Security experts have released new password recommendations, but hackers realized long ago that getting into a victim's email or iCloud account doesn't require keyloggers, zero-days, or USB sticks pre-loaded with malware. It's much easier than that: it takes more charm than geek.
Social engineering is the world where those looking to gain access to protected places (be they physical or digital) talk, bluff, confuse, or trick their way past the gatekeepers. Social-Engineer, Inc., a security company that specializes in helping corporations prepare for this sort of attack, defines the technique as "any act that influences a person to take an action that may or may not be in their best interest."
Say, just for example, a stranger calls up your cell provider, pretending to be you, and convinces the call center worker to move your phone number to a new SIM card. From that moment, every text-message login code and SMS password-reset link meant for you goes to the attacker instead. That's not in the employee's interest, nor yours. And, as Black Lives Matter activist DeRay Mckesson found out in 2016, the consequences can be rough.
That wasn't the first time someone talked their way past a public figure's digital security, either. In 2012, a hacker tricked Apple's tech support into handing over access to tech reporter Mat Honan's iCloud account. Because that iCloud address was the recovery email for his Gmail account, the attacker could reset Gmail as well, and from there Twitter, remotely wiping his iPhone, iPad, and MacBook Air for good measure.
“I know how it was done now,” Honan explained on his blog at the time. “Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.”
Basically, all the maliciously inclined need to socially engineer their way in is the right talking points and a little luck. And for those in need of some help, there are even web forums dedicated to sharing tricks of the trade.
It’s almost too easy, and no five-word passphrase can do anything to prevent it.
That being the case, shouldn’t the companies that protect our data be on the lookout for this sort of thing? Thankfully, many now are. However, they are essentially forever fighting a losing battle. Social engineering relies on exploiting human nature, and last time we checked human nature is something that doesn’t change all that easily.
So what can you do? Besides not giving out information that could later be used to impersonate you (the security-question answers and account details a support rep might ask for), enable two-factor authentication on everything and use an authenticator app rather than text-message codes wherever possible: the app computes its codes on the device from a stored secret, so they never travel over a phone number an attacker may have hijacked. And definitely set a PIN or customer-care password on your cellphone account, so the carrier has something to check before it touches your SIM.