Software vulnerabilities receive a great deal of attention when hackers and crackers pop up inside someone else’s system. But reports this month from the Treasury Department’s inspector general for tax administration and a survey reported by the BBC provide fresh reminders that addressing human vulnerability is just as critical as plugging holes in software to maintain adequate security safeguards.
The Associated Press reported that 35 percent of IRS personnel gave their computer login name to inspectors posing as computer technicians. Worse, those IRS employees also changed their password to a word suggested by the impostors.
The inspectors made the contacts by phone and simply told the targeted employees that they were calling from the department’s help desk and were trying to correct a network problem.
Bad as those numbers were, they were a significant improvement over a similar test four years earlier, when 71 percent of employees cooperated.
The BBC reported this week that 92 percent of Britons taking part in a fake survey of theater-going habits were willing to reveal details such as their mother’s maiden name and birth dates, information often used in Britain to establish new financial accounts. According to the BBC, by the end of the survey the researchers had all they needed to open credit card accounts in the names of the persons surveyed.
What did it take to entice those people to cough up the information? A chance to win theater tickets.
Social engineering takes advantage of human expectations and lowers a person’s defenses. It has long been used by con artists and has more recently been adopted by spammers, phishers, hackers and others.
The Better Business Bureau’s Identity Fraud Survey Report earlier this year estimated that in the previous 12 months 9.3 million Americans were victims of identity theft. Methods of acquiring the information vary widely, but the report states that, on the whole, it is a $52.6 billion problem in the United States.
The risk management program for any company maintaining sensitive information should include employee training in security standards and the social engineering techniques used to persuade people to give up private information.