Snap: Hacked! posted by KondoR
  • 0x536e61707a75
    +2

    Although I concur with the need for the service provider's(') diligence in securing the site and its resources, social engineering is hard to carry out once preventative methods are put in place.

    Social engineering requires one of the following:

    - physical access to the user's machine
    - remote access to the user's machine
    - user's assistance via revealing the password(s)
    - user's assistance via revealing confidential information
    - access via server's(') employees
    - access to the server's(') machine(s)

    The first two requirements on the list are mostly preventable. Physical access is basically the point of no return. Remote access utilizes the functionality of malware. The next two are preventable assuming the user analyzes emails from the service carefully and enters URLs properly. The last two are not preventable from the user's side; thus they should be the only attack vectors if the user prevents the first four criteria from being met.

    • eilyra
      +1

      Agreed, social engineering from the user's point of view is usually moderately easily preventable with vigilance; however, a weak moment (e.g. not properly checking or verifying information) or insufficient education may still allow it to happen. And one way for malware to gain access in the first place is social engineering as well (e.g. e-mails with malicious attachments), so it doesn't need to be the end-all way of access but can also be a part in the chain.