Social Engineering 101: Focus On Informal Conversations
from the just-don't-promise-to-protect-the-info dept
In the past, we’ve covered plenty of stories about social engineering to get people to admit stuff they shouldn’t — suggesting you really just need to ask people to give up personal info and they will (sometimes giving them a gift helps, but just asking alone will often do the trick). The latest study does go a little deeper, however, suggesting that the more informal the setting, the more likely people are to cough up info. For example, it found that when those asked for confidential information were promised that it wouldn’t be misused they were less likely to hand over the info. Instead, if there were no promises about what would be done with the info at all, people felt that it was more informal and were more willing to give up the info. Another experiment asked people to reveal “bad” activities to a website. In one test, the website was made to look like a university website, and in another an informal site with the title “How BAD are U??” Not surprisingly, the latter got a lot more people to cough up the details of bad behavior. In that case, I’d even wonder if the “competitive” nature of the question (suggesting that you should want to be “badder” than others) also helped contribute to the openness of individuals.
Filed Under: information gathering, security, social engineering
Comments on “Social Engineering 101: Focus On Informal Conversations”
Bad old putty tat!
How BAD are U??
Is your comment better than THIS one?
Re: How BAD are U??
“””In that case, I’d even wonder if the “competitive” nature of the question (suggesting that you should want to be “badder” than others) also helped contribute to the openness of individuals.”””
Unless “openness == exaggerations or outright lies”, I suspect the How BAD site was no more accurate than the clean-looking site, which is to say “not very accurate at all.”
A better experiment
This was an interesting experiment but it seems there were too many variables to derive meaningful conclusions, aside from the fact that informality gets people to reveal more about themselves.
Heavens! Is that something I didn’t know already?
A better experiment (granted I didn’t read the original study) would be to keep the language formal while having an informal looking website, and to have a formal looking website while asking an informal question. This would indicate whether it is the wording or the website’s appearance that is driving the decision about how much to reveal.
Anybody remember those Budweiser ads (involving frogs and lizards) of 90’s? I don’t mind watching them everyday!
All you have to do is just ask nicely :)
If my bank asks for SSN I would run a inquiry before giving it to them. But if somebody in my “friends” list asks me nicely on facebook I would give them without worrying too much 🙂
Well, I’ve done more than my share of social engineering(enough to have been able to write an appendix or two in Kevin Mitnick’s awesome book on the subject) and while an informal conversation might be good for some types of information while hanging out on, say, a website, it doesn’t help much if you’re trying to gain access to *real* information. For those you play on fear, compassion and greed, and little else. Everything else from that is a game of leap frog.