We humans are funny creatures. We’re intelligent, good-looking, sociable, and we’ve got a brain more complex than any machine built so far. It governs our sleep, our breathing, our reactions to the outside world – and to the interior – and behaviours like how to take turns in conversations.
Behaviours. We develop them from the moment we’re born, and they usually get more complex and nuanced, as we grow older. How do we keep up with all of them? The answer to that is simple: we form habits and become “simplistic”. Locking the house door and not remembering, leaving the car keys in the same place only to forget when they are placed somewhere else, entering the password of a social media account and not remembering it afterwards, the list of habits goes on and on.
For these every-day mundane tasks, the truth is you don’t pay nearly the same attention as when you’re doing something that breaks your routine. When you go on holidays and stay in a hotel, don’t you find yourself asking, where did I put the room key yesterday or where is the coffee machine, the bread and the butter?
Habits are little things that help us through the day triggered by a variety of cues from places, people and others’ behaviours. They bring familiarity, a sense of security and comfort, and they help our risk-averse mind too. Habits connect to memory and consumer behaviour, resulting in a lower attention effort.
During your usual work day, most things are scheduled and organised in some way. The time you get up, the morning coffee break, lunchtime, the time to leave the office (hopefully!). Similarly, as part of this always-connected world, you know that remembering passwords, the social media ones for example, can be a challenge. The fear of forgetting the correct password leads you to use the same, repeatedly. To make it even easier, our habit-driven brain thinks of passwords that are based on our tastes and preferences or personal relationships. If you crave football, it can be the name of your favourite club; if you are an I-love-my-family person, you could choose the first name of your sister or your son, for instance. We look for cues that help create patterns or brain automations.
While these habits are good for our memory and automated habits, they are also a trap: they make us predictable; they are the keys to opening the doors to a number of possible threats to our online identity and reputation. An always-connected society using ubiquitous and increasingly sophisticated devices invites cyber-gangs to become even more skilful. In this context, cybersecurity continues to grow in importance and the number of cybercrimes grows with it. Amidst more and more news about data breaches, we ask ourselves what’s cooking in the mind of a hacker, and how our habits make their sinister goals easier to accomplish.
Grab your pirate mask. This article is a trip to a hacker’s brain.
Psychology in the cyber world
(or How our online behaviours and patterns can negatively influence our security online)
Whether it’s an email, a credit card, social media or private servers, hacking has become an unavoidable burden of our digital lives, even when we put it in the back of our heads. Our need for psychological safety and regular habits give hackers the magic wand to damage our online reputation, our job’s digital security and sometimes our wallet.
Technology-related behavioural change is an under-explored field. While improvements to digital protection are necessary, it’s people’s awareness and how they protect themselves that will turn the tide in cybersecurity. The challenge is to make security part of our automated habits because, as we mentioned before, they stick with us. How can we achieve this?
“Nudging” in the cyber world
(How our online behaviours and patterns can positively influence our online security)
Over the past decades, there have been significant developments in how researchers study and understand consumer behaviour. One of the most interesting ones is the Nudge theory, a concept in behavioural science, proposing that positive reinforcement or indirect suggestions influence behaviour and decision-making. Marketers use the Nudge theory quite often. For example, in video games, the “game over” sign is commonly accompanied by the highest scores other players have achieved. By revealing them, you’re being nudged to challenge the highest ones. In a retail website, “popular” or “trendy” items have a dedicated, prime section. The website is nudging consumers to choose specific products because others have chosen them before, so why shouldn’t you?
Influencing behaviours and not changing them seems to be a more effective weapon for cybersecurity to fight better equipped hackers. However, even if this approach may be the light at the end of the tunnel, it’s yet to be tested and proven.
Inside the mind of a hacker
Hackers might not be psychologists but they know how to take advantage of our habits, hack our minds and “get access”. That’s the ultimate goal of hacking after all: accessing databases, security systems, bank accounts, social networks’ profiles. If you made it to here, it’s time to meet 5R, the willing hacker that accepted to talk with us. She tells a short but common story of how she gets into people’s accounts.
Hello there. My handle is 5NIP3R but the gang calls me 5R. I can’t remember when I got into computers for the first time or when my addiction to the internet started. What I am sure of is that during high school I found my inner hacker calling. Talking to other hackers in the deep web, working to impress one another, made me realise the endless doors internet and data can open. Knowledge is power, and the power is online. Although I started with small hits, I built my experience through the years and decided to take it a step further.
I did my studies in Behavioural Psychology. Understanding behaviours and patterns always fascinated me. All that time, all my effort, paid off. Now, I consider myself a gentle master hacker. People give hints about their lives all over the web; you just have to be patient, curious and perseverant. Data that people see as meaningless happens to be gold when analysed together. I’ll tell you a story about my most recent successful corporate hacking, and how I pulled it off.
Hack my background: A little reconnaissance
I’m a freelancer. I work here and there and I’m a hacker for amusement. It makes me feel a bit like a superhero too. When I don’t like a brand or a person, I hack them, I take revenge.
The choice of target came by chance last time. I paid a multinational company for a bundled service, and they ended up not presenting the final product I was expecting, refusing to return the money I invested. So I did what any good hacker would do. I returned home and suited up.
The first part was easy: knowing more about the company. Its website was on the top five of the results page of a search engine I refuse to endorse but I greatly thank anyway. Fortunately, there was an extensive amount of information on the page. Within the first ten minutes I took notes of the services the company provides, the email address and names of the CEO, CFO, CIO and COO and their corresponding titles. A piece of advice: note everything down. Every detail counts.
The next step was to find out what kind of technology they use. Technology packages are easy enough to hack. The fact that they’re standard and common among large companies makes it all too easy to discover. How, you may ask? Well, you know, it can’t get any simpler: using job descriptions! Most companies have a website section for careers and more often than not, they post job openings on recruitment websites, commonly accessible without registration.
The list of technologies, programming languages, and the usual “Mandatory Knowledge of Microsoft Office and Outlook” are mentioned as required skills and I can get information of the email server too. Email addresses should follow the standard formula, first last name (but I confirmed that later on). Now is when the fun part begins, choosing a profile to hack and enter the system. To have access to juicy data, I needed someone with direct access to the system and the information I was looking for. The COO Carl Wilson was the perfect match.
Hack my mind: discovering Carl’s interests and online patterns
To discover more about Carl, LinkedIn was a good place to start. From name, professional email, job description, past professional experiences to hobbies, you can get valuable information ‘in a nutshell’. I ended up confirming my hunch about the email ID and the email server the company is using.
The next step was to explore his social networks and find patterns. Although I already had an idea of Carl’s tastes based on the hobbies he describes on his LinkedIn profile, I needed to dig deeper.
I started with Facebook. I explore Carl’s profile, protecting my VPN at the same time. He’s divorced with no children and no obvious, public, close family ties based on his personal information and the pictures he posts. He’s mostly with friends, three of them more present than others. The background is usually the same when they’re together. The location shows the restaurant of the golf club close to his workplace. Judging by the pages, groups he follows, and his photos he isn’t only an amateur golf player but a big fan of sports in general. Carl also follows famous golf players and often shares content from the page of the golf champion Rory McIlroy. To know more about him and his wins, the know-it-all of the internet was the obvious choice.
On Instagram and Twitter he shares the same photos he has on Facebook and I confirmed he follows Rory McIlroy and often writes comments on his pictures and posts. I ended up discovering a detail that I missed on Facebook. He follows the brand that sponsors this particular player and often writes comments like I already got mine! and This one isn’t on sale yet in my local shop, but I already ordered it online! He’s definitely a faithful buyer of this particular brand and follows its news avidly. The other pages Carl follows are general sport shops, but while they sell different products, they kind of share a similar display.
We are predictable without even realising it. Humans are creatures of habit and following a certain routine bring us comfort and the sense of security. In our habit-driven lives, cyber security is forgotten almost entirely. Lucky me!
We tend to choose websites with a similar design because the sense of familiarity makes the navigation an almost automated process. It’s the same with passwords. People tend to pick names of people they’re fans of or close family members like the daughter’s or the son’s name. Choosing a password based on personal tastes and interests makes it easier to remember, reducing the effort and attention rate, and the login burden. In most cases, people use the same password to log into their different accounts or maybe just a slight different one, which usually includes a familiar number. With my now intimate friend Carl, the answer was, well… almost very obvious.
Hack my identity: Getting access
Carl wouldn’t pick the name of his ex-wife; neither the name of a family member.
He’s a rabid fan of Rory McIlroy. The players’ name is the logical choice and the number, if any, could probably be the year he won the last golf championship or maybe when he won his first championship. I tested my theory on the website section dedicated to the employees, and after five attempts, I got in. It isn’t worth to annoy you with nasty details, but let’s say payback never tasted so sweet. I got the key. Now, it’s time to play nasty.
What we’ve learned from this story
Changing people’s behaviour is crucial to facing the current and upcoming cybersecurity challenges. Yes, success goes beyond programming, firewalls and sophisticated security programmes. No matter how advanced technology becomes, online behaviour will play a major role to the success or failure of any system protection. One way to drive change to habits and behaviours is to use psychology principles to understand users’ motivations. “Empowerment” and “engagement” may be, according to experts, key to involve people in cybersecurity and make them accountable for what they do. The Nudge theory, for example, proves that positive reinforcement can influence decision-making processes and, if used properly, can become a cybersecurity ally. Introducing the human-centric approach to the existing efforts to fight cyber crime and cyber threats is a must do.
What we think
Vincent Villers, Former Cybersecurity Leader at PwC Luxembourg
In a fast evolving digital world, where machines and artificial intelligence are proliferating (and menacing to take over a big chunk of the job market), we shouldn’t forget we’re at the top of the food chain and we should remain in that privilege position because of our intelligence to create, build, change and feel. Artificial intelligence will remain artificial; it essentially mirrors human behavior and how we understand the world.
If people lives become a mere set of repetitive habits, we’ll lose the war against hackers and eventually against robots if prophecies about their “rise and shine” become truth one day. I believe that, when people are aware of what they are, when they are conscious about their behaviors, they’re equipped enough to progressively “take the control back”. Beyond each individual’s role, companies have the responsibility to create a working environment that inspires people and supports them, and to develop a culture that celebrates diversity and humanity. An employee who feels that he/she can behave according to his/her core needs and values will adopt the right approach to cybersecurity.
Organisations should base culture on positivity, engagement, innovation, support and transparent governance. At PwC Luxembourg we call it the right “Tone at the Top”. I truly believe that hackers will have a hard time in a future where people will “take the control back from their habits”.
