It requires quite a bit of effort and expense for hackers to program a Trojan virus and infiltrate individual or company computers.
But why not go a much easier route and apply some social engineering principles to manipulate computer users into voluntarily divulging their login details.
For the first time, psychologists at the University of Luxembourg conducted a large-scale study involving 1,208 people to investigate how people are manipulated into sharing their passwords with complete strangers in return for small gifts.
“Social engineering targets the weakest link in the chain, and that is the user,” said Dr. André Melzer, co-author of the study “Trick with treat – Reciprocity increases the willingness to communicate personal data,” which appeared in the most recent edition of Computers in Human Behavior. “More specifically, we investigated the psychological principle of reciprocity. When someone does something nice for us, we automatically feel obliged to return the favor. This principle is universal and important for the way we function as a society. However, this internal pressure can also be exploited to achieve certain purposes, such as encouraging someone to divulge a password.”
During the experiment, researchers asked randomly selected passers-by about their attitude toward computer security, but also asked them for their password. The interviewers were carrying University of Luxembourg bags, but were otherwise unknown to the respondents.
In one scenario, participants received chocolate before being asked for their password, while in the control group they were only given chocolate after the interview.
The research showed this small gift greatly increased the likelihood of participants giving away their password. If the chocolate was only given out afterward, 29.8 percent of participants revealed their passwords. However, if the chocolate was received generally beforehand, 43.5 percent of the respondents shared their password with the interviewer. The willingness to divulge passwords increased further if the chocolate was offered immediately before the participants were asked to disclose their password. Here, the internal pressure felt by the recipient appeared to be particularly high, with 47.9 percent giving away their passwords, compared with 39.9 percent of participants who received their gift at the beginning of the interview.
The study shows how easy it is for people to end up manipulated with the help of a simple incentive and the principle of reciprocity.
“This simulated attack was in no way a sophisticated criminal strategy,” Melzer said. “Although the consequences of such attacks can be severe for individuals or companies, many people lack awareness of such dangers.”