Combating Social Engineering: Recommended Practices

TL;DR

Request passcodes/PINs be added to every account that offers it, be vigilant about what you share on social media, and don’t use real answers to password recovery questions. Choose random usernames and never reuse them with one exception: it’s ok to reuse social media usernames when you’re managing an online presence or brand and want to make it easier to be found and establish that it really is you.

Terms & Tech

Social Engineering is an attack vector in which someone manipulates people rather than systems to obtain personal information. The target is your information, and the methods may or may not include contacting you directly: a first-line customer service representative with access to your personal information may be easier to compromise than you are. Attackers use a variety of creative tactics, such as pretending to be you or someone you know, or pleading for help in a way that gets the other party to expose something about you.

Recommendations

  1. Some organizations provide an option for you to supply a verbal passcode or personal identification number (PIN) before they’ll allow an employee to discuss your account or invoke a password reset. This type of 2 Step Verification (2SV) protects you by gatekeeping your information until your identity is validated. Not all organizations offer this and if they do, it probably has to be requested. Choose something that isn’t obvious and can’t be reverse engineered, and store it in your password manager so you won’t lock yourself out if you forget it. You can put numbers in a verbal passcode, like ‘much 905 security’ to make it even more secure and still easy to say to a customer service representative. It’s not necessary to replace letters with numbers and may make it harder for the representative if they have to type the code into their system.
  2. Don’t freely give away personal information and be wary of what you disclose on social media. What was your first car? Who’s your favorite superhero? Which of these foods will you not eat? Score one point for every crazy thing you did as a teenager and compare scores with your friends! These surveys collect data about you that can be used to reverse engineer information you might use as password recovery questions. Ignore these surveys.
  3. Don’t use real answers for password recovery questions. An attacker can guess them. Use a website or tool to select random terms and consider these as important as passwords. These will probably never be spoken to a customer service representative and are most likely to be pasted into a text field on a website. Examples: Q. What was your first car? A. classRoom@strikebreaker4$Fabricationist. Who’s your favorite superhero? A. mailBoxer+jawbone6*committee. Which of these foods will you not eat? A. airPort8^unpredictability#atlantanite. These use a mix of upper and lower case letters, numbers, special characters, and words you won’t find in a dictionary. They’d be impossible to reverse engineer using any information about you. And at 20+ characters, they’d take unfeasibly long to brute-force guess, yet they’re phonetically readable enough if you had to type them manually. Store the question and answer pairs in your password manager.
  4. Carefully consider all your usernames when creating online accounts. Create unique usernames for anything that isn’t based on your identity and/or social media accounts where your identity may be part of your online brand. For example, don’t use the same username for a social media account and your bank, then comment publicly about your bank, because you’re offering a valuable puzzle piece. A password manager makes remembering the username unnecessary and a good password manager can help you discover usernames you’ve used more than once.
  5. Never discuss your account with a customer representative who calls you. Hang up and call back using the organization’s published number.
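The random recovery answers in recommendation 3 can be produced by a small generator instead of by hand. The following is an added example, not code from the original page: it builds answers in the same shape as the page's samples (dictionary words with mixed case, joined by a special character and a digit), checks that a candidate meets the page's criteria, and estimates the entropy so you can see why the wordlist size matters. The wordlist is a small constructed sample for demonstration; a real tool should use a list of thousands of words, and the 7776-word figure used in the entropy comparison is the size of a standard diceware list.

```python
"""Generate and vet random answers for password-recovery questions.

Added example (not from the original page). Uses the `secrets` module so
the randomness is CSPRNG-backed; `random` would not be appropriate here.
"""
import math
import secrets

# Constructed sample wordlist. Real use needs thousands of words; the
# entropy estimate below shows why sixteen is nowhere near enough.
WORDS = [
    "classroom", "strikebreaker", "fabricationist", "mailboxer", "jawbone",
    "committee", "airport", "unpredictability", "atlantanite", "harbor",
    "lantern", "quartz", "meadow", "velvet", "gondola", "saffron",
]
SPECIALS = "@#$%^&*+-="   # 10 separator symbols
DIGITS = "0123456789"


def _mixed_case(word: str) -> str:
    """Upper-case one randomly chosen letter so the word has mixed case."""
    i = secrets.randbelow(len(word))
    return word[:i] + word[i].upper() + word[i + 1:]


def generate_answer(words=WORDS, n_words: int = 3) -> str:
    """Return e.g. 'claSsroom@4jawbone#7harbor': n_words random words,
    each pair joined by one special character and one digit."""
    parts = [_mixed_case(secrets.choice(words)) for _ in range(n_words)]
    answer = parts[0]
    for word in parts[1:]:
        answer += secrets.choice(SPECIALS) + secrets.choice(DIGITS) + word
    return answer


def estimate_entropy_bits(wordlist_size: int, n_words: int = 3) -> float:
    """Conservative entropy estimate for generate_answer's structure.

    Counts only the word choices and the separators; the mixed-case position
    is ignored, so the real figure is slightly higher."""
    per_word = math.log2(wordlist_size)
    per_separator = math.log2(len(SPECIALS)) + math.log2(len(DIGITS))
    return n_words * per_word + (n_words - 1) * per_separator


def meets_policy(answer: str, min_len: int = 20) -> bool:
    """Apply the page's criteria: 20+ characters with upper, lower,
    digit and special characters all present."""
    return (
        len(answer) >= min_len
        and any(c.isupper() for c in answer)
        and any(c.islower() for c in answer)
        and any(c.isdigit() for c in answer)
        and any(c in SPECIALS for c in answer)
    )


if __name__ == "__main__":
    candidate = generate_answer()
    print(candidate, meets_policy(candidate))
    print("bits with this toy list :", round(estimate_entropy_bits(len(WORDS)), 1))
    print("bits with a 7776-word list:", round(estimate_entropy_bits(7776), 1))
```

Store the generated answer next to its question in your password manager, as the page advises; the generator deliberately has no memory of what it produced. The entropy comparison is the practical check: with the toy list every answer is still structurally fine, but only a large wordlist makes the answer genuinely resistant to guessing.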
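Recommendation 4 says a good password manager can reveal usernames you have reused. If yours does not, the same check is easy to run over a CSV export. The script below is an added example, not code from the original page or from any particular password manager: the column layout (name,url,username,password) and the sample rows are constructed assumptions, so adjust the column names to match your product's export. It lists every username used on more than one site and separately flags the case the page warns about, a username shared between a public-facing account and a non-public one.

```python
"""Detect reused usernames in a password-manager CSV export.

Added example (not from the original page). The CSV layout and the
rows in SAMPLE_EXPORT are constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed export. Passwords are placeholders; never put real ones in code.
SAMPLE_EXPORT = """name,url,username,password
Social,https://mastodon.example,brandname,placeholder1
Bank,https://bank.example,brandname,placeholder2
Email,https://mail.example,q7x-rand-a91,placeholder3
Forum,https://forum.example,q7x-rand-a91,placeholder4
Pharmacy,https://rx.example,ph-ko2w8,placeholder5
"""

# Hosts where the username is deliberately public (your online brand).
# Constructed for the example; fill in with your own public profiles.
PUBLIC_HOSTS = {"mastodon.example"}


def find_reused_usernames(csv_text: str, username_col: str = "username",
                          url_col: str = "url") -> dict:
    """Map each username that appears on more than one site to its URLs.

    Usernames are compared case-insensitively because most sites treat
    them that way; blank usernames (e.g. wifi passwords) are skipped."""
    by_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        username = (row.get(username_col) or "").strip().lower()
        if username:
            by_user[username].append(row.get(url_col, ""))
    return {u: urls for u, urls in by_user.items() if len(urls) > 1}


def flag_cross_context_reuse(reused: dict, public_hosts: set) -> list:
    """Return usernames shared between a public-profile host and any
    other host: the 'social media username equals bank username' case."""
    flagged = []
    for username, urls in reused.items():
        hosts = {urlparse(u).hostname for u in urls}
        if hosts & public_hosts and hosts - public_hosts:
            flagged.append(username)
    return sorted(flagged)


if __name__ == "__main__":
    reused = find_reused_usernames(SAMPLE_EXPORT)
    for username, urls in reused.items():
        print(f"{username!r} reused on: {', '.join(urls)}")
    print("cross-context reuse:", flag_cross_context_reuse(reused, PUBLIC_HOSTS))
```

Delete the export file once you have run the check; it contains every credential you own in clear text. The cross-context flag is the one to act on first: plain reuse between two low-value accounts is a hygiene issue, but a brand username that also unlocks your bank's customer-service flow is exactly the puzzle piece the page describes.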