The dangers of the theft of personal data over the Internet are well known. But how do Luxembourgers react to strangers, i.e. potential cyber criminals, who address them at a personal level? A survey shows that one in five people are willing to communicate their password to strangers. And if a bar of chocolate is on offer, the number increases to one in four. A total of two out of three are willing to communicate indirect hints on their password. These are the results of a mock social engineering attack carried out in October 2008.
CASES (the information security portal of the Luxembourg Ministry of the Economy and Foreign Trade), in cooperation with INSIDE (a research group of the University of Luxembourg), the Post Office, City of Luxembourg, the company Luxexpo and the organisers of the security conference hack.lu, has carried out a study on behaviour related to data privacy in Luxembourg.
This study involved recreating the conditions of a “social engineering attack”. The human factor is central to this type of attack. Cyber criminals use this to forge a relationship of trust with their potential victims. Normally, a simple conversation is enough to achieve this aim. The pirates then use the victim’s trust to acquire information on passwords, password tips, dates of birth, telephone numbers and other data, which is subsequently used for criminal purposes.
During the study, 1,040 people were subjected to the mock social engineering attack. A total of 20.6% of those questioned freely communicated their password to a stranger, and if a bar of chocolate was on offer, the number increased to 26.1%. Only 13% of those questioned made no concessions and gave no information on their password.
The results showed that one in five people were willing to communicate their password to the IT department at their workplace, while one in four had already given their password to colleagues.
The study also revealed that more than a third of those questioned had one password only. Two in three never or very rarely changed their password. Almost one in three used the same password for several applications.
Even though the victims were informed at the beginning of the attack that the survey was anonymous, 89.1% were willing to communicate their date of birth, 79.5% their name and 57.8% their telephone number.
The study illustrates just how easy it is to obtain extensive personal data. The CASES information security portal and the research group led by Professor Dr Georges Steffgen of the University of Luxembourg therefore consider it essential to further reinforce measures to improve IT users’ behaviour in terms of information security.
 |
Pour en savoir plus ...
|
 |
|
