This talk is about deception, social engineering, scamming and human hacking.
Ian: “When I was 16, a friend invited me to his house, and said there’s a guy who I should meet who is a millionaire – he was offering to show us how to be a millionaire”. It was a pyramid scheme! As the guy was talking, he clocked very quickly that Ian could see through the scheme, and so he cleverly talked around Ian, addressing his friends directly and excluding Ian. This was Ian’s introduction to influence, persuasion and social engineering: human hacking.
What’s interesting is that it’s not about computers or technology – it’s about the human element. Kevin Mitnick: The Art of Deception. Every example he has is how to hack and find out information about big corporates through human engineering. Humans are the weakest link in your security chain!
White hat hackers sell their skills to companies in order to improve their security. Grey hats walk up to the line and maybe push it a bit but won’t transgress the law too much. Black hats are all about “how much money can we make” – by whatever means. Documentary: H*Commerce, about hacking for profit. This is a massive business. The amount of money made globally through spam, phishing, spear-phishing, 419 scams etc. is equivalent to the GDP of a top-20 country!
Spear phishing: select a very small number of targets, find out personal information about them, and then con them. Tech for this is becoming more affordable.
People are not being taught hacking and social engineering – they’re finding it out for themselves. If you teach hacking, people become aware of how to defend themselves against scams and phishing, as well as the minority who may use the skills for illegal ends.
Q: does this happen more with the older or younger generations? Seems like older people would be less switched on, but the younger generation lives online to a greater extent.
Recruiters, journalists, advertisers all use these skills in their daily work!
In terms of defences against social engineering: beyond common-sense advice such as “don’t give out your password”, there are thousands of ways to die just in this room – it’s an impossible task to defend against everything! However, we’re at the point now where people are better off scamming online than robbing people in the street! Is the risk now higher online?!
Maybe we need to encourage the youth who are committing violent crime to switch to social engineering hacks to make our streets safer!
Big companies don’t help themselves: unsolicited calls from banks that demand your security details; Verified by Visa, where you have to type all the details from your bank card into a website that’s neither your bank’s nor the merchant’s; PINs are now distributed on indestructible pieces of plastic that criminals can dumpster-dive for.
At the moment there’s no education going on – people need to learn how to protect themselves – needs to be instinctive like protecting physical property in a public place is.
The internet wasn’t made for online banking – security is weak – yet banks have jumped straight in anyway. Some banks have implemented two-factor authentication but there are still weaknesses.
Interesting trend towards counter-hacking the hackers: 419eaters.com et al.
Identity theft is actually really damaging – consequences are severe and risk factor is high.
Security gets improved when the people best placed to improve it are incentivised to do so: credit card companies are liable for fraud losses so they have become very good at spotting fraudulent activity. But banks are constantly trying to offload liability onto either their customers or merchants. Sometimes regulation is required to correct this tendency.
Appearance of authority is really easy to conjure – put on a fluorescent jacket and nobody questions your actions!
Greed blinds people to the risk indicators – and the scammers can reach so many people through the Internet – they only need to fool one in ten-million to make a sizable profit.
Ian summing up: realised that social engineering and scamming have moved from a handful of clever but isolated people to major organised crime and an entire criminal industry.
Where are the Internet police?! They briefly existed but were disbanded again. Now banks have discretion over whether a fraud on your account is reported to the police.
Software designers periodically make mistakes that expose personal data online: passing authentication credentials in the clear in URLs, etc.
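One concrete form of that last mistake is a login or API request that carries the secret in the query string, which then lands in web-server and proxy logs for anyone with log access to read. The check below is an added example, not something from the talk: it scans constructed access-log lines for such URLs and reports the offending parameter names without echoing their values (the list of sensitive parameter names is an assumption to adapt per application).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that usually carry a credential or session secret.
# This list is an assumption for the example; extend it for your own apps.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "pass", "token", "access_token",
    "api_key", "apikey", "secret", "sessionid", "session_id", "auth",
}

# Matches the request line inside a Common/Combined Log Format entry:
#   ... "GET /path?query HTTP/1.1" 200 ...
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params_in_url(url: str) -> list[str]:
    """Return the names of credential-like query parameters present in `url`."""
    query = urlsplit(url).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if n.lower() in SENSITIVE_PARAMS]


def scan_access_log(lines: list[str]) -> list[dict]:
    """Flag log entries whose request URL carries a credential in the clear.

    Values are never copied into the report: logging them again would
    simply widen the exposure the check is meant to catch.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        leaked = sensitive_params_in_url(m.group("target"))
        if leaked:
            path = urlsplit(m.group("target")).path
            findings.append({"line": lineno, "method": m.group("method"),
                             "path": path, "params": leaked})
    return findings


# Constructed sample entries (not real traffic) in Combined Log Format.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /login?user=alice&password=hunter2 HTTP/1.1" 302 0',
    '10.0.0.6 - - [01/Jan/2010:10:00:02 +0000] "GET /account/summary HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2010:10:00:03 +0000] "GET /api/balance?api_key=abc123 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} leaks {', '.join(f['params'])}")
```

The same check applied to a staging environment's logs before launch is a cheap way to catch the mistake while the fix is still a redirect to POST-bodied or header-based credentials rather than a breach notification.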
Discussion
No comments for “Ian Forrester: Human hacking”