There’s no denying that we humans make astoundingly good engineers. The internet, the International Space Station, the Burj Khalifa and the burgeoning field of quantum computing, are just a few examples of how we have solved problems in ways that were inconceivable to generations past. Yet for all our technological sophistication, when it comes to security we have a blind spot: we are social animals.
Bad actors know how to manipulate the social fabric of our interpersonal relationships to get what they want: information, access, insight. The kit-bags of these social engineers are filled with powerful and subtle tools. Act with authority, and those around you will assume you’re in charge. Confect a crisis, and people will try to help. Intimidation is a blunter tool, but no less effective— most of us will do just about anything to avoid conflict.
Some use the idea of transitive trust: Dan trusts Mohammed, Mohammed trusts Kate, so Dan may feel he can also trust Kate. But it’s bad news for Dan if Kate is compromised.
Transmission of trust is central to social networks. However, as we’ve seen, it can be a key vulnerability exploited in social engineering attacks. Recently, the eSafety Office dealt with an incident involving compromised social media accounts of some school children in Sydney. In addition to sharing intimate images, the friends were also sharing account passwords. At some point, passwords leaked beyond the circle of trust and some of the accounts were hijacked by one or more bad actors.
In this situation, these actors posed as trusted members of the group. Using that trust, and a sense of familiarity with the other members, they gained access to substantial quantities of embarrassing content. They threatened to expose the content publically if the friends did not offer up even more compromising content. While the social media service moved quickly to close the malicious accounts, nothing could be done to recover the images and videos that had been stolen.
Cultivating a healthy level of scepticism is the first line of defence against social engineering attacks. Regard unsolicited emails with suspicion, and familiarise yourself with the tactics typically employed by social engineers. If it smells fishy, it almost certainly is. Keep your passwords strong and private, and use two-factor authentication to secure your accounts. Make sure your mobile devices are protected using a PIN from the lock screen, and enable remote wiping to protect the integrity of your data if they are compromised.
Healthy scepticism and robust security habits can still be overridden by our innate social tendencies. In order to demonstrate absolute trust, we may be asked by a partner or friend to share our passwords or PINs. This can be a very bad idea. All of us—especially young people—need to understand that our passwords are ours—and ours alone.
Make sure you check out our companion blog with advice on this issue from a youth perspective.