Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/27/2016
01:00 PM
Terry Sweeney
Terry Sweeney
Slideshows
Connect Directly
Facebook
Twitter
RSS
E-Mail

7 Ways To Charm Users Out of Their Passwords

While the incentives have changed over time, it still takes remarkably little to get users to give up their passwords.
3 of 8

3 of 8
Comment  | 
Print  | 
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Whoopty
100%
0%
Whoopty,
User Rank: Ninja
7/28/2016 | 8:02:00 AM
Wow...
I thought this piece would be about legitimate social engineering techniques, not outright bribery of people! I'm shocked so many would give up information for a pen.

A cookie I can understand but still...

I might be tempted by the cash, but only because I would immediately change my password after they gave it to me. 
T Sweeney
100%
0%
T Sweeney,
User Rank: Moderator
7/28/2016 | 10:21:40 AM
Re: Wow...
Ha! Thanks, Whoopty... that's a better title, actually: 7 Ways to Bribe Users! I'll admit I was surprised at how many ways there were to get users to give up the goods. Some little treat is actually a great conversational opener for a social engineer, provided they're willing to try it in person and forego the anonymity of the phone.

The other surprise: How many users will give up their passwords just by being asked... no incentive required. What's up with that?
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/28/2016 | 11:43:51 AM
Re: Wow...
Well, i hope you use unique password because many times hackers will test the password they obtain - by theft, bribe or money - against many other systems until they get into the one they want access to.  You may think you can just chnage your password as soon as revealed and all is safe but hackers are not that stupid, they usually do not ask for the password of the system they wnat access to, they want to study your passwords, test them against other corporate systems until they get their way in.  And be worried, there is always one app you forget that will let them in!
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/28/2016 | 11:48:15 AM
Your data is my data
Unfortunately until users consider corporate data - that includes corporate financials but also customers/consumers data like yours and my data- as their own, this behavior will continue.  Individuals who suffered an identity theft through the IRS breach or a healthcare fraud done under their name are less likely to sell passwords or give them away in exchange for cheap bribe.
TerryB
100%
0%
TerryB,
User Rank: Ninja
7/28/2016 | 12:51:33 PM
Re: Wow...
What I couldn't tell from article was who these people thought they were giving their password to? Was the social engineering hook (true in these cases) that this was only a test/survey? 

Surely it wasn't a cold call who told person "My name is Demitri. Would you please provide me your password and I will send you a cookie."

But even replying to what you thought was test/survey shows a real level of either stupidity or lack of caring about corp data. How would they know if real study or not?

Whoopty has good point. Many probably changed passwords after getting gift. Most, like at our our place, are probably forced to change every 90 days, enforced by system tracking last 31 changes to make sure you don't use password again. Chances are they had password like "Cutekitty8". Three guesses what their next password was? 
T Sweeney
50%
50%
T Sweeney,
User Rank: Moderator
7/28/2016 | 1:01:05 PM
Re: Wow...
Most, if not all, of the examples cited in the slideshow were in-person interactions. Most social engineers -- the malicious ones -- don't have the nerve to pull this off and don't want to risk being ID'd later.

But, yes... there is an incredible amount of unthinking behavior out there on the part of end-users. This just skims the surface.
phoenix522
100%
0%
phoenix522,
User Rank: Strategist
7/28/2016 | 4:31:03 PM
Re: Wow...
I overheard a person in a non-IT training class a while back as she was stating that the Target breach was blown way out of proportion and there's no need for change when it comes to credit card fraud. Her logic was, "How many people do YOU know who were impacted by that?"

Some people just don't get the need for security, they simply want to bury their head in the sand and let others worry about it. If you add those people who work for a company but they aren't happy there, they are even less worried about what happens to the company data.
rstoney
100%
0%
rstoney,
User Rank: Strategist
7/29/2016 | 9:03:34 AM
Re: Your data is my data
Very true;

 

  But come on - the fresh-baked cookie offering to a group of typically male IT shops is just downright rude and unfair.   Especially around morning coffee time.

 

   My preference is the soft sugar cookies with the hershey kiss in the middle.  Gawd I am hungry now for cookies.  *&&$%## !!!!
Chessie1934
100%
0%
Chessie1934,
User Rank: Apprentice
7/29/2016 | 1:59:16 PM
Re: Your data is my data
Nobody has really been put on the hook for actions that result in a breach so no one cares about truly protecting data.  Once there is a real consquence to the insider who contributes to a data breach--CFO who won't pay for updated software, dumb-ass end user who clicks a supsicious link--in some significant manner, people will start caring about the data that is under their protection.  Until then, the attitude will be they'll just provide credit monitoring to those affected by a breach.  They'd rather pay (more) later than pay (a litlle) up-front to prevent a breach.
JulietteRizkallah
100%
0%
JulietteRizkallah,
User Rank: Ninja
7/29/2016 | 2:31:45 PM
Re: Your data is my data
Well you can eitehr call me an optimistic, thinking people will come to their senses and consider that the data they compromised could be theris, or a pessimistic, thinking everyone of us at the pace we are goign with databreach will suffer an identity theft and then will chnage our behavior toward password and data.
Page 1 / 2   >   >>
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11496
PUBLISHED: 2020-10-19
Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to ...
CVE-2020-15822
PUBLISHED: 2020-10-19
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
CVE-2020-24375
PUBLISHED: 2020-10-19
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
CVE-2020-7193
PUBLISHED: 2020-10-19
A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
CVE-2020-7194
PUBLISHED: 2020-10-19
A perfaddormoddevicemonitor expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).