Social engineering is becoming a dominant form of cyberattack, and traditional data protection practices can't remotely keep up with the threat. A social engineering attack effectively works around the security controls that are typically in place in the digital world, allowing somebody to gain access to accounts with little research and a few conversations - no hacking expertise necessary.
Social Engineering: Understanding the Danger
To grasp how effective social engineering is, consider how easily an attacker could take full control of a person's assets. Let's look at a hypothetical attack:
- An attacker acquires your email address, something that is incredibly easy to do through a variety of means. Because many email accounts have a secondary authentication of a phone number that is used to text password resets or similar details, an attacker with your email address just needs to gain access to your phone to reset your password.
- Getting phone access is easy enough. Consider how easy it is to escalate a customer support call to a manager who will do just about anything to keep a customer happy and put yourself in the shoes of an attacker. The criminal need only convince customer support that you had an emergency, purchased a new phone and need your number ported on to a new SIM card. Now, all of your calls and texts will go to the attacker's phone and your device will become unusable.
- The attacker uses your phone account to reset your email password and take control of your email account.
- With your email compromised, the attacker can go through your messages, identify the services you use, reset those passwords and take control of your life.
This entire attack happens without any sort of technical expertise. The attacker simply uses details you have made available to the public to get through defenses.
For example, maybe your bank accounts have multi-factor authentication using personal details, such as where you went to elementary school, as an authenticator. The attacker goes onto Facebook, finds your friends from your earlier years and uses that information to figure out where you went to elementary school.
Social engineering is invasive and crippling, and passwords, security questions and similar solutions don't do anything to help.
The Growing Social Engineering Threat
The New York Times reported that social engineers are increasingly using widely available information on the internet to identify valuable online accounts and take them over. In many cases, social engineers are targeting virtual currency investors, activists and government leaders. These attacks often get their start when social engineers gain control of the target's mobile phone number. Chris Burniske, a virtual currency investor hit by social engineering, told the news source that an attack got quite deep before being noticed.
"My iPad restarted, my phone restarted and my computer restarted, and that's when I got the cold sweat and was like, 'O.K., this is really serious,'" Burniske told The New York Times. It only took the attacker a few minutes to steal approximately $150,000 worth of virtual currency from Burniske. Similar attacks have been plaguing the virtual currency sector. The Federal Trade Commission under Tom Wheeler (who was appointed to CONFIRM's advisory board this past Spring) found that instances of phone jacking were on the rise in 2013 (1,038 attacks) and posed a serious cyber threat to consumers. That figure has more than doubled to 2,658 attacks as of January 2016.
Phone hijacking isn't the only social engineering attack gaining momentum. Research from Agari found that social engineering is the fastest-growing attack type in the enterprise world. For example, 69 percent of all phishing and targeted email attacks were targeting sensitive information, such as user credentials. Wired reported on an elaborate scheme in which an allegedly counterfeit social media account is being used by state-sponsored individuals in Iran to target businesses throughout the Middle East by getting social media users to give up personal information.
These types of attacks circumvent traditional security protocols, creating an environment in which organizations need better methods to verify a person's identity and ensure user credentials are not compromised. Identity management solutions are leading the charge here.
Using Identity Management to Counter Social Engineering
The problem with most cybersecurity and account management strategies is that they feature single points of failure that can be compromised. If a user loses a password, the backup is often a Social Security number, personal detail or similar bit of information that can be readily stolen. Multi-factor authentication strategies need better credentials. This is particularly true for businesses trying to protect user assets without creating cumbersome user experiences.
Government-issued identity documents, such as driver's licenses, IDs and passports, present strong authentication proxies due to their certifiable and non-self-attesting nature. A complex identity document can't simply be created or ported over to a new device. This allows customers to assert identity with greater confidence and higher data integrity, in turn bolstering downstream authentication checks and services. It's clear that multi-factor authentication holds the key to limiting social engineering; the question organizations must now ask is: "Are we using the right credentials?"
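To make the two points above concrete (the SIM-port chain in the hypothetical attack, and the recommendation that an SMS code should not stand alone as a recovery factor), here is an added example of a service-side password-reset policy. It is not code from the original post or from CONFIRM; it assumes the service can obtain a carrier-reported "last SIM change" timestamp, and all accounts and timestamps in it are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: SMS-based recovery is distrusted for this long after the carrier
# reports the number moved to a new SIM (the port step in the attack chain).
SIM_CHANGE_COOLDOWN = timedelta(days=7)


@dataclass
class ResetRequest:
    account: str
    sms_code_ok: bool                  # SMS code was entered correctly
    sim_changed_at: Optional[datetime]  # carrier-reported last SIM change, if known
    second_factor_ok: bool             # independent factor: authenticator app,
                                       # hardware key, or verified ID document
    requested_at: datetime


def vulnerable_reset(req: ResetRequest) -> str:
    """The flow in the post: whoever holds the phone number can reset the password."""
    return "ALLOW" if req.sms_code_ok else "DENY"


def hardened_reset(req: ResetRequest) -> str:
    """SMS is never sufficient alone, and is ignored entirely right after a SIM change."""
    if not req.sms_code_ok:
        return "DENY"
    if (req.sim_changed_at is not None
            and req.requested_at - req.sim_changed_at < SIM_CHANGE_COOLDOWN):
        # The number may have just been ported to an attacker's SIM: route the
        # user to a factor the port cannot capture (e.g. document verification).
        return "STEP_UP_NO_SMS"
    return "ALLOW" if req.second_factor_ok else "STEP_UP"


# Constructed scenario: the number was ported two hours ago and the requester
# has the SMS code but no second factor (the attacker from the hypothetical).
NOW = datetime(2016, 1, 15, 12, 0)
PORTED_REQUEST = ResetRequest("victim@example.com", True,
                              NOW - timedelta(hours=2), False, NOW)
# Constructed legitimate user: old SIM, SMS code plus an independent factor.
LEGIT_REQUEST = ResetRequest("victim@example.com", True,
                             NOW - timedelta(days=90), True, NOW)

if __name__ == "__main__":
    print("vulnerable:", vulnerable_reset(PORTED_REQUEST))  # ALLOW
    print("hardened:  ", hardened_reset(PORTED_REQUEST))    # STEP_UP_NO_SMS
    print("legit:     ", hardened_reset(LEGIT_REQUEST))     # ALLOW
```

The same request that the SMS-only flow accepts is pushed to a non-SMS step-up by the hardened flow, while a user on a long-held SIM with a second factor is not inconvenienced.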