
Know Your Enemy

Understand How People Dupe You Out of Your Passwords

By Ryan Groom, About.com

Catch Me If You Can

One of my favourite books is “Catch Me If You Can”. This true story deals with the life of Frank Abagnale, who is undoubtedly one of the most prolific social engineers of the last 40 years. Without giving the book away, Frank spent a large part of his youth manipulating people into giving him what he wanted most. He spent time impersonating airline pilots, doctors and even lawyers. Frank was arrested and incarcerated for his crimes (as that is really what they were, no matter how romantic the book makes them sound), but spent the remainder of his life devising plans to help thwart social engineering attempts against innocent people like you and me.

Why is Frank Abagnale important? He exposed that people can be easily duped into providing information they ordinarily would not provide. Take a look at your corporate policy concerning passwords. It probably states that no one, under any circumstances, should give out passwords, for any reason. That is fine on paper, but the reality is that the weakest point is the human firewall. We are all thinking machines whose behaviour can be manipulated.

Survey Says

A recent survey conducted in Central London found that out of 576 random office workers, 45% of women and 10% of men were willing to give up their passwords and login credentials to surveyors pretending to be marketing researchers. The gist was that if they provided the researchers with certain information (notably their passwords), they were eligible to choose a reward such as a chocolate bar. People were literally giving away the corporate keys to the kingdom for a chocolate bar. Scary! How is this possible? These people were intelligent workers. Their only flaw was that they were human.

On a more personal note, I was at a security conference last year where the local police force had set up a booth to talk about identity theft. It was a very interesting setup with a lot of visually appealing information, and it quickly became the centre of attention at the conference. Even more enticing was the prize draw they were conducting. As the conference was for government employees, all in attendance worked in some capacity for some branch of government. All members of the government are issued a government ID number which follows you around your government life and is uniquely identifiable to you...think of it as a sort of Social Insurance Number or a serial number for a soldier. Employees are told never to reveal it to anyone. The draw being conducted was simply a test in social engineering to see what information people would give up when pressed. The prize draw was for a trip for two to some exotic location. All the ballot required was a name, address, government section and government ID (ostensibly, so the prize givers could verify the proper winner). People flocked to the draw. What made it even more real were the two uniformed police officers guarding the ballots. Nice touch. When all were called into the conference and the police officers started talking about identity theft and how easy it was to get information, you could hear a murmur in the crowd as people started to realise they had been duped.

Human Firewall

The problem again is us as humans...we tend to be trusting by nature. Having a security policy that states we cannot give out a password does not mean we will follow it when a frantic phone call comes in to the office from someone who claims to be the President's secretary and says she is going to get fired because she can't access the presentation the CEO is supposed to be giving in 10 minutes. We don't like to be the person who says “no”. Unfortunately, this is exactly the type of ruse people fall for every day.

Required Reading

To counter the probability of this happening to you or your company, I would do two things. Firstly, I would have quarterly security meetings with my staff and explain how people can be swindled out of their information. Secondly, I would assign a two-part homework assignment: I would have them read two books. The first is the aforementioned “Catch Me If You Can”. The second is “The Art of Deception” by Kevin Mitnick, another social engineer extraordinaire. Once people can see how these two think, they are far less likely to fall into the same traps that these two were able to perpetrate.

Both great reads. And if it helps your security stance at your corporation, even better.


©2008 About.com, a part of The New York Times Company.

All rights reserved.