People are more likely to share their passwords when offered chocolate

A shift to social engineering from traditional cyberattacks might be on the horizon. By offering rewards, hackers could improve their success rates, a study finds.

Social engineering works better with rewards

"Beware those bearing gifts" is the ancient phrase that dates back a few thousand years. It referred to the wooden horse that was used to dupe the folks of Troy into allowing the Greeks into their city.

Well, don’t trust the horse today, either.

Freebies are just as likely to be accompanied by trickery now as they’ve ever been, according to scientists who’ve been studying the willingness to communicate confidential information.

Presents “greatly increased the likelihood of participants giving away their password,” say psychologists from the University of Luxembourg, reporting what their research has revealed.

The academics had been looking into how individuals “are manipulated into sharing their passwords with complete strangers in return for small gifts,” the press release on the university’s website explains.

They found that when people on the street were given chocolate while at the same time being asked for their password—before those individuals were asked about their feelings about computer security—almost half (44 percent) gave up the password.

A control group, who received the chocolate at the conclusion of the questioning, weren’t as likely to proffer up the secret. Only a little under a third (30 percent) gave up the restricted information, the researchers found. They interviewed 1,208 people.

“The willingness to divulge passwords increased further if the chocolate was offered immediately before the participants were asked to disclose their password,” the release says. The password was a reciprocated gift.

The scientists say we need to watch out because as cybersecurity gets taken more seriously in the future, and as the cost of hacking attacks increases, hackers' social engineering will become more prevalent.

What is social engineering?

Social engineering is the psychological manipulation of workers, by enemies, to gain private, valuable information, such as passwords.

“Social engineering targets the weakest link in the chain, and that is the user,” says Dr André Melzer, co-author of the study published in Computers in Human Behavior.

The problem is that “when someone does something nice for us, we automatically feel obliged to return the favor,” says Melzer. It’s the “social norm of reciprocity,” the paper’s abstract says.

This isn’t the first time a study like this has been attempted. In 2008, Darknet reported on a smaller survey (576 people) performed by Infosecurity Europe, a conference. It found that 21 percent of workers questioned on London’s streets “were willing to share their computer passwords with a good-looking woman holding a clipboard.” They, too, were offered chocolate.

That 21 percent take-up was an improvement over previous years, apparently. Darknet says that in a study the year before, 64 percent would have given away their code.

One question that obviously arises is whether the passwords tendered in any of the surveys were in fact real.

“Hey, if you’re a pretty girl and you’re offering me chocolate, I, too, will be delighted to make up a password and give it to you to write on your clipboard,” said Darknet commenter David in 2008.

The abstract and press release for the University of Luxembourg’s recent study don’t say how, or whether, the passwords were ever checked.

However, one might want to note the words of Greek playwright Sophocles in any case. He lived from 496 to 406 B.C. and often wrote of treachery and trickery. “Foes' gifts are no gifts: profit bring they none,” he said.

Or, do not trust the horse.
