“Where did you grow up?”
“I love dogs. Oh, you have a dog? What’s its name?”
“My friends used to call me Spiderman. How about you, did you have a childhood nickname?”
You answer these questions and your new friend laughs with you about your silly nickname. Your new friend then plugs your information into a program they have on their computer, which generates millions of password combinations. They attempt to hack into your email account. They succeed.
Mr. Robot is the latest show to introduce us to the world of hacking. The show features protagonist Elliot, a security engineer at the cybersecurity company AllSafe. Mr. Robot focuses on Elliot’s attempt to hack into E Corp, the largest conglomerate in the world (and AllSafe’s client) and eliminate all debt.
Most importantly, Mr. Robot features social engineering—an incredibly fascinating, and scary, type of hacking. It involves minimal use of a computer.
According to Lifehacker, social engineering is “the art of manipulating people into doing things, particularly security-related—such as giving away computer access or revealing confidential information. Rather than breaking into computer networks or systems, social engineers use psychological tricks on humans.”
It works because, as spies discovered in WW2, humans are the weakest link in any information system. For the most part, we’re not suspicious, and we get ridiculed for being paranoid. We don’t believe the worst will happen to us until it’s too late. It’s also the reason why many homeowners don’t buy home insurance.
That same factor plays into our cyber security. We don’t think these elaborate schemes devised to elicit our information will happen to us. Our blissful ignorance makes us easy targets for hackers. It doesn’t help that companies want to hide vulnerabilities from hackers, so they also keep the information from the public (a ridiculed practice known in the industry as “security through obscurity”).
Some people use social engineering for fun. There’s a whole subreddit dedicated to people sharing urban exploration or stories of times they got access to places they shouldn’t have.
Here’s how a social engineering hack could look:
*Spoiler alert* In Mr. Robot, the main character—a proficient hacker named Elliot—called a man, Michael, pretending to be from Michael’s bank’s fraud department. This disguising technique is known as pretexting.
Elliot confirmed Michael’s address and asked him security questions to verify his account: his favorite baseball team and his pet’s name. Using this information, Elliot tries combinations of these words as passwords and hacks into Michael’s account.
Here’s how it looks:
- Here’s how it works: Elliot has a program that tries out millions of passwords per second and checks whether they are correct. Since many people include names or dates in their password, the more Elliot knows about his target, the more accurate his guesses, and the better his program works.
- Elliot calls Michael, pretending to be from the bank’s fraud department.
- Elliot says Michael’s account has been compromised and before he can answer any questions, he has to verify some information.
Elliot: Are you still at 306 Hawthorne Avenue?
Michael: “Yes, apartment 2C” *Elliot adds 2C into the program*
Elliot: Question: favorite baseball team?
Michael: “Yankees” *Elliot adds Yankees into the program* (Michael gets suspicious).
Elliot: Lastly, pet’s name.
Michael: “Flipper” *Elliot adds Flipper into program*
Elliot *hangs up.*
Voiceover: “With these details and a dictionary ‘Brute Force Attack,’ it’ll take maybe 2 minutes to crack the password.”
We see a counter going up from 0 to 9875794 – the number of variations tried.
The program doesn’t find a match. Elliot believes that Michael’s too old to have a complicated password. It had to be a combination of these things (pet, address and favorite baseball team).
Elliot knows that he’s missing something. Elliot learns that Michael was using a fake name (Michael Hansen). Lenny Shannon is his real name.
But you’re just a regular person. Maybe you don’t have affairs to hide. And you’re not rich. You’re not famous. Why would a hacker want your information?
Why would a hacker want to target you (of all people)?
1. They can make money (even if you don’t have a lot of it).
Hackers can take your identity and use it to commit crimes that make them money.
Even if you have the money not to worry about it, there’s a ton of headaches and inconvenience here. Your reputation could also be at stake, if the hacker commits some darker crimes with your identity.
As a simple example, a hacker could open bank accounts in your name and use them for money laundering. Or, they could apply for credit cards and run you into debt. This is a big topic, and that’s just the tip of the iceberg.
2. They could steal your company’s data.
Here’s what happened in Mr. Robot. Hackers tricked one of AllSafe’s workers into thinking a CD contained hip-hop tracks and guilt-tripped the worker into listening to it. When the worker inserted the CD in their computer at home, the hacker gained access to the worker’s computer. The hacker found some compromising personal information on the worker and blackmailed the worker into putting the CD into an AllSafe computer to hack into the company.
This isn’t as farfetched as it sounds. A version of this social engineering attack was carried out against Wal-Mart. Here’s what happened:
A social engineer, “Gary Darnell,” called a Wal-Mart store manager in Canada, pretending to be from the Wal-Mart head office with an opportunity to win a major government contract. Darnell asked about the logistics of the store: janitorial contractor, food-services provider, employee pay cycle, and staff shift schedules. The Wal-Mart store manager co-operated and provided the information.
Fortunately for Wal-Mart, this phone call was just a part of a competition at a Defcon social engineering event. You can bet that it happens in real life as well. It’s easy to exploit the human weakness in system security when the person thinks money is involved.
3. They could steal your personal data.
This is more of a privacy cost than a monetary cost. As the Washington Post reports, it’s pretty easy to hack into someone’s iCloud account. When requesting a forgotten password, Apple asks for the person’s Apple ID (which is often the person’s email), birth date (found easily on social media), city where their parents met (probably where the person was born or can be found on social media) and childhood nickname (can find it on social media). Anyone who knows you or has known you could easily get this information.
That’s not a problem until the hacker starts going through your contacts and potentially using the information you have to target your friends and family.
Private data is valuable. Blackmail is one of the most common crimes on the internet. For example, the victim gets undressed, not realizing that a hacker is capturing the video through their computer’s webcam. This could also happen on mobile.
Your information belongs to you, not anyone else.
5 common forms of social engineering and how you can protect yourself:
Here are five simple techniques that social engineers use on their potential targets to get the information they need.
1. Elicitation
Christopher Hadnagy, who wrote a book entitled Social Engineering, defines elicitation as “the term applied to subtle extraction of information during an apparently normal and innocent conversation. It is a conversation with a purpose, to collect information about your work or to collect assessment information about you or your colleagues.”
Elicitation appears to be a normal conversation. You should beware of fast friends. If a conversation with someone you just met shifts randomly into sensitive information or security, you should probably tell them it was good meeting them and leave the conversation. Obviously most people aren’t trying to hack you, but it doesn’t hurt to stay vigilant. U.S. Homeland Security has a brochure with examples of elicitation.
2. Pretexting
Hadnagy defines pretexting as “the practice of presenting oneself as someone else in order to obtain private information. It’s more than just creating a lie, in some cases it can be creating a whole new identity.”
In Mr. Robot, an example of pretexting is Elliot calling Michael saying he’s from the bank.
A healthy level of skepticism is important for resisting pretexting.
Don’t give sensitive information over the phone. Be critical of the information that this random person shares with you. Pretexting is only effective when the social engineer gains your trust through a believable story and credibility.
3. How Social Engineers Read You: Microexpressions
Social engineers are masters at reading people. They do this through studying people’s microexpressions. For example, social engineers exploit these types of behaviors:
- Contradiction (e.g., If a stranger calls you and asks you for your time, and you say, “I’m not available,” and you still continue to stay on the phone, then you contradict yourself.)
- Hesitation (e.g., This gives them the impression that you’re evaluating whether you want to answer truthfully. Or you’re trying to remember something.)
- Changes in Behavior (e.g., change in expression or the way you sit)
- Hand Gestures (e.g., when you get nervous you touch your face)
4. Weak Passwords
Don’t make these common mistakes with your passwords. The Defense Advanced Research Projects Agency (DARPA) released a study that showed the most common patterns for passwords:
- One uppercase, five lowercase and three digits (Example: Expres123)
- One uppercase, six lowercase and two digits (Example: Express12)
- One uppercase, three lowercase and five digits (Example: Evpn12345)
Don’t use the same password for everything. It just makes it easier for the hackers. Here are some good guidelines for a strong password:
- Random collection of letters (upper and lowercase), numbers and symbols
- 8+ characters
- Use a unique password for every account
Any password shorter than 8 characters can be easily cracked by a computer, especially if your login system allows for unlimited attempts per second. When in doubt, use a password manager like LastPass or KeePass.
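As an added example (not code from the post, the show, or ExpressVPN), here is how a service could screen new passwords against both weaknesses described above: the personal-detail combinations that Elliot’s dictionary attack relies on, and the “capitalised word plus digits” shapes from the DARPA study. The facts list and the candidate passwords are constructed sample data; the word-plus-digits pattern generalises the three listed shapes to any lowercase run followed by one to five digits. The `candidate_space` function counts how many guesses cover every ordered pair of known facts in a few capitalisations with a short numeric suffix, which shows why the voiceover’s “two minutes” is plausible even at a modest guess rate.

```python
import math
import re

# Constructed sample data for this example (not from the post): facts a caller
# could learn in a pretexting call, plus candidate passwords to screen.
KNOWN_FACTS = ["Flipper", "Yankees", "2C", "Hawthorne", "306"]

# Generalised version of the common shapes the post lists (one uppercase letter,
# a run of lowercase letters, then digits): "Capitalised word + 1-5 digits".
WORD_PLUS_DIGITS = re.compile(r"^[A-Z][a-z]+\d{1,5}$")


def mask(password):
    """Return the structural mask of a password: U=upper, l=lower, d=digit, s=symbol."""
    out = []
    for ch in password:
        if ch.isupper():
            out.append("U")
        elif ch.islower():
            out.append("l")
        elif ch.isdigit():
            out.append("d")
        else:
            out.append("s")
    return "".join(out)


def built_from_facts(password, facts):
    """True if the password (case-insensitively) consists only of known facts joined
    by filler runs of digits or symbols, e.g. 'Flipper2C' or 'Yankees1998!'."""
    facts_lc = sorted({f.lower() for f in facts}, key=len, reverse=True)
    pw = password.lower()

    def segment(i, used):
        if i == len(pw):
            return used > 0          # reject pure filler such as '1998'
        for f in facts_lc:
            if pw.startswith(f, i) and segment(i + len(f), used + 1):
                return True
        filler = re.match(r"\d+|[^a-z0-9]+", pw[i:])
        if filler:
            return segment(i + filler.end(), used)
        return False

    return segment(0, 0)


def candidate_space(facts, max_tokens=2, capitalisations=3, digit_suffixes=10_000):
    """Size of the search space for passwords made of up to `max_tokens` ordered facts,
    each in a few capitalisations, optionally followed by a 0-4 digit suffix.
    This is the kind of 'dictionary' the voiceover refers to: tiny next to random strings."""
    n = len(facts)
    total = 0
    for k in range(1, max_tokens + 1):
        total += math.perm(n, k) * capitalisations ** k
    return total * (1 + digit_suffixes)


def seconds_to_exhaust(space, guesses_per_second=1_000_000):
    """Time to try every candidate at a given guess rate (the post says millions per second)."""
    return space / guesses_per_second


def screen_password(password, facts=()):
    """Return the list of reasons a password should be rejected (empty list = accepted).
    `facts` are profile attributes the service already holds (name, pet, address, ...)."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(set(mask(password))) < 3:
        reasons.append("uses fewer than three character classes")
    if WORD_PLUS_DIGITS.match(password):
        reasons.append("matches the common 'Capitalised word + digits' shape")
    if facts and built_from_facts(password, facts):
        reasons.append("built from personal facts an attacker can learn or guess")
    return reasons


if __name__ == "__main__":
    for pw in ["Expres123", "Flipper2C", "Yankees1998!", "xK9#vq2!Lm$7"]:
        print(f"{pw:14} {mask(pw):14} {screen_password(pw, KNOWN_FACTS) or 'OK'}")
    space = candidate_space(KNOWN_FACTS)
    print(f"{space:,} personal-fact candidates, ~{seconds_to_exhaust(space):.1f} s at 1M guesses/s")
```

The segmentation check is deliberately case-insensitive and tolerant of digit or symbol filler, because “Flipper2C” and “flipper_2008” are the same weakness from the attacker’s point of view. A real deployment would run this check against the account’s stored profile fields on top of a breached-password list, not instead of one.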
5. Keep Your Greed and Curiosity in Check
Social engineers prey on human nature. We tend to be greedy, and our curiosity always gets the best of us. For decades, con men have been effective because they make use of people’s greed and our preference for shortcuts. Don’t fall victim to these types of bait:
- If there’s a mysterious USB drive or CD, don’t plug it into your computer; there could be malware on it. Take it to your security team or IT specialist and have them scan it. If you don’t have a team, ask your colleagues if anyone lost a USB drive, and warn them not to check it out of curiosity.
- If there’s a really enticing headline in an email, don’t click through. Text the person who sent it to you, because it could be a phishing scam.
- If there’s a really great offer (don’t miss out!), ignore it. If it sounds too good to be true, it probably is.
Steve Comisar, an ex-con man ranked in the top ten by the FBI (second only to Frank Abagnale, who was featured in the film Catch Me If You Can), says if it sounds too good to be true, it probably is a scam.
Most of Comisar’s scams were conducted over the phone. He would really get to know the person, and let the person know he really liked them. After a certain level of comfort, it was easy to get the person to hand over the money.
Social engineering is scary.
The most fascinating, and also the scariest, part of Mr. Robot isn’t the technical aspect of hacking. It’s the human element. It’s how such devastating things can happen through low-tech methods like pretexting, or simply opening a disguised email. Because of this, I’ve started applying a healthy dose of skepticism to every communication I receive, and you should too.
It’s one thing if a hacker relentlessly targets you. At that point, you have to take a different strategy to protect yourself.
But don’t make the hacker’s job easier by indirectly giving them your information. Some quick tips:
- Make your password strong.
- Don’t give information over the phone.
- Be suspicious of greed-inducing or curiosity-provoking emails.
- Make your password random to make it less vulnerable.
Protect yourself as much as you can.
Arthur Baxter is an Operations Network Analyst at ExpressVPN, a leading privacy advocate whose core mission is to make it easy for everyone to use the Internet with security, privacy, and freedom. They offer 100+ VPN server locations in 78 countries.