2024-04-19

Crime

 


Last week, as you could read in the previous Security (b)log, I stood in front of a group of girls from high school. This week I was invited by the next generation: the Tax and Customs Administration’s Young IT Auditors, whose annual YIA day was themed cybersecurity. The “young” turned out not to refer so much to the age of the participants, but to how long they have been in the auditor profession. And let me put it this way: this audience was still familiar with Facebook. Fortunately, I had not tailored my presentation to an overly young audience (-;

In this Utrecht conference room I talked about current developments, among other things. Lately I have been reading more and more worrying stories from the US about sickening criminal activities. Like this story. A woman receives a call from her son, who tells her that he has had a traffic accident and that he will hand over the phone to a police officer, who will tell her more. The officer tells her that her son caused the accident, which injured a pregnant woman, and that he has been taken into custody. He announces that a lawyer will call her to discuss further proceedings.

A little later the lawyer calls. The son is in deep trouble, but it is possible to get him released on bail. If the mother gives $15,000 in cash to a courier arranged by the lawyer, her boy will not have to spend the night in jail. And she shouldn't tell the bank what the money is for, because then they would ask questions. No sooner said than done.

In reality, that mother did not receive a call from her son at all. It was a deepfake, in which artificial intelligence was used to create a new text with the same voice based on an existing sound recording (thanks to social media). So the mother did hear her son's voice, but he had never spoken those words himself. It was necessary to quickly hand over the phone to the officer to prevent a conversation between mother and son. And that lawyer, who called a little later, was of course not a lawyer at all, but just as much of a criminal as the fake cop.

In the above story we see a number of elements from the theories of Robert Cialdini and Ian Mann*. Cialdini says people obey authorities. Now I wonder to what extent this is true in the Netherlands, but in many countries people will indeed quickly believe that they are really dealing with an authority figure, even if it is only on the telephone. It’s just a matter of striking the right tone. Mann tells us that people are gullible. That can work both ways. On the one hand you would like to receive the reward that an African prince promises you if you help him free up a particularly well-filled bank account; on the other hand you naturally become stressed if your child seems to be in trouble, and you eagerly believe what all kinds of people tell you. Moreover, Mann says, being consciously incompetent also makes you docile: if you know that you have no knowledge of certain matters (such as an arrest), you will easily follow someone who at least radiates that he is an expert in that area.

In another story, someone received a call from the FBI saying she had been a victim of identity theft. Because fraud had been committed under her name, her bank assets would be frozen. To ensure that she could get by for a while, the helpful officer offered to put a large part of her savings in a safe bank account that would remain outside the confiscation. That money also had to be delivered in cash and, you guessed it, the money disappeared. And there was no case of identity theft whatsoever.

IT played no role at all in this case, but the criminal did act as if that was the source of the misery, because that’s how identity theft goes. The following case also had no IT background, though it easily could have had one: an 81-year-old American was extorted, and when the Uber ordered by the criminal drove up to pick up “a package” (with the money), he shot the driver dead, under the assumption that she was part of the plot.

If you ever find yourself in such an unreal situation, try not to act on your emotions. Ignore instructions not to involve anyone, but ask someone you trust for help. Be alert if it suddenly becomes about money; try calling your son first to check whether he really has had an accident. Some may find it a bit scary, but in our family we can, by mutual consent, see where everyone is in an app. That would be of great help in such a scary situation.

* Robert Cialdini, Influence: The Psychology of Persuasion, 1984; Ian Mann, Hacking the Human: Social Engineering Techniques and Security Countermeasures, 2008

 

And in the big bad world...

This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.

 
