Chocolate, the secret weapon to siphon passwords

A survey by Infosecurity Europe of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers, with the lure of a chocolate bar as an incentive for filling in the survey. (ed: Why not try a lads' magazine for men?)

The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.

This year’s survey results were significantly better than in previous years. In 2007, 64% of people were prepared to give away their passwords for a chocolate bar; this year that figure had dropped to just 21%, so at last the message to be more infosecurity savvy is getting through.

The researchers also asked the office workers for their dates of birth to validate that they had carried out the survey; here the workers were very naïve, with 61% revealing their date of birth.

Another slightly worrying fact discovered by researchers is that over half of people questioned use the same password for everything (e.g. work, banking, web, etc.).

“Our researchers also asked for workers’ names and telephone numbers so that they could be entered into a draw to go to Paris; with this incentive 60% of men and 62% of women gave us their contact information”, said Claire Sellick, Event Director, Infosecurity Europe.

As she revealed her details to our researchers, one woman said, “Even though I have just been to Paris for the weekend, I would love to go again.”

Sellick continued, “that promise of a trip could cost you dear, as once a criminal has your date of birth, name and phone number they are well on the way to carrying out more sophisticated social engineering attacks on you, such as pretending to be from your bank or phone company and extracting more valuable information that can be used in ID theft or fraud.”

Workers were also queried about their use of passwords at work: half said that they knew their colleagues’ passwords, and when asked if they would give their passwords to someone who phoned and said they were from the IT department, 58% said they would.

Researchers also asked workers if they thought other people in their company knew their CEO’s password. 35% of them thought that someone else did, with Personal Assistants and IT staff being the most likely suspects.

“This research shows that it’s pretty simple for a perpetrator to gain access to information that is restricted by having a chat around the coffee machine, getting a temporary job as a PA or pretending to be from the IT department.”

Sellick continued, “This type of social engineering technique is often used by hackers targeting a specific organisation with valuable data or assets such as a government department or a bank.”

One man said, “I work for a government department. I would never give my password to anyone else; it could cost me my job.”

Most people used only one (31%), two (31%) or three (16%) passwords at work, but a few poor souls had to use as many as 32! It was also found that 43% of people rarely or never change their password, which is very poor security practice.

After the survey was completed, each worker was told: ‘We do not really want your personal information; this is part of an exercise to raise awareness about information security as part of Information Security Awareness Week, which runs from 21-25 April 2008.

We will tabulate the results to find out how good people are at securing their information.’ At this, one man told one of our pretty researchers, “You look so well dressed and honest, I did not think you could be a criminal”, a sentiment echoed by many others.

Claire Sellick continued, “This is precisely the problem: whether a criminal approaches you on the street or online, they will often not be who they appear to be, and a criminal can often look very presentable.

Many of the social engineering techniques used by face-to-face fraudsters have been adopted by criminals to encourage people to open spam emails or visit websites that are infected with viruses, trojans or malware collectively known as crimeware.

The crimeware silently takes control of PCs and other devices and then steals identities and cash, or in many cases joins the PCs to a network of controlled PCs as part of a “BOTNET” to launch attacks on other people or organisations.”