Sunday, April 25, 2010

Using Embedded Commands in Social Engineering

Using a technique known as preloading, you can get someone to think of something while believing the thought was their own. In reality, you deliberately planted the idea. I can't get into extreme examples in a blog format, but you already know that when I tell you not to think of a black cat, you will automatically think of a black cat. The phrase "think of a black cat" is in the sentence you heard well before you received the reason you should ignore it.

And more often than not, you follow the embedded command without question. You ignore the negation and its consequences and act only on the simpler command: think of a black cat. You then think of the cat, and decide the person telling you all this is some kind of psychic freak.

This is a very simple example of the type of preloading social engineers use to get the information or access they are seeking: subtle suggestions crafted to make a person feel they have independently come up with the very answer you planned for them to give.

Earlier tonight I was with friends at a bar, and I got an opportunity to test out a few techniques. We bought raffle tickets. However, we didn't plan on staying long enough for the draw, and I decided to give the tickets to someone else.  We had 3 sequentially numbered raffle tickets, with numbers ending with 2, 3 and 4.  For a little fun and social engineering practice, I played a quick game with the neighbouring table, where the winners win the tickets they correctly choose, and the losers do not. Clever.

I chose to give the valid draw tickets to a group of people if they could guess the last number of the ticket I chose for them. I expected them to get each number in order. That's a 3/4 chance to win once. However I wanted all of them to win.

Here's what transpired. I will refer to F1 and M1, a male and female pair where the female is the mother of the male, and F2 and M2, where the female and male were a couple. I'll be Me. The lady I asked first (F1) said I should ask her son (M1) first.

I held out a ticket toward M1, and I said, "okay, I have 3 tickets, and there are 4 of you. So 3 of you will properly guess the last digit of each ticket, and one will not.  Tell me a number from 1 to 4. The last digit of this ticket."

He said 3, and the ticket in my hand indeed was the one with 3 as the last digit. He accepted said ticket, and I then questioned his mother, F1. "You too," I said. "Choose a number."

She said "3". Well, that threw me off a bit, but it's obviously already taken. So I continued: "Ah, you messed it up, that number's already been chosen. M2, what is the first number you thought of?" and he said "2".

I gave him the ticket in my hand, which of course ended in 2, and said to F2, "You have a 50/50 chance. There's only 4 choices, some that have already been chosen."

She chose 4, of course, and I handed her the final ticket, which indeed ended in a 4. They were all delighted, and were now in possession of three draw tickets they didn't have to pay for.

How did I do this so smoothly? Pay attention to the words I used to make sure I got the numbers I was expecting. Tell me a number from one, two... four. You two. There's only four...

The takeaway here? If you tell your users "Don't give your password to strangers", what is the embedded command more likely to be humming around in their subconscious minds? The negation is processed last, if at all; phrase security guidance as the behaviour you want ("Only enter your password on the login page") rather than as a prohibition that carries the unwanted action inside it. Please don't post your passwords in the comment section.
