Why I don't reply to IMs from new screennames

[giza]

Okay, I'm getting tired of people sending me IMs from screennames that I have never heard from before that say "Hi, this is so and so. This is my new screen name!"

I do not reply to such messages. Period. Why? Because it is WAY too easy to engage in Social Engineering. Social Engineering is also known as the art of bullshitting people to get information out of them. Heck, Kevin Mitnick did a great job of getting into systems that he wasn't supposed to be in simply by using social engineering.

Then there is this recent case where a basketball player from USC was duped into thinking that he was talking to a student from UCLA named "Victora" who said she wanted to party with him. Imagine the look of surprise on his face at the subsequent basketball where people in stands held signs with his phone number and passed out copies of chatlogs.

Remember: trust, but verify.

Comments

[greenreaper.livejournal.com]

Hmm. So where's the trust - or the verification, for that matter? Couldn't you ask them something that only they (or someone who knows you) would know?

Hi, this is Eddie Vedder over in Accounting.

[coyoteden.livejournal.com]

We had a power surge here and need to log back in. Can you tell me what the password on the modem is?

[giza.livejournal.com]

Ah... you were paying attention. :-)

It's kinda hard when you've never met met someone in person to be able to verify that a certain screenname belongs to them, of course. The next best thing you can do online is to have a web of turst. Either verify someone's screename/email address through a friend that you trust, or check their LiveJournal or website for a match.

So... if someone IMs me and I Google for their screenname and find their LJ, I now know that the screenname is tied to their LJ. I can then look through their LJ to try and learn more about them, and maybe look at their friends list to see if they know anyone I know.

I dunno if you ever used the command line versions of PGP or GnuPG, but they had a some great web of trust features for keeping track of keys, who signed them, etc.

Re: Hi, this is Eddie Vedder over in Accounting.

[giza.livejournal.com]

It's: +++ATH

[greenreaper.livejournal.com]

I don't use them, but I am aware of them. I am a member of the similar Thawte Web of Trust (http://www.thawte.com/secure-email/web-of-trust-wot/index.html), though I never did quite make it to the 50 points I needed to get my name assured (I'm currently on 45, just need one more assertion).

[puctiger.livejournal.com]

Another reason why I tend to ignore pages from people that I don't recall and aren't on any of my lists. I don't keep up with everyone's alts and don't pretend to remember them all.

On a different note, I've done the social engineering thing in the past, too. Not for malicious purposes, but to wiggle up the ladder and talk to the right person to solve problems that front-line customer service folks have no clue on how to.

[gizmo-nine.livejournal.com]

I tend to not speak with people who I haven't added myself. Of course this means my IM list is rather short, but I have never been a real sociolite anyway.

[omnibahumut.livejournal.com]

If I see a new s/n IM me saying its an alt to someone I know, and the next word out of thier mouth is "Hey I lost... could you tell me again?" You'd have to be pretty dense to just give out the info.

I'm pretty trusting, but I keep in tune to convienient coincodences like that.

[irbisgreif.livejournal.com]

True, but people who want the info can work at playing you for a period of time.

[hotmaewest.livejournal.com]

So, does this mean you won't talk to me until anthrocon?

[giza.livejournal.com]

No, it just means that if you IM me, expect me to Google for your screenname and only respond if I find a match on your LJ user info page.