Jalaj P. Jha Technical & Miscellaneous Ramblings

18 May 2007

Social Engineering

I got a mail from one of my friends about a change of his email address, with a footnote: "Don't mail me on my old address as I can no longer access it". It had been a long time since I had heard his voice (thanks to emails), so I thought I should call him.

A minute of talk about the how's and where's, and then I came to the point: "What happened to your old email account?"

"Don't know, but yesterday it did not accept the password. I tried recovering it with the security question but couldn't. Then I mailed support but haven't heard back. Instead of waiting long, I thought it better to get another account; after all, it's free."

Although I had guessed what his answer would be, I still asked him, "How many different passwords do you maintain?"

The answer was what I had expected: "I normally use a single password for all accounts, unless a site specifically rejects the password for its length or mix of alphanumeric characters. I normally tend to forget such passwords and have to use the Forgot Password link to mail me the password."

"Is your Internet Banking password also the same general password?" I asked him.

A deep silence gave me the answer. The phone disconnected after his parting words, "I will call you later".

Is your email important to you? Or is it something you can let anyone walk away with? If it's the former, make sure you have a unique password for it, one that you don't use anywhere else. The same applies to your Internet Banking accounts. The fact that you are told not to write your password down where someone else can find it doesn't mean you should go on using the same password for your email and bank accounts as well as for every Tom, Dick and Harry site. You may write the password down for future reference, as long as the place where you wrote it is kept secure from anyone else's access.

Let's move on to how my friend lost his email account and what the "Social Engineering" in the title is about. Here is the shortest definition that tells it all.

"Social Engineering is the practice of obtaining confidential information by manipulation..."

Believe me, social engineering is the easiest way for someone to get away with your email credentials. The attacker simply puts up a well-designed anonymous site that would interest you, or anyone else in the world, and gets you to sign up for an account. The site will either ask for your email address as the login ID, or as some other field to which a password or confirmation link is sent before you can use the site's services.

Now, if your mail account is accessible from the web and its password is the same one you use for every other signup, you have handed the site's maintainer the means to get into your email account. If he is careful, he will simply read your mail and avoid raising your suspicion by not locking you out. So the fact that you can still access your mail doesn't mean you are the only one accessing it.

My words above don't mean that every site asking you for an email address and password is looking to break into your mail; that's why I added the word "anonymous". Such a site's owner tries to give no information about himself, or false information. Instead of trying to verify each site's integrity, just make sure you don't use critical passwords for signups.
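As an added illustration (not part of the original post), here is a small Python audit that reads a constructed password-manager export and flags the critical accounts, such as email and banking, whose password is shared with any other signup; the hostnames, the CSV layout and the list of critical sites are assumptions for the example.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export; hostnames and
# passwords are made up for this example.
SAMPLE_EXPORT = """site,username,password
mail.example.com,alice,Summer2007!
bank.example.com,alice,Summer2007!
forum.example.org,alice,Summer2007!
shop.example.net,alice,k7#pQz9!vL2m
"""

# Accounts whose compromise matters most (assumed list). The post's
# advice: these must never share a password with any other signup.
CRITICAL_SITES = {"mail.example.com", "bank.example.com"}


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix used as a grouping key, so neither the
    report nor the intermediate dict carries the plaintext password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(export_text: str, critical_sites=CRITICAL_SITES) -> dict:
    """Return {critical site: sorted list of other sites that share its
    password}. A critical site with a unique password is not listed."""
    sites_by_fp = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        sites_by_fp[fingerprint(row["password"])].append(row["site"])

    findings = {}
    for sites in sites_by_fp.values():
        if len(sites) < 2:
            continue  # password used by exactly one account: fine
        for site in sites:
            if site in critical_sites:
                findings[site] = sorted(s for s in sites if s != site)
    return findings


def report(export_text: str) -> list:
    """One human-readable line per critical account that reuses a password."""
    return [f"{site}: password also used on {', '.join(others)}"
            for site, others in sorted(find_reuse(export_text).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT):
        print(line)
```

Run against a real export, the shop account with its own password produces no finding, while the mail and bank accounts are both reported because they share a password with each other and with a forum signup.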

To get more information on Social Engineering, I suggest you follow this link.
