Biz Vision: Social Engineering Prevention

Social engineering is the act of manipulating people into performing actions or divulging confidential information. It is usually committed using technology.

Unlike hacking, which only uses technology to seek the weak points in a system, social engineering uses both technology and people. The belief is that people are the weak points in a system. And in many cases, that assertion is correct.

Two common examples of social engineering are phishing (the use of fraudulent emails or websites to acquire private information such as passwords or credit card details) and the Facebook Western Union scam (where someone chats you via Facebook saying they are in London and asks you to wire them some money).

Last year, Thomas Ryan, co-founder of Provide Security, was able to get a fair bit of sensitive information from information security, military and intelligence personnel using a fake profile of an attractive & flirty young woman named Robin Sage. Although a few people realized her profiles (on Facebook, LinkedIn and Twitter) were fake, there was no central place for them to warn others.

More recently, the hacker group Anonymous made headlines by breaking into the HBGary Federal website and (now former) CEO Aaron Barr’s email account. They did this using a combination of social engineering and hacking. Despite HBGary’s high profile in the security industry, they were undermined by fairly basic psychological and technical exploits. If a professional security firm had such leaks, imagine how many security vulnerabilities exist with the average Internet user.

In this age of social media, I can only imagine this kind of social engineering occurring more and more frequently. Anyone armed with Robert Cialdini’s book Influence, an Internet connection, a little ingenuity, a lot of time, and an insidious motive could craft a social media scam nowadays. People are falling for them all the time.

This tells me the need for social engineering prevention is going to emerge and grow. How such prevention will take place, I don’t know. Here are some preliminary ideas:

  • Formal classes held at schools and education centers
  • A central website (Snopes for social media, perhaps?)
  • A new breed of social media security consultants
  • Social media security software that verifies websites & people to you

The last option could be turned into a viable business too (wink wink), if implemented reliably. That’s perhaps easier written than done though.

There’s no question that social media is becoming more pervasive. In such an open society, there will certainly be people who will try to take advantage of others. And hopefully, there will be organizations (for- and not-for-profit) that will protect the people from such predators.

Photo by: Ben Fredericson

Biz Vision: Phone Numbers are Archaic

I’m surprised more people haven’t seen the insight in Nikhyl Singhal’s post. Back in August of 2010, he wrote the controversial post “Phone Numbers Are Dead, They Just Don’t Know It Yet” on TechCrunch. I say “controversial” because most of the commenters attacked his article. Not that TechCrunch’s comments are really that intelligent; sometimes far from it. The overwhelming criticism was still startling though.

In his article, Singhal asserts that phone numbers will go away because of these facts:

  1. No control. Anyone can dial your 10 digits, including your ex-girlfriend, a political campaign worker, or a solicitor. Unlisted numbers, Caller ID and do-not-call lists all tried to solve this problem, but these solutions still don’t prevent unwanted calls.
  2. Phone numbers are tied to a device, not to you. Everyone has multiple numbers, yet your home line is shared, leaving callers guessing the best way to reach you.
  3. User experience is very limited. The phone was designed as a utility—dial a number, have a conversation. It’s remained this way since its inception. It’s not optimized for other experiences, which is why voicemail and conference calls are tedious, and why checking flight status is worse than a root canal.

He sees them being replaced with social networks such as Facebook. “If given a choice between Ma Bell and Zuckerbell as our operator, we should choose Zuck,” he writes.

Perhaps he came across too “sensationalistic” as one commenter criticized. Though I agree with Singhal’s prediction, I would frame it differently. Here is the core reason why I believe phone numbers will lose their utility:

Phone numbers are a poor unique identifier

This seemingly random string of numbers is meant to represent you – or specifically, one of your devices, as Singhal points out. It is a holdover from the telecommunications industry and is a viable solution if you:

  1. only need to call a handful of people often
  2. those people don’t change their numbers often

The cognitive load of a handful of numbers is adequate for some people. However, many people need to be in contact with a wider number of people. And many change their numbers several times in their lifetime.

If you’ve ever kept a manual phonebook, you’ll know what I’m talking about. Ever try calling an old friend, only to discover their number has been disconnected? That’s what I mean.

I don’t know if Facebook is the appropriate solution, but conceptually, there is a definite need for a way to uniquely identify a person, so he/she can be contacted by friends easily. What are some other ways to uniquely identify a person?

Unique identifier alternatives

There are quite a few ways to uniquely identify a person:

  • Real name
  • Username
  • Email address
  • OpenID
  • Social security number
  • Driver’s license
  • Passport
  • License plate number
  • Fingerprints
  • DNA

Real name

A name is the simplest real-world identifier. That’s how you identify your friends & family in a crowded room. There’s more here too, which I’ll get to after I go over the others.

Username & email address

Usernames & email addresses are both common on the Internet. They are used on social media sites, community forums, instant messengers, etc. They are not a great solution, however, because they have limited namespaces.

For instance, there can only be one person who uses the username “mikelee.” This leads to usernames like “mikelee13” and “mikelee2010.” The meaningfulness of “mikelee12345” is small. Did you mean to contact “mikelee12345” or “mikelee12346?” Same goes for email addresses too.

And, for phone numbers as well. New area codes are created all the time to address the growing population, but conceivably, we will run out of available numbers one day. That’s a huge, obvious problem, if you ask me.

Usernames & email addresses have the benefit of nearly unlimited lengths, while phone numbers are limited. That’s a slight advantage with the former two, but because it’s easier to remember shorter identifiers, namespace conflicts still exist. Long identifiers aren’t just more difficult to remember, they are more difficult to display too. Imagine trying to display “mikelee-from-newyork-now-in-sanfrancisco” on your communications device. Jeepers.

OpenID

OpenID is a technical protocol that is used in user authentication. It’s more for an individual to log into a website, than for you to contact and connect with that individual. So it wouldn’t help in this context.

Social security number

This number is a little too important to be used casually. As a government-issued unique identifier, it can lead to identity fraud if used maliciously.

It’s arguably a poor unique identifier as well. I would love to see the government use a different one. But there are few viable alternatives for them. Facebook sure wouldn’t work. Maybe something biological? I don’t know. That’s a tougher problem to solve.

Driver’s license & passport

Being physical items, it would be difficult to use these in a communications context. Their numbers – which are really alphanumeric – are more portable than the physical items themselves. Being of a limited length, these numbers suffer from namespace issues as well, though the use of alphabetic characters extends them a bit.

But who’s realistically going to memorize or write down their friends’ driver’s license and/or passport numbers? They aren’t even as good as usernames and email addresses. People can select their own usernames & email addresses; driver’s license & passport numbers are issued seemingly at random.

License plate number

I included this one just to highlight its absurdity. A license plate number is a unique identifier for a vehicle, not a person. It’s about as helpful as a phone number, which is really a unique identifier for a mobile device, not a person. The only difference is portability; it’s easier to bring a mobile device with you than, well, a vehicle.

Fingerprints & DNA

There are a whole host of biometric unique identifiers, from physiological (fingerprints, DNA, retinal patterns) to behavioral (voice, gait, typing rhythm). Sure, these can uniquely identify a friend, but how would you realistically use a friend’s retinal pattern to send them a message? Keep a copy of your friend’s eyeball on your keychain? Gross.

Ideal unique identification traits

Obviously, most of the unique identifiers listed above wouldn’t work in a communication context. What would work? The perfect identifier would be:

  • Unique
  • Meaningful
  • Scalable
  • Portable

It’s got to be unique, of course.

It should also be meaningful. “mikelee12345” isn’t terribly meaningful, but it’s possible to achieve some kind of meaning in such an alphanumeric string. “mikelee-from-newyork” perhaps? Long and unwieldy, but more meaningful.

It should be scalable. Limited-length strings have a, you know, limit. The only way to scale those is to increase the limit – which has its pitfalls (the constraints of limits, I mean). Think Y2K. Someday, we’ll have a Y10K problem.

It should be portable. Some unique identifiers, like physical items and biometrics, aren’t portable. That’s why alphanumeric strings have been used in the past. It’s easy to store such an identifier in a communications device.

With these limitations, it’s easy to see why phone numbers and usernames have been in use. But is there a better way?

Contextual real-world unique identification

I briefly touched on how real names are the simplest real-world identifier. In a crowded room, you can use a person’s first name to identify him/her. For a common name like “Mike,” a last name is necessary. And for a common name like “Mike Lee,” you need to add an extra layer of context, because by themselves, real names aren’t unique enough.

What is a useful layer of context? There are several kinds. You can say, “Mike Lee from New York,” “Mike Lee, who used to work at Yahoo,” or “Mike Lee, that hairy Chinese American guy.” Current location and hometown are common contextual items. Vocation and employment is another, especially in the US. A physical or personality-based description is another.

Some social networks realize this. LinkedIn uses a real name, photo, current employment, and a self-chosen tagline. Facebook uses a real name, photo and a network. On a mobile device, both default to the simplest pair: a real name & a photo.

That, to me, is the key. A real name & a photo. The real name is a natural identifier, and the photo adds context. Together, these are unique, meaningful, scalable (a photo is a rich visual representation with a nearly infinite set of pixel combinations), and portable (a photo image file is also small enough to be stored on a mobile device).

Phone numbers vs real names & photos

I consider myself a humanistic technologist. I believe that technology should be centered around the interests, needs, and behavior of human beings. Technology is a tool and shouldn’t be a hindrance, as it often is.

This is what Singhal was trying to convey. Phone numbers surface technical constraints. They are an unnatural way to reach your friends. We’ve put up with it because realistic alternatives haven’t existed. The advent of social networks and mobile devices may finally be offering a viable solution.

Within the code of a LinkedIn or Facebook account, each individual is represented by a numeric (or perhaps alphanumeric) unique identifier. And that’s okay. That’s how programming languages can most efficiently handle a unique entity. But the presentation of that information should not reflect technology’s constraints. It should reflect your actual mental model of that individual. Such as a real name & a photo.

Biz Vision: Mobile Will Have Social 4D Awareness

Raise your hand if you carry your mobile phone with you everywhere you go.

Wow, look at all those hands. Not a big surprise though. On a planet with 6.8B people, it is estimated that there will be 5B mobile phone subscriptions by the end of 2010. That’s more than 70% of the world’s population.

Most even carry their phones everywhere they go. It’s not just a virtual connection to friends & family, but an entertainment center and lifesaving device. I’ll bet most people even find it hard to imagine a time before mobile phones.

Essentially, mobile phones have become anytime, anywhere devices.

And not just a simple mobile phone. A smartphone. As computing power increases and technology costs decrease, smartphones will become commodities. Someday soon, everyone will have one. That means everyone will be carrying a lot of computing power in their pockets.

Sure, there will be hardware advances such as finger recognition, improved resolutions, brain wave controls, etc. But the basic features of smartphones, the features that make a smartphone what it is today (mobile operating system, keyboard, ability to install third-party apps) will be commoditized and ubiquitous.

What will this mean? Lots of things, though there’s one I want to focus on today:

Social 4D Awareness

Mobile devices will offer a social 4D view of a person.

With a mobile device, we already know:

  • Where they are in 3D space (latitude, longitude, and altitude)
  • When they were there in time

With mobile software, we also know:

  • Who they communicate with in their social network
  • How they are connected to each person in their social network
  • How frequently they interact with each connection

Knowing a person’s latitude, longitude and altitude gives us a 3D view of their location. Adding time to this equation gives us a 4D view of their travels. We can tell where a person is and has been, much as Google Latitude’s Location History (GOOG) currently offers.

Every person has several stores of social graphs: their email’s address book, their mobile phone’s address book, their social networks, and their connections on other social media sites. The one device that could harness all of those stores is a mobile device, especially a smartphone that offers email and third-party app capabilities.

This has many applications:

Velocity

If we watch a person’s location over time, we can determine that person’s velocity. Plot that movement against a street and public transit map and it will be possible to determine the mode of transportation, be it on foot or by car, bus, train, or boat. It wouldn’t make sense to get a notification of a nearby sale if you’re on a train, right?

History

A history of visited locations can offer a detailed view of your preferences and behaviors. Also, how long you’ve been at someplace is just as, if not more important than where you’ve been. Will you be dining at your favorite restaurant? Or just picking up some take-out? Were you at an event (assuming we can get event data), or just using the bathroom at a convention center? An always-on location tracking service doesn’t have the benefit of a conscious check-in, so determining a location’s relevance may be a factor of time.
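The Velocity and History sections above both reduce to arithmetic over a time-ordered list of location fixes. The following is an added worked example, not code from the original post or from any product it mentions: it takes a constructed series of timestamped GPS fixes, computes the speed between consecutive fixes with the haversine formula, maps speed to a transport mode with illustrative bands (a crude stand-in for the map matching the post describes), and then finds dwell periods, i.e. how long the person stayed within a small radius of one spot, which is the "how long you've been at someplace" signal the History section calls out. The sample coordinates, the band thresholds, the 50 m radius and the 10 minute minimum are all assumptions chosen for the example.

```python
"""Added example: speed/mode inference and dwell time from timestamped fixes.
All sample data and thresholds below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


@dataclass(frozen=True)
class Fix:
    when: datetime
    lat: float
    lon: float


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


def speed_kmh(a: Fix, b: Fix) -> float:
    """Average speed between two fixes; fixes must be strictly time-ordered."""
    seconds = (b.when - a.when).total_seconds()
    if seconds <= 0:
        raise ValueError("fixes must be in strictly increasing time order")
    return haversine_m(a, b) / seconds * 3.6


# Assumed speed bands (km/h, upper bound exclusive). Real systems would
# match the track against a street/transit map instead of speed alone.
MODE_BANDS = [
    (1.0, "stationary"),
    (7.0, "walking"),
    (30.0, "cycling"),
    (130.0, "road vehicle"),
    (float("inf"), "rail"),
]


def classify_mode(kmh: float) -> str:
    for limit, label in MODE_BANDS:
        if kmh < limit:
            return label
    return "unknown"


def segment_modes(fixes):
    """(speed, mode) for each consecutive pair of fixes."""
    out = []
    for a, b in zip(fixes, fixes[1:]):
        kmh = speed_kmh(a, b)
        out.append((kmh, classify_mode(kmh)))
    return out


def dwell_periods(fixes, radius_m=50.0, min_minutes=10.0):
    """Group consecutive fixes that stay within radius_m of the group's first
    fix; return (anchor_fix, minutes) for groups lasting >= min_minutes.
    Short stops (below min_minutes) are dropped: a quick pass through a
    place says far less about preference than a long stay does."""
    periods = []
    i = 0
    while i < len(fixes):
        anchor = fixes[i]
        j = i
        while j + 1 < len(fixes) and haversine_m(anchor, fixes[j + 1]) <= radius_m:
            j += 1
        minutes = (fixes[j].when - anchor.when).total_seconds() / 60
        if minutes >= min_minutes:
            periods.append((anchor, minutes))
        i = j + 1
    return periods


# Constructed sample: 45 minutes at one spot (three fixes a few metres
# apart), a 15 minute walk of ~1.1 km, then a fast rail leg.
SAMPLE_FIXES = [
    Fix(datetime(2010, 11, 20, 12, 0), 37.7749, -122.4194),
    Fix(datetime(2010, 11, 20, 12, 20), 37.7750, -122.4194),
    Fix(datetime(2010, 11, 20, 12, 45), 37.7749, -122.4195),
    Fix(datetime(2010, 11, 20, 13, 0), 37.7849, -122.4194),
    Fix(datetime(2010, 11, 20, 13, 15), 38.2849, -122.4194),
]

if __name__ == "__main__":
    for kmh, mode in segment_modes(SAMPLE_FIXES):
        print(f"{kmh:7.2f} km/h  {mode}")
    for anchor, minutes in dwell_periods(SAMPLE_FIXES):
        print(f"dwelt {minutes:.0f} min near ({anchor.lat}, {anchor.lon})")
```

Speed derived from only two fixes is noisy (GPS jitter alone can show a parked phone "walking"), so a production version would smooth over several fixes; the dwell grouping is the more robust of the two signals and is also the one that needs the most care under the Privacy section, since a list of long stays is a list of the places that matter to someone.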

True Social Network

A utility that is aware of who you email, call, text, and interact with on various social media sites – and how often – would have a very accurate model of your true social network. Couple that with who you interact with offline, judging by who is in your same location for some length of time, and the accuracy improves significantly.

Proximity

There may be times when you want to run into friends and acquaintances, such as at a concert, during an industry conference, when you’re traveling, etc. A mobile device that is location-aware and socially-aware can offer this, as evident in the large number of services already doing this. The same could be done for a customer’s favorite locations or chains too, of course.

Personalization

People are too complex and nuanced for a one-size-fits-all model. Products that are customizable are generally preferred. However, not everyone will take the time or know how to customize a product. That’s where products with intelligent automatic personalization will win, provided they offer the ability to adjust, refine, and opt-out. Having a social 4D awareness of a person will equip a product with the intelligence for such features.

Suggestions

Having this depth of knowledge means preferences can be inferred. If you travel to a new city that has your favorite restaurant, we can suggest it to you. Or if friends with similar tastes have frequented a restaurant in that new city, we can suggest that too. Same goes for movies, hotels, products, etc. In addition to external suggestions, internal suggestions of features within a product or service can also be made.

Predictions

This depth of knowledge doesn’t only offer preference inferences, but behavioral predictions as well. If you tend to attend sci-fi movie premieres, we can offer a range of related activities based on that predictive inference, such as upcoming sci-fi movies, nearby restaurants, nearby friends with similar interests, etc. Or a nearby landmark that was used in the movie, if you’ve visited landmark sights in the past.

Privacy

As you can imagine, any device or business entity holding this much intimate data about a person raises serious privacy concerns. Can you trust that entity to treat this data with respect? Will they offer reliable ways to opt-out and erase this data if you so choose?

Although some companies have mismanaged their privacy controls, I believe there is tremendous value to be had with predictive features. This assumes we handle your data with respect, offer total transparency, maintain crystal-clear communications, provide opt-out and deletion controls, and follow the Bill of Privacy Rights for Social Network Users.

P.S. The scientific side of me knows the label 4D isn’t entirely accurate because time isn’t considered the 4th dimension anymore. The marketing side of me realizes that most people don’t know this and still consider the 4th dimension as time, however. So for ease of understanding, I opted for the older definition of 4D.