A survey showed that commuters in London more often than not (more than 70%) would reveal their computer password in exchange for a bar of chocolate.
The survey dates from 2004, but since then, things have not necessarily improved. In fact, users still give away their passwords for even less.
For nothing, to be precise. In the survey itself, 34% of respondents offered their password when asked, without even requiring the incentive of a bar of chocolate.
All this happened in the context of a survey without malice aforethought. What would happen if a hacker were asking the questions?
The ruse during the survey to get passers-by to reveal their password for free was simple. The people doing the survey asked if the respondent’s password was connected to a pet’s or child’s name.
Over one third of the respondents concerned then spontaneously volunteered their password without any further questions. This kind of non-threatening environment is exactly what hackers try to create when they use social engineering tactics to get confidential information from users.
Posing as a support engineer is a classic ploy. It lends credibility to the hacker and lets users believe that responsibility for the confidentiality of their password or account access information has passed to the “support engineer”.
The human element is the most vulnerable part of information security, which is why a security standard like ISO 27001 insists on covering all aspects of an organization’s operations, not just the IT systems.
Indeed, as part of the ISO 27001 certification process, organizations must train employees in information security awareness.
There are few mitigating circumstances if any (life-or-death situations might qualify) for a user to reveal or share his or her password with anyone else. And certainly no excuse to hand it over simply for a bar of chocolate.