2025-08-26 at 4:37 pm #50174
Saranath
Keymaster
-
2025-09-09 at 9:25 pm #50423
Myo Thiha
Participant
As an attacker, I would like to identify the weakest part in a security system to get confidential information.
Physical access – One possible way is through direct physical access to a device or server, or a password book. For example, some users save their login credentials on browsers like Chrome and leave their computers unlocked. Besides, most people write down all of their passwords in a book or in a notepad.
Password reuse – In addition, many people use the same password across platforms. If you know that password, you can access all his confidential information.
Simple or default password – Another approach is to guess and try a simple password and the default password. Sometimes, the admin shares the user account with the default password like “admin”, “user”, or “serial number”, and the user has not changed that password. This is the easiest way to get confidential information.
Demographic information-based password: Furthermore, passwords created from demographic information, such as name, birthday, or NRC, are easy to breach. Finding this vulnerability is another way to gain access.
Through social engagement, I could also manipulate or trick an employee or someone close to the victim who is trusted. This is another way to access it.
Phishing: Lastly, I can conduct phishing attacks via email or a link.
-
2025-09-09 at 11:23 pm #50425
Wah Wah Lwin
Participant
Possible ways the attacker could use to conduct a security attack:
Unauthorized access to servers via:
1. Physical means: An attacker could try to gain access by physically entering the server room or data center. If there are no proper security measures such as locks, surveillance, or restricted entry, the attacker could tamper with the equipment and steal storage devices.
2. User accounts: If we use weak passwords such as using personal data, name, simple and logical words, or share their login credentials, the attackers can easily break in and misuse the system. Phishing attacks or stolen login details can also give outsiders the same level of access as authorized users.
3. Software vulnerabilities: Outdated software or unpatched applications often leave holes in the system that attackers can exploit. Hackers may take advantage of bugs or misconfigurations to insert malicious code and spread malware.
4. Weakness of the system: If the system is poorly designed or lacks strong security controls, the attackers can exploit those weaknesses. For example, insufficient encryption, lack of network firewalls, etc.
-
2025-09-10 at 12:00 am #50426
Than Htike Aung
Participant
The basic attack is non-technical methods such as social engineering (manipulating individuals into giving away confidential information), shoulder surfing (observing someone’s screen or keyboard to steal login credentials) and physical observation (collecting credentials written on a sticky note or paper or physical media).
The next one is using ready-made tools such as phishing emails, phishing websites, key loggers, brute force attacks, malware and ransomware infection. This one requires some level of technical knowledge although the attacker doesn’t need to create one.
The advanced methods use technical knowledge and expertise to attack. Examples include SQL injections, exploiting software bugs and zero-day exploits.
The most dangerous method is the targeted attack, where a single entity (person or company) is specifically targeted for the attack. The attack is mostly advanced and specially designed for that entity. The famous 2014 celebgate is a typical example of that kind of attack.
-
2025-09-12 at 6:29 pm #50503
Wah Wah Lwin
Participant
Hi Ko Aung! Thank you so much for sharing your knowledge on this matter. It’s great to know the different kinds of cyberattack by category.
-
2025-09-14 at 1:53 pm #50514
Jenny Bituin
Participant
I remember celebgate, I was in college at the time. It’s a good thing that the people responsible were jailed.
-
-
2025-09-12 at 10:54 am #50497
Saranath
Keymaster
Thanks for sharing!
-
2025-09-14 at 12:03 am #50509
Wai Phyo Aung
Participant
As an attacker, he/she will find the vulnerability points of the system. These might be different based on the structure of the system.
1) If the structure is web-based and controlled by user name, the first technique is invading the system based on the constructed web-based language. Another one will be the user name and level of user privilege. If he/she gets higher-level user permission, the impact will be huge.
2) The second fact is based on assets. If assets are stolen or lost and transferred to attackers, they will try to hack or modify them based on asset type.
3) If the IT dataset is an offline system, he/she might duplicate and misuse it or sell the project to an opponent’s company or agencies.
-
2025-09-14 at 1:35 pm #50513
Jenny Bituin
Participant
Facebook is the most popular social media platform in the Philippines, with an estimated 90 million users in 2025. However, a lot of users lack awareness of data privacy and security. Attackers can use their ignorance to steal information.
For example, I have seen many “content creators” or “social media influencers” do raffles on their Facebook account/page. They would post something like “Comment your GCash number below, I will choose one who will win 5,000 pesos”, and people would willingly comment their GCash account number (a popular mobile wallet app). I have seen many Facebook posts like this, with hundreds of people posting their account number (and sometimes even other personal details) for everyone to see.
In addition, a person’s GCash account number is usually the same as his/her phone number. This makes them vulnerable to attacks such as identity theft and phishing. For example, Facebook allows login using a phone number, so if you posted your phone number online, an attacker may use it to gain access to your Facebook account.
-
2025-09-15 at 1:21 pm #50535
Salin Sirinam
Participant
I like your example. This also happens on social platforms in Thailand. People often share their personal information, and sometimes it could even be biometric data. These tricks are dangerous for those who are not aware of them.
-
-
2025-09-15 at 1:17 pm #50534
Salin Sirinam
Participant
I have just noticed that someone was trying to attack one of my social media accounts last week. So I’d identify some possible means as follows:
– Reuse passwords: I am too lazy sometimes to change and remember different passwords across many accounts. If one of the passwords has leaked somewhere online, attackers could try to use it to guess my other accounts.
– Weak 2FA: I also noticed that I haven’t set the 2FA for this account, so that could be another weak point where someone could trick to be the owner.
– Tied email account: Since I use the same email address for many accounts, attackers could use it to reset my password.
– Phishing: While scrolling social media, I might sometimes get hooked by advertisements (that know my personal interests based on my online activities). I might make a mistake clicking on a fake login or even get tricked by a warning message with a fake link.
– Mobile malware: If my device has malware obtained from my online activities, it could steal my passwords, or other linked information that attackers could use to log into my account.
-
2025-09-16 at 6:53 pm #50555
Hteik Htar Tin
Participant
Thanks for sharing your experience. This reminds me to check my behaviour on setting passwords and my data security practice in file sharing.
-
-
2025-09-15 at 9:57 pm #50538
Soe Wai Yan
Participant
An attacker can use the following to conduct the security attack:
1. Using malware (viruses, ransomware, and spyware), an attacker can harm the system or steal the information.
2. Using social engineering, an attacker can manipulate people to gain access to systems or data. A common method is phishing, where fake emails or websites trick users into giving away passwords or personal details.
3. By targeting network communication, like a Man-in-the-Middle (MITM) attack, the attacker intercepts data between two parties.
4. Attackers can also take advantage of bugs in software using SQL injection.
5. Attackers can also conduct a DDoS attack to overload the servers, making them slow or unavailable. This disrupts services and can cause financial damage.
-
2025-09-16 at 6:55 pm #50556
Hteik Htar Tin
Participant
Thanks for sharing, Saya. The MITM attack is one thing to consider in system setup. Some sensitive information should be encrypted and sent via a secure channel to avoid this attack.
-
-
2025-09-16 at 6:50 pm #50554
Hteik Htar Tin
Participant
Nowadays, people have a habit of posting personal matters on social media platforms. So, the attackers use that information to attack.
E.g., phishing mails use specific personal information (name, their jobs, their publications, etc.) to make people believe that they are real.
The attackers may act as service providers, ask for information illegally and use it for their profit.
E.g., they offer online payment for internet and give an application to install. After installing, the application sets an OTP to use. When the user gives the OTP to the attackers, they have full authorization to use the user’s money wallet and steal money. The attacker used the weak security of the banking system and the lack of awareness of user security.
If the attackers want to attack the system, they can use an insider to add bugs via memory stick to the main server. They add trojan software and remote control software like ANYDESK to the user’s computer or mobile devices, then steal the information, access control and money from mobile banks.
In our country, many people are being attacked by Zhàpiàn gangs in various forms, attracting the users about investments via Viber and Messenger applications. It is because of a lack of awareness and practice of data security.
-
2025-09-16 at 9:57 pm #50559
Wah Wah Lwin
Participant
Agreed! Nowadays, “Zhapian” is threatening people from Myanmar and neighbouring countries: Thailand, Cambodia, Laos. In Thailand, many people regardless of age, educational status, gender, have been affected and have lost millions of Baht via different mobile banking systems. Right now, the BOT (Bank of Thailand) is trying to address the cyberattack issues by strictly monitoring and taking actions to strengthen the security of the banking system, such as suspending suspicious banking accounts. However, because this concerns national data security/data security of banking systems, a proper and strategic approach is needed to tackle such a major issue for the country in order to minimize the negative impact on the banking systems and users.
-
-
-