Social Engineering 101: Focus On Informal Conversations

from the just-don't-promise-to-protect-the-info dept

In the past, we've covered plenty of stories about social engineering to get people to admit stuff they shouldn't -- suggesting you really just need to ask people to give up personal info and they will (sometimes giving them a gift helps, but just asking alone will often do the trick). The latest study does go a little deeper, however, suggesting that the more informal the setting, the more likely people are to cough up info. For example, it found that when those asked for confidential information were promised that it wouldn't be misused, they were less likely to hand over the info. Instead, if there were no promises at all about what would be done with the info, people felt that it was more informal and were more willing to give up the info. Another experiment asked people to reveal "bad" activities to a website. In one test, the website was made to look like a university website, and in another it was made to look like an informal site with the title "How BAD are U??" Not surprisingly, the latter got a lot more people to cough up the details of bad behavior. In that case, I'd even wonder if the "competitive" nature of the question (suggesting that you should want to be "badder" than others) also helped contribute to the openness of individuals.

Filed Under: information gathering, security, social engineering


Reader Comments


  • Cassius Seeley, 3 Jul 2008 @ 5:10am

    LOL

    Bad old putty tat!


  • Solburn, 3 Jul 2008 @ 6:06am

    How BAD are U??

    Is your comment better than THIS one?


    • Anonymous, 3 Jul 2008 @ 12:54pm

      Re: How BAD are U??

      """In that case, I'd even wonder if the "competitive" nature of the question (suggesting that you should want to be "badder" than others) also helped contribute to the openness of individuals."""

      Unless "openness == exaggerations or outright lies", I suspect the How BAD site was no more accurate than the clean-looking site, which is to say "not very accurate at all."


  • Roger, 3 Jul 2008 @ 6:13am

    A better experiment

    This was an interesting experiment but it seems there were too many variables to derive meaningful conclusions, aside from the fact that informality gets people to reveal more about themselves.

    Heavens! Is that something I didn't know already?

    A better experiment (granted I didn't read the original study) would be to keep the language formal while having an informal looking website, and to have a formal looking website while asking an informal question. This would indicate whether it is the wording or the website's appearance that is driving the decision about how much to reveal.


  • mastmaker, 3 Jul 2008 @ 6:46am

    Anybody remember those Budweiser ads (involving frogs and lizards) of the '90s? I don't mind watching them every day!


  • Fool Fool Fool, 3 Jul 2008 @ 7:51am

    All you have to do is just ask nicely :)

    If my bank asks for SSN I would run an inquiry before giving it to them. But if somebody in my "friends" list asks me nicely on Facebook I would give them without worrying too much :)


  • ehrichweiss, 3 Jul 2008 @ 9:49am

    hmm...

    Well, I've done more than my share of social engineering (enough to have been able to write an appendix or two in Kevin Mitnick's awesome book on the subject) and while an informal conversation might be good for some types of information while hanging out on, say, a website, it doesn't help much if you're trying to gain access to *real* information. For those you play on fear, compassion and greed, and little else. Everything else from that is a game of leap frog.
