How to Hack a Human: Cybersecurity for the Mind
Ebook, 368 pages, 5 hours


About this ebook

Do you worry about cyber criminals hacking your computers and other digital devices? You should. Connect a new computer to the Internet and the average time before there is a hacking attempt is less than a minute.

But you may not be aware that hacking the human mind is far easier than hacking any computer system – if you know how to

Language: English
Release date: Jan 9, 2019
ISBN: 9781911452287
Author

Raef Meeuwisse

Raef Meeuwisse holds multiple certifications for information security and authored the security control framework for a Fortune 20 company. He also created AdaptiveGRC, the world’s first single data source / zero replication governance, risk management and compliance suite. He is an interim CISO for hire and an entertaining international speaker.


    Book preview

    How to Hack a Human - Raef Meeuwisse

    Introduction

    Deception has now become part of everyday life. There is so much of it taking place that it is easy to let most of it go unnoticed.

    This book is a guide for people who want to improve their ability to detect deceptions. It is designed to provide an overview of just how people, organizations and other entities hack the human mind.

    Its main objective is to equip you, the reader, with information about how to detect content and interactions that are intentionally constructed to influence, persuade or even coerce you into doing things that are against your best interests.

    To do that, we will look at many different factors, including:

    • How do people make decisions?

    • How can decision processes be corrupted or manipulated?

    • What can you do to defend yourself and make more informed decisions?

    However, in addition to the how part of How to Hack a Human, we also need to take a closer look at the who component. Just who would stoop to use deceptive tactics?

    There are 3 main types of people who may be interested in the topic of hacking the human mind:

    • Aspiring future billionaires bent on world domination.

    • Sociopaths and psychopaths looking for a field manual.

    • …and mainstream normal people who really want to improve their defenses against nefarious mental manipulation.

    My hope for this book is that it attracts its readers from the third category: regular people.

    However, it is an important fact to recognize that anyone in the first category (let’s consider these to be the power-hungry megalomaniacs) is also more likely to be part of the second category (a sociopath) – and vice versa.

    Sociopaths can acquire position and wealth more easily than people constrained by their ethics. They are not necessarily always manipulative, but they are often charismatic, focused and less constrained than others. This is a fact borne out through empirical evidence. The percentage of sociopaths in positions of power is much higher than the percentage of sociopaths in the general population.

    Any person willing to treat ethics as obstacles to work around (instead of principles to apply) can enter every engagement with a considerable advantage. If you put two adversaries in a ring and only one of them is willing to use deceptive and sneaky tactics, the ethical person must have much greater strength or mental acuity to stand any chance of leaving the arena with a victory.

    This same principle also applies to organizations willing to navigate around rather than follow ethical policies. Any organization willing to hack humans for as much profit as possible can dominate any competition that is unwilling to adopt the same tactical approach.

    This has created a situation where the hacking of humans has not just become normal practice; it has become an accepted commercial necessity for survival.

    Whenever I mentioned to anyone that I was writing a book on this topic, his or her first thought was that the primary focus would be on social engineering scams. These are confidence tricks modern-day criminals use to try to steal money or privileged information.

    Although this book spends considerable time exploring social engineering by less-than-ethical individuals and organizations, human hacking also involves legitimate organizations collecting, analyzing and using personal information, often without the transparency we would prefer. So we will also look at why so many organizations are interested in personal data, how they are using it and what regulators worldwide are doing to control this.

    When you look at a web page and find something interesting or compelling, you may have wondered why you find that component so engaging. In fact, it’s highly likely that item is present because its creators know who you are, what you like and how to appeal specifically to you. This knowledge comes from monitoring and analyzing behavior and targeting individuals with appropriate language and images, which is part of the emerging sub-discipline of psychology known as psychographics. In this book we will thus look at psychographics and other new and evolving disciplines that affect human hacking.

    When combined with the power of modern technology, these evolving disciplines and sub-disciplines are catapulting our collective capabilities ahead of our ethics. In the past, tracking, analyzing and exploiting people took considerable effort, but technology has changed all that. The names and addresses of everybody on the planet (nearly 8 billion people) can now fit onto a single memory card no bigger than your thumbnail.

    Given how simple it is to manipulate everyday people and earn millions of dollars by covertly influencing them, questions have emerged about whether the individuals controlling these enterprises will toss ethical standards aside to profit from such exploitation. Similar questions about whether an organization that adopts ethical communication methods can survive are also relevant to human hacking and to this book, as mainstream political parties and most commercial organizations now use tactics like confidence tricks and waking hypnosis techniques that were once common among criminals alone.

    Advertisers and social media platforms now exploit common human weaknesses such as FOMO (the fear of missing out) and FUD (fear, uncertainty and doubt) to influence people’s decision-making processes. These weaknesses are also combined with personality analysis to tailor people’s ad experiences on their web pages.

    The use of these techniques by non-criminals and criminals alike reaffirms the fact that people are now viewed as assets of value that can be exploited for other people’s financial or political gain.

    These trends also show that these days, there is no cheaper, easier or more effective platform for this exploitation than using technology. You may not know it, but you are connected to the most powerful and vulnerable network in the world: the Internet of People.

    As more and more of the Internet of People accept, subscribe or concede to manipulative methods, the resulting social momentum means it will become harder and harder to win back control over our choices and options.

    This is therefore a book not only about how to help protect your mind, but also to provide insights into the trajectory of mankind itself.

    How to use this book:

    Throughout the course of this book, certain terms are highlighted in bold italic text early on in their usage. This indicates that a definition for the term can be found at the back of the book.

    When appropriate, a definition may also be provided in a chapter. Definitions provided within a chapter are shown in grey boxes in the following format:

    confidence trick – a process in which a manipulator (the confidence trickster) seeks to gain the trust of a target (the mark or victim) to deceive the individual into performing an action that results in the perpetrator gaining something of value from the victim.

    Any other terms that are bolded within the grey box are also defined at the back of the book.

    Examples of scams and mind tricks are provided in outline boxes in the following format:

    The driver of a white van with a company logo on the side is driving like a maniac. He cuts you off and brakes aggressively. The driver then makes a point of sticking his hand out the window and flipping you off.

    On the back of his van is a large, prominent company sticker that says:

    How am I driving?

    It provides a phone number to report any dangerous or reckless behavior.

    You call the number and record your complaint.

    When your phone bill arrives, you discover that calling the company’s fake, premium rate number was extremely expensive.

    1. Manipulating Minds for Money

    Lying in bed one morning next to my wife as she surfed the Internet on her tablet, I stared off into the distance and said two words: Ok Google.

    To her surprise her surfing session was interrupted and a pop-up screen started to listen for my command. Even though we had discussed on many occasions how device microphones are permanently on and listening, witnessing the evidence was a surprise to her.

    What’s the weather like in Kent today?

    Her tablet spoke back to me, The weather in Kent today is overcast with a temperature of …

    When George Orwell envisioned a society where cameras and microphones monitored the innermost thoughts and actions of people, little did he know that we would even choose to pay for that privilege and then willingly place them all around us.

    It isn’t just the tablets and obvious computers that are listening in. Most smart TVs are also continually listening and transcribing the conversations that happen around them, then diligently sending those transcripts back to their manufacturers. You will find acknowledgement of that fact in the press and in the small print of the end user agreement that you have to accept to set up the TV. The justification: they need to listen in to improve the ability of their technology to understand and improve how it can respond to us.

    This book is all about the art of human hacking. Social engineering, confidence tricks, conscious and subconscious persuasion; all of these techniques turn out to be processes that can be mapped and weaponized for use. Each of them is more effective when equipped with an understanding of the interests, opinions, beliefs and preferences of its targets.

    After writing this book, I no longer look at the world in the same way. I find myself looking at every interaction for both the subtle and not-so-subtle mind hacks it contains.

    One of the most powerful assets in the arsenal of human hacking is to take words and situations we are conditioned to understand in a certain way and to then use those assumptions as flaws or vulnerabilities to take advantage of.

    Take the word ‘upgrade.’ It used to mean that a product or service contained an overall improvement for the customer, but now, for me, this word has become a screaming signal that a product or service has been tweaked so the overall benefits are for the seller rather than for me, the buyer.

    Yes, something will have been improved for the customer, but other things more costly for the seller to include will have been stripped away, meaning that the upgraded item is in fact of less value than its supposedly outdated predecessor.

    Take the example of the October 2018 launch of the Microsoft Surface Pro 6. The word ‘Pro’ used to mean that the device included Microsoft’s professional operating system as standard – but the Pro 6 upgrade dropped that standard feature. It became a pricey optional extra, but the company still kept the name ‘Pro,’ even though it now shipped with the ‘Home’ operating system, unless you paid extra.

    Almost anything we have been conditioned to make assumptions about is a target for these hacks.

    For example, I went to my Linked-In page and found a notification mark in my messaging feature. I of course thought someone had sent me a message, but no. When I went to the messages page, I found an ad from Linked-In in my inbox. I felt like screaming ‘Hey Linked-In, that’s not a message – it’s an ad!’ And unsurprisingly, the ad was for an ‘upgrade’ that would allow me to pay for extensions to a service that I currently use for free. To add insult to injury, the irritating notification symbol would have stayed on that website to harass me until I cleared it by reading the message.

    And then there are the irritating cookie permission boxes on almost every webpage you visit. These are the biggest insults to the regulators in the history of insults. You can no longer switch off your cookies because if you do, the cookie permission box will appear on every page and block the content from view. But if you switch on your cookies, your only options to view each website are either to dismiss the permissions box by clicking ‘accept all’ or to spend 6 hours wending your way through life-sucking small print and legal documentation. Even if you do spend the time setting those privacy permissions, you will usually find there is some final sting that points out that the cookie and privacy agreement can change at any time, so you still have to remember to check back regularly for updates.

    Forcing people to switch on and accept cookie and privacy permissions by manipulating the delivery mechanisms was not the intention of regulators who try to balance the needs, rights, and welfare of consumers and Internet moguls – but it has been the immediate outcome.

    Yet even these ploys are rookie moves compared to many of the techniques we will review. After all, acts of manipulation that can be noticed are far less effective than those that can remain below our perceptive radar.

    The human brain is the most lucrative and vulnerable asset on the planet – and everybody knows it. These days, cyber-criminals, nation states, commercial organizations, political parties and others are all interested in how the dark art of mental manipulation can be leveraged.

    Each year, trillions of dollars, an amount larger than the entire gross domestic product of the US, is spent on acquiring and using personal information to help control and influence our actions.

    When news of the Cambridge Analytica scandal broke, expert after expert was brought forward to talk about single topics of relevance, including the extent of personal information tracking, the nature of market influencing techniques and the dimensions of the human psychology involved.

    Cambridge Analytica had worked out how to farm multiple sources and resources to the extent where they could sell enough influence to change whatever market the sponsor was interested in. The problem was that the tactics used were far from transparent to the recipients.

    What struck me as the story unfolded was that nobody seemed able to join up the big picture and provide the public with an understanding of the wider implications. Many journalists did a very good job of filling in some of the information gaps between their experts’ opinions, but the problem was that there were and are just too many disciplines involved.

    From my own perspective as an expert in cybersecurity, with a keen interest in psychology and extensive experience in digital marketing, those news stories barely scratched the surface of the problem (no pun intended, Microsoft).

    We live in a culture in which it has become increasingly acceptable to try to dupe, cheat or trick our way into a better position. Every day, savvy criminals, along with many legitimate businesses and institutions, persuade people to make decisions and take actions that are against their own best interests and are different from the ones they would choose if they were acquainted with all the facts.

    Even if you are acquainted with all the facts, there are ways around that too. All a manipulator has to do is to bury the option that you would really prefer behind a wall of confusion and excessive effort. This is the human hacking technique I have called fuzzing that will be covered in the chapter on social engineering.

    It is true that deceptive tactics also feature prominently in nature. Camouflage and other trickery are regular features that help creatures achieve a better position against both their prey and their predators.

    As in nature, using fakery, deception or even employing slightly underhanded control and influence techniques are not necessarily bad things; indeed, they are often critical tools for the survival of the weak or under-privileged, and they have also been used to win wars against evil but powerful adversaries. But what happens when manipulation and deception become the norm? What happens when the apex predators routinely use these techniques and exploit technology to widely disperse their deceptive tactics?

    What happens when practically every interaction between humans and the technologies they depend on for information or communication is designed to optimize the impact and influence on the user?

    What happens is that communication and technology companies resort to trying to convince the public that these manipulative measures are designed to personalize the shopping or social media experience. At the same time, privacy regulators and many consumers are not buying these euphemistic attempts to convince people that their best interests are being protected, and concerns that these companies are collecting and sharing personal data without regard for individuals’ best interests are emerging. Even the act of obtaining consent for collecting that data is usually manipulated so that the settings you may want are difficult or impossible to find or activate – in other words – these companies are fuzzing.

    Perhaps the final determination of whether these schemes actually support a greater good or are manipulative hacks working to control people’s behavior will only be revealed much further down the track.

    In chapter 2, we will begin to break down the basic components involved in human hacking. But before that, we need to look at how our attitudes to one of the most important enablers of human hacking have changed.

    Back in 1990, I spent some time in East Berlin just after the wall came down. During that time, one of the people I met confided that she was a former East German Stasi agent. The term Stasi was an abbreviation for the state-sponsored secret police (the Staatssicherheitsdienst). She explained to me how the former East German state (known as the GDR or German Democratic Republic) was a country that had, until its downfall in 1989, advocated and sponsored mass surveillance. No conversation was safe. Anyone who made an anti-state comment, even at a private dinner with extended family, could be arrested and imprisoned if someone reported the crime.

    She explained to me that about 1 in 6 citizens of that country were believed to be on the payroll of the secret police, and for that reason, everyone had to be cautious with all of their interactions. Even as an agent of the Stasi, you did not know who most of the other Stasi personnel were; your closest friend or even your spouse could be a paid informer.

    A short time after the Berlin wall came down, the magnitude of the surveillance became apparent. Thick files about each citizen were discovered, proving that the Stasi knew who every citizen was, who their friends were, and what their likes, dislikes, opinions, and skills were.

    When you stop to think about it, this is effectively the same information that most of us knowingly or unknowingly share with Facebook, Microsoft, Google, Apple, Amazon and many, many other online companies. And in the Internet age, the gigabytes of personal information some entities hold about each one of us can be far deeper, easier to analyze and more accessible than any secret police files ever were.

    As the Internet has evolved, you no longer have to be a closed military state with substantial human assets to acquire extensive information about any individual’s interests, beliefs, attitudes, and activities or to monitor his or her communications or conversations.

    The more a hacker of humans knows about the target, the easier it is to personalize an advertising campaign or to persuade, influence or coerce the target for financial, commercial or political gain.

    The Stasi story is important because somehow in the past 30 years, we have taken surveillance from being a terrible evil to being an acceptable trade-off for lower-priced goods and services.

    The more information I pulled together on what is known about how to hack humans, the more frightening the picture became.

    Technology has allowed our species to do anything we want to at a scale never previously possible, using less effort than ever. Driverless cars, super computers in your pocket with access to most of the sum of human knowledge, energy production with ever increasing efficiency, space travel, robotics, artificial intelligence – there is literally nothing our species cannot create with only one condition: it has to be expected to generate profit.

    Profit is the accumulation of wealth and power that often involves the acquisition of money or other material assets.

    If someone’s only goal is profit, it turns out he can use technology to create that too.

    A deep understanding of psychology combined with technology enables relevant information about consumers to be acquired and then used to influence, control and predict consumer actions in ways that result in the manipulator acquiring wealth and power.

    This industry is known as the surveillance economy.

    Most people underestimate just how much personal data is collected about them.

    Place a request into a major technology platform for whatever personal information it holds about you, and if it reveals everything on file, it may include nearly every webpage you ever visited, all the devices you use, your interests, opinions, beliefs, who your contacts are and much, much more. It can even include extensive transcripts of conversations that you never even realized were captured.

    Regulatory improvements could lead you to think that your personal information is more protected than ever, but in fact data privacy is somewhat of an illusion. That simple act of clicking ‘accept all’ on a single cookie permission box can provide legitimate consent for several hundred companies to track your activities. They don’t even need your name, although they probably have it anyway.

    For every major technology platform you know about that collects
