A subtle threat to be countered with "attention"!

(by Orazio Danilo Russo)
31/01/22

Some time ago I was reading about the rise in cases of "vishing": credential theft carried out through a pretext phone call in which an impostor (or an automated answering system set up for the purpose) pretends to be the administrator of an information system, such as an online bank.

The news is striking in itself, because the victims, often pensioners on low incomes, found their current accounts drained by fraudsters holding user codes and passwords stolen during those phone calls; but it stands out even more because the same article reported that the ABF - the Banking and Financial Arbitrator, to which customers can turn to resolve disputes with lenders - had sided with the banks, which accused the customers of being too gullible.

Undoubtedly social engineering attacks - defined by the US expert Christopher Hadnagy as "any act that influences a person to take an action that may or may not be in their best interest" - are a current and dangerous threat. Three factors in particular favour them: the spread of information technologies and online services; widespread technological illiteracy and carelessness in sharing personal data online; and, finally, the general lack of inclusiveness of software user interfaces, which raises serious technological barriers for the elderly, children and people with disabilities.

On the other hand, it must be said that these are not new threats: the scams carried out in the homes of the elderly by self-styled ENEL officials, for example, rely on the same manipulative techniques. Hadnagy himself, in his book "Social Engineering: The Science of Human Hacking", points out that these techniques are as old as the world, citing as the earliest historical account of a social engineering attack the passage in Genesis 27 in which Jacob, disguising himself and impersonating his brother Esau, deceives his blind and elderly father Isaac and steals his blessing.

Let us therefore explore two aspects of particular interest: what is new and what is old in today's social engineering attacks.

The new aspects follow from the state of the art: computers, smartphones and tablets have created a parallel universe, and social activities have moved into the virtual world. New attack vectors have emerged and offensive procedures have evolved. Thus, alongside the vishing already mentioned, "phishing" was born - the attack carried out with a fraudulent email, aimed at stealing the victim's identity or infecting the victim's device with malware - as well as "smishing", its equivalent delivered instead via a text message to the victim's mobile phone.

The vulnerability exploited is old: the natural process of relaxation, of reduced self-awareness, that characterises most of our brain's waking hours and that is physiologically built in for reasons of cognitive economy. When we are in a normal situation, one we do not consider dangerous, the mind automatically switches into "eco-mode" and reacts to stimuli with a pre-packaged response drawn from experience of similar cases. In essence, mental energy is saved for the moments when we instead find ourselves in an unusual situation, perceived as a danger, in which maximum attention and energy - "adaptive mode" - are needed to respond to the threat with behaviour that is no longer pre-packaged but adapted to the specific context.

This is the art of the scammer, of the social engineer: the ability to present the victim with an informational context that is not perceived as unusual, dangerous or abnormal; on the contrary, one that recalls widely lived experiences or notions acquired in the past, and to which the behavioural response can therefore be "automatic" and unconscious.

On this point, social psychologists have written pages of reflections and produced thousands of studies. The American psychologist Ellen Langer, in particular, presented the results of a famous laboratory experiment - known in the literature as the photocopier experiment (Langer 1978) - in which she spoke of the "mindlessness" of reflexive actions. She demonstrated that, in social interactions, both verbal and written, the human mind usually acts with a reflexive response that is completely disconnected from the substantive meaning of the request and tied only to the formal, structural correspondence of the communicative pattern.

More precisely, the scientist showed that, when we are calm and absorbed in our own thoughts, we respond to a request by analysing only the formal, stylistic structure of the sentence: if it seems "conventional" to us and does not alarm us, we enter a state of acquiescence, effectively opening the door to persuasion and, unfortunately, to manipulation as well.

Now, it would be too simple and obvious merely to exclaim "you have to pay attention" or "you must not be gullible". Those who say so ignore the mental mechanisms described above. What is needed instead is an articulated social and security policy built on at least three main cornerstones.

First, to press ahead with eliminating the "digital divide" that affects large sections of the population, in particular through targeted and repeated information campaigns that instil automatic security behaviours, not least education in online privacy.

Second, to invest in technologies and software applications that draw the user's attention when there are signs that the other party is unreliable or that the device has been compromised.

Finally, to encourage industry and the IT services market to develop more inclusive user interfaces that allow secure access to technology even for the users most vulnerable in social relationships.

To learn more:

https://www.repubblica.it/economia/2021/07/26/news/sembra_la_banca_ma_e_un_truffatore_occhio_al_vishing_c_e_chi_ha_perso_migliaia_di_euro-311160470/

https://www.social-engineer.org/framework/general-discussion/social-engineering-defined/

https://www.researchgate.net/publication/232505985_The_mindlessness_of_ostensibly_thoughtful_action_The_role_of_placebic_information_in_interpersonal_interaction

https://www.difesaonline.it/evidenza/cyber/diversity-inclusion-la-cyber-tutela-delle-fasce-deboli

Thinking, Fast and Slow (Italian edition: Pensieri lenti e veloci) - Daniel Kahneman | Oscar Mondadori
