There are five ways I could take your password: The rise of CyberPsychology

Iain Alexander Smith, PhD
Published in PsychSpeak
4 min read · Jun 16, 2017
Is this what comes to mind?

Hacking. The pastime of ‘LulzSec’ and ‘Anonymous’. Computer-oriented. Lines,
lines,
lines
of code. Dark rooms with multiple screens. And people with little in the way of social skills.

Anyone who has seen films like Jurassic Park and James Bond will have this view of cybercrime. But the truth is more surprising. It takes hackers a lot of effort and expense to create Trojan viruses and infiltrate company computers or networks. Instead, cyberpunks are more frequently using psychology to carry out their goals. And the computer they are hacking is you.

Efforts have moved on from distant Nigerian Princes and their financial troubles. Approaches have become more sophisticated. More science-based.

Here are five ways a hacker could attempt to exploit you through psychology:

1. By giving you chocolate

The University of Luxembourg created a large-scale experiment involving 1,208 people investigating how small gifts can motivate people to give up their password. Researchers asked randomly selected passers-by about their attitude towards computer security, before asking them to share their password. The interviewers carried University of Luxembourg bags, but were otherwise unknown to participants.

Chocolate was given to participants either before or after the interview. 29.8% of participants gave out their password when they received chocolate at the end, compared to 43.5% when they received it at the beginning.

This phenomenon is more than just a study.

Belgium, 2007.
ABN Amro Bank.
An unknown man — still at large — steals 120,000 carats worth of diamonds and jewels. He came in during regular business hours, made it through the Bank’s security measures, and walked out with €21m without using technology.

According to a spokesperson for the Diamond High Council, “he used one weapon — and that is his charm — to gain confidence. He bought chocolates for the personnel, he was a nice guy, he charmed them, for the original of keys to make copies and got information on where the diamonds were.”

Beware of charming strangers bearing gifts. Especially if they give you chocolate and ask you for keys or passwords.

2. By getting to know you

What’s the name of your first pet?

It’s well established how irrational human beings are. Which explains the ‘password paradox’: we recognise passwords should be robust, but it requires too much effort to make and remember them. So we don’t do it. Instead, we take things that are close to us/our identity (e.g. pet’s name, our favourite book, film or drink) and stick 123 on the end. (Those who become more frustrated with their machines may simply use the tried and tested ‘letmein123’).

Research has also shown that people tend to use the same standard of password across devices and accounts. Which means a hacker might get to know you better by building a relationship with you or exploring your social media, before trying out some different passwords on less important websites. Once they’ve figured it out, they move onto email, corporate and banking systems.
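The two habits described above, a familiar word with a few digits stuck on the end and the same password reused across accounts, are both things a defender can check for at password-setting time or in a password-manager audit. The following is an added example, not code from the original post; the common-password list and the personal terms are constructed sample data, and a real deployment would use a full breached-password list.

```python
"""Flag passwords built the way the post describes (word + trailing digits,
personal terms, well-known defaults) and spot reuse across accounts.
All sample data here is constructed for the example."""
import re
from collections import defaultdict

# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"letmein123", "password", "password123", "123456", "qwerty"}


def weak_password_reasons(password: str, personal_terms=()) -> list[str]:
    """Return the reasons a password looks guessable; empty list means none found.

    personal_terms: things an attacker could learn from social media
    (pet name, favourite film, etc.), supplied by the organisation's policy.
    """
    reasons = []
    pw = password.lower()
    if pw in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    # The 'petname123' pattern: one lowercase word followed by 1-4 digits.
    m = re.fullmatch(r"([a-z]+)(\d{1,4})", pw)
    if m:
        reasons.append(f"word '{m.group(1)}' plus digits '{m.group(2)}'")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in pw:
            reasons.append(f"contains personal term '{term}'")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


def find_reused(accounts: dict[str, str]) -> list[list[str]]:
    """Group account names that share an identical password.

    Returns a sorted list of groups (each a sorted list of account names)
    with more than one member. Passwords themselves are never returned.
    """
    groups = defaultdict(list)
    for account, password in accounts.items():
        groups[password].append(account)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    # Constructed examples: the first two follow the post's pattern.
    for pw, terms in [("Rover123", ["Rover"]), ("letmein123", []),
                      ("correct horse battery staple", ["Rover"])]:
        print(pw, "->", weak_password_reasons(pw, terms) or "no issues found")
    vault = {"email": "Rover123", "bank": "Rover123", "forum": "gl0bal-dr1ft"}
    print("reused across:", find_reused(vault))
```

The reuse check is what a password-manager audit does: it compares the stored secrets with each other rather than testing them against any live service, so it can run entirely offline.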

So, I’ll ask again. What’s the name of your first pet?

(You don’t need to answer, I already found it on Facebook)

3. By pretending to be your CEO

During something called a ‘whaling scam’, employees (those in finance are often targeted) receive an email set up to look like it’s coming from the CEO or CFO. The email urgently requests a transfer of funds, building a sense of urgency and consequences if this isn’t carried out.

This works because of the urgency and authority involved. One simple defence is to double-check the sender’s email address: for instance, make sure the email did not come from a ‘.org’ address when your company uses ‘.co.uk’.
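The address check above can be automated at the mail gateway or in a mail client plug-in. The following is an added example rather than anything from the original post: it assumes a placeholder organisation domain (example.co.uk), parses the From: and Reply-To: headers, and flags senders whose domain is external, is a lookalike of the organisation's domain (same first label, different suffix, as in the ‘.org’ versus ‘.co.uk’ case), or whose Reply-To points somewhere other than the sender. The sample headers are constructed.

```python
"""Flag e-mails whose sender domain does not match the organisation's own
domain, which is the check the post recommends against 'whaling' e-mails.
The organisation domain and the sample headers are constructed placeholders."""
from email.utils import parseaddr

# Assumed organisation domain (placeholder, not from the original post).
OUR_DOMAIN = "example.co.uk"


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From:/Reply-To: value.

    parseaddr separates the display name from the real address, so a
    display name that merely looks like an internal address is ignored.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def org_label(domain: str) -> str:
    """First label of a domain, e.g. 'example' for 'example.co.uk'."""
    return domain.split(".", 1)[0]


def check_sender(from_header: str, reply_to: str = "",
                 our_domain: str = OUR_DOMAIN) -> list[str]:
    """Return warnings for a message; an empty list means nothing looked wrong."""
    warnings = []
    domain = sender_domain(from_header)
    if not domain:
        return ["no parseable sender address"]
    if domain != our_domain:
        if org_label(domain) == org_label(our_domain):
            warnings.append(f"lookalike domain: {domain} is not {our_domain}")
        else:
            warnings.append(f"external sender: {domain}")
    if reply_to:
        rt_domain = sender_domain(reply_to)
        if rt_domain and rt_domain != domain:
            warnings.append(f"Reply-To domain {rt_domain} differs from sender {domain}")
    return warnings


# Constructed sample headers: one genuine, one wrong suffix, one where the
# display name imitates an internal address, one with a diverted Reply-To.
SAMPLE_MESSAGES = [
    {"from": "CEO <ceo@example.co.uk>"},
    {"from": "CEO <ceo@example.org>"},
    {"from": '"ceo@example.co.uk" <someone@other.net>'},
    {"from": "CFO <cfo@example.co.uk>", "reply_to": "cfo@example-pay.net"},
]


def triage(messages=SAMPLE_MESSAGES) -> list[list[str]]:
    """Run check_sender over a batch and return one warning list per message."""
    return [check_sender(m["from"], m.get("reply_to", "")) for m in messages]


if __name__ == "__main__":
    for msg, warns in zip(SAMPLE_MESSAGES, triage()):
        print(msg["from"], "->", warns or "looks internal")
```

The third sample shows why the check has to parse the header rather than string-match it: the visible display name reads like an internal address, but the real sender is external. A genuine mail from the organisation's own domain can still be spoofed, so this check belongs alongside SPF/DKIM/DMARC enforcement and an out-of-band confirmation step for any payment request.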

4. By seeming like you

We more quickly trust those who are like us.

A security consultant created a fictitious online presence, called Robin Sage. This made-up character had accounts on LinkedIn, Twitter and Facebook, all of which showed the person to be a cyber threat analyst for the U.S. Department of Defense. This online presence was used to reach out to other security professionals, creating a network of potential targets. Most of Robin’s new connections worked for the U.S. military, government or affiliated organisations.

There was no hard evidence of Robin’s existence.

Despite this, Robin’s new contacts shared information that revealed their email addresses, bank accounts, and even the location of secret military units. Robin was sent documents to review and offered speaking slots at conferences.

5. I could tell you, but I don’t want to give you all my tricks.

These methods all use psychology to build a sense of trust. We can’t go without trust in life or at work, but we can be more critical about who, what and how we trust. On that note… You might want to think twice before plugging in that USB stick you found in the carpark.

Want to discover more?

Here’s a great Ted Talk by Lorrie Cranor: https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd

Find out more about how trust can be exploited: https://faculty.wharton.upenn.edu/wp-content/uploads/2015/12/Yip---Schweitzer-2015.pdf

Share your thoughts. When have you been duped?

Iain Alexander Smith, PhD
I/O Psychologist. Head of Solutions @themindgym. Writes and shares about psychology.