Social Engineering : Why You are at Risk

by Damiru Siriwardana 20 Aug, 2019

In a world where cyber threats are increasing at an alarming rate, users have learned to distrust emails asking for bank credentials and the suspiciously convenient promotions showcased on various platforms, because at a certain point you realize you didn’t actually win that iPhone X. Similarly, a burden falls upon companies to protect your sensitive information and keep it from falling into the wrong hands.

And you tend to trust these conglomerates to be able to do this, being the more resourceful party. However, at the 27th annual DEF CON, the world’s oldest and largest hacker convention, held earlier this month, security professional Cat Murdock brought to light how confidential financial material can be stolen using information provided through online subscription services.

Subscription services generate monthly or yearly recurring revenue by selling a product or service, and web-based applications use this business model to reach thousands of consumers globally.

Yes, online subscription services such as your Apple Music, Spotify and Netflix accounts are vulnerable targets that can be used to clean out your entire online wallet while you remain completely oblivious to it. It may be a slow process that requires time and effort, but it is extremely effective nevertheless. And here’s how.

The question is how much initial information an individual needs to kick-start an attempt to steal your information. In an exclusive interview, Murdock revealed that, while 60% of the US adult population has at least one subscription in their name, 30% of the remaining 40% are using the login credentials of the 60%.

This alarming statistic shows just how much more available our login information is than we choose to assume. Besides, you don’t need to scroll far into your social media feed to find a couple or more people who’ve recently posted, ‘Hey, I just got a new Netflix subscription’.

Figure 1: Social engineering involves using tactics that are more difficult to predict compared to conventional hacking and theft.

In her presentation “Black Mirror: You Are Your Own Privacy Nightmare – The Hidden Threat of Paying for Subscription Services”, Murdock used the case study of Netflix to explain her case.

Most financial firms follow set policies for users who forget their account numbers, and these very policies have loopholes that can be exploited. By making several phone calls to the same institution and asking for a different piece of information each time, the attacker gradually builds up all the details needed to access your financials.

And all the attacker needs to open with is ‘Hey, I’m traveling and I’m having problems with my utilities payment – could you please confirm the account number because I don’t have it memorized’, offering your Netflix subscription information as valid proof of identity; anyone who researches the vendor can work out the characteristic fixed rate of the subscribed service.

Attacks of this nature, where sensitive information is extracted and used for fraud by deceiving and manipulating individuals, are categorized as ‘social engineering’ and have become increasingly prevalent given the vast amount of personal information available online.

Admittedly, Murdock insists that attacks of this level are usually carried out by entire organisations rather than individuals. But with people becoming ever more public about their personal lives under the influence of social media, attackers have more than enough material to choose their targets effectively.

Right off the bat, keep your personal information personal. As difficult as it is in an era of social media, revealing the wrong bit of information just once could end up being dangerous.

Additionally, you can also ask your phone company or bank to set a verbal password or 6-digit PIN that anyone calling about that particular account must know. This would guarantee your ability to keep your financials inaccessible, regardless of the questions the attacker asks.

Finally, an extra barrier such as simple multi-factor authentication would go a long way in keeping you safe. A token-based method such as Google Authenticator will prove much more secure than an SMS text message, which can be spoofed or intercepted.

Figure 1: Bankalararası Kart Merkezi – Social Engineering Methods