{"id":8480,"date":"2012-02-25T12:05:10","date_gmt":"2012-02-25T16:05:10","guid":{"rendered":"http:\/\/thesocietypages.org\/cyborgology\/?p=8480"},"modified":"2012-02-25T12:05:10","modified_gmt":"2012-02-25T16:05:10","slug":"a-social-engineers-nirvana-trusting-technology","status":"publish","type":"post","link":"https:\/\/thesocietypages.org\/cyborgology\/2012\/02\/25\/a-social-engineers-nirvana-trusting-technology\/","title":{"rendered":"A Social Engineer\u2019s Nirvana: Trusting Technology"},"content":{"rendered":"<p><a href=\"http:\/\/paleo-future.blogspot.com\/2007\/06\/futuristic-phone-booth-1958.html\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-8482\" title=\"1958 Future Phone Booth\" src=\"https:\/\/thesocietypages.org\/cyborgology\/files\/2012\/02\/1958-Future-Phone-Booth.jpg\" alt=\"\" width=\"323\" height=\"400\" srcset=\"https:\/\/thesocietypages.org\/cyborgology\/files\/2012\/02\/1958-Future-Phone-Booth.jpg 323w, https:\/\/thesocietypages.org\/cyborgology\/files\/2012\/02\/1958-Future-Phone-Booth-242x300.jpg 242w\" sizes=\"auto, (max-width: 323px) 100vw, 323px\" \/><\/a>In my research on the Dutch banking system, it became clear that the banks are seriously worried about social engineering. These techniques, such as phishing and identity theft, have become increasingly common. No reason for concern, right? Surely, a system upgrade, some stronger passwords, or new forms of encryption and all will be well again. Wrong! When it comes to social engineering, trust in technology is deadly. The solution, in fact, cannot be technological; it must be social.<\/p>\n<p>The term social engineering has been around for decades, but in the last couple of years, it has been popularized by famous social engineer Kevin Mitnick. 
\u00a0In the book <em>Social Engineering: The Art of Human Hacking<\/em> by another famous social engineer, Christopher Hadnagy, social engineering is defined as \u201cthe act of manipulating a person to take an action that may or may not be in the \u2018target\u2019s\u2019 best interest.\u201d This may include obtaining information, gaining computer system access, or getting the target to take certain action. Kevin Mitnick pointed out that instead of hacking into a computer system it is easier to \u201chack the human.\u201d While cracking the code is nearly impossible, tricking someone into giving it to you is often relatively easy.<!--more--><\/p>\n<p>Countering these social engineering techniques tends to be difficult. As a result, banks are hesitant to contact their clients. Contacting the client means using media and this usage fosters trust in these media. This trust proves devastating to the banks, but is a nirvana for social engineers. As PJ Rey states in his essay <a href=\"..\/..\/..\/..\/..\/2011\/11\/23\/trust-in-complex-technology-the-cyborgs-modern-bargain\/\"><em>Trust and Complex Technology: The Cyborg\u2019s Modern Bargain<\/em><\/a>, \u201cit is no longer feasible to fully comprehend the inner workings of the innumerable devices that we depend on; rather, we are forced to <em>trust<\/em> that the institutions that deliver these devices to us have designed, tested, and maintained the devices properly.\u201d <a href=\"..\/..\/..\/..\/..\/2012\/01\/07\/the-environment-vs-technological-autonomy\/\">Doug Hill<\/a> builds upon Rey\u2019s statements pointing out that our trust in technology applies to the people who use them as well as the people who have created them. In short, banks trust in their technology just as much as the employees and clients.<\/p>\n<p>It is not hard to find tons of examples in popular discourse on the faith people have in technology. 
Every new piece of hardware or software is better than the previous one and will solve problems and tricky situations. However, this blind trust in technology results in sophisticated invented scenarios created by social engineers. An example would be pretending to be a computer helpdesk operator, randomly calling employees of a company and claiming that somebody from their department called because there is a problem with one of the computers. Chances are that at some point an employee will say yes and fall into the trap, giving his or her password to the social engineer.<\/p>\n<p>It goes without saying that the trust people have in technology is not the only factor in the equation. However, unexamined trust seems to be the big pitfall. If banks want to counter social engineering, they need to realize that this will not be done by merely upgrading password encryptions or other technological aspects of their security system. Further trust in technology will not remedy the problems that trust in technology created. Instead, the social side needs to be taken into account. The question we are asking is: How can we make people more critical (i.e., less trusting) about the dangers revolving around technology, especially when it involves their own wallet?<\/p>\n<p>In response to a BBC <a href=\"http:\/\/www.bbc.co.uk\/news\/technology-16812064\">article<\/a> on how hackers outwit online banking identity security systems, security technologist Bruce Schneier presents the solution of <a href=\"http:\/\/www.schneier.com\/blog\/archives\/2006\/11\/fighting_fraudu.html\">authenticating the transactions<\/a> we make (similar to credit cards). Although this sounds like a shift away from a technological solution, seeing as it is more about the transaction behavior of the client, this poses other dangers. Back-end systems monitor suspicious behavior. An example would be that if a client from The Netherlands signs in from, say, Bulgaria, the situation is regarded as suspicious. 
This situation would add points to a risk score. If the risk score gets high enough, other means of authentication come into play, such as a telephone call to the client.<\/p>\n<p>In authenticating the transaction, the question that needs to be answered is whether the transaction makes any sense with regard to the financial behavior of the client. This, as always, raises many questions on surveillance. The banks will need to know what your behavior is if they want to establish what suspicious behavior is for a specific client. Although banks probably wouldn\u2019t mind this solution, it feels like a violation of privacy from a client\u2019s perspective. However, if we all don\u2019t start being more critical, these sorts of invasive authentication schemes may soon become a reality.<\/p>\n<p><a href=\"http:\/\/www.mediawetenschap.nl\/\"><em>Samuel Zwaan<\/em><\/a><em> (<\/em><a href=\"https:\/\/twitter.com\/#%21\/mediawetenschap\"><em>@mediawetenschap<\/em><\/a><em>) is a teacher and student in Media Studies at Utrecht University<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my research on the Dutch banking system, it became clear that the banks are seriously worried about social engineering. These techniques, such as phishing and identity theft, have become increasingly common. No reason for concern, right? Surely, a system upgrade, some stronger passwords, or new forms of encryption and all will be well again. 
[&hellip;]<\/p>\n","protected":false},"author":1159,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[9967],"tags":[880,14115,2143,12,1491],"class_list":["post-8480","post","type-post","status-publish","format-standard","hentry","category-commentary","tag-hacking","tag-social-engineering","tag-surveillance","tag-technology","tag-trust"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/thesocietypages.org\/cyborgology\/wp-json\/wp\/v2\/posts\/8480","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thesocietypages.org\/cyborgology\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thesocietypages.org\/cyborgology\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thesocietypages.org\/cyborgology\/wp-json\/wp\/v2\/users\/1159"}],"replies":[{"embeddable":true,"href":"https:\/\/thesocietypages.org\/cyborgology\/wp-json\/wp\/v2\/comments?post=8480"}],"version-history":[{"count":7,"href":"https:\/\/thesocietypages.org\/cyborgology\/wp-json\/wp\/v2\/posts\/8480\/revisions"}],"predecessor-version":[{"id":8530,"href":"https:\/\/thesocietypages.org\/cyborgology\/wp-json\/wp\/v2\/posts\/8480\/revisions\/8530"}],"wp:attachment":[{"href":"https:\/\/thesocietypages.org\/cyborgology\/wp-json\/wp\/v2\/media?parent=8480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thesocietypages.org\/cyborgology\/wp-json\/wp\/v2\/categories?post=8480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thesocietypages.org\/cyborgology\
/wp-json\/wp\/v2\/tags?post=8480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}