I know I shouldn’t post this, as some folks might take note for
illicit purposes, but what I’m writing is nothing new. It’s already
well-known by the criminal fraternity, so I might as well share it with
you. It’s also well known in the risk and security community, but they
don’t seem to make it as clear as I’d like it to be.
What am I talking about?
The number one method of committing a robbery in the 21st century.
Here are a few examples of how easily social engineering works.
You go to a conference in a suit. You are not part of the conference and you wait until lunchtime, when everyone leaves the room. You then go in and steal as many laptops and briefcases as you can without looking conspicuous. Because you are in a suit with a briefcase, no-one in the hotel stops you as you leave. Because all the conference folks are in another room scoffing, no-one notices.
This one happened to me, when I lost my passport and laptop one time. Now I always pack everything up and make sure I carry it around with me.
Customers in the bank hall are taking their time to complete paying-in forms and are carefully looking at their statements. They obviously are meticulous about their financial affairs. What they are actually doing is listening carefully to the branch staff conversations, and they pick up the fact that tomorrow morning the systems are being checked and a replacement network router is due to be installed.
The next day, two technicians turn up with a new network router and are sent through to the back of the branch to carry out their work. They then steal over $250,000 … and the real technicians turn up an hour later. The two imitators were the studious customers of yesterday.
I look around Facebook and find the details of a person. They have given their email address as firstname.lastname@example.org and, as I look around their Facebook profile, I find their mom is called Ruth, their dad is David, they have a sister and brother, Carly and Robert (Bobby), and a pet dog called Scamps. Their favourite rock star is Christina Aguilera and their favourite celebrity Ashton Kutcher. I go to AOL and enter the username as sdavies and then try variations of passwords from Ruth, David, Carly, Robert, Bobby, Scamps, Christina and Ashton. It works, as most folks use a password that is a family member’s name, a pet or a personality they like.
Result: identity compromised in less than ten minutes.
I want to gain access to someone’s account, so I begin by using Facebook as above. This time, I have found a variety of details about the individual, including the fact that their name is Suzanne and they have a number of financial accounts and investments. I’ve discovered this information because I’m quietly watching what they’re emailing, both sending and receiving, and they have no idea I’m watching or accessing. Eventually, I know enough to be confident to call their bank, and I get my female friend to make the call and pretend to be Suzanne:
“Hello, my name’s Suzanne Davies and I’d like to move £650 to my savings account.”
My friend struggles with some of the security questions and, not wanting to be rude, the call centre person helps them out with a little prompting, as Suzanne seems to know most of her personal information. So she gets to know the postcode, the place of birth and other information. However, she gets to the personal security question, “what’s your mother’s maiden name”, and my friend says that she’s been interrupted and will call back.
This goes on several times until my female friend has all the information needed to transfer funds.
Result: identity stolen within half a day (something I’ve spoken about before).
There’s a major merger and acquisition going down in the City with Megabank Advisory Services taking the lead. I’m the lead negotiator for one of the firms in the fight to win the bid, and I’m desperate to know what’s going on with the competition and with the advisory firm. So I hire some friends to help and they offer £25,000 to a cleaner, who works for the advisory firm, to place a covert listening device under the leading advisor’s desk. The cleaner, who earns about £15,000 a year, of course accepts.
As a result, I can hear and know everything that is taking place and act accordingly. After all, how many of us look under our desks and check there’s not a bug there every day?
These are just a few examples from hundreds and, although you may think me a little risky in posting them, if anyone wanted to try these techniques then they’re all out there, known and can be easily demonstrated.
This is because all of the stories above are true stories and all of them rely upon one fundamental characteristic: the villain is bold, confident and assertive, whilst the rest of us are trusting, unchallenging and
That, my friends, is the total basis of social engineering for robbing in the 21st century.
In other words, most deliberate theft relies upon the fact that most of us are trusting. We don’t protect vital information because we trust people. We fear challenging someone who seems to know what they’re doing because we trust they should be honourable and OK.
All you need is a little information, a lot of confidence and then prey on people’s trust. This is the stuff of The Real Hustle and there are many other examples of how this works in practice. In fact, robbers haven’t really changed for years, as Raffles, the fictional gentleman thief from over a hundred years ago, stole with the same trickster’s confidence. It’s just far easier to be Raffles today than it was a century ago.
A robber who is confident and knows a few facts can blag their way through anything. A bit like the way Chris Tucker in Rush Hour or Eddie Murphy in Beverly Hills Cop can convince a bar room full of tough guys that they’re a cop with a licence, when all they are is a guy with a flashy badge. If you look the part, act the part and believe you are the part, then you can swing
So, there you have it. I can easily pass myself off as anyone I want to be, as long as I believe.
Somebody stop me!