Social engineering: Your role as gatekeeper in keeping Texas Children’s Hospital secure

“We just had someone on the floor who didn’t have a TCH badge or an appointment to see anyone. He claimed to work for a company called ‘Amtelco,’ and got past Security on the first floor, then came up the elevator and one of us let him in the front door.”

How many times has someone asked you to let them into secure offices because they “forgot their badge”? How many times have you cheerfully held the door? Oops!

This is not an uncommon occurrence at Texas Children’s. People pretend to be someone they’re not to gain entry into wards or offices, and then steal purses or computers or, worse, attempt a kidnapping!

Welcome to social engineering!

In this case, social engineering refers to someone pretending to be someone else to gain illicit entry. Think of it this way: What if a thief pretending to be a computer technician conned you into giving him access to your computer and confidential patient records?

Potential thieves prey on people’s trust, innocence and good nature to gain access to secure areas or protected information. This is why Information Services, the Privacy Office and Security Services continually remind everyone of basic security protocol: Challenge unfamiliar people without a badge; don’t allow “tailgating” into secure areas.

Social engineering online

Social engineering, unfortunately, is not confined to the physical world. It’s not uncommon for hackers to use a combination of public information and social engineering to gain access to others’ accounts.

In one case, Amazon tech support gave hackers the ability to see a piece of information – a partial credit card number – that they used to persuade Apple to release iCloud account information. Both Apple and Amazon have since updated their security procedures, especially when it comes to accessing accounts.

Moral of the story

Although it’s easy to focus on the failures of Apple and Amazon, user error also exacerbated the extent of the damage in this sad tale. Some lessons to share:

  • Don’t share passwords – sharing a single password across accounts means a hacker can access multiple accounts with a single key. Remembering multiple passwords can be onerous, but it’s important. A good password app can help.
  • Back up, back up, back up – back up your data on your computer regularly, a fundamental action that can save you from losing family photos, documents and emails that are irreplaceable.