We can be tricked into giving away our personal information
By Michael de Laine, Copenhagen, 25th January 2009
Human beings don’t always act as they should and organizations are poorly prepared for IT security attacks that target human weaknesses. Providing training about how to behave securely is of little help.
We human beings don’t always do as we have been taught, and organizations are poorly prepared for IT security attacks that target human weaknesses. Since it is difficult to change people’s behaviour, it doesn’t help to provide training about how to behave securely.
This is shown by Marcus Nohlberg in his recently published dissertation (Securing Information Assets — Understanding, Measuring and Protecting against Social Engineering Attacks) at Stockholm University in Sweden.
Nohlberg studied attacks that are called social engineering in IT contexts.
The concept of social engineering refers to the art of using social codes and knowledge of human behaviour to get us to provide information or do things we should not do.
Nohlberg cites a recent topical example from Sweden, where people received calls from a person who purported to represent the IT office at their bank and asked them to identify themselves using the codes from their personal bank security tokens (code generators). The attacker then used these codes to steal money from the victims’ accounts.
“I predicted a couple of years ago that this kind of attack would become common, especially account fraud,” Nohlberg says.
Despite the serious consequences and the many successful fraud attempts, this technique has received little attention from researchers.
Nohlberg’s research has led to enhanced knowledge about what methods attackers use and what it is that makes people and organizations so vulnerable.
Nohlberg’s research shows that information and training do not work as well as we think.
“There will always be a small group of people who do not do as they were taught,” he says. “What’s more, it’s all too seldom that people undergo training in security issues in general. To change their behaviour, this is something that needs to be worked with constantly.”
He says the best thing is practical training. “It is probable that organizations will need to start running internal checks where they in fact create fictitious attacks in order to identify weaknesses,” Nohlberg says.
Social engineering as a method of fraud is costly for the attacker since it requires commitment and time. However, software and technologies already exist that can interact with other people automatically.
“You can easily imagine how serious it will be when such programs target victims via digital forums like Facebook in the future,” Nohlberg says. “When it becomes just as simple as spreading spam, this will present a major threat to social activities on the Internet.”
In his research, Nohlberg presents a description of fraud crimes from the perspectives of victims, perpetrators, and defenders, but he also offers suggested measures for preventing attacks, based on his own experiences from controlled attacks.