Thursday, April 1, 2010

Misusing Kuramoto's Equation to Develop Social Engineering Strategies for Identity Theft

I say this several times throughout this post, but I'll emphasize it here: don't try this at home.

Identity theft is on the rise, and social engineering tactics are being used to promote it. If you're unfamiliar with the term, "social engineering" is not a variant on social media (or perhaps it is). Here's how the U.S. Department of Homeland Security defines the term "social engineering":

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

Note that you can have the best technical security solutions out there, but they can easily be defeated by the human part of the security solution. If someone claiming to be your boss' boss tells you to give him or her the password RIGHT NOW or you will be fired, some people will obey the command.

So if you want to engage in identity theft (needless to say, I do not advocate this), how are you able to identify a good strategy?

My answer for this is based upon a misapplication of something I read in a March AppsLab post. In that post, Jake Kuramoto was musing about what could make a game application, or a regular application, or something else attractive. He postulated a formula:

Take simplicity + purpose + incentive and you’re on to something.

When you lose a balance among them or take one as implied, you begin to expect too much from people.

Try it yourself. In my head, I visualize it as an equilateral triangle, which makes the effect of changing the length of one side obvious.

For example:

Work is mostly simple + purpose + incentive, but if one goes the wrong way, you’ll have to balance by increasing one or both of the others.

Facebook used to be simple, but as it’s become increasingly complex, they have relied on increases in the other areas, i.e. stronger incentive and purpose. You first joined to be connected to people, and that purpose only gets stronger as more people join. Plus, you’ve been posting photos and adding social artifacts for so long that quitting becomes a big disincentive.

Can this equation be misapplied to social engineering/identity theft strategies? Read this crime report, and note the date of the crime - right before U.S. Census reports were due, an event that has been talked about constantly.

On Saturday, March 27, 2010 at approximately 1330 hours an unknown white male adult made contact with the victim at her residence. The subject identified himself as an employee with the United States Census Bureau and wore the appropriate identification cards around his neck.

The subject asked the victim personal questions such as her name, date of birth and social security number. The subject told the victim that she was required by Title 12 of the federal government to provide him with that information and that it was against the law to refuse to provide such information.

The subject left her a census form and questionnaire to fill out; however, he did not give her instructions as to what she should do with the form. The victim contacted the Census Bureau and was told that the form she was given was a fictitious document.

Census officials say the census forms do not ask for any personal identifying information, such as social security numbers or bank account information, and that a census form will never ask for a signature.

Let's put this into Kuramoto's Equation. The strategy is certainly simple - the "census worker" shows up at your door and makes the whole process easy. The purpose - to complete the census - is obvious. And there is a clear incentive - if you cooperate with the "census worker," then you will be complying with the so-called Title 12 legal requirements.

Lather, rinse, and repeat:

If the low-level employee provides the password so that the executive can read his/her email, then the low-level employee gets to keep his/her job.

If you provide your bank account information and a small payment to the brother-in-law of the deceased Minister of Finance in a remote African country, then you will receive millions of dollars.

Obviously these examples are very different from the "if you check in to this location and tell your friends where you are, then you'll get a free mocha" example to which Kuramoto's Equation was originally applied. But by understanding how the bad people operate, we are better equipped to scrutinize a seemingly plausible story that promises incentives in return for a simple favor.

As to the question of whether social media itself is just a big social engineering experiment, we'll leave that question for another day. Although you may want to see this relevant post that casts "social engineering" in a positive light.

P.S. If you are interested in the POSITIVE uses of the simplicity + purpose + incentive equation, I strongly encourage you to visit Jake Kuramoto's post.