Social engineering is “the art and science of the psychological tricks to get the desired results from human beings and to make them comply accordingly for unauthorized operations.” It may seem innocent and harmless. It could be a phishing email or website that asks for your account number and PIN. Or it could be a hacker posing as a phone engineer, asking for your voice mail password. Or it could even be someone posing as a marketer, asking simple survey questions, hoping to get your private information so he can sell it to call centers.
Unlike viruses and Windows vulnerabilities, there is no technical solution to social engineering attacks. No amount of patches, anti-virus tools, spyware blockers, or firewalls can prevent social engineering attacks. The best defense is consumer awareness and education, whether you are an ordinary consumer or a company that treasures the confidentiality of its data.
Do not presume that the person is who he says he is. If someone calls you and says he is from PLDT and is doing a routine check, do not assume that he is telling the truth. If you can’t positively verify his identity, then don’t transact or communicate with him. Just following this simple rule will secure you against many phishing attacks.
Do not unnecessarily volunteer information. Even if the information seems harmless, think of it as one more piece in the puzzle for identity thieves or hackers to launch an attack. Consider, for example, that most banks use your birthday and your mother’s maiden name as a means of secondary verification. Even giving away your home address, phone number, and email address can open you up to all sorts of intrusive telemarketers and spam mail. And don’t ever give your PIN or password away.
Protect sensitive information. Don’t write down your PIN or password. I know someone who wrote his ATM PIN on the back of his ATM card, and when he lost his wallet, he also lost all the cash in his bank account. Consider purchasing a shredder if you are particular about your personal information on paper documents. Get disk disposal tools that securely overwrite your hard disk. If you store private information on flash drives or other portable media, encrypt the data so that your information will not be compromised if you misplace the drive.
great article.:)
that’s why i don’t trust nobody.
peace.
{Social engineering is “the art and science of the psychological tricks to get the desired results from human beings and to make them comply accordingly for unauthorized operations.”}
where the heck did that come from..?
and also..
social engineers = budol budol gang?
bloggementarist, from CISSP website
good poke at the problem!
check out this write-up i made after reading about the new VoIP phishing scams in the US. seems like phishing and pharming are now the favored way of stealing private information.
honestly i find the definition stupid.. the art and science..? like since when..? when did fooling someone become an art..?
your article is good mon, i just couldn’t help but wonder who wrote that social engineering stuff..? falsifying a legit website and making them appear like the real thing is not even close to engineering.. i work in sales where i subliminally make my clients agree with me but i don’t call that social engineering..
I know what you mean. I too couldn’t figure out the etymology either. But the term “social engineering” is already an accepted term in computer security. At least it sounds better than “ignorance manipulation.”
“Don’t write down your PIN or password.”
There’s a good argument against this. I wrote about it a while back here on PTB.
J. Angelo Racoma,
Read your article. No disagreement but the title of your article (Write down your password) is misleading. You don’t actually write down your password, but you write a code that represents your password. It is similar to encrypting your data instead of storing it in plaintext.
From your article:
“It’s not exactly cool to just write down your passwords on Post-Its and stick them onto your monitor. But you can write down reminders for your password combinations and stick them in your wallet, where, after all, you also keep stuff you’d prefer to be secure at all times–like your oodles of cash or stacks of credit cards… You formulate your own password mnemonic which you would then apply to each individual website. You would then append, pre-pend, or intersperse these within the characters of a “base” password, and voila! You have a password likely to be more secure than just a base.”
And if you write your PIN and keep it in your wallet and you lose your wallet, you stand to lose more than just the cash in your wallet.
nice! I’ll post this on my friendster bulletin, would that be okay? credits will go to mon and PTB of course.;)
i just realized mon, these three pointers you gave out, hopefully americans don’t get to read this, because if they did, call center in the philippines is doomed!!! doomed i say!!!
lol..
posh,
I’m ok. It’s also posted at http://www.technopinoy.com
it’s like saying, don’t trust anybody online but you yourself alone.
Selaplana,
Essentially, YES. But once the identity has been verified, then that person can be trusted. This is the whole foundation for secure email, verisign, digital signatures, etc.
It’s the same thing when you receive an anonymous phone call saying that your relative is in the hospital, or receiving an email from Nigeria asking for your account information.
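The point in the reply above, that a message can be trusted only after the sender's identity has been verified against something you already hold, is what a digital signature check does mechanically. The Go program below is an added illustration, not code from this post or its commenters: it keeps a small directory of trusted public keys (constructed inline), signs a message with Ed25519, and shows that a genuine message verifies while a tampered message and an impostor's claim both fail. The names "bank" and "impostor" and the message text are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity pairs a name with the public key the verifier has previously
// learned to trust (for example, obtained in person or from a known CA).
type Identity struct {
	Name      string
	PublicKey ed25519.PublicKey
}

// SignMessage produces an Ed25519 signature over msg with the sender's key.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySender answers "is this really from who it claims to be?". It returns
// false when the claimed name is unknown to the trusted directory or when the
// signature does not verify under that name's key (tampered text or a
// signature made with some other key).
func VerifySender(trusted map[string]Identity, claimedName string, msg, sig []byte) bool {
	id, ok := trusted[claimedName]
	if !ok {
		return false // never heard of this sender: do not trust
	}
	return ed25519.Verify(id.PublicKey, msg, sig)
}

// Demo runs the three cases a recipient meets: a genuine message, the same
// message altered in transit, and an impostor signing with their own key while
// claiming to be the bank. Returns the three verification results.
func Demo() (genuine, tampered, impostor bool, err error) {
	bankPub, bankPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}

	// Constructed trusted directory: only the bank's key is known to us.
	trusted := map[string]Identity{
		"bank": {Name: "bank", PublicKey: bankPub},
	}

	msg := []byte("Routine check: please confirm your contact details.")
	sig := SignMessage(bankPriv, msg)

	genuine = VerifySender(trusted, "bank", msg, sig)

	altered := []byte("Routine check: please confirm your account number and PIN.")
	tampered = VerifySender(trusted, "bank", altered, sig)

	forgedSig := SignMessage(impostorPriv, msg)
	impostor = VerifySender(trusted, "bank", msg, forgedSig)
	return
}

func main() {
	g, t, i, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine message verifies: %v\n", g)
	fmt.Printf("tampered message verifies: %v\n", t)
	fmt.Printf("impostor's message verifies: %v\n", i)
}
```

The decision rests entirely on the key you already trust, not on the name in the message; a caller who says "I am from the bank" with a key you have never seen gets the same answer as a stranger.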
have you seen the Firewall by Harrison Ford?
i think that is a great example of social engineering.
Comments duly noted, Mon.
Read the story of Kevin Mitnick, one of the best social engineers out there..
social engineering: that’s just fooling you