Ghost in the Wires

I thought Kevin Mitnick was a friend of mine—but that was before I read his forthcoming book, Ghost in the Wires. Kevin’s the consummate liar, it seems. He’ll say anything to get what he wants, going to extreme efforts to research, then set up support for elaborate cons. He’ll claim to be a cop, a utility employee, or your colleague from a remote office, if it serves his purpose. A faceless voice on the telephone, he’ll sweet-talk one minute, and command with authority the next. At least he used to do this, before spending five years in federal prison…

To become the boldfaced name in social engineering, Kevin honed a natural knack for people-reading from childhood. He was a telephone Zelig who rarely needed to get out of his sweats. He always found a plausible pretext for his capers and pursued them with outrageous chutzpah. Rarely would he fail to obtain the information he sought.

Can one retire a talent like that? I doubt it, but as I can’t think of what use Bob and I are to Kevin, I prefer to think that we really are his friends.

Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker is Kevin’s third book, to be published in August 2011. I love that title. The book chronicles how Kevin, from an early age, tinkered with communication devices: ham radios, telephones, cellphones, computers, and the software that runs them all. Although he was obsessively compelled to dig deeper and deeper into the gizmo-code, he never tried to make or steal money from his exploits. He did it out of his own curiosity, to learn more, and to challenge himself to do what seemed impossible.

Sometimes, in his relentless pursuit of knowledge, he simply had to break into a company’s computer to get the software, the code, or the user names and passwords that he needed. In an electronic sense, that’s breaking and entering. And when he copied that proprietary information for his own use, well, that’s stealing.

Once he’d gained access to his target computer, he’d usually fiddle with its inner settings just enough to plant a “backdoor,” an easy way in for his next visit. He might read his target’s emails and even copy them, but he never destroyed the files.

Imagine an intruder who breaks into your house, sneaks around and looks into your secret hiding places, rifles your files, and picks through your drawers. Satisfied, he then backs out quietly leaving everything just as it was, sweeps up his footprints and, oh yeah—copies your house key on the way out.

Bambi Vincent, Kevin Mitnick, Bob Arno

I’ve heard Kevin call himself a “non-profit hacker.” Sure, he got himself free phone calls, but throughout his hacking career, he was always gainfully employed. With the information he had at his fingertips, he could easily have enjoyed a life of leisure from credit card fraud. He could have sold proprietary source code in the hackers’ underworld. But no; Kevin lacks a vital attribute. He has nerves of steel and gigantic balls, but he does not possess a criminal core. He was simply educating himself.

That is, until he got himself in trouble for snooping. Then he needed that information to protect himself, so he could make untraceable phone calls, so he could listen in to others. As the Feds closed in on him, he needed to know how much they knew about him, too.

Many times while reading Ghost in the Wires I wanted to smack Kevin. I wanted to shake him and say “you just got out of juvenile detention for doing just this—why are you doing it again?” He makes it clear that his hacking was his idea of fun and entertainment, to see if he could get to the next level. Like an addicted gamer.

It turns out, after all, that Kevin was busy educating himself. From “the world’s most wanted hacker” he has become one of the most wanted security experts in the world. He’s now considered the ultimate social engineer and an “ethical hacker,” one whose challenge is to break into his clients’ systems, whether electronically or by social engineering. In other words, as Mitnick Security, he’s now paid to do what he loves, and he no longer has to look over his shoulder.

Social engineers are an ominous bugbear to security. A company (or you!) can have the tightest security system in place, but humans are its weakest link. For a hacker like Kevin, it’s easier to simply ask for the key to the front door than to steal it. He simply has to ask in the right way. Because social engineers are basically skillful actors playing a role, they’re an invisible threat and a daunting challenge for businesses.

I’m no hacker, that’s for sure, nor even a programmer. Yet, I found it fascinating to read exactly how Kevin finagled himself into systems and tweaked them to his advantage. Kevin wanted to include more of the nitty-gritty hackery in the book, but his co-author, Bill Simon, saved us readers from too much esoterica. I think they struck an excellent balance. I never felt bogged down by the technical bits.

In fact, some might worry that Ghost is a hackery cookbook, complete with lessons in how to get others to spill their secrets. I worried about this aspect with my own book, Travel Advisory: How to Avoid Thefts, Cons, and Street Scams.

Does an exhaustive explanation of theft techniques actually teach the thieves? Kevin and I obviously came to the same conclusion: no, there’s more to gain by putting all the details out there, the better to protect yourself.

I feel a little sorry for all the good people whose trust Kevin exploited. They bought into his ruses in a good-faith effort to be helpful. No doubt that he used them, and probably got many of them into big trouble. Well, in my line of work too, thiefhunting and training the public to avoid theft, a kernel of cynicism is not a bad seed to plant. Kevin’s patsies will think twice before giving out sensitive information.

Ghost is 400+ pages of tension, broken only by Kevin’s sentimental musings about his mother and grandmother, who are constant supportive figures in his life, and the heartbreaking side-story of his brother. It’s fast reading—a tribute to the clear writing and exciting story.

Yeah, yeah, you think I’m all positive because Kevin’s my friend. He gave me an unedited galley copy of the book (littered with typos), but didn’t ask me to write about it. If I hadn’t liked it, I wouldn’t have written a word.

Or maybe I would have. After all, Kevin might not be a real friend of mine…

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Russian gas scam #1

In 50s Russia, men used to go through the enormous apartment buildings, knocking on thousands of apartment doors. They claimed to be from the gas company and needed to check each apartment’s air quality.

The men asked for an air sample, preferably in a clean glass bottle. Housewives were pleased to ensure the purity of the air their families breathed. In this way the scamsters collected thousands and thousands of milk bottles, which they turned in for deposit until they were caught.

As told to me by an elderly Russian couple, along with two upcoming stories.

Bangkok scam

Barely five minutes after hitting the streets of Bangkok, a jolly, friendly fellow approached. Conservative and 50ish, the short man put himself head-on into our path and opened with a warm greeting and big smile.

“Hello! First time in Bangkok?”

“Hi, nope.”

“Oh, I am teacher!” The man gestured vaguely as if his school were right around the corner. “Where are you from?”

“Sweden,” Bob replied.

“Oh, guess where I go on Monday—AmsterDAM! And guess why—honeyMOON!” He put his palms together and gave a little bow.

“Congratulations!” Bob and I said.

“Where you go now?”

“MBK market.”

His face falls. “Oh, I’m sorry, it is closed today. Holiday!”

“Well, we’ll just walk around then. Goodbye!”

Short and sweet. He didn’t persist, like most of his ilk. But the man was a scammer of the gentlest kind. MBK market, a huge mall not far from our encounter, was certainly not closed, and neither was it a holiday. The man simply wanted to reroute our day. He wanted to take us to a tailor, a gem shop, or a souvenir shop he knows of (his “brother’s,” of course), where he’d collect a little commission just for bringing us.

A jackfruit seller in Bangkok wrestles open the huge fruit, then laboriously picks out and trims the delicious yellow part.

While this is a fairly harmless scam, it can lead to serious disappointment. I heard about several visitors who were detoured from their intended destinations by their taxi drivers, thereby losing perhaps their only opportunity to visit the Grand Palace, or the floating market, or wherever they were headed.

Sound naive? To quote myself:

Cynicism is an unnatural state for a traveler who has come far to experience a new land and unfamiliar customs. We’re prepared to accept our local hosts, however alien or exotic they seem to us. After all, it’s their country. We want to like them. Yet, we don’t know how to read these foreigners, even though they may seem just like us. We can’t always interpret their body language, their facial expressions, their gestures. We’re at a distinct disadvantage as tourists and travelers, due to our nature as much as our innocence.

Travel Advisory: How to Avoid Thefts, Cons, and Scams

I’ve heard of this tout scam being reversed to the visitor’s advantage. Let a taxi or tuk-tuk driver take you to three shops and collect his commissions. In exchange, the driver should be at your service for the rest of the day.

Masked man “swapped boarding pass”?

No reports expand on the claim that this ballsy Asian impostor “swapped boarding passes with a U.S. citizen and passenger who was born in 1955.”

What 55-year-old U.S. citizen would agree to swap boarding passes with a stranger? Unless the early-20s Asian wasn’t a stranger… Then why isn’t the 55-year-old accomplice mentioned as a suspect, along with the impostor?

Or was the “swap” accomplished by picking the pocket of the other guy? Couldn’t be easier to slip a boarding pass out of a pocket and replace it with another. But then what? The other guy passes through the gate agent’s boarding-pass-scan while neither he, nor the gate agent, realize the boarding pass isn’t his; he boards the plane, looks at the (swapped) boarding pass to see his seat number, and even now fails to notice someone else’s name on the pass?

MSNBC has posted a PDF of an alleged Intelligence Alert issued by the Canada Border Services Agency. The alert states “It is believed that the subject and the actual United States Citizen passenger … performed a boarding pass swap…” which to me implies that the U.S. passenger was a complicit performer of the swap. But who is this “actual United States Citizen passenger,” anyway? Something’s missing.

Something’s fishy.
No one’s saying yet…
Behavior analysis and video surveillance

Alleged member of the assassination team checks in at her hotel and waves toward the security camera. She's linked to the team by association. She wears various disguises during her stay.

For the last week, articles on the killing of Hamas operative Mahmoud al-Mabhouh in Dubai have been a veritable smorgasbord of intriguing intelligence reports. Anyone working in intelligence or security analysis has intensely followed the different, and often contradictory, summaries of which organizations were behind the killing.

Experts and retired intelligence officers in both Israel and Europe have concluded with 99% certainty that it must be the Mossad. The most interesting conclusion was written yesterday as an opinion piece in the weekend edition of The Wall Street Journal, dated February 20-21, headlined Israel and the Dubai murder mystery, by Ronen Bergman (senior military and intelligence analyst for Yedioth Ahronoth, a daily Israeli newspaper).

Other observations and background bits that are far deeper and have more detail from the perspective of the intelligence community are posted as comments under Bruce Schneier’s blog post on the Al-Mabhouh Assassination. 

To quickly understand why Dubai officials and their own intelligence office were able to piece together so quickly what really happened, look at the 28-minute video Alleged Assassins Caught on Dubai Surveillance Tape on Wired.com.

Two other alleged members in the hallway outside the victim's hotel room, making a turn to the right while looking to the left, where the victim's room is located.

Ronen Bergman (and many others) wonders how the Dubai police could connect team members and their activities so quickly. In his next-to-last paragraph, he states that casino and hotel surveillance security have long used techniques to track and apprehend suspects, cheaters and thieves.

There are already companies in Las Vegas that specialize in software and database analytics of known cheaters, and cutting-edge algorithms that analyze suspect behavior. This is not yet foolproof, but is already in place in large chains where thefts by employees or employee associates are high.

In analyzing behavior, irregular movement, body language, and interaction with others, it is extremely difficult to define what is regular behavior versus irregular. But looking at the Dubai tape, there are many moments when the suspects appear to be loitering or turning or tilting their heads unnaturally. I am sure in years to come this video will be used as a case study in how not to behave to avoid surveillance analytics.

We know from our conversations with thieves around the world that the smart ones are very aware of camera surveillance and what they are capable of. The thieves simply avoid these locations and work elsewhere. A surveillance system is only as good as the monitor team. It takes a critical eye to quickly judge and determine what is suspect or irregular in order to stop crime before it happens.

A fourth alleged member of the team in the same hallway, standing with unnatural feet position, turned inwards.

Much more common is analyzing video after the fact. Once a crime has taken place, security personnel simply go back on the video timeline to establish exactly what happened and when. It then becomes essential to determine all the secondary ‘players’ around the incident, both before and after the event (attack, theft, or attempt), and to follow each individual backwards and forwards on the timeline to see who else is connected with these suspects. Examples include running the license plates of any car involved.

Facial recognition software is a good step forward if the individual already exists in a database. But this form of surveillance depends on camera angles, lights, and the suspects’ use of disguises. The Dubai suspects used many disguises, including wigs and different dress modes. The technology is in its early stages, especially the algorithms required to make irregular pattern recognition useful.

The Dubai debacle is particularly timely and interesting as a starting point for the security conference in Las Vegas today and tomorrow at the World Game Protection Conference and trade show. The keynote speaker will be Kevin Mitnick, the world-famous hacker who showed the security industry that terminals which are supposed to be fail-safe can be infiltrated. Several cases in the last few years involved clever gangs who succeeded in tampering with slot and poker machines, making huge illegal payoffs. Pattern recognition software was not able to block these modifications; only silly mistakes by the gang members tipped off casino management.

Kevin Mitnick is a social engineering sleuth of world-class reputation. In a few days, we’ll report on his work and keynote address. The rumor mill has been churning these past few weeks about the content of his presentation. We expect some intriguing revelations previously hidden by the gaming industry, or at least made to appear insignificant.

The manner by which the Dubai suspects moved about in hotel lobbies and around elevators, reminds us of how sophisticated pickpockets and other deception thieves operate when tracking a high target, be it a Japanese high-roller or a diamond jeweler attending a jewelry trade show. The bottom line is that it is difficult to appear natural or to blend-in as a regular traveler or tourist when your mind is running in a different direction.

More about the gaming security trade-show in a few days.

Phone phishing

If you read this blog, you’re probably already security-conscious. But this reminder is worth repeating. Don’t trust anyone.

Sorry.

It’s a shame that’s what the world has come to. Even the good samaritan has to be looked at sideways.

Scammers are now blasting entire towns, phone number by phone number, telling residents that their debit card has been restricted. They target customers of a specific local bank or credit union, name it, and give the customer an 800 number to call in order to correct the situation. If you have a debit card from that financial institution, you just might believe it. Well, other people are believing it. After all, their caller-ID proves that it really is the bank calling.

Or does it? The scammers are able to “spoof” the phone number, so it only appears to be the bank calling. You have no inkling that you’ve been targeted by overseas phishers. If you aren’t a customer of that bank, you probably just hang up and forget it.

If you follow the scammers’ instructions, you’ll give them your card number, pin, and all the other juicy data they need to rack up the charges.

So the tired old reminder worth repeating is this: If you suspect a problem with your bank account or debit card, etc., call your bank’s main number. Call the number on the back of your card or on your bank statement. Especially don’t call a number given to you by the bearer of the news.
Hotel room safe thefts

How safe is the safe in your hotel room? Not safe at all, it turns out, unless you factor in the odds. Odds are, your safe won’t be broken into. But the fact is, the crackin’s easy. Of course it is—hotels must be able to rescue valuables from faulty memories (forgotten codes, departed guests who forgot to empty their safes), lost keys, dead batteries, and power outages.

Hotel management and/or security can always access room safes. But how? Depends on the kind of safe. Does it open with a metal key? By swiping a magnetic card, or punching in a code? Does it use a plastic key card with a pattern of holes punched in it?

A hotel in Palma de Mallorca, Spain.

Bob and I have long endorsed the use of safes in hotel rooms, as long as they are electronic. We’ve shied away from metal- and plastic-key safes, concerned about how many copies float around. But there are other ways to enter safes, and an untold number of people who have access, authorized or otherwise.

A deluge of thefts from hotel room safes in Palma de Mallorca, Spain, led to an investigative report by Burkhard Kress for Extra, a news show on German RTL TV (unfortunately not online).

Hidden camera captures master override code.

Kress booked a room there and mounted a hidden camera, then called hotel management for help opening his safe. The hidden camera footage captured the code that management punched into the safe’s keypad, which ended with the room number. With the permission of the guest in the room next to his, Kress tried the same code appended with the other room number. The neighbor’s safe opened. Anyone with the master code could open every safe in the hotel.

And anyone with a hidden camera could capture the master code.

These three, who shared a room, called police when they found cash missing from their safe. As there were no signs of a forced entry, they believe they were robbed by hotel staff. Police never responded to their call, so they went to the police station.

Kress had his cameraman stake out a different room for a week, waiting for a safe break-in. Alas, he was never hit. Eventually, Kress found out why. The thefts occur in rooms booked by two or more friends staying together. When a theft is reported, front desk staff insist the theft was committed by one of the “friends.”

Guests are required to pay a fee for the use of the safe. This, along with the fact that the only rooms hit are booked by two or more friends, leads me to suspect that these safe thefts are inside jobs. Who but front desk staff know both those facts? Of course the thieves might also be former employees, or individuals in cahoots with an employee.

According to Eric Fischer, a tour leader interviewed by Kress, these thefts have been going on for years at this and other hotels in Palma. He’s kept a log of them. He himself had €14,500 stolen from the safe in his room. When the Spanish police investigated the theft without much interest, Fischer suggested that they take fingerprints. “The police responded no,” he said, “you must be watching too much German TV—we don’t do that.”

These old safes can still be found in budget hotels.

What about those plastic key cards with a pattern of holes punched in them? They can be copied onto cardboard by anyone with a pencil and a hole punch. Safes that open with a keypad or your own magnetic card (credit card, grocery store card, or anything swipeable) often have a visible keyhole for a tool held by hotel management or security. Or, the safe may have an innocuous-looking panel that simply snaps off to reveal the keyhole. Who’s got that key?

Bob and I have also come across safes screwed to loose shelves in closets.

In our book, we wrote:

Safe-cracks are extremely rare, although a man was recently arrested in Palma de Mallorca and charged with a spate of hotel safe robberies. Somehow, he had come into possession of a master tool which hotel security uses to open certain jammed electronic safes. (Other electronic safes can be opened by security using numerical bypass codes.) Presumably then, the man also had the tools to get into the hotel room itself. The burglar posted his female accessory at the elevator. They each had a cellphone and kept an open connection between them. When people came to the elevator, the woman would delay them for one minute. The burglar would hear the conversation, tidy up, and get out of the room.

Travel Advisory: How to Avoid Thefts, Cons, and Scams While Traveling
Chapter Four, Hotels: Have a Nice Stay

The “international conman” captured last September social-engineered his way into guest rooms and tricked hotel staff into opening safes. Hotel management, meanwhile, walks a fine line, compromising somewhere between providing real security and reluctance to inconvenience guests.

So how does Mr. International Conman get into your safe? Or—maybe not your safe because, obviously, he’s going to target a “whale,” or some other affluent hotel guest. First, he needs to get into your room—when you’re not there. Like any good con artist, he knows that front desk staff at most hotels will ask for ID, so he’s prepared. Here’s how. First, he follows you to learn your room number. Later, he goes to the front desk and, giving your room number, asks for a printout of “his” charges to date. Bingo. He’s now got your name and address. Next job is to whip out a fake ID, right in his car in the parking lot. Sounds like a lot of trouble, doesn’t it? But look at the payout.

Our usual set of old, beat-up Halliburtons.

What should you do, then, with your million-dollar bauble? Carry the stuff and get pickpocketed or mugged? Leave it in the hotel safe for the safe-cracker to burgle? Put it in the front office safe? Often, Bob and I choose to lock our stuff into our largest hardsided (aluminum) luggage.

This is a good moment for intuition, or at least for some conscious reasoning. Bob and I stay some 200 or more nights a year in hotels and, though we don’t always use the safe, we’ve never had a problem with one. YMMV. The practical danger in using the hotel safe is remembering to empty it before you check out. When I expect a hurried or groggy, pre-dawn check-out, I scrawl a bedside note to myself.

What kind of joints do you stay in? What do you carry?
A typical ATM skimmer scam

A tiny skimmer removed from an ATM way back in 2006.

A reader wrote of an ATM experience which, soon after, led to $9,000 in fraudulent withdrawals. He was abroad, but this happens at ATMs everywhere; and so frequently that I think it’s worth posting as a reminder.

As I was using an ATM at a money exchange kiosk, I received the cash I wanted but was unable to get my card back. The man in back of me told me I had to enter my PIN again in order to have the card returned. He even reached in front of me and hit some buttons and told me to enter my PIN. I did so and after a slight wait, the card came back. The experience was unsettling because I had never heard of entering a PIN a second time to get your card back after a transaction, and no one had ever brazenly reached in front of me to assist me at an ATM. Since I received my cash and finally my card, I felt everything was fine. But that was the day the mysterious withdrawals began.

I called my bank as soon as I realized there was a problem. The woman I spoke with immediately closed the credit card account linked to my atm card. Within a couple weeks, the bank had deposited the total of the disputed withdrawals into my account.

There are two essential goodies the card fraudster needs: the info on your card and your PIN. Info on the card can be gained in many ways. A snapshot can be taken of it with a cellphone camera, an imprint can be made, or a skimmer can be attached to the ATM itself. Nowadays, skimmers can be tiny and imperceptible. The vital PIN can be easily obtained by the crafty thief’s strategy. The example above is a classic: the false samaritan. The fraudster offers help in order to gain what he needs. Sometimes these “samaritans” even make cellphone calls to helplines, handing the phone to the mark; but the person on the other end of the phone call is the fraudster’s colleague, who pretends to be a bank official.

To protect against these scams, first, don’t use an ATM that looks suspicious in any way. Unfortunately, they usually don’t look suspicious, even if they’ve been tampered with. Second, shield your PIN with your hand as you enter it. A wireless video camera may be mounted to capture the entry of your PIN. The illicit video camera, which is only the size of a sugar cube, might be in front of you, so your body won’t block it. Use your hand. Third, if your card gets stuck, get suspicious! Do NOT accept help from a stranger. Walk away from the card if you must, but do not give up your PIN. And lastly, always suspect the stranger who enters your personal sphere. That’s just not natural. He or she is after something—of yours!

It’s sad that we must suspect a friendly stranger, but a look at identity theft statistics is enough to convince anyone that it’s better to be safe than sorry. Ruthless, creative scammers specialize in benevolence, and they’re darn convincing. CONvincing, as in gaining your CONfidence. That’s why they’re called CON artists!

Shoulder-surfers and pseudo-cops in Sweden

A shoulder-surfer in Stockholm gets seniors' PIN, then steals their ATM card.

I want to wail, “Even in Sweden!” because the country has long been perceived as enjoying a relatively low crime rate. And it did. But not any more.

The day I arrived in Stockholm, the paper featured a spread on thieves lurking at ATMs who preyed on the elderly. The scam stars a shoulder-surfer lying in wait for seniors to come use a cash machine. He watches them enter their PINs, then tricks them into allowing their bank card to be physically stolen in one way or another. The thief may ask to change a ten crown note, or may meet the mark at the parking meter and ask for a small coin. Anything to get the mark’s wallet out.

One wallet, many hands.

Then what? “Magic arts,” one victim said. “Finger magic,” said the police. Hard to believe that a bank card can be stolen from a victim’s wallet right under his nose. Yet, Bob and I recognize the trick we call the “flower gift lift,” as practiced by women in Palma de Mallorca (and I’m sure other places, too). It’s forceful, brazen, devious, and it works. I’ve written about that here.

The Stockholm shoulder-surfer was part of an international gang from Romania. He and one other were sentenced to a few years in prison. Police say they’ve operated all over Sweden, targeting the elderly and handicapped. ATM surveillance photos show victims in wheelchairs and using walkers.

At around the same time, a community newspaper warned of “false policemen” also targeting seniors at ATMs. The thieves convinced the seniors that they needed their bank cards and PINs in order to control illegal withdrawals. Police report additional ploys: door-to-door police impostors warn of burglaries in the neighborhood and want to photograph jewelry and valuables. Whatever the ploy, the thief gets in, and cash and valuables go out.

Graph from www.bra.se

As I was writing this, the evening news came on. Seems some scammers are knocking on seniors’ doors to give them tips about H1N1. Rather, one scammer knocks and talks. While the senior is occupied, the other slips in and robs the resident.

Meanwhile, last month, police saw for the first time credit cards being skimmed at gas pumps. “So far police have no suspects and haven’t been able to determine how the skimming operation has been carried out.” I have advised them!

Skimmers have been found attached to ATMs at Ikea and a Stockholm Toys R Us store. There was a home invasion in the sleepy suburb where my family lives.
What has Sweden come to?

Fake police, aka Pseudo-Cops

cop or pseudo-cop?

In Bangkok, seemingly corrupt police are extorting large sums from foreign visitors. In South Africa, pseudo-cops are stopping drivers and pedestrians, requesting wallets in order to see identification or “search for contraband,” then absconding. In Stockholm, thieves impersonating police lured seniors into giving up their PINs at ATMs in the name of “controlling withdrawals.”

This strategy seems to have exploded recently, or at least is being recognized for what it is, or at least making it into the news.

In my book, Travel Advisory: How to Avoid Thefts, Cons, and Street Scams, I categorize thieves as either opportunists or strategists. Fake police are a specific type of strategist. They’re operating in small U.S. towns and cities as well as abroad. And it’s easier than ever to gear up for the job with fake badges and uniforms.

THE DUPLICITOUS STRATEGIST

The strategist elite are those who make participants of their victims. Like the Palma claveleras, they’re in your face with a story. Their only goal is to walk away with your wallet. Consummate con artists, they’re the slipperiest, wiliest, and most difficult to detect. Garbed in a counterfeit persona designed to gain your confidence, they lay bait and entrap their prey: usually the unsuspecting traveler.

Pseudo Cops

These strategists concoct ingenious schemes. Who could avoid falling for what happened to Glinda and Greg? They were walking in a foreign park in—well, it could have been anywhere, this is so common—when a gentleman approached them with a camera. He asked if one of them would mind taking his picture, and the three huddled while he showed them how to zoom and where to press. Suddenly two other men arrived and flashed badges. The man with the camera slipped away while the two “officials” demanded to know if the couple had “made any transaction” with him. Had they changed money with him illegally? They would have to search Glinda’s bag; and they did so, without waiting for permission.

A real badge?

“It all happened so fast,” Glinda told me a few days later, “I knew something wasn’t right, but I didn’t have time to think.” The “officials” absconded with Glinda’s wallet, having taken it right under her nose. In variations on this theme, the pseudo cops take only cash saying it must be examined, and they may even offer a receipt. Needless to say, they never return and the receipt is bogus.

On first impression, the pseudo cops’ scam is believable; their trick requires surprise, efficiency and confusion: they don’t allow time for second thoughts. Theirs is a cheap trick, really. They depend on a fake police shield to gain trust; they can’t be bothered to build confidence with an act. Authority is blinding, and that’s enough if they’re fast. It’s a thin swindle, but it works.

Excerpt from Travel Advisory: How to Avoid Thefts, Cons, and Street Scams
Chapter Seven: Scams—By the Devious Strategist

Hotel security in the hands of housekeeping staff

Can you identify this thief?

Loot ’n scoot: Through my police friends, I learned of another devious M.O. resulting in theft from hotel rooms. The thief simply poses as a guest. Wearing pool attire, she enters a hotel room that has a housekeeping cart at the door, as if she’s just returning to her own room from the pool. She tells the maid that she forgot her key, starts looking for it, and dismisses the maid. I suppose her beach bag is big enough for all the goodies she grabs, and she scoots out in her swimsuit looking as innocent as can be.

Maid left hotel room open and empty.

In another version, a female thief gets a nearby housekeeper to open a hotel room door because she’s carrying a heavy load. She may or may not have spotters on the lookout for guests returning to that floor.

In both cases, the security of our belongings is in the hands of the maids. How well are they trained? How much discretion do they have? When should they break the rules in order to be nice? When should they bend the rules in anticipation of a nice gratuity? What about temporary workers during the hotel’s high season—do they receive as thorough training? How many of us have approached our room only to find that we forgot our key, or the key doesn’t work, and a nice service staff member volunteers to let us in?

Hotel policy is one thing; compliance is another. How do you react when you find that your key doesn’t work (for the third time), the front desk is far away (giant hotel), your feet hurt and your arms are full and you’re dead tired, and the maid with a master key says “I’m sorry. It’s for your own security.”?

The burglars described in the recent police bulletins were females of average height and weight, 50ish and blonde. Nicely generic. The maid may believe she’s seen the impostor; and perhaps she has. Should she risk offending the “guest”?

Perhaps the maid should be required to ask the name of the guest and match it to a list. Yeah, a list on a clipboard left on the cart, that the thief’s accomplice copped a glance at. Perhaps the maid should be required to snap a photo of the guest “for your security.”

As a very frequent hotel guest, I have many times returned to my room to find the door left open by housekeeping staff “just for a minute” while they run to do something else. This always infuriates me, as there’s usually a laptop or two left out, as in the photo here, not to mention other valuables. But this is simply housekeeping error, and with proper training, can be corrected. The impostors described above are skilled social engineers, harder to protect against.

Bruce Schneier is currently blogging from SHB09, the Second Interdisciplinary Workshop on Security and Human Behavior, at MIT. I doubt if discussions covered “tricking hotel maids,” but what a complicated and interesting subject. I would have liked to be a fly on the wall there. Instead, I can read articles by the presenters.
Bob Arno on competitive intelligence

Slovenia Twitter-bird?

I (@bobarno) recently wrote about my reluctance to use Twitter and the pros and cons of sharing information with everyone who might be a follower. Not about the benefits of twittering, which I fully appreciate and understand, but about my own reservations and the extent of my own involvement. My concerns were competitive intelligence repercussions, and maybe my own desire to be as spunky (in a tweet) as I try to be on stage.

Well, this is obviously a timely subject, faced by many busy executives. In the last couple of weeks, conversations with like-minded entertainers, speakers and bookers have all raised similar concerns. On May 27, Molly Murray-Threipland (who often writes about twittering in The New York Times) made the observation that it isn’t teenagers who are the largest tweeting group, but the 45-to-54s.

Just three weeks after I wrote my own blog post, Business Week (May 21) dedicated its main theme, cover page, and several articles to the same issues. The two lead stories were Learning, and Profiting, from Online Friendships and Web 2.0: Managing Corporate Reputations.

In Managing Corporate Reputations, Gina Poole, vice-president of social software programs and enablement at IBM—that’s right, her life centers solely on how to train and harness IBM’s employees’ twitter posts—said, “You’re building your social reputation, so you don’t want to be a frivolous or an uninteresting person,” and the article summarizes: “while many see Twitter as a place to indulge one’s inner self, IBM wants employees to ‘add value’ in all their online postings.” Of course that’s seen from the perspective of the corporation and its concern for corporate image and identity.

On being perceived as mundane versus a source of brilliant repartee with deep content, take a look at Kevin Mitnick’s tweets. Kevin (@kevinmitnick), one of the world’s most famous or infamous hackers, depending on your point of view of anyone who has served time in “the box” (prison slang for a full-board vacation, courtesy of the U.S. government), twitters occasionally and has many followers. Kevin is an astute ‘social engineer’ (maybe one of the all-time best), a great observer of human behavior, and equally funny (privately at least); but Kevin does not share his latest skill sets or pen-testing exploits in his tweets. A follower (of Kevin’s) recently complained: “You never tweet anything interesting! Just your travel schedule. Tell us what you’re working on. something! Unfollow.” Kevin replied: “Sorry I don’t meet your expectations of tweeting interesting stuff meniscuss—maybe i should tweet your passwords—hehe.”

Of course what they really want is some insight into “hacking” so that they can do what Kevin does, for fun or profit. High-profile pen-testing is a murky world and probably very profitable for those with the ultimate knowledge base. The hackers at the top of the food chain have strong relationships, globally, with the ‘bad guys.’ Is it conceivable that Kevin, or someone like Kevin, would tweet: “in St Petersburg today hanging with Dmitri Androsov & the Hell Knights Crew, & we’re working on some cute BackTrack exploits.” Not a chance! Acknowledging sources, or anything that would let your readers deduce your ‘deep’ friends, would have to be restricted.

That’s like me asking a pickpocket in Barcelona