Almost two thirds of office workers and IT professionals told a stranger their work passwords in a recent survey. The IT workers gave the information to a street surveyor who could clearly read their names and organisations from conference badges.
The survey demonstrates the strength of a hacking technique known as social engineering, when information is coaxed from people rather than found in computer systems.
A team of interviewers from the Infosecurity Europe conference conducted the research, offering participants a bar of chocolate for their participation in a fake survey designed to elicit their passwords from them. Half of the interviews were with general office workers on their daily commute, but half were conducted with IT workers attending a conference.
The person posing as a researcher asked each person what they thought the most common password was, and then what their password was. Forty per cent of commuters and 22% of IT workers immediately gave up their password.
The remainder were then asked whether the password was their child's name, a football team or a family pet, then tried guessing what it might be based on those answers. A further 22% of commuters and 42% of IT workers gave up their password under this questioning. In total, 64% of all respondents told the researcher their password.
The security lapse was particularly damaging in the case of the IT workers, and not just because they should be more aware of security policies which advise against telling anyone a password. Because they were attending a conference, their names and organisations were readable from their badges, which would make it very easy for someone to impersonate them on a company network.
"This survey shows that even those in responsible IT positions in large organisations are not as aware as they should be about information security," said Sam Jeffers, the event manager for Infosecurity Europe 2007. "What is most surprising is that even when the IT professionals became slightly wary about revealing their passwords, they were put at their ease by a smile and a bit of smooth talk."
The survey also found that workers were more trusting of the IT department than of their boss. It found that 39% of workers would give their password to someone from the IT department who claimed to need it, while just 32% would give it to their manager.
Another Infosecurity Europe survey recently found that a third of businesses do not report e-crime because they fear the adverse publicity that comes from exposure as the victim of hacking attacks.
The survey of 20 chief security officers of large businesses, fear of reputational loss stops even large firms from reporting attacks. Tony Neate, managing director of government-backed online safety body Get Safe Online, said that reporting e-crime benefits all businesses.
"In order to be effective we need to know what the scale of the problem is, this can only be measured if we report incidents when they occur," said Neate. "How and who we report to is a matter for debate, whether it is the internet service provider, bank, or local police. Without collating the scale of the e-crime problem, we will never truly be aware of the cost to society at large and the measures that need to be put in place to fight it."