Social engineering is the act of manipulating people into performing actions or divulging confidential information. It is usually committed using technology.
Unlike hacking, which uses only technology to seek out the weak points in a system, social engineering targets both technology and people. The premise is that people are the weak points in a system, and in many cases that assertion is correct.
Two common examples of social engineering are phishing (the use of fraudulent emails or websites to acquire private information such as passwords or credit card details) and the Facebook Western Union scam (where someone chats you via Facebook saying they are in London and asks you to wire them some money).
Last year, Thomas Ryan, co-founder of Provide Security, was able to get a fair bit of sensitive information from information security, military and intelligence personnel using a fake profile of an attractive & flirty young woman named Robin Sage. Although a few people realized her profiles (on Facebook, LinkedIn and Twitter) were fake, there was no central place for them to warn others.
More recently, the hacker group Anonymous made headlines by breaking into the HBGary Federal website and (now former) CEO Aaron Barr’s email account. They did this using a combination of social engineering and hacking. Despite HBGary’s high profile in the security industry, they were undermined by fairly basic psychological and technical exploits. If a professional security firm had such leaks, imagine how many security vulnerabilities exist with the average Internet user.
In this age of social media, I can only imagine this kind of social engineering occurring more and more frequently. Anyone armed with Robert Cialdini’s book Influence, an Internet connection, a little ingenuity, a lot of time, and an insidious motive could craft a social media scam nowadays. People are falling for them all the time.
This tells me that the need for social engineering prevention is going to emerge and grow. How such prevention will take place, I don't know. Here are some preliminary ideas:
- Formal classes held at schools and education centers
- A central website (Snopes for social media, perhaps?)
- A new breed of social media security consultants
- Social media security software that verifies websites & people to you
The last option could be turned into a viable business too (wink wink), if implemented reliably. That's perhaps easier written than done, though.
There’s no question that social media is becoming more pervasive. In such an open society, there will certainly be people who will try to take advantage of others. And hopefully, there will be organizations (for- and not-for-profit) that will protect the people from such predators.
Photo by: Ben Fredericson