Sana Qadar: Chris Hadnagy’s job is to break into banks, but he’s not after money, gold or jewels, he’s hunting for information. And he doesn’t use weapons or threats of violence to get past security and into vaults, he uses a smile and a few tricks from his tool bag of psychology and social engineering techniques. This is one example of how it works.
Chris Hadnagy: If somebody gives you a compliment, you usually compliment them back, if someone gives you a gift, you want to re-gift and give them a gift back. When we give somebody something, they feel indebted to us, and that feeling of indebtedness makes them want to give us something.
Sana Qadar: It’s hard to believe you can simply slip past some of the toughest security on the planet. Banks, energy facilities, multinational corporations. But for Chris and others in his industry, social engineering, it’s part of everyday life, not that it doesn’t come with some confronting complications.
Chris Hadnagy: The parking lots were being secured by armed guards on dirt-bikes. So these guys are on dirt-bikes in full body armour with sawn-off shotguns at the side of their dirt-bike.
Sana Qadar: You’re listening to All in the Mind, I’m Sana Qadar. Today, an episode from our archives. Producer James Bullen dives into the world of social engineering and finds out which psychology principles it builds upon, and which personality traits can make you easier to engineer.
James Bullen: Chris Hadnagy always had a knack for influencing people.
Chris Hadnagy: When I was younger…and I didn’t know what it was, but I always found myself in these crazy circumstances, like one of the big things…getting jobs that I had no right getting. I remember becoming a chef by literally walking into a restaurant that had a help wanted sign for a chef and I became an assistant chef by walking up to the guy and saying, ‘Let me cook you something,’ and he’s like, ‘What credentials do you have?’ And I’m like, ‘You don’t need credentials when you can cook good.’ And he kind of laughed and he said, ‘Go ahead,’ and I cooked him a dish and he hired me.
James Bullen: Simple, right? But then Chris had to actually cook. He had a trick up his sleeve though, something that has come in handy quite a few times since.
Chris Hadnagy: And I remember the first time he said to me, ‘Hey, I want you to julienne these carrots,’ I was sweating bullets because I had no clue what ‘julienne’ meant. So I said, ‘Hey, listen Bob, everybody juliennes things different and I want to make sure I get it to your perfection, just show me one and then I’ll do it your way, I’ll mimic you.’ And he showed me, and I did that every time he mentioned something that I didn’t know, I would say, ‘Hey, Bob, just show me how to do this your way,’ and that’s the way I learned how to become a chef.
So later on in life when I started doing this, I looked back at all those experiences and realised, yeah, I’ve kind of always been a social engineer but just didn’t know what I was doing, I didn’t understand it, I didn’t understand the science and psychology behind it until much later in my life.
James Bullen: After a series of odd jobs, Chris’s knack for computing landed him in the world of hackers and a burgeoning industry of testing both the digital and physical security of companies. The way it worked was the security employed by a business would hire Chris to try and break into their building or talk his way past security in order to see what holes they had and how they could patch them up.
Chris Hadnagy: It felt very much like the wild west. There was just no real framework or rules, if I could say, we were kind of figuring it out as we went. Those days were fascinating. At the same time, it became more well-known to practice social engineering and to try these types of things, so I did, and I could not believe how easy it was then. I think part of it is that we didn’t talk about it a lot. So people didn’t know what phishing was or vishing was, they didn’t understand that someone would actually try to do this to get in the company, so it made it easier for me to perform these types of tests and audits when somebody wasn’t aware that they even existed.
James Bullen: Phishing is where someone sends a fake email that aims to get the receiver to reveal some piece of sensitive information. Maybe it’s a password or user name or even something more innocuous like your date of birth. And vishing is voice phishing, the same techniques but using voice calls. The hacker can then use that information to attack you or try and break into your systems. The information that is discovered might also be used to build what’s called a pretext.
Chris Hadnagy: One of the best definitions that I ever heard of pretexting is: pretexting is the story where you are the smallest detail. So nobody cares about Chris Hadnagy in a pretext and neither do I want you to. What I want you to focus on is the reason that I’m telling you I’m there, and that’s the pretext.
James Bullen: A good pretext is the basis of how Chris came to break into a bank, with the help of his colleague Ryan.
Chris Hadnagy: That was an interesting one because we got hired by a company in the country of Jamaica and they asked us to come and do the break-in because they didn’t have the internal team to do it. We decided to fly down there and do it, and we did some OSINT and we found that the bank had just gone through a PCI audit.
James Bullen: OSINT is short for Open Source Intelligence, things you can find freely without subterfuge, like news clips or company reports. And PCI stands for Payment Card Industry. PCI audits are pretty routine in banking and finance.
Chris Hadnagy: So we thought we would use the company that did their audit as part of our pretext. So I had shirts made that had the company name, business cards, all of that stuff. And we were all prepared for this beautiful pretext, and then the first day we roll up on the first bank and park across the street, just to kind of scope it out, and one thing that no one told us and we didn’t find through OSINT was that the parking lots were being secured by armed guards on dirt-bikes. So these guys are on dirt-bikes in full body armour with sawn-off shotguns at the side of their dirt-bike, and this was their security. So there was a little moment of pause where you’re like, okay, are we still going to do this, is this still the plan, what’s going to happen here? And we decided to go ahead with it.
And then the next part of the pretext was I hired a local guy, just a guy, I said, ‘Hey, I need you to go into this building, here’s $20, and I need you to ask the security guards about how you get a job there, I just need you to go in and have a conversation.’ And he’s like, ‘Really? For $20?’ I’m like, ‘Yep’. Bam, done, he’s in there having a conversation with the security guards and we walk in and I put my phone up to my ear and I say, ‘Jim, we’re here, we’re going to come upstairs and finish the audit, no worries, we’re walking up the steps now.’ And security didn’t even bat an eye. They heard me on the phone, they’re talking to that young guy, and we were in the building.
Now we walk upstairs and we round the corner, and on my right is a door that says ‘ATM Testing Centre’. So a woman is walking right in front of us and she scans her badge and walks in the room and we follow her in, and she is startled, she turns around and she’s like, ‘Excuse me,’ and I’m like, ‘Oh, I’m sorry, we were sent up here to finish the PCI audit.’ And she goes, ‘Oh, okay.’ And she just turns around and walks away. So Ryan and I are crawling inside ATMs, taking pictures, hacking the place. We spent about 25, 30 minutes in that room and then we’re like, okay, we’ve got to go before we get caught.
We walked out, walked down the hallway and we see the call centre through these glass doors. And the glass doors are locked with an RFID badge scanner. So I start slowing down as I walk towards the door and trying to figure out what I’m going to do, and just the luck of the draw, this woman starts coming out from the inside out there and I rush over to the door and hold it open for her, ‘Oh, let me get that for you,’ and I hold the door open for her, let her out, and then, bam, we both go in.
James Bullen: In the call centre they get a woman to put her password into a computer, still under the pretext that they are conducting an audit, and hack that too.
Chris Hadnagy: Finally a manager came up to us and said, ‘Hey, who’s your contact and what are you doing here?’ And I said, ‘I can’t remember his name,’ we tried to talk our way out of it, and she goes, ‘No, no, you’re coming with me to security.’ So we go down to the security desk that we just walked past, and she said to the security guy, ‘Look, I caught these two guys, they don’t know who their contact is, they are not supposed to be here.’ But the security guy goes, ‘I saw you come in,’ and I’m like, ‘Yeah, we’re here, I can’t remember, but let me call my guy and he can talk to you.’
James Bullen: Of course the person Chris calls isn’t a real contact, it’s another accomplice, a local guy helping out on the job.
Chris Hadnagy: And I said, ‘Hey, look, this is Paul over at the bank, we are doing that audit you asked us to come and do, your security guard here needs your approval,’ and I’m just saying this hoping that he’ll catch on, and he’s like, ‘Yes, please, put him on the phone.’ So he gets on the phone and he mentions the name of the lead guy there, and he says to the security guard, ‘Yes, they’re supposed to be there, please let them go.’ So the security guard hangs up and goes, ‘Okay, I got your approval. Come with me,’ he unlocks the door, bam, done, we hacked the whole bank.
James Bullen: It almost seems too easy, but Christopher Hadnagy says that’s the power of a good pretext.
Chris Hadnagy: If I walked in and I said, ‘Hey, I’m here to do a PCI audit’ but they did not just have one or they did not just complete it or they weren’t in the midst of it, they may have looked at me and went, well why, we didn’t hire anyone to do that, why are you here? And that makes a bad pretext. So although PCI and banking is a good pretext, in that case it would have been bad because they weren’t expecting it. But knowing that they just were completing their PCI audit, knowing the name of the company that they used for the audit, and then being able to come as that company and saying we were there to finish it up, allowed for our story to be the detail that they focused on not us.
So they don’t care that it’s Chris and Ryan, they care about the detail being the audit and that we were there to finish it. So that means they can ignore who we are. Our faces become irrelevant. And this was important because we were in Jamaica which is predominantly a black community and we were two white guys standing out, so it was important that our appearance would be the smallest detail and that we can explain it away; we’re here from America finishing the PCI audit. A good pretext, what it does is it explains the reason for your existence in that location at that moment, and when you can explain that right, the person’s brain can say; I accept this and I let you in.
Sana Qadar: You’re listening to All in the Mind on RN, I’m Sana Qadar. Today, hacking humans, the psychology of social engineering and how the power of influence can be used for good and bad. Here’s producer James Bullen again.
James Bullen: After decades in the industry, Chris wrote a book, pulling together the different social engineering techniques he has used in his line of work, drawing from psychology research and principles. It’s called Human Hacking: Win Friends, Influence People and Leave Them Better Off for Having Met You.
One area he focuses on is the psychology of influence, how you might grease the wheels of social interaction in your favour.
Chris Hadnagy: Dr Robert Cialdini, he is an amazing author and an amazing social psychologist, he wrote a book called Influence where he defined scientifically six parts of the way we influence other people. And understanding these, it helps us to really be able to picture how psychology is used every day when we communicate with others. So let’s talk about reciprocity. The simplest way to imagine that is you and I don’t know each other, we are both walking into the same building, and there is a set of doors and I hold the door open for you. More than likely, I would be doubtful if this would not happen, that you will open up the next set of doors for me.
If somebody gives you a compliment, you usually compliment them back. If someone gives you a gift, you want to regift. The example of reciprocity helps us see that when we give somebody something, they feel indebted to us and that feeling of indebtedness makes them want to give us something. So it could be a compliment, it could be a physical gift, it could be just a thought. Whatever it is, if we give it to a person, they feel warm and fuzzy about us and they want to give it back.
James Bullen: Chris says the chemicals in our brain are part of the process here too.
Chris Hadnagy: Oxytocin is just a wonderful part of our chemistry, our brain chemistry, and what it does is it makes us feel rapport and trust with others. And it is released when someone makes you feel trusted. So it’s not when you trust someone else. If you feel that I trust you, if I say to you, James, I want to tell you a secret, I’m going to give you something I haven’t told anyone else, we’re going to announce it on your radio show, here it is, and I tell you, and you prove that it’s true, that I’m not lying to you, I’m not just manipulating you, I actually gave you a secret, your brain releases oxytocin and I am your deliverer.
So now a couple of hours later you are sitting at your desk and you’re looking through LinkedIn and you see my profile, your brain releases that oxytocin, I know that guy, I like him, he trusted me. And unless I do something to completely screw up the trust relationship we have, you will continually release that molecule in relation to me, and that means that every time you see me or people talk about me, maybe down the road you are sitting somewhere and someone goes, ‘Hey, I met this guy named Chris Hadnagy,’ ‘I know him, I met him, he gave me this secret on my show,’ and you’re going to tell this great story about me.
James Bullen: These techniques came together in a job Chris was on, another attempt to get past security, but this time with an angry boss in the mix.
Chris Hadnagy: This was actually one of my earlier jobs when I was new in the industry. You always get nervous going in but this time what I would do normally is park pretty far away from the front door, so that way I can walk up to the front door and take some time to catch my breath, get my mental energy ready. As I’m walking up to the front door, this guy in this little BMW is sitting there and I can see he’s kind of frantically talking on his cell phone. As I pass by I can just hear one statement, he says something like, ‘I don’t want to do this today, it’s going to hurt a lot of people.’ I don’t know what that meant but he sounded angry, he sounded upset. So I walk in the front door with the goal of…the pretext I was going to have was I have a meeting with HR, I’m late for the meeting, I need to go meet the HR lady, and just try to get her to buzz me in and let me through so I can hack the company.
As I walk in the front door, I can see the gatekeeper’s screen, and she’s playing a videogame. Now, this was not part of the pretext at all. I just for a moment felt very empathetic for her and I said, man, this guy is outside and he’s kind of ticked off, and in my head I’m saying this, if he walks in and sees her playing a videogame she’s going to get yelled at, she’s going to be embarrassed in front of me, my pretext isn’t going to work. I go through all these thoughts in my head. She turns to me and goes, ‘How can I help you?’ I said, ‘Look, you don’t know me, but your boss, he’s outside, he’s upset right now, if he walks in and sees a game on your screen, he may be really not happy.’
So she leans over, clicks the X on the game, shuts it off, and she turns to me and she goes, ‘Okay, how can I help you?’ And I start telling her my pretext, you know, HR, and the boss walks in the door and he goes, ‘Beth, in my office.’ So, she leaves, goes in the office, and I turn around to look at her and as she is closing the door she mouths to me the words ‘thank you’, so she doesn’t say it but she says it with her lips, you know, quietly, ‘thank you’. And I thought, that’s it, I’m in, I saved her, she’s appreciative, that’s reciprocity, I gave her a gift, she has to return it.
James Bullen: Chris waits for the woman to return to the front desk.
Chris Hadnagy: So Beth comes out six, seven, eight, nine minutes later and she’s like, ‘You’re still here?’ And I said, ‘Yeah, nobody came to help me, I figured you were coming back.’ And she is like, ‘Well, where were we?’ And I look at her and I say, ‘You were just buzzing me in because I’m late for my meeting in HR,’ and she stops and stares at me for a full five, six seconds, she stares at me and in her face I can see her face just saying, that’s not right, that’s not true. And I’m like, oh man, don’t call me out, don’t call me out. And I kind of just looked down at my watch and was like, I’m late. And she is like, ‘Oh yeah, okay, I forgot, I’m sorry,’ and she hits the buzzer and lets me in, and we hack the company.
So I remember after that I said I’d like to have a report meeting and I’d like Beth to be there. And I asked her, plain out, ‘I need to understand, why did you let me in?’ She said, ‘You saved me from embarrassment and I was embarrassed, I would have been embarrassed. I got yelled at for playing games before but I get so bored, and you saved me. And I thought this nice guy can’t be bad because he’s such a nice guy,’ and she let me in because of that.
James Bullen: These techniques of influence don’t just work in the physical world, they can also be used to target you online. Edwin Frauenstein is a lecturer in the Department of Information Technology at Walter Sisulu University in South Africa. His particular focus is behavioural and social engineering research.
Edwin Frauenstein: Most security literature is focused out, that people are the main cause for information security incidents, and so they often cite them as being the weakest link. So it’s been reported that it’s far easier to get information directly from people instead of the effort and technical expertise needed to hack information systems. So I’m fascinated by the psychological aspects as well as the particular environments and contexts affecting human behaviour. So I think it’s necessary to better understand the interplay of these psychological aspects which cause users to behave in a certain way.
James Bullen: Like Chris Hadnagy mentioned, Dr Robert Cialdini is a foundational researcher in this area and his principles of influence are used by social engineers every day.
Edwin Frauenstein: So, let me make an example. If one likes deals, competitions, discounts, or you like to gamble, social engineers could exploit this by creating a message involving a voucher or prize and incorporating a scarcity aspect, and scarcity is one of Cialdini’s persuasion principles. So the scarcity aspect is there to create urgency, there is a time pressure, perhaps a voucher or competition could say valid until the next few days, so it just puts a bit of urgency.
If we look at another technique of Cialdini, which is reciprocity, a message could be made to appear helpful, and so the user will feel obligated to do something in return. So, for example, your friend shares a message warning you that there is a possibility of their Facebook account being hacked, please share this message to others. So naturally this human tendency to want to help others is also being taken advantage of by the social engineers and the phishers. So the strength of these techniques lies really in the use of these persuasion strategies, combined with impersonation. Importantly it’s the timing and the opportunity that plays well into the social engineers’ hands, and social media is just a playground for these principles to be launched.
James Bullen: Edwin says some evidence suggests that our individual personality traits might affect how vulnerable we are to social engineering attempts.
Edwin Frauenstein: So, the widely popular big-five traits which some of your subscribers might not know, or may know, is openness, conscientiousness, extraversion, agreeableness and neuroticism. So those are your big five traits, it’s widely popular and used across many psychological studies and information security studies. OCEAN is an acronym for short, if you want to just say OCEAN.
James Bullen: You can test your own levels of the big five OCEAN personality traits online. We’ll put a link on the All in the Mind website.
Edwin Frauenstein: Each of these traits has its strengths and weaknesses. An individual who is open, to have an openness trait, tends to seek new experiences which makes them more open to risky behaviour. It’s expected that a conscientious person would be less at risk because they are more cautious and thorough, but they are also trustworthy which can be taken advantage of. Extroverts enjoy socialising, they are impulsive, so there is also an expectation that they would click on links.
James Bullen: The one personality trait that does seem to be protective against a social engineering attack is conscientiousness.
Edwin Frauenstein: All in all, conscientiousness is shown to be the least at risk. So, as expected, be more thorough and cautious, but I think every trait has a vulnerability somewhere, definitely. For example, I came across a study that has even shown the conscientious trait was even vulnerable. What they did was the phisher gave out a quiz or a spelling error quiz or something like that, and the conscientious person, being so thorough and cautious, they wanted to correct the spelling errors on this quiz, it ended up being a phishing attack. But I would say conscientiousness still remains as the least vulnerable. And there are many studies that show extroverts are more at risk. Your extroverts and your openness at that level are more vulnerable to phishing attacks, just due to the characteristics that make up a trait, being open to new experiences and wanting to socialise and things like that.
James Bullen: And Edwin Frauenstein says it’s not just personality that influences our vulnerability, it’s also how in the moment you are, what sort of thought process you’re in when a phishing attempt arrives.
Edwin Frauenstein: So in terms of cognitive processing, we can process information heuristically or systematically, and if you are processing heuristically it means that you are using a more efficient shallower form of processing where we use our limited cognitive resources, we rely on superficial cues and simple decision rules.
So the point of heuristic is we kind of scan on the surface level, and it’s necessary because of all the information that we get, we can’t spend too much time on something, we do tend to read quickly and things like that. So your social media users could be at risk of information overload because they receive a large number of messages from their friends or those that they follow. So as a result, to reduce this information overload, social media users would typically resort to using a heuristic approach.
You can imagine when you go through Facebook, for example, you’ll be just scrolling through the timeline and looking at whatever catches your eye that is very interesting to read. On the other hand, systematic processing requires more effort, also motivation, because it’s analytically oriented. So in this mode you would scrutinise a message or compare and relate different arguments, which is quite a bit of an effort. So ideally systematic processing would be the preferred method of choice when users are presented with persuasive stimuli or phishing or social engineering on both email and social media. As mentioned, it would require more time and effort and cognitive resources to make a judgement.
James Bullen: Chris Hadnagy says some social engineers will actively try to push someone into a heuristic mode of processing so they can better attack or exploit the target. But there are steps you can take to protect yourself.
Chris Hadnagy: Part of the aspects of malicious influence is when we feel emotional, our brains shut down logic centres and then we tend to make decisions based on emotion. So this is easier said than done, but this is the answer, is that whenever we get a request for something, whether it’s email, phone, in person, and it raises our emotional level, we feel angry, sad, happy, whatever, lustful about it, it’s a good time for us to pause, take a break before the decision is made. That small pause and allowing you to critically think through it could help you to not be a victim of malicious influence or manipulation.
James Bullen: The COVID-19 pandemic has heightened that fear environment though, making it trickier to process things systematically.
Chris Hadnagy: Any type of emotional feelings will shut down critical thinking. So think about the last two years. People have had to work from home. Maybe they didn’t have a huge home before and now they have mom, dad and both kids all needing to find places to do school and work at home. We’ve had the quarantine, which means that we are not seeing our friends and family. The same four walls can get very tiring and get depressing. You’re reading the news which is just filled with stories of people dying of Covid, ransomware ruining another huge thing, terrorist attacks, whatever it is. All of this inundates our minds with negative emotions and it creates stress.
And now you put on top of that that you are lacking sleep, and we lack sleep because we get ourselves stressed, we work more because we are working from home and that environment creates a higher stress level in our brains. And lack of sleep, higher stress with all those other emotions, it’s the (I hate to say it) perfect storm for us to make horrible decisions. So the world scene right now with the pandemic is definitely poised for bad decision-making because it does shut down people’s ability to be critical in their thoughts.
James Bullen: And though some of these techniques may be used maliciously by bad actors, Chris Hadnagy has been foundational in setting up a code of ethics for people in his industry, social engineers who have legitimate uses for these methods.
Chris Hadnagy: What hit me was your intention is what makes the difference. And if I’m using this because I want to be a better communicator, my intention is saying I’m going to use these skills in order to help others and to help myself, but to help others and communicating the best way I can, and that’s important. But now if I say I’m going to use these skills just to get what I want, and it doesn’t matter how you feel about it. So I want to get something from you, James, and I’m going to get it, and I don’t care about the results at the end. So if you are hurt, sad, depressed but I got what I want, that doesn’t matter, that’s malicious use of it, and that’s kind of where I draw the line, is that from a personal standpoint, if you’re going to use these things in everyday life, the ends don’t justify the means.
From a professional standpoint, if you are using this as a career, you still have to think through, yes, you have to be an adversarial simulator, that is what I call myself, which means I have to simulate what the adversaries do. But the adversaries do a lot of bad things. Adversaries will kidnap your kids and torture them, adversaries will steal your nude photos and humiliate you. Do I have to do all those things to simulate an adversary? I hope not because that’s well beyond my morals and ethics.
Sana Qadar: That’s Chris Hadnagy, author of Human Hacking: Win Friends, Influence People and Leave Them Better Off for Having Met You. And before him you heard from Edwin Frauenstein, a lecturer in the Department of Information Technology at Walter Sisulu University, South Africa.
This episode from producer James Bullen, our sound engineer was Jerome Comisari. I’m Sana Qadar, thanks for listening, catch you next time.