Pretexting in the Digital Age - A Glimpse into the World of Social Engineering

A

Pretexting is the act of getting personal information from an unsuspecting person by convincing them you are someone you are not. Pretexting is a subset of social engineering, which is the act of manipulating people into giving you information you want and/or giving you privileges you are not authorized to have. To better define the subtle difference between these two, consider the following:


If you were to call up a fancy restaurant and manipulate someone into giving you the name of a party who had reservations for a certain time and a certain date, you would be performing a pretexting attack. If you were then to call back, convince them you were a member of that party and proceed to have the restaurant worker change the party name for you (to your own real name), you would then be performing a social engineering attack, for you managed to not only get information (pretexting), but also got the worker to perform a function for you. You could then show up at this fancy restaurant and enjoy your hijacked reservation. This is an example of basic social engineering.


The overwhelming majority of information attacks coordinated through a computer system begin as social engineering attacks. In fact, the most famous of all hackers, Kevin Mitnick, considered himself less of a hacker, and more of a "pretexter" or social engineer. Mitnick rarely had to use a computer to get what he wanted.


Do you want to hear some real pretexting/social engineering in action? Check out this link:


http://download.2600.com/mediadownload/h2k2.hope.net/media/social.mp3


It is a recording from a social engineering segment at a hacker conference that took place a few years ago. The recording is of a group of hackers talking about social engineering. They tell stories of attacks they have done in the past. They also make a few practice calls and practice their social engineering skills over a speakerphone. They manage to get a credit card number, and hijack a restaurant reservation (and then give it back). They do this by pretending to be a phone company employee, a wireless network repairman, an author with an unusual pen name, and a health inspector. They attack AT&T, Starbucks, and The Russian Tea Room. From this recording, you can really get an idea of how easy it is for social engineers to get information from unsuspecting people. You can also see how important it is NOT to give up information without first verifying who you are speaking to.


"I am a social engineering specialist, for there is no patch for human stupidity."
-Anonymous hacker I met on the streets of Oregon

There is only one way to avoid becoming a victim of pretexting or social engineering, as the people in the audio did, and that is to stay smart. Never assume the person you are dealing with on the other end of the line is who they say they are. Always verify their identity first. Failing to do this is what allows identity thieves and social engineers to have a field day at your (or your company's) expense. Also, remember that some information is simply not safe to give over the telephone. Credit card numbers are one such kind of information. Personal information about anyone besides yourself is another example of information that simply shouldn't be shared over the phone.


It is unfortunate that we people in the digital age must be so suspicious of voices on the other end of the wire, but it is a fact. Becoming a victim of pretexting can mean disastrous things for you. You could go broke, have your credit ruined, or your name smeared. Your company could lose thousands of dollars due to theft of services. Being security conscious is a must for everyone these days, especially if you are being entrusted by a large organization. In closing, please remember that loose lips can still sink ships. To keep your identity safe and your mind headache-free, think before you speak, especially over the phone.


Published by A
