Several years ago one of the most well-known hackers Kevin Mitnick (see below) wrote a book on the art of deception, as the easiest way to get access to data and computer systems. Kevin Mitnick knows all there is to know about ways to breach into computer systems with hacker tools. Still he claims that hackers prefer the easy way of contacting the company they want to hack! As he quotes it in his book: “The Art of Deception” :
“Why should an attacker spend hours trying to break in, when he can do it instead with a simple phonecall” His book has numerous examples of how hackers misuse peoples will and interest in helping other people, and in particular colleagues. So if you as a hacker can impersonate a colleague you can get a lot of help – even the password to the person you have impersonated!
If you want to secure your systems against deceptive attacks, you have to make your authentication process independent of normal human helpfulness and let an IT-based process conduct the authentication. Additionally you will even have a log of the process afterwards!
FastPass Facilitated Password Reset (FPR) is such a workflow, adding unique authentication steps to the process, where dynamic and contextual information is included. More information on FPR here https://www.fastpasscorp.com/facilitated-password-reset/
On Kevin Mitnick from Wiley:
The world’s most infamous hacker offers an insider’s view into the low-tech threats to high-tech security
Kevin Mitnick’s exploits as a cyber-desperado and fugitive form one of the most exhaustive FBI manhunts in history and have spawned dozens of articles, books, films, and documentaries. Since his release from federal prison, in 1998, Kevin Mitnick has turned his life around and established himself as one of the most accepted computer security experts worldwide. Now, in “The Art of Deception”, the world’s most notorious hacker gives new meaning to the old adage, “”It takes a thief to catch a thief.””
Focusing on the human factors involved with information security, Kevin Mitnick explains why the firewalls and encryption protocols in the world will never be enough to stop a savvy grifter intent on rifling a corporate database or an irate employee determined to crash a system. With the help of many fascinating true stories of successful attacks on businesses and governments, he illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent. Narrating from the points of view of both the attacker and the victims, he explains why each attack was so successful and how it could have been prevented in an engaging and highly readable style reminiscent of a true-crime novel. And, perhaps most importantly, Kevin Mitnick offers advice for preventing these types of social engineering hacks through security protocols, training programs, and manuals that address the human element of security.