You are the weakest link

One of the big fears that many people have about online shopping is that some ne’er-do-well will magically nick their credit card details, and while that’s a legitimate concern – I wouldn’t give my card details to a site I didn’t trust – I think it’s been blown out of all proportion. I know a few people whose card details have been stolen (it’s happened to me, too) and in each case the guilty party wasn’t some faceless foreign hacker, but someone on the other end of a phone, or someone in a shop.

The best tool in any hacker’s armoury isn’t a bit of software or some mad card number-intercepting gadget; it’s social engineering. That’s a fancy way of describing the methods you can use to persuade people to give you confidential information. A typical example is calling someone up, pretending to be the IT department, and asking them to confirm their user name and password. A lot of people will do just that and boom! The villain’s in the system. The same principle is behind the “phishing” scams that infest the net: rather than intercept your credit card details, phishing scammers simply put up a fake page that looks like your bank and ask you to hand over your details. An alarming number of people do just that (and if you’re one of them, you’ll probably find that your bank won’t reimburse you for any dodgy spending that results).

I was reminded of social engineering the other day when I was having a cigarette break outside a PIN-protected building: as a guest, I’m not allowed to know the door code. But I got in anyway, thanks to a group of people who *were* allowed to know the code; one of them had forgotten it, asked their colleague what it was, and their colleague duly supplied the code number in a voice loud enough for me to hear. In one fell swoop the security system became redundant – although I was only there to steal everyone’s coffee, rather than to do anything sinister.

The weak link in any security system is usually a person, or people in general. Passwords are often absurdly easy to guess – the wife’s name, the person’s date of birth, the name of their dog or, worst of all, the word “password” or “letmein” – and if you can’t guess it, you can usually persuade people to hand over the details by pretending to be the IT department or bribing them with a Toblerone. And if that doesn’t work, there’s always good old-fashioned stupidity, such as the offices with ultra-secure buildings and ultra-secure networks whose employees stick a couple of wireless network access points on the corporate network, forgetting that the whole point of wireless is that it works through walls. Judging by the press releases from security firms I’ve been reading recently, there are still an awful lot of firms providing free internet access to passers-by – and leaving their networks wide open to villains, ne’er-do-wells and ruffians.

Of course, it’s important to take security seriously – and there are some horrifically talented people out there who can bypass even the toughest security systems. However, you’ll find that the most common threats tend to be ridiculously simple: a fake email purporting to be from your bank; an email that claims to be a screensaver but which contains something nasty. If people were a little more paranoid and a little less trusting, the net would be a safer place.

Pedantic note:
Although I’ve used the term “hackers” in this post, some members of the hacking community would be unhappy about that. Technically, a hacker is someone who takes things – hardware, software, systems – apart to find out how they work or to make improvements, while someone who uses those skills for evil reasons is a “cracker”. However, language changes, and over the years “hacker” has come to mean anyone who breaks into systems, whether they’re good or bad – hence “white hat hackers” (the good guys) and “black hat hackers” (the bad guys). Complaining about the use of the term “hackers” to describe bad guys, then, is a bit like moaning that “shambles” no longer means “slaughterhouse”.