Social Engineering has been on the front burner of security issues for a while. It has been discussed extensively by industry experts. Yet, not many fully realize the potential danger it poses and how very dangerous it can be.
For hackers, Social Engineering is probably the easiest most efficient way for cracking security protocols. The rise of the internet gave us very powerful capabilities by interconnecting devices without the barrier of distance. Giving us advancement in communication and interconnection, this, however, introduced loopholes leading to a breach of personal information and privacy.
Since, the earliest, pre-technology times, humans have been encoding and securing information. A popularly known method from ancient times is the Caeser Cipher where messages are encoded by shifting the places in the list of alphabets. e.g., “hello world” if shifted by 1 place could be written as “ifmmp xpsmf”, the decoder reading the message “ifmmp xpsmf” will have to shift the letters one place backward in the alphabets list to understand the message.
As simple as this encoding technique was, it stood for nearly 2000 years!
Today we have more advanced and robust systems of security developed, yet security is a challenge.
It is important to note that there are a vast number of techniques deployed by hackers to obtain vital information. We shall briefly look at some of these techniques to understand why social engineering is such a big deal.
Brute Force & Dictionary attacks
A brute force hack involves a hacker with an advanced set of tools built to penetrate a security system using a calculated password by getting all possible character combinations. A dictionary attack involves the attacker running a list of words (from the dictionary), hoping to find a match with the user’s password.
A brute force attack nowadays, although very potent, seems less likely to occur due to the nature of current security algorithms. To put things in perspective, if the password on my account is ‘[email protected]!!!’, a total sum of characters is 22; hence, it will take 22 factorial, for a computer to calculate all possible combinations. That’s a lot.
More so, there are hashing algorithms that take that password and convert it to a hash to make it even more difficult for a brute-forcing system to guess. E.g. the earlier written password can be hashed to d734516b1518646398c1e2eefa2dfe99. This adds even a more serious layer of security to the password. We shall look at security techniques in more detail later on.
Distributed Denial of Service attacks occurs when a user is blocked for accessing legitimate internet resources. This could be on the user side or on the service the user is trying to access.
A DDoS usually results in a loss in revenue or user base. For an attack such as this to be possible, a hacker can take control of multiple computers all over the internet that can be used a part of a ‘BotNet’ to destabilize the network or in some cases flood the network traffic with non-useful packets of information resulting in overuse and hence, breakdown of network resources and nodes.
This is a form of hacking where the attacker tries to steal user credentials by making fake substitutes of login pages. Typical, the attacker sends a malicious email to a user acting as a trusted source such as a bank or a social media website usually, with a link for the user to enter their credentials. The links are typically made to look like legitimate websites, but a closer look reveals they are wrong.
For instance, A phishing link once used paypai.com to scam Paypal users into giving up their login details.
A Typical Phishing email format.
We have noticed suspicious activity on your account. Click here to change your password now to avoid your account being blocked.”
There’s a 50% chance that you have been phished at once. No? Have you ever logged into a website and then after clicking sign-in / Login, it still takes you back to the login page, Yes? You have been successfully phished.
How is Social Engineering done?
Even as encryption algorithms get even tougher to break and more secure, social engineering hacks are still as potent as ever.
A social engineer typically gathers information about you so as to able to access your online accounts and other protected resources. Usually, an attacker gets the victim to divulge personal information through psychological manipulation willingly. A scary part of this is that this information doesn’t necessarily need to come from you, just someone who knows.
Commonly, the target isn’t the one who gets social engineered.
For instance, a popular telecom company in Canada was in the news early this year for a social engineering hack on its customer, in which the customer service personnel was social engineered into revealing the target’s details in a massive sim swap hack leading to $30,000 loss of money.
Social engineers play on peoples’ insecurities, negligence, and ignorance to get them to divulge vital information. In an age where remote support is widely used, organizations have found themselves in many more cases of hacks such as these due to the inevitability of human error.
Anyone can be a victim of social engineering, what’s even scarier is that you could be getting hacked without even knowing!
How to Protect Yourself from Social Engineering?
- Avoid using personal information such as date of birth, pet’s name, child’s name, etc. as login passwords
- Don’t use the weak password. If you can’t remember the complex one, then use a password manager.
- Look for the obvious lies. A social engineer doesn’t really know enough to hack you at once; they give the wrong information hoping you would provide the right one, and then they move on to request for more. Don’t fall for it!
- Verify the authenticity of the sender and domain before taking action from email messages.
- Consult with your bank immediately you notice suspicious activity on your account.
- When you suddenly lose signal reception on your mobile phone, check-in with your network provider immediately. It might be a sim swap hack.
- Enable 2 Factor Authentication (2-FA) on services that support it.
These steps are not a direct remedy to social engineering hacks, but they help you make it difficult for a hacker to get you.