Change blindness is an interesting natural phenomenon that every human experiences on a pretty regular basis, but what is it exactly? Essentially it's our inability to spot obvious changes that occur around us. There has been a fair bit of study done to understand this better, and while I won't claim to have all the answers, I do know that this research has shown that, surprisingly, we are not so good at spotting changes in colour, but are better at spotting when something is added to or removed from a scene. I imagine carrying out these studies is pretty difficult, as by their nature the participants know they are being tested and are under controlled conditions, which is interesting because change blindness is most common when we are not looking for changes, when our mind isn't focused and attentive to the finer details. This is an interesting area of study and one that I believe will continue for a while, as there can be legal complications when it comes to testimonies where images are concerned. I personally think some of this comes back to what we have discussed before: the human mind is processing so much information so quickly that it wants to help out and settle on an easy answer, so it doesn't pay attention to what it may consider minor details at that moment. If you find this sort of thing interesting, I recommend doing some further research on change blindness and what your mind really knows about what is occurring at any given instant.
So why is change blindness of any interest to you from a social engineering perspective? Well, I feel there are a few reasons. The first one, and possibly the most difficult to get your head around, is that attention to detail really isn't that important sometimes. What do I mean? Well, Harvard did some interesting research (Derren Brown example below) called "The Person Swap", where people approached a desk and a gentleman had them sign a form; he would then duck down to file the form and a different man would pop up, and a large percentage didn't notice any change. When you think of a change this significant it puts a few things in perspective; the key thing here is that people were not looking for or expecting change. So if you are prepping for an onsite engagement, ask yourself: will my ID need to stand up to direct scrutiny, or will just having something similar do the job?
The same applies to things such as phishing campaigns. It may seem obvious, as many people already know that when we read something the letters of a word can be jumbled and it still makes sense to us. The same applies to domain names and other key pieces of information, so perhaps substitution isn't always required; simply omitting a character could still be successful, because the reader isn't expecting it to be wrong.
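The flip side of that observation is that a mail gateway or log review can catch what a reader's eye glosses over: a sender domain one dropped or swapped letter away from a domain you trust. The following Python is an added example written for this post, not code from the author; the allowlisted domains and the sample senders are constructed for the demonstration. It computes an edit distance that treats an adjacent transposition as a single edit, names the kind of edit (omission, transposition, substitution, insertion), and flags anything within two edits of a known-good domain.

```python
"""Lookalike-domain check illustrating the omission/transposition point above.
Added example, not code from the original post. All domain names here are
constructed for the demonstration."""

from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed allowlist: the domains an organisation actually sends mail from.
KNOWN_GOOD_DOMAINS = ("example.com", "example-payroll.com")

# Constructed sample senders, as they might appear in a gateway log.
SAMPLE_SENDERS = ("example.com", "exmaple.com", "exmple.com",
                  "examp1e.com", "exmaple.co", "unrelated.org")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: single-character insertions,
    deletions, substitutions and adjacent transpositions each cost 1, so a
    jumbled pair of letters costs the same as a dropped letter."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify_edit(candidate: str, legit: str) -> str:
    """Name the single edit that turns `legit` into `candidate` (distance 1 only)."""
    if len(candidate) == len(legit) - 1:
        return "omission"
    if len(candidate) == len(legit) + 1:
        return "insertion"
    # Same length: one substitution or one adjacent transposition.
    diffs = [i for i, (x, y) in enumerate(zip(candidate, legit)) if x != y]
    if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and candidate[diffs[0]] == legit[diffs[1]]
            and candidate[diffs[1]] == legit[diffs[0]]):
        return "transposition"
    return "substitution"


@dataclass
class Verdict:
    domain: str
    closest: Optional[str]
    distance: int
    reason: str  # "exact", "lookalike:<edit>", "lookalike:multi-edit" or "unrelated"


def check_sender_domain(domain: str,
                        known_good: Sequence[str] = KNOWN_GOOD_DOMAINS,
                        max_distance: int = 2) -> Verdict:
    """Compare a sender domain against the allowlist and explain the verdict."""
    domain = domain.lower().strip().rstrip(".")
    if domain in known_good:
        return Verdict(domain, domain, 0, "exact")
    closest = min(known_good, key=lambda g: osa_distance(domain, g))
    dist = osa_distance(domain, closest)
    if dist > max_distance:
        return Verdict(domain, None, dist, "unrelated")
    edit = classify_edit(domain, closest) if dist == 1 else "multi-edit"
    return Verdict(domain, closest, dist, "lookalike:" + edit)


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        v = check_sender_domain(sender)
        print(f"{v.domain:16} -> {v.reason:26} (closest: {v.closest}, distance {v.distance})")
```

Run it as a script to see the verdict for each constructed sender; the one-edit cases come back as omission, transposition or substitution, "exmaple.co" is flagged as a two-edit lookalike, and the unrelated domain passes through. In a real deployment the allowlist would be the organisation's own sending domains plus the partners it deals with, and the check would sit beside, not instead of, SPF/DKIM/DMARC results.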
This is just a brief glimpse at what change blindness means to us; in reality it should tell us that a lot of what we do and don't see is an illusion. If you think it wouldn't happen to you, or that you would have spotted it, think again. Sure, you will spot the issues where you are suspicious and are looking, but that is not something many of us do for everything, unless we are very paranoid. Then again, we imagine things that are not there at all 😀
Another good change blindness test