Social Engineering, Or The Benefits Of Not Having Friends
Bob Sampson
CCISO CISSP CISM CGEIT Cyber security specialist, helping businesses achieve a more secure future. Talks about threats, risks, vulnerabilities and protective measures.
Friends are great. Without them, your parties lack a certain vibrancy, drinks rarely appear without request when you’re at the pub and your social calendar tends to sync more with your cat than other humans (my cats and I are watching Broadchurch together at the moment). On the other hand, without friends, you’ve fewer weddings to worry about going to, buying a round is pretty cheap and fewer people inadvertently try to help steal your money.
“How dare you call my friends thieves,” I hear you cry, aggrieved (well, I would, if I had any friends). Well, you have the joys of the Internet to thank for it, and more specifically Facebook. Facebook bridges a great chasm where our increasingly hectic professional lives are in conflict with our growing social lives. Often we don’t have the time to catch up face to face with friends, so we link up with them on Facebook and post pictures of the kids growing up or the new cat or whatever. It’s a wonderful tool for keeping alive those social bonds that might otherwise wither through neglect.
Facebook (FB going forward for ease), however, comes with a wide range of associated threats. Let’s gloss over the notion of not setting your privacy tight enough to stop pictures of your home being visible to all and sundry (oh, look at that lovely 60” TV and those iPads just lying around), although it is a serious concern in its own right, and let’s look at these threats from your friends.
Stealing stuff can be risky (*citation needed). More accurately, stealing electronically can take time, and the greater the time, the greater the risk of being caught. So those engaged in cybercrime would have it a lot easier if you just gave them the keys to your sensitive data. Our money, our online accounts and an ever-increasing range of services are protected by layers of security. For example, if you want to call your bank because you have lost access to your online banking facility, you may need to provide a secret piece of information specific to you. The same applies to anyone posing as you, pretending to have lost their (your) login details. And this is where social engineering comes in.
Social engineering is the act of intentionally making people give you this sensitive information, or just scouring the web for it based on various social profiles. If you have both a FB account and a social circle on there, you may well have seen some examples of social engineering without realising it. Just the other day, a friend reposted a link on FB with an old-style photo and the text within the image “Who can remember the name of the street they grew up on?”. Under the post were replies in their thousands from all the previous recipients of the post, including my friend. Now, I’ve a lot of online accounts on different sites, and one of the most common security questions is “What is the name of the street you grew up on?”. Based on the previous responses, there are a lot of people out there responding to posts like this one and giving away answers to security questions. Other common ones I’ve seen, with almost identically styled photos, included questions such as “Who can remember their first phone number?”, “Who can remember their first pet?” and “Who can remember their first teacher?”. These are all commonly used security questions for accounts.
The other method of socially engineering access to data is to trawl through the myriad of online profiles many people have these days. FB and Instagram will give people an insight into your private life, your family, your interests. They can easily glean what your favourite football team is, or where you live, or what expensive stuff you’ve got at home. LinkedIn will show your employment history, what you do and where you do it, and all these things come together to build up a picture of you, of your life. From this mosaic, they can start to make educated guesses at security questions on private accounts, but there is another aspect too. If you are clearly an avid Arsenal supporter (I hear some people are quite keen on football), you may be more responsive to a targeted phishing email (one trying to get you to respond with key information or to click on a dodgy link) or to open a virus-infected attachment if the email claims to be from the Arsenal Supporters Club or similar. Or maybe your Morris Minor is the love of your life, plain for all to see, and you’ve even named it Molly. There is a very good chance that if someone were to try guessing passwords for your account, they would start with Molly or some variant of it.
So what can you do to mitigate this risk? Severing ties with all your friends (they only make rounds at the bar more expensive anyway), deleting all online traces of yourself and living off the grid in a forest eating pine cones is certainly one option. But if you still want to retain a life involving other humans, maybe spend some time going through the security settings of your profiles to see who is able to view what about you. Investigate whether your posts are visible only to your friends, or to a wider audience. Also consider who is your friend or link on these sites. Is it someone you know well, or is it someone you worked with for 2 months over 10 years ago and, actually, you’ve no idea what they are like outside of work? And if you happen to see a post from a friend on FB asking you to post something special to you, before you reply, think for two seconds: “Would I tell a stranger on the street information like that?”.
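The “Molly or some variant of it” point above can be turned into a self-check: before settling on a password or a security-question answer, compare it against the facts your own profiles already make public. The snippet below is an added example, not from the original post; the profile facts are constructed sample values, and the disguise-undoing rules (case, leet digits, trailing numbers and punctuation) are the cheap tricks people actually use, which is why they add nothing against a guesser who already knows the pet’s name.

```python
import re
from typing import Optional

# Constructed sample of what a public FB/Instagram/LinkedIn profile gives away.
# These are assumed values for the example, not data from any real account.
PUBLIC_FACTS = {
    "pet": "Molly",
    "street": "Acacia Avenue",
    "team": "Arsenal",
    "car": "Morris Minor",
}

# Common letter-for-digit substitutions, mapped back to the letters they stand for.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(secret: str) -> str:
    """Strip the cheap disguises: case, leet digits, and any digits/punctuation/spaces.

    'M0lly!' -> 'molly', 'Arsenal1886' -> 'arsenall' (the leading word survives intact).
    """
    lowered = secret.lower().translate(LEET)
    return re.sub(r"[^a-z]+", "", lowered)


def profile_tokens(facts: dict) -> list:
    """Every public fact plus each word of it, normalised, longest first so the most
    specific match is reported. Words under 4 letters are dropped to avoid noise."""
    tokens = set()
    for value in facts.values():
        tokens.add(normalise(value))
        for word in value.split():
            w = normalise(word)
            if len(w) >= 4:
                tokens.add(w)
    tokens.discard("")
    return sorted(tokens, key=len, reverse=True)


def derived_from_profile(secret: str, facts: dict) -> Optional[str]:
    """Return the public fact the secret is built from, or None if it looks independent.

    Works for passwords and for security-question answers alike: an answer that is
    already on your profile is no secret at all.
    """
    core = normalise(secret)
    if len(core) < 4:
        return None
    for token in profile_tokens(facts):
        if token in core or core in token:
            return token
    return None
```

A password manager or sign-up form can run the same check against whatever the user has chosen to make public, rejecting any candidate that comes back non-None.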
Disclaimer – Social engineering, and by extension friends as a threat, was not invented by geeks like me as an excuse for why we don’t get invited to the best parties. Probably.
Co-Founder | Helping Retail Operators Drive Growth & Efficiency | Bridging the Gap between Tech and Business
Great piece Bob, speaking for myself I always like to feel that I'm savvy on social, but it's easy to forget how much of yourself you're giving away.