Newsletter
Hacking is Obsolete
Hacking has come out of the dark back room and evolved into a social game. What exactly does that entail?

Imagine your bank account’s online access. If you forget your password, they can reset it and send it to your email. But what if your email is not working? Most sites have a link to reset it online, as long as you can answer some personal questions (which you set up). Sounds pretty good, until you read about how Sarah Palin was hacked back in 2008. The answers to her challenge questions were found on Wikipedia (high school and birth date).

What are your challenge questions? How many of your Facebook “friends” could know what your favorite food is? What city were you born in? What’s your pet’s name? How can you avoid this? Easy: switch your answers. What’s your favorite food? Red. Favorite color? Pizza. The computer doesn’t care about your answer; it just wants it to match what it has in the database.

This is social engineering: looking up biographical data and/or tricking the person into giving up their information. Potential hackers can easily call you up to “verify” information. Typical scenario: “Hello, this is Chuck from the Security Dept. of (your credit card company here). We need to verify some charges on your account. First we need to verify your information.” Then they rattle off some information about you. Name, address, DOB, and many other things are publicly available. “Please verify that you have the CC in your possession. Please tell me the full CC number. This is the CC with the last 4 digits ending in XXXX.” At this point the hacker is using the statement you threw away in the trash. Most people would go ahead and give the guy everything at this point. After all, he already seems to be genuine.

But, let’s say you’re still undecided. Make up a CC number and see what happens: “I’m sorry but that number is not valid, can you read it again?” How did he know? There are many ways to tell. The easiest is to run it through an authorization or run a check digit calculation (http://www.merriampark.com/anatomycc.htm).

Easy way around this? Call them back. Call the number on the CC and ask for the security department. If there were no flags on your account, then you had better tell them about the call you just got. Get them involved; they will be more than happy to help. Fraud is costing the CC companies millions, and they like to hold onto their cash.

Other examples of social engineering can be found all around the ‘net. I suggest starting with http://en.wikipedia.org/wiki/Internet_fraud. It’s a good read and covers the basics.
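The check digit calculation the article points to is the Luhn algorithm, the same check every online checkout form runs before a card number goes anywhere. The block below is an added example, not code from the newsletter or from the linked page. The card numbers in it are constructed test values, and the 13 to 19 digit length bound is an assumption about common card formats. It shows why a number made up on the spot fails immediately, why a single mistyped digit fails the same way, and how a helpdesk should mask a number so that only the last four digits are ever repeated back or written to a log.

```python
"""Luhn check-digit validation, as used to spot a made-up card number.

Added example, not part of the newsletter. The card numbers below are
constructed test values (no real accounts). Length limits are an assumption
based on common card formats.
"""


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum modulo 10 for a string of decimal digits.

    Starting from the rightmost digit, every second digit is doubled and,
    if the product exceeds 9, reduced by 9. A well-formed number sums to 0.
    """
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10


def normalize(number: str) -> str:
    """Keep only the digits; callers often include spaces or dashes."""
    return "".join(ch for ch in number if ch.isdigit())


def is_luhn_valid(number: str) -> bool:
    """True when the number has a plausible length and a correct check digit.

    Length bounds of 13..19 digits are an assumption covering common card
    schemes; a Luhn pass is only a format check, not proof the account exists.
    """
    digits = normalize(number)
    if not 13 <= len(digits) <= 19:
        return False
    return luhn_checksum(digits) == 0


def compute_check_digit(payload: str) -> str:
    """Return the check digit that completes `payload` (digits only).

    Appending a placeholder 0 and running the checksum tells us how far the
    sum is from a multiple of 10; the check digit closes that gap.
    """
    digits = normalize(payload)
    if not digits:
        raise ValueError("payload must contain at least one digit")
    gap = luhn_checksum(digits + "0")
    return str((10 - gap) % 10)


def mask_pan(number: str) -> str:
    """Redact all but the last four digits: the 'ending in XXXX' form, and the
    only part of a card number a helpdesk should repeat back or log."""
    digits = normalize(number)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed samples: a widely used Luhn-valid test number, the same number
# with its last digit altered, and a number typed at random.
SAMPLES = {
    "4111 1111 1111 1111": True,
    "4111 1111 1111 1112": False,
    "1234 5678 1234 5678": False,
}

if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        verdict = is_luhn_valid(sample)
        print(f"{mask_pan(sample)}: {'passes' if verdict else 'fails'} check digit")
        assert verdict == expected
```

A Luhn pass only says the number is well formed; it says nothing about whether the account exists or belongs to the person on the phone, which is why the article's advice still stands: hang up and call the number printed on the card.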
As a former hacker (I hacked purely as an academic exercise), I find it interesting how the domain has evolved. Number theory and various algorithms have come about so as to (almost) eliminate brute force attacks. Keep in mind I’m talking about specific target penetration, not DDoS attacks. Does that mean all our data is secure now? Most definitely not.

Last Updated on Monday, 26 September 2011 12:09

Copyright 2009. Computer Doctors of South Florida. All Rights Reserved.