The Best Security Software: You
by Diego on May 5th, 2008
Today’s computer security threats are often not what people think they are. Viruses and so-called Trojan horses keep people faithfully updating their security software, which gives them a comfortable sense of security. But the most common security threats today are no longer cousins of the infamous “I love you” attachment; they are human deceit. This new form of threat combines technology and psychology in techniques now known as social engineering, which apply trickery to get people to divulge confidential information.
Kevin Mitnick, one of the most famous security criminals (who served five years in prison—eight of them in solitary confinement—and now runs Mitnick Security Consulting, a computer security consultancy) coined the term “social engineering.” Mitnick points out that it’s much easier to trick someone into giving you his or her password for a system than to spend the effort to hack in.
Criminal hackers (a.k.a. crackers) simply apply techniques that exploit cognitive biases to trick people, deceived by false information, into giving up their personal data. One of these practices is pretexting, where the criminal creates an invented scenario (the pretext), often posing as an authority or a trusted source, to trick a person into disclosing their information. The most common expression of these security threats is phishing, where a cracker spoofs the authenticity of a website by copying the logo and format of a familiar site and gets a user to submit their personal information. Unbeknownst to the user, instead of being sent to the authentic company’s website, the data is neatly stored by the information thief.
Common phishing techniques target banking institutions, where an email might contain an urgent request, such as a request to change a PIN. See, for example, the common social engineering attempt below to steal your Citibank account information. This is a real email sent by a so-called Riley Buckner, “Head of Citi® Identity Theft Solutions”:
> Recently there have been a large number of identity theft attempts targeting Citibank customers. In order to safeguard your account, we require that you update your Citibank ATM/Debit card PIN.
>
> This update is requested of you as a precautionary measure against fraud. Please note that we have no particular indications that your details have been compromised in any way.
>
> This process is mandatory, and if not completed within the nearest time your account may be subject to temporary suspension. To securely update your Citibank ATM/Debit card PIN please go to:
>
> https://www.citibank.com/signin/citifi/scripts/login2/update_pin.jsp
>
> Please note that this update applies to your Citibank ATM/Debit card - which is linked directly to your checking account, not Citibank credit cards. Thank you for your prompt attention to this matter and thank you for using Citibank!
>
> Regards,
> Riley Buckner
> Head of Citi® Identity Theft Solutions
Notice that the address in the email seems legitimate; however, the thief has coded the link to go to the page you see below. You will notice that the phisher has actually opened the genuine Citibank website underneath a pop-up that displays a page, hosted on the phisher’s own servers, requesting your personal information.

If you are concerned about security, be careful not to believe that the best way to protect yourself is with antivirus software or a firewall. Keep in mind that modern security threats attempt to play with your mind, not with your computer. And the only antidote to this virus is you.
Have you been deceived by social engineering? If so, why don’t you leave us a comment and tell us about your experience?

