This article was taken from the May 2015 issue of WIRED magazine.
Like conmen and magicians, hackers use knowledge of how our brains work to trick us. They use techniques that target psychological and cognitive vulnerabilities to gain access to our systems. What they know that you do not is that it is hard to break into a system (be it your email, Facebook, etc), but it is easy to make you make a mistake that lets them in through the front door. One of the biggest secrets of the security world is that over 90 per cent of cyber-attacks are, in fact, not a hacker dismantling your system remotely, but someone knowing how to get you to hand over the keys and then simply walking in. Many famous attacks involved social engineering: the best locks were in place, but someone passed along the key. To protect yourself, you need to understand the hacker's mentality, human psychology and the art of manipulation.
Finding out partial information
One trick is to call you pretending to be, say, your bank, and asking to confirm the last two letters of a password -- as if they know the remaining ones. This gives users the feeling they're not handing over too much. A future call would ask for other letters, or they may call your bank, claim to be you, and make out they've mistakenly got some detail wrong.
Attacking at vulnerable times
Our defences are higher when we are suspicious of a looming attack. But once we have stopped the attack, we lower our guards entirely. Often, hackers will intentionally launch an initial attack that will deliberately fail and will then use a second, real attack to get in.
Generating a problem with a website to mask their intentions
On certain sites, it's easy for hackers to generate problems (say, deny service via a massive attack on the throughput). Once the first attack has taken place, hackers will pretend they are there to help (they will demonstrate credibility of being inside the company by knowing of the attack that they themselves generated). Then they will attack the core of the system, as you are likely to be concerned with the initial attack.
Attacking from within the perimeters
It's often easier to hack an external terminal of a computer network (say, a bank teller's workstation) than the bank's mainframe. Once in, the hacker will pretend to be the teller and take advantage of the fact that a third person within the company will be more trusting of another insider. From that foothold they gain access to the system, tricking others into handing over passwords: people are more likely to give access to someone they believe to be a teller than to a person entirely on the outside.
Putting their trust in you
We are more likely to trust someone who trusted us first. The hacker will give you her credentials to some account in asking for help to fix a problem. Then she'll either infect you as you help her, or use that false sense of safety that was generated by her trusting you to get you to play along and trust her. You'll reveal useful information or grant access.
Hackers understand just how coding can fail
This allows them to exploit coding errors. It could be submitting passwords so long that they make the system crash, or trying to reach an online bank's pages one by one (relying on the inherent laziness or confusion of an individual programmer who may have forgotten to add the access check to a more recently created page, for instance). Simply exercising the site on every available platform and client may also expose flaws in those systems themselves. Such extreme situations and stresses on a system, however unlikely they are to occur in daily use, are at the heart of many HUMINT (human-intelligence) cyber-attacks.
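The two coding failures described above, as an added example that is not from the WIRED article: a toy web dispatcher in which each page does its own authorization check and a newer page forgot it, beside a dispatcher that applies one deny-by-default check before any page runs, plus a length cap so an oversized password is rejected before it reaches the expensive hashing step. A small audit function requests every registered page without a session, which is the regression test a defender would keep around. All page names, user names, the hashing parameters and the sample inputs are constructed for this illustration.

```python
"""Added example (not from the article): forgotten per-page checks versus one
central check, and capping password length before hashing."""
import hashlib
import hmac

MAX_PASSWORD_LEN = 128      # assumption: cap chosen for this example
PBKDF2_ROUNDS = 50_000      # assumption: low enough to run quickly here


class Request:
    """Minimal stand-in for an HTTP request."""
    def __init__(self, path, user=None, form=None):
        self.path = path      # page being requested
        self.user = user      # None when there is no valid session
        self.form = form or {}


# --- password handling: reject oversized input before the costly hash ------

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(submitted: str, salt: bytes, stored: bytes) -> str:
    # Hashing cost grows with input size; an unbounded password is the
    # "so long it crashes the system" case, so the size check comes first.
    if len(submitted.encode()) > MAX_PASSWORD_LEN:
        return "400 password too long"
    digest = hash_password(submitted, salt)
    if hmac.compare_digest(digest, stored):     # constant-time comparison
        return "200 ok"
    return "401 bad credentials"


# --- pages: the first two check the session themselves, the third forgot ---

def balance_page(req):
    if req.user is None:
        return "401 login required"
    return f"200 balance for {req.user}"


def transfer_page(req):
    if req.user is None:
        return "401 login required"
    return "200 transfer form"


def export_page(req):
    # Added later by a different programmer; no session check at all.
    return "200 statements csv"


def help_page(req):
    return "200 help text"


PUBLIC = {"/help"}          # pages that legitimately need no session
ALL_ROUTES = {
    "/balance": balance_page,
    "/transfer": transfer_page,
    "/statements/export": export_page,
    "/help": help_page,
}


def per_page_app(req) -> str:
    """Authorization left to each page: one missing check is one open page."""
    handler = ALL_ROUTES.get(req.path)
    return handler(req) if handler else "404 not found"


def central_app(req) -> str:
    """Deny by default: every non-public page needs a session before it runs,
    regardless of whether the page remembers to check."""
    handler = ALL_ROUTES.get(req.path)
    if handler is None:
        return "404 not found"
    if req.path not in PUBLIC and req.user is None:
        return "401 login required"
    return handler(req)


def unauthenticated_audit(app, routes) -> list:
    """Defender's regression test: request every registered non-public page
    with no session and report the ones that answer 200."""
    return sorted(path for path in routes
                  if path not in PUBLIC and app(Request(path)).startswith("200"))


if __name__ == "__main__":
    print("open without login (per-page checks):", unauthenticated_audit(per_page_app, ALL_ROUTES))
    print("open without login (central check):  ", unauthenticated_audit(central_app, ALL_ROUTES))
```

Running the audit against `per_page_app` lists `/statements/export`, the page whose author forgot the check; against `central_app` the list is empty because the dispatcher never lets an unauthenticated request reach a non-public handler. The same audit, run in a test suite every time a page is added, catches the "recently created page" mistake before anyone else does.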
This article was originally published by WIRED UK