to one password, whether through a genuine technical breach of that site or through social engineering, every account that shares it is in jeopardy. Attackers routinely take the username and password pairs leaked from one breached site and try them on banks, e-mail providers and retailers; that only works when passwords are reused.
Password Manager
For the strongest practical protection, use a password manager, which generates a long random password for each site and fills it in for you. There are many options; some operate locally on your computer, others in the cloud. With a manager, the one password you still have to remember is the master password that unlocks it, so make that one long and unique. A manager that only fills in a password on the exact site it was saved for also won’t hand your Bank of America password to a lookalike site, which is a useful phishing check in itself.
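To make the “length matters most” advice above concrete, here is a short Python example, added for this article and not code from a password manager, that generates passwords the way a manager does (each character or word chosen with the operating system’s cryptographic random source, never the ordinary `random` module) and puts numbers on the three styles discussed: a guessable personal fact, an 8-character mixed password, and a long passphrase. The word list is a constructed 32-word stand-in so the script runs offline; the entropy figures for a full diceware list use its real size of 7776 words. The guessing rate of ten billion per second is an assumption for offline cracking of a fast, unsalted hash, chosen to show the scale rather than any particular hardware.

```python
import math
import secrets
import string

# Constructed 32-word list so the example runs offline. Real password managers and
# diceware lists use thousands of words; entropy_bits(7776, n) shows what a standard
# 7776-word diceware list gives for n words.
SAMPLE_WORDS = [
    "anchor", "basil", "comet", "dune", "ember", "fjord", "glade", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "ridge", "saddle", "thistle", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cinder", "driftwood", "echo", "fennel",
]
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def random_password(length=20, alphabet=SYMBOL_ALPHABET):
    """What a password manager does: pick every character with a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=5, wordlist=SAMPLE_WORDS, sep="-"):
    """Long but memorable: words chosen independently, so entropy is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Bits of entropy when `picks` items are chosen independently and uniformly from `choices`."""
    return picks * math.log2(choices)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try the entire space at an assumed rate; 1e10/s stands in for a GPU rig
    cracking a fast unsalted hash offline (an assumption, not a measured figure)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare():
    """(description, bits, years to exhaust) for the password styles discussed in the article."""
    styles = [
        ("pet name from ~10,000 common names", entropy_bits(10_000, 1)),
        ("8 characters, letters and digits", entropy_bits(62, 8)),
        ("12 characters, letters, digits, symbols", entropy_bits(94, 12)),
        ("5 diceware words (7776-word list)", entropy_bits(7776, 5)),
        ("20 characters, manager-generated", entropy_bits(94, 20)),
    ]
    return [(name, bits, years_to_exhaust(bits)) for name, bits in styles]


if __name__ == "__main__":
    print("generated password :", random_password())
    print("generated passphrase:", random_passphrase())
    for name, bits, years in compare():
        print(f"{name:42s} {bits:6.1f} bits  {years:12.3g} years")
```

The 8-character, letters-and-digits password is exhausted in well under a day at the assumed rate, while five words from a full diceware list carry more entropy than it does and are far easier to remember; the 20-character generated password is why a manager is worth the trouble.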
Have a Dose of Healthy Skepticism
Force yourself to practice “healthy skepticism”. That doesn’t mean accusing everyone of trying to defraud you, but it does mean stepping back, analyzing the situation, asking questions and being cautious. Resist the urge to react emotionally; urgency is the attacker’s main tool in every example above. If an e-mail from your bank says you must log in, don’t use its link: open the site from a bookmark or by typing the address, or call the number on the back of your card. What is the first thing you are supposed to do in a fire? Don’t panic!
Here is a great example of that:
We had an account with a vendor and the person whose name was on the account is no longer with us. When someone else asked that vendor to reset the password because the original person was no longer with us, that vendor politely insisted on calling our HR department to verify. This is great, and more companies should do this.
Two-Factor Authentication
Use two-factor authentication where available. This is an excellent security feature that many banks, e-mail providers, etc. have implemented. There are three categories of things you can authenticate with:
- Something you know – like a password.
- Something you have – like a cell phone.
- Something you are – like your fingerprint or a retina scan.
Two-factor authentication requires, as you guessed, two of these, from two different categories. Most commonly on the internet today, that means the first two: after your password, the service asks for a code that is only good for a short period of time, received by text message or generated by an app on your phone, and you enter that code into the website. Codes generated by an app are preferable to text messages, since a text can be redirected by someone who convinces your carrier to move your number to their phone.
Don’t worry, you only do this the first time you log on with a new device (unless you clear your browser cookies). This is a minor inconvenience, but it means that, for the most part, someone who has your password still can’t get into your account. It is not a complete cure for the phishing scenario above, though: a fake login page that asks for the code right after the password can pass it along to the real site within the few seconds it is valid, so the healthy skepticism still applies. One caveat is that if you lose your device, you may have trouble getting into your account. To help with this, many services offer printable backup codes or a backup person, such as a spouse, who can validate that you are who you say you are. If you use printable backup codes, don’t leave them taped to your wall! Put them somewhere safe!
At MCFTech, we take security very seriously. We have a comprehensive security and confidentiality policy and training routine which covers many of these topics and more. For more details on how we protect our client data, please contact us.