‘Live phishing’ experiment nets consumers hook, line, and sinker

Despite the spiraling threat from identity theft, most consumers who were recently approached by complete strangers on the streets of New York freely gave up personal and sensitive data, which could be used by cyber criminals to crack account passwords or to steal identities outright.

The results of a social engineering experiment, which was conducted in Central Park on behalf of security firm RSA Security during August and September 2005, showed that most consumers gave away sensitive data after being wooed into a false sense of security by a friendly face or the promise of a cash prize.

The situation was deliberately constructed to feel official and safe, much as online phishing attacks try to convince customers of their legitimacy with real logos and industry terminology. In the experiment, which purported to be a survey about tourism in the city, pollsters aimed to uncover the type of 'innocent' information - mother's maiden name, favorite sports team, date of birth - that people commonly use as passwords but do not generally think they need to protect.

More than 70 per cent of respondents gave up their mother's maiden name, while over 90 per cent of people provided both their date and place of birth. Worryingly, over half explained how they devise their online passwords, and nearly 85 per cent of respondents provided their full name, current street address and email address.

A small number of survey takers declined to answer a question asking how they devised their passwords, stating that this request was "too personal" or that they "don't give out that information". The same people, however, had no problem handing over their date of birth and mother's maiden name, which suggests consumers often are not aware of "back doors" into their accounts.

"A lot of personal information actually functions like a password and, as such, needs to be robustly protected," said Chris Young, vice president of consumer authentication services at RSA Security.

"Many consumers have called their credit card company to check their account and been asked for their mother's maiden name as a personal identifier. On top of this, with a bit of sleuthing, motivated phishers can guess what a New Yorker's password is just by having his address and trying combinations that assume he's a fan of the Yankees or the Knicks. Our survey reminds us that we all need to be more aware of such vulnerabilities, and take appropriate precautions."

Recent research from the Federal Trade Commission notes that damage and loss resulting from ID theft and cyber-crime among American adults have increased to nearly $50bn annually.

