Online Book Reader


Social Engineering - Christopher Hadnagy [114]

Cialdini writes:

The key to using the principles of Commitment and Consistency to manipulate people is held within the initial commitment. That is—after making a commitment, taking a stand or position, people are more willing to agree to requests that are consistent with their prior commitment. Many compliance professionals will try to induce others to take an initial position that is consistent with a behavior they will later request.

The social engineer hoping to employ the technique of commitment and consistency usually tries to get the target to divulge a small piece of information toward the overall intended goal. By getting the subject to remain consistent with things he or she has already said, the attacker may get the subject to reveal even more information.

On the other hand, the attacker must remain consistent with what he is asking. The attacker should start off small and escalate the information gathering.

To use an unrealistic example, an attacker should never start off asking for the nuclear launch codes. This request will be denied, and the attacker will be left with few options but to backpedal on the request. However, starting off small and escalating the value of the information requested with each new piece of gathered information will seem like a more natural progression and will not appear so obvious to the victim.

Going slowly and progressively can be hard as social engineers are often impatient and want to get the “password” right now. Playing it cool and remaining patient can make this avenue rewarding. Clearly defining, maybe even writing out, a path that you can use on each audit can help you go into the audit with clearly defined goals and a path to accomplish them.

I created a chart you can see in Figure 6-2 that shows how a social engineer may be able to visualize this path to obtain information using commitment and consistency.

Getting a target to verbally commit to a certain action can force the target into a certain path of action. Cialdini states, “The commitment and consistency rule states that once we make a decision, we will experience pressure from others and ourselves to behave consistently with that decision. You can be pressured into making either good or bad decisions depending on your past actions.”

Maybe you have felt this if you ever verbally told your wife or spouse that you wanted to lose weight. That verbal “commitment” leads to a lot of pressure to hold up to your end of the “bargain.”

Sometimes, ending up disagreeing with yourself can be hard, almost impossible. Everyone has, at one point or another, muttered the phrase, “I’m sorry, I changed my mind.” When we do, we hang our heads in shame, our voice tones drop, and we sound sad. Why? We have just broken a commitment we made and we feel guilty for doing it.

Figure 6-2: Clearly defining your goals can help you to obtain an information commitment.

Even small, seemingly insignificant commitments can lead to exploitation. For example, a phone conversation often used by solicitors goes something like this:

“Hello, how are you today?”

You answer, “I am doing great.”

Now, prepare for the exploit: “That is good to hear, because some people who are not doing so great can use your help.”

You can’t go back on what you said now, because you are still doing great and committed to it.

This is not to say that you need to be so paranoid that you cannot even answer simple questions without the fear of exploitation, but being aware that one commitment does not mean you must commit to everything that follows is vital. I once worked with a guy who could literally get anyone to do the worst jobs and make them think it was their idea. Ensuring their commitment was one method he used.

If you committed to a path of agreeing with him on certain things, which was almost impossible not to do because he got you to say “yes” upfront, then you had to continue to say “yes.” Those yeses led down one path, and that path went right to where he wanted: agreeing to the job he needed to get done.

Being aware that it
