Social engineering isn’t concerned with either novelty or elegance. All that matters is whether it works. ESET’s Jake Moore described a case in point for We Live Security: all someone might need to gain access to your snapchat account is look over your shoulder at the right moment, just like the kid at the next desk trying to cheat on a test back in elementary school.
“I recently looked at the top 10 free apps on the Apple App Store and decided to target one to see if I could take control of someone else’s account. These experiments are not just about highlighting how easily it can be achieved, but also about taking the opportunity to show you the prevention methods available to help secure all your accounts,” Moore wrote. “Snapchat caught my eye due to its target audience of 18-24-year-olds (although many of its users are thought to be younger). Generation Z are often thought of as “tech savvy”, having been the first generation to grow up with technology from their early years.”
That generation, however, also has a reputation for inattention to security, which Moore would seek to exploit in an experiment. Sitting near a friend (from whom he’d obtained permission to attempt an account takeover, on the condition that he promised not to do anything with the account once he’d hacked it), he entered her phone number into Snapchat, said he’d forgotten the password, and requested a password reset. Then he watched for the pop-up confirmation to arrive on the friend’s phone, saw it, reset her password, and had control of her account.
Now, this was a demonstration, but there are other ways it could have been accomplished. “Taking this one step further,” Moore wrote, “I believe this attack could even be remotely enabled should a manipulative social engineer choose to call them up and persuade them into handing over the confirmation codes over a voice call. This is something that we are seeing a gradual increase in and people need to err on the side of caution.”
The point is to remain aware of where you are, and what’s going on both in your surroundings and on your device. In this case, the test subject noticed neither the shoulder-peek nor the popup on the phone.
“Shoulder surfing as such is best thwarted by preventing anybody from covertly looking at your screen when you enter sensitive information into an app or website, especially in public places,” Moore wrote. “Better still, make sure you turn off notification previews, so that they’re hidden from prying eyes when your phone is locked. Also, be sure to actively monitor your SMS messages when using your phone or tablet around other people.”
This is one of the cases where common-sense physical situational awareness–remembering where you are, what you’re doing, and what’s going on around you–converges with sound security in cyberspace. New-school security awareness training can enable your employees to recognize this and other forms of social engineering.
We Live Security has the story.