Social networks: beware of imitations


Social engineering in action

Social engineering was, is and will be one of the most powerful tools for making people disclose whatever is required of them. A very typical example is described in a TechCentral.ie article, which tells how a security expert broke into a TV star's Facebook account. The scheme itself is so simple and efficient that it is unlikely it will ever stop working.

For those unwilling to read the article: the idea is to imitate the account of someone close to the person you wish to trick. Whereas people nowadays might be wary of trusting a stranger, it feels natural to trust someone you know. And if that person's personal data, including photos, bio details, etc., are freely available on the Net, it is possible to trick anyone into believing they are dealing with a person they know very well.

The age of trust references

The main problem of the modern Net is the massive loss of trust. People have to prove their identities; we are taught not to trust whomever we encounter in cyberspace. Personal photos, scans of documents and so on can at times be found easily, and that makes all the identity proof actions more and more unpleasant.

The problem is not to determine the identity of a person contacting you for the first time. It is a common practice to place phone calls, to ask for utility bills and so on to make sure you are dealing with exactly the person you think you are dealing with.

The problem is that this sequence of identity proof actions may become a must every time you contact anyone on the Net. What are the means to prove one's identity?

Physical presence is almost always impossible.

Papers and other physical documents. The only problem is that they must somehow be tested for validity, and it is impossible to make use of notary services every time you need to confirm who you really are.

Digital signatures (such as GPG/PGP key pairs) are good, if the owner doesn't lose the passphrase and makes sure to revoke the key quickly if it leaks to a third party.

Biometric data may seem very reliable, but it is very inconvenient and expensive to check that data wherever a person's identity is in doubt.

The loss of anonymity is an important issue as well. We are being told that anonymity is evil, yet reality demonstrates that the problem is not in anonymity, but in the incompatibility of most of human society's norms and laws with cyberspace.

Currently a number of means are used to check that people are actually who they claim to be: phone calls and so on. However, if someone impersonates your close friend and you trust that person (trusting their Internet presence), your trust in the real person will be affected as well.

The primary damage of cybercrime is that we are being persuaded not to trust whatever we see on our screens.

Conclusion

There are always means of contact that a person seldom or never shares with the whole world, only with the most trusted people.

Also, if real trust is to be created, you had better meet the other human being in person. At least once.

In all other cases I can only suggest remaining wary if you are contacted by a person who claims to be a friend or relative of yours, until you contact him or her by other means (the personal ones mentioned above) and make sure the cyber-image belongs to a known physical entity.

And the rule of thumb remains the same: do not seed your personal information, unless you know what you are doing.

After all, the loss of trust could be much graver than any other consequence.


About this Entry

This page contains a single entry by Konstantin Boyandin published on March 22, 2010 5:29 PM.
