Social engineering is a common term with two diverse and distinct schools of thought. One treats it as an art, the ability to influence a large group of people or a population, their thinking and their response (this is mostly noticed in the political world). The other treats it as a science, especially in security, where it refers to the process of obtaining confidential information by manipulating or deceiving a person into divulging that crucial information.
Following the article that featured in the Daily Nation on 3rd June 2014, I am compelled by my technical expertise in penetration testing to bring this into the public domain and educate us on some of the ways this can be achieved with respect to the above writer's scenario.
The first thing that happens before the actual attack is reconnaissance and information gathering. I will put myself in this attacker's shoes to try and bring out the hypothetical process he might presumably have followed.
1. He collected information from the M-Pesa agent by accessing his phone, where he could have gotten the phone number.
2. He also got to see the M-Pesa balance, the business name, some of the transaction IDs, the make of the phone, the name of the agent and, most important of all, the physical location.
None of this will be used in any technical attack; it is used to manipulate your thinking so that, in the process, you divulge the information that should be confidential. The process may be as sequential as follows.
i. Attacker: Hello John! How is your day?
ii. Attacker: I am calling from Safaricom and we are trying to help you move to our new secure M-Pesa platform. Are you still located along Langata Road in Nairobi? (Remember, these guys have your physical location.)
iii. Attacker: Are you still using a Nokia 1100? (They have that information too. These questions might be asked so that he gains your trust.)
iv. Victim: Yes.
v. Attacker: Okay now, I want you to go to the M-Pesa menu and .................... (He or she will keep conversing and building trust until you either disclose your PIN number or personally transfer that money into their account.)
However, there are several ways that can be employed to keep these bad guys at bay, some of which include the following:
i. Don't give out any confidential information unless you are completely sure that whoever is asking for it should have it, e.g. giving out your password is a big no.
ii. Don't send confidential information over an insecure connection (check and ensure that you are accessing a legitimate website, e.g. confirm the URL of the website and ensure you are using the https://... protocol).
iii. Be suspicious of unexpected or unknown phone calls, visits or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
iv. Don't share your devices with strangers; this is very common with those who are not security aware.
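The second tip above says to confirm the URL and the https:// protocol before typing anything confidential. As an added example (not code from the original post), the Python function below shows what that check looks like when done strictly: the scheme must be https, and the hostname must exactly match one of the hostnames you trust. The trusted-host list is a constructed assumption for the example, as are the sample URLs, which illustrate the common disguises a lookalike link uses (a trusted name as a prefix of a longer hostname, a trusted name placed before an "@" so it becomes userinfo rather than the host, and a digit swapped for a letter).

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the exact hostnames you expect to
# log in to. Replace with the real ones you rely on (assumption).
TRUSTED_HOSTS = {"safaricom.co.ke", "www.safaricom.co.ke"}


def check_url(url, trusted_hosts=TRUSTED_HOSTS):
    """Return (ok, reason).

    ok is True only when the URL uses https AND its hostname is exactly one of
    the trusted hosts. Everything else is rejected with a short explanation.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc

    if parts.scheme.lower() != "https":
        return False, "scheme is %r, not https" % parts.scheme

    # A trusted name before '@' is userinfo, not the host: urlsplit puts the
    # real destination (whatever follows the '@') in parts.hostname.
    if "@" in parts.netloc:
        return False, "userinfo before the hostname is a common disguise"

    host = parts.hostname  # already lowercased, port stripped
    if not host:
        return False, "no hostname in URL"

    # Exact match only: "www.safaricom.co.ke.example-login.com" merely
    # starts with a trusted name and must not pass.
    if host not in trusted_hosts:
        return False, "hostname %r is not in the trusted list" % host

    return True, "https and trusted hostname"


def audit(urls, trusted_hosts=TRUSTED_HOSTS):
    """Check several URLs at once; returns {url: (ok, reason)}."""
    return {u: check_url(u, trusted_hosts) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, as might arrive by SMS or email.
    samples = [
        "https://www.safaricom.co.ke/mpesa",
        "http://www.safaricom.co.ke/mpesa",
        "https://www.safaricom.co.ke.example-login.com/",
        "https://www.safaricom.co.ke@198.51.100.7/",
        "https://safar1com.co.ke/",
    ]
    for url, (ok, reason) in audit(samples).items():
        print("OK  " if ok else "BAD ", url, "-", reason)
```

Only the first sample passes; each of the others fails for the reason the function reports. The check is deliberately an exact string match on the hostname rather than a "contains" or "starts with" test, because the prefix trick is precisely what a "contains" test would let through.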
Have a secured time!