Social Engineering

The human mind has always been influenced from the outside. As groups formed in order to improve their chance of survival, different positions emerged. A ranking was established, from the lowest tier up to the alpha male and female. Each higher position carried more responsibilities, as well as more benefits. We can still see this behaviour in the animal kingdom, as it provides enough benefits to guarantee the survival of the group. At the very beginning, the strongest were in the leading positions. This has always led to a struggle for power. Some obtained power through pure strength; later, others used their wits to manipulate people and gain some sort of advantage over them. I want to take a closer look at how precisely people can be manipulated in the computational era into doing what someone else wants. The following definition from Webopedia serves as a guideline for what is considered to be Social Engineering.

„In the realm of computers, the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information. Social engineering is successful because its victims innately want to trust other people and are naturally helpful.“



Everybody who has an email account and is active on the Internet, be it as a regular online shopper using PayPal or Internet Banking, a businessman, or as a gamer playing World of Warcraft, has received a phishing email. But what is Phishing?

The word sounds really familiar. Just like in fishing, you put bait on your hook, throw it into the water, and then wait for something – or in our case, somebody – to take the bait. The only difference is that a phisher has to do a lot more work to reach his goal.

The plan behind a phishing attack is the following: You know that a lot of people, some of them hopefully unsuspicious and gullible, use online services. Common knowledge says that these people need to log into said services in order to use them. Therefore, they have to provide a password and username. Phishers are highly interested in those. But they can’t simply hack into the database to steal them. If one could joyfully waltz through the server security, one would just do so. That’s why hackers have created a smart way to get the victims to hand over their personal information themselves. To successfully do so, all they need is a list of email addresses, which can be easily bought at certain places, and a duplicated login site of their targeted website. Over the last years, these copies have become top-notch. At first glance, you can tell no difference at all. They are so sophisticated that you need the original website right beside the copy in order to tell the difference. But who suspects such a thing and always compares every website they log into? Hackers count on the trust that users have in their websites, especially in websites using HTTPS. However, these sites are no longer safe from phishing attacks either, as this graph implies.

As phishing emails can be sent out to thousands, even millions of users at the same time, phishing is highly efficient, provided the setup is convincing. A good example is the following picture.

Modern phishing sites have achieved a nearly identical look compared to the original website. Can you spot the difference?


The majority of phishing attempts take place in Russia, the USA, India, and Germany. Depending on the location, hackers can tailor emails to better fit their targets. Kaspersky has released an interesting report, based on data from their anti-virus software, containing information about where the attacks have been hosted, by how much they have increased, and who was targeted. It implies that the situation is not getting better, and that more and more people are victims of phishing.

We might think that phishing is a side effect of our modern age. However, it has been around for centuries. Most people have heard about the Nigerian Prince, who, poor soul, has just too much money on his hands. He needs your bank account info in order to transfer some of that money to you. A similar scam, called the „Spanish Prisoner“, was tricking people around 1900. It was a finely crafted letter which, just like our phishing websites, tried to trick people into giving away their money under false pretenses.



Vishing is tightly connected to phishing. The term stands for Voice Phishing. In this case, however, no emails are sent out. It is a more tedious approach to collecting the wanted data from a target. The Social Engineer calls the person who holds the wanted information, and tries to manipulate him or her into handing it over. This can be done by pretending to be somebody else, usually someone from a credit card company, or even the telephone company the target has a contract with. The caller acts as if something has to be confirmed, and gets the target to reveal their password or credit card information.

Often the elderly fall for the so-called „Grandchild Fraud“, where someone pretends to be their grandchild, who is in dire need of some money.

In Europe, especially in Germany, there is a huge Vishing ring focusing solely on the elderly. They use the so-called „Grandchild fraud“. They call random numbers, wait to hear who answers, and determine whether the person fits their pattern or not. Afterwards they talk to them, pretending to be a grandchild who is in financial trouble and in need of some money. It sounds rather conspicuous, but it is shocking how easily people give the information away. A simple

„Hi Grandma Gretel, it’s me, your grandson.“

„Oh, is that you Klaus?“

is enough information for them to start their ruse. After they know that there is a grandson named Klaus, they start building up trust. Once they are regarded as someone familiar, which doesn’t take too long considering the advanced psychological skills the Social Engineers possess, they start asking for money. Often, grandparents only want the best for their family, and agree to it. Then they set a date to meet up. Shortly before the meeting, Klaus suddenly can’t make it, but will send somebody else to pick up the money. And once the money is gone, there is no getting it back. The scale of this fraud is unbelievable and cannot be precisely estimated, as a lot of the victims are either too ashamed to have fallen for it, or are simply no longer in the mental condition to go to the police. And as the scam is still going on, there is no way of knowing how many more people will fall for it. The damage caused up to now runs into the millions. In 2008/2009 alone, the tricksters collected over 5 million SFr in Switzerland.



Shoulder Surfing

A very important warning label

We all see the „Protect your PIN“ signs whenever we go to the ATM, and shoulder surfing is the reason for that. If somebody wishes to get information from you, the easiest way is to simply observe it while you type or fill it in. Especially in crowded places, shoulder surfing is a big problem. But PINs are not the only target. Social Security Numbers, access codes, locker codes, basically any type of code is valuable. Shoulder surfing has been around for much longer, though. Especially in school, when you forgot your homework and didn’t want to get in trouble, just copying it from the person in front of you has always been an attractive alternative.

Another more or less direct form of shoulder surfing is outright interfering in another person’s business. These two gentlemen are a good representation of this method. While the victim is standing in front of an ATM, person A approaches her. He distracts the woman, who has just entered her PIN to withdraw money. Partner-in-crime B uses the distraction to hastily grab the card, or the dispensed money, from the cash machine.



Never plug in a USB device of unknown origin. It could contain malicious software, which will infect your network at home or at work.

Baiting is a form of Social Engineering that relies on human curiosity. An item used to store data is left at a location where people will definitely see it and pick it up. For example, in the staff lounge of a big office building, someone leaves a USB stick which has “John” written on top of it. As there is a high chance that people know somebody named John, they will either return it directly to him, or take a look at the content first. Either way, the stick will be plugged into a corporate computer, as nobody wants to endure the suspense of not knowing. As soon as it gets plugged in, a virus, malware, Trojan, or worm spreads out into the whole corporate network. These are sometimes disguised as photos or files people would be interested in. This allows the hackers to bypass firewalls and security points in a network. Thanks to that, they can steal important corporate secrets, or install a live feed inside meeting rooms by activating microphones and cameras on laptops or security cameras. Baiting has been tested by many security companies, and a significant number of tests showed that the curiosity of the human mind outweighed its sense of possible danger. The famous worm Stuxnet was spread this way. That’s why the US government did some testing on the effectiveness of baiting as well. The findings of that test show that a random data storage device was inserted 60% of the time, and even 90% of the time if it had a company logo on it.



Tailgating is a term borrowed from traffic. Instead of tailgating a car (following it extremely closely without keeping a safety distance), you tailgate a person. This is especially effective if you need to get into a restricted area in a hospital, office building, or even university. Simply stick to a person when they enter a room. Common courtesy usually makes them hold the door for you. And if they don’t, just wait for another person, mumble something about forgotten keys and put on a sad face. The desire to help and appeal to another person gets you that door open.



Pretexting is the most elaborate, and final, form of Social Engineering. To create an authentic pretext, one must gather enough information about a company or person. Depending on the goal, more information is needed. It combines various forms of Social Engineering in order to convince the victim to release the desired information. A good pretexter does sufficient research to achieve this. This includes: the website of the company, employers and employees, customers, personal information about employees, security structures, locations, possible governmental affiliations or institutions the company deals with, etc. The following video shows, however, that sometimes you just need one person to hack into a system.

At the annual hacker convention DefCon in 2010, a contest was held. The goal of this contest was to use Social Engineering in order to infiltrate various companies, including big players like Microsoft, Apple, Google, Cisco, and many more. There was no sensitive information hacked, like financial reports, IDs or passwords. In fact, such information was strictly off-limits. The targets, called flags, were schedules, browser versions, or getting employees to open certain URLs. And it is important to know that the majority of the participants were not experts in the field. Two weeks before the event, each contestant was given a company name. They were allowed to use these two weeks to prepare for the contest. Gathering information about the company was the main activity during that time. During the contest, each participant had 30 minutes. 5 minutes were used to explain their strategy, and the rest to capture as many flags as possible. They all approached the goal in a different way, but as long as there was a human interaction over the phone, flags were captured.



After all that scary manipulation and hacking, one can hopefully understand that you will make every person administering computers the happiest person in the world by following the three magic words they love so much: Don’t trust anybody. Ever. Always ask yourself why somebody would need that information. If your grandmother calls you because she has gone into debt and needs some money wired via PayPal, just laugh and hang up. Because you know that your granny still thinks that emails need 2-3 days to get delivered by the mailman.

Social Engineers can be dangerous and harmful if they have the wrong intentions. We cannot fix the problem of Social Engineering. No matter how refined a software is, no matter how outstanding the security, at the end of the day, a company relies on its employees. And since there has been a way of communication, people have been lying to get what they want. We can only protect ourselves through education.


Ethical Aspects of RFID

Technology has advanced at an unbelievable speed in the last century. One important rule describing the advancement of processing power is called Moore’s Law. The law states that approximately every two years the processing power of computer chips doubles. A good example of this is the size and cost of the computer used to guide the Apollo moon landing compared to a pocket-sized smartphone. One of the technologies that scientists were able to discover, apply, and enhance because of the available processing capacities is RFID (Radio-Frequency Identification), as well as NFC (Near Field Communication). The line between these two is not completely defined, as both are built upon the same ideas and technology. You could say that NFC is, as the name implies, a short-range version of RFID. Therefore, RFID is the more important technology, and the one I will focus on.

Short History of RFID

For many it is hard to believe, but RFID is not a new technology. Far from it. It was discovered in WW II, when scientists worked together with the military to develop new ways to identify aircraft with radar. After all, they couldn’t just shoot down every unidentifiable airplane without knowing if it was their own or not.

Since then, non-military companies have discovered the handiness of RFID for themselves. The 80s was a big decade for RFID, as it was becoming much more popular in the fields of identification, tracking, manufacturing, and transportation. Since then, it has been an essential enhancement for businesses, the public as well as private sector, manufacturing and the military.

This graph shows how much businesses in the U.S. were spending on RFID technology between 2005 and 2008. You can see a big jump in the implementation and usage of the technology. It proves how important the small chips have become to us in our daily lives.

Now, it may raise the question:


How does it work?

RFID uses radio frequencies, hence the name. It requires only two things to work: a so-called ‚Tag‘ and a ‚Reader‘, which is either connected to a computer or is a computer itself. The Tag is equipped with an Antenna, so it can receive the order to activate the Transponder, which is the heart of the Tag. Different data can be stored on the Transponder, e.g. the bar code number for books, or the information whether the commodity has been paid for. If it has not been paid for, and somebody tries to steal it, the RFID Tag will set off the security gates as soon as it gets close to them. The biggest advantage of these chips is that they do not rely on physical contact. This speeds up their usage tremendously. Another notable thing is that there are different types of Tags, each suited best for a certain field.


Economic Implications

RFID Tags are a wonderful blessing for the economy. As there are different types of Tags, they can cover almost every imaginable area in a company. Why am I writing about the economy, some might wonder? Because the economy is having one hell of an impact on our private and public lives. I assume most have heard about Supply and Demand. New technologies are developed solely to produce smarter, cheaper, and plainly more. Money is a powerful motive. For example the iPhone. There have been smartphones before the Apple product. In fact, the first smartphone is already 20 years old. But Apple saw a market to be conquered, and now smartphones have influenced our lives in a way nobody could have predicted. Also, NFC is now standard in smartphones. And thanks to NFC, we have a nice transition back to RFID chips.

In the Office, the chips are used for:

  • Identification: Employees are provided with their own personalized ID card, which gives them access to certain areas within the company.
  • Location Management: Managers know when an employee has checked in, and depending on their company policy, they can monitor their employees by tracking them as they use their ID card.
  • Security: Most companies don’t want the new intern to have access to some old file rooms, or other high security areas. The easiest way to prevent them from getting in is by simply not providing them with the authorization on their card.

In a store, they can

  • give customers information about a product, like its size, price, expiration date, origin, etc.
  • be used as a security measure in combination with security gates.

Some bad tongues also say that they might be used to track a customer’s behaviour in a store. And they are right. A supermarket chain started a project to track its customers, where they went, and how much time they spent in certain locations. Everything for the sake of a better product layout, of course. A happy customer is a customer in a cheerful buying mood.

But not only offices and stores profit from the chips. Manufacturing, Logistics and Supply Chain Departments benefit by far the most from them. Since the introduction of RFID tags, they have become much more efficient, because they now have the capability to supervise the entire production chain, from big machines to a small hammer. With the help of tags, nothing can get lost. Exponent and Age Steel is a company that ran a trial to prove this. They provided 1,000 packages with tags, and the same number without. During the trial period, they knew precisely where every tagged package was at all times, whereas they temporarily lost 300 untagged ones. This boosts productivity enormously, especially within companies handling a lot of packages, containers, or commodities.

Social Implications and Ethical Aspects

One of the biggest concerns about RFID tags and chips is security, which also includes the security of one’s privacy. Example: Nowadays, every new German personal ID card has a chip in it. The idea behind it might have been a good one: making the information on it more easily accessible for the government, official institutions, or certified Internet shops. But that turned out to be the problem: A lot of very private data, including one’s fingerprints, date of birth, etc., is saved on the chip. The new IDs have been issued since 2010. The ‚Chaos Computer Club‘ (a very well-known and respected organization of hackers, with the goal of informing people, organisations, and the government about security issues) hacked the new ID shortly after its release. And this happened with a government-issued and supervised ID card.

Let me approach the topic of ethical aspects of RFID from different angles, meaning ethical theories.


Immanuel Kant was the philosopher who created the ethical theory of Kantianism in the 18th century. He believed that there are universal moral guidelines, which are also rational, and that people should never be treated as the means to an end, but rather as ends in themselves, as well as equals.

Let’s take a closer look at those statements, especially with the focus on privacy.

  • Is RFID usage universal?

The technology RFID is based on is, in fact, universal. However, depending on the desired effect, it differs. Other frequencies are used, and different kinds of data are stored. There is no such thing as “the” universal RFID chip. Otherwise we’d use the same chip in our car keys and in the books we borrow from the library. However, if we take a look at the different kinds of chips, and then decide if they are universal, we come to a different conclusion. The RFID chips in all credit cards are the same; it’s just the stored data that’s different. The same goes for chips in IDs, library books, packages, etc. And as the chips can only be used for their intended purpose, they are universal.

  • Is RFID usage rational?

A clear yes to that. RFID is used to improve certain procedures, like vehicle returns, ticket verification, or in the medical field. The whole development of it was based on rational thoughts, because the military surely wouldn’t have spent a lot of resources to develop it just to hoax the German army. The same goes for its usage nowadays. If the chips are not needed, they are not implanted.

  • How do we treat people? Especially their data?

In general, RFID is used to treat people and goods as a means to an end. When a factory implements RFID, it does so to become more efficient, to save money. When a shop implements RFID as a security system, it does so to prevent theft, and therefore save money. When a library implements it, it does so to prevent theft and speed up the processing time at the counters. Some might have noticed a pattern here. And the pattern behind the implementation of RFID is: To save money. Or make more money.

There are more than enough examples of people being treated as a means to an end. Shops are starting to collect and use data about the shopping habits of their customers in order to improve their selection and layout. This is clearly a wrongful act in Kantianism.

If we take the above points into consideration, then it would be ethically correct to use RFID. But alas, the last point contradicts the theory. Therefore, the overall use is morally right. The way that data is collected and used is wrong.

Social Contract Theory


“Morality consists in the set of rules, governing how people are to treat one another, that rational people will agree to accept, for their mutual benefit, on the condition that others follow those rules as well”

A very important word in this definition is the word accept. When we enter a Social Contract as a society, we agree to accept what’s happening to us, our family and friends, simply everybody. But how do we know what’s really happening when we use RFID? Can somebody guarantee us that absolutely nothing happens if we did not agree to it before? That is the tricky part about this technology. The RFID tags themselves can only hold specific, fixed data and share it on demand. The morally wrong part is therefore not the tag. The tag cannot spy on our shopping habits, ID, or credit cards. It lacks the software and capability to do more than it was designed to do. The problem lies elsewhere. Whenever an employee uses the ID card to enter a building or room, the Reader has to connect to an internal or external server and complete an identity and right-of-access check. Who says that the company doesn’t keep track of its employees? As I have mentioned above, stores are already tracking their customers. Most of them do so without the knowledge of their customers: The shoppers did not agree to it, and if they knew, would most likely decline to be spied on.

RFID is a very handy technology. It makes our daily life more comfortable, and helps us save time we can then spend on more important things: Friends, family, hobbies. Or as a student, studying and napping. It saves a lot of money, and shields us from a lot of inconveniences. Or can somebody imagine carrying dozens of keys around for all the doors on campus? The university ID cards do provide a nice service. As a society, we are inclined to go the easiest way when possible. If something helps us improve our quality of life, we gladly accept it with open arms. But because of the fact that chips can be hacked from 3 feet away, and that we do not know what ultimately happens with our data, we are becoming more aware of these problems. We could argue that RFID is a very software-dependent technology, and can therefore never be completely secure. And that argument is right. As long as there have been encodings, there have been people trying to crack them.

As a result, the usage of RFID is ethically right, as long as the privacy of the user is not breached, and a certain level of security is given. Under these terms, a society can accept using RFID without any concerns.

Rule Utilitarianism


„Rule utilitarianism is the ethical theory that holds that we ought to adopt those moral rules which, if followed by everyone, will lead to the greatest increase in total happiness. Hence, a rule utilitarian applies the Principle of Utility to moral rules, while an act utilitarian applies the Principle of Utility to individual moral actions.“

Getting to an ethical conclusion with the above quote in mind is rather simple. Rule Utilitarianism concerns the majority of a society. If something makes the whole society happier than it was before, it is ethically right. As stated above, RFID is a pretty neat thing. It does make us happier. At least the majority. Of course, there are always people against a new technology, who trouble themselves with security and privacy issues. But they are a very small minority. And the average citizen doesn’t think about privacy issues that much anyway. If we take all that into account, we have happy citizens, a happy economy, and a happy government. By applying the rules of this ethical theory, we also do not have to bother every time we use RFID and ask ourselves if it is ethically right, or wrong, to use it. Because it is ethically right to use it.