Hackers are con artists: The perils of social engineering

Hackers are con artists: The perils of social engineering

Portrayals of hackers in popular culture are inaccurate. We imagine individuals bent over computers, rapidly typing in a mortal battle with opposing hackers. The struggle goes back and forth, until finally, one side wins — breaching their opponent’s encryption, downloading terabytes of secrets, and stealing away triumphant.

This might make for good television, but it’s also far-removed from real hacking. As dramatic as it might be to force your way past security and into enemy lairs, the best hacks are the most subtle ones. Humans, not computers, are usually the weakest link.

More often than not, hacking is a con job — not a break-in. And the most versatile tool in a hacker’s arsenal is a technique called social engineering.

The importance of subtlety

There are many reasons that subtle hacks are the best, especially in espionage. Simply put: if your target isn’t aware that you’re scamming them, then you can continue ripping them off.

If you are a hacker, you have a few goals. First, you must retrieve your objective, be it corporate secrets or user passwords. At the same time, you can’t be compromised. To be exposed means that companies and governments are wise to your intrusion, and can protect themselves. Once a hack is discovered, your target will rush to change passwords, delete or backup vital data, and remove any loopholes. For those hackers aiming to steal sensitive information, this can render their gains useless.

But it also makes sense to play the long game as well, as it can be more profitable. There is a real value to remaining in a target system, undetected, for long periods of time. As the recent Kaspersky intrusion shows, hackers can (and have) snuck into networks and simply waited there, watching their opponent’s every move and vacuuming up sensitive data.

Passwords and resets

Even as our technology improves exponentially, it’s limited by one important factor: the human brain. Not only are our brains easily manipulated (implanting false memories is much easier than you think), but they have glaring weaknesses that skilled hackers will take advantage of. Remember that a chain is only as strong as its weakest link. Even strong network security can be compromised by not factoring in the human element.

Smart hackers will target people, not their systems.

Look at passwords. If the Internet is a collection of locked doors, then passwords are the keys. Unfortunately, many people default to very simple, unsophisticated passwords that are easy to remember — and easy to guess. Lists of the worst passwords feature repeat offenders like “password,” “football,” “123456,” or “princess.”

Moreover, many common password rules are flat-out wrong. Even the man who invented them, Bill Burr, has called his previous work a mistake. For instance, Burr’s rule about “special characters” (such as $, @, or !) encourages people to substitute these for letters: “A” becomes @, “S” becomes $, and so forth. Unfortunately, this makes passwords much easier to crack, as hackers can simply guess these common substitutions.

Further, to simplify their daily routines, most users rely on a single, master password for all of our apps and programs. This is a terrible idea, as a leak means that thieves can access all your accounts with a single password. Instead, if you have difficulty remembering different passwords, try turning to a password manager.

These programs can automatically store, generate, and track your various accounts; they’ll create complex, unique passwords for you, and fill them in when you log into websites. Best of all, you only have to remember a single password: your login for the password manager itself.

Barring the advent of authentication processes that incorporate biometrics, password managers are the safest choice.

Phishing

Additionally, thanks to the quirks of our human brains, remembering a highly complex password for each account is very difficult, if not impossible. As a result, password retrieval is now a key feature of any program that requires a login. However, password retrieval is also a major vulnerability.

In fact, this is where the best, most subtle hackers strike. Consider John Podesta, Hillary Clinton’s campaign manager. In 2016, Podesta was hacked, or more accurately, conned out of his email password and credentials. Hackers posed as Google’s password reset service, soliciting Podesta’s assistant to click on a link, where he logged in with Podesta’s password — and allowed the thieves in. The damage was swift: the stolen emails were leaked online and caused widespread damage to the Democratic Party.

This is a textbook spear-phishing campaign: the mark (Podesta’s assistant) is solicited by a seemingly official notice. This phishing email ironically warned of an illegitimate intrusion, and promised to take users to reset their password. Secrecy was vital; the fact that the hack stayed undetected for several months allowed hackers to penetrate the system thoroughly, and to reap a greater haul of information (and thus, do more damage).

Instead of memorizing unique passwords (and relying on password reset links), consider multi-factor authentication. Users type their password and receive a second code in the form of a text message or a smartphone prompt. To enter their email, they must input both password and code, adding an extra layer of security that hackers must contend with.

Social engineering

Like con jobs, the best hacks use high-level social engineering: leveraging human nature through social cues and trust to penetrate restricted systems. Think of a scam artist posing as an authority figure (a policeman or repair technician) to infiltrate a secure place and steal important information.

The best example of this is Kaspersky. Essentially, hackers relied on the company’s reputation as a globally established software producer to insert backdoors. That Kaspersky’s program is an antivirus is perfect; these programs are trusted with scanning countless files on databases to check for infection — which means that they can access everything.

Though it’s unclear whether Kaspersky cooperated with Russian intelligence to insert backdoors, the effects are clear: files were stolen, secrets compromised, and finally, Kaspersky lost its contracts with US government entities.

Ultimately, the greatest security threat facing us today isn’t a virus like Stuxnet or a botnet like Mirai. While dangerous in their own way, these programs pale in comparison to the damage a well-executed social engineering campaign can cause; just ask Hillary Clinton. Human nature is the weak link: with our inability to create and remember passwords, as well as susceptibility to social hierarchies, cybersecurity will continue to be an issue for years to come.

Read next: How to build your customer happiness chatbot — according to people who do this every day