A recent large-scale study of 1,208 people by the Université du Luxembourg has revealed how the potency of social engineering attacks can be increased with the help of a little chocolate.
Social engineering is the art of tricking people into doing things for you, such as handing over confidential information. It’s popular with criminals because for all the wizardry of stealing, cracking, sniffing, phishing and logging, the easiest way to get somebody’s password is sometimes just to ask for it, nicely.
The study was co-authored by Dr André Melzer who describes in the paper how criminals can increase the potency of social engineering attacks by using the sense of obligation we feel after receiving a small gift:
When someone does something nice for us, we automatically feel obliged to return the favour. This principle is universal and important for the way we function as a society. However, this internal pressure can also be exploited to achieve certain purposes, such as encouraging someone to divulge a password.
During the experiment, undercover researchers carrying University of Luxembourg bags asked passers-by about their attitude towards computer security, but also asked them for their password.
During the interview the researchers gave the interviewees gifts, and the effect of one gift, chocolate, was pronounced.
The research showed that this small gift greatly increased the likelihood of participants giving away their password. If the chocolate was only given out afterwards, 29.8 per cent of participants revealed their passwords. However, if the chocolate was received generally beforehand, a total of 43.5% of the respondents shared their password with the interviewer
It also seems that the more closely associated the gift and the question are then the more our sense of obligation ratchets up; in cases where users were offered chocolate immediately before being asked for their passwords the number goes up to 48%.
Unsophisticated thieves who turn up empty-handed needn’t give up hope though – 30% of the experiment’s control group (who only received chocolate after being asked for their passwords) still handed over their passwords.
What we don’t know (and this is where you should apply your salt pinch) is how many of the passwords were real.
As somebody who regularly has to ask for access to small companies’ computer systems, my personal experience is that insecure, oversharing of passwords is more the rule than the exception (one of 4 password mistakes small companies make in fact).
Our personal passwords are the keys to our digital lives, and our work passwords can be a gateway to both our employer’s confidential information and the personal, private data of their customers.
If somebody asks for your password, ask yourself if you’d be willing to hand over your house keys or the code for the company alarm system too. If you aren’t then you probably shouldn’t be handing over your password.