Hotel room safe thefts

hotel safe theft
hotel safe theft
Hidden camera captures master override code.

How safe is the safe in your hotel room? Not safe at all, it turns out, unless you factor in the odds. Odds are, your safe won’t be broken into. But the fact is, the crackin’s easy. Of course it is—hotels must be able to rescue valuables from faulty memories (forgotten codes, departed guests who forgot to empty their safes), lost keys, dead batteries, and power outages.

Hotel management and/or security can always access room safes. But how? Depends on the kind of safe. Does it open with a metal key? By swiping a magnetic card, or punching in a code? Does it use a plastic key card with a pattern of holes punched in it?

A hotel in Palma de Mallorca, Spain.
A hotel in Palma de Mallorca, Spain.

Is the safe safe?

Bob and I have long endorsed the use of safes in hotel rooms, as long as they are electronic. We’ve shied away from metal- and plastic-key safes, concerned about how many copies float around. But there are other ways to enter safes, and an untold number of people who have access, authorized or otherwise.

A deluge of thefts from hotel room safes in Palma de Mallorca, Spain, led to an investigative report by Burkhard Kress for Extra, a news show on German RTL TV (unfortunately not online).

hotel safe theft
Hidden camera captures master override code.

Kress booked a room there and mounted a hidden camera, then called hotel management for help opening his safe. The hidden camera footage captured the code that management punched into the safe’s keypad, which ended with the room number. With the permission of the guest in the room next to his, Kress tried the same code appended with the other room number. The neighbor’s safe opened. Anyone with the master code could open every safe in the hotel.

And anyone with a hidden camera could capture the master code.

hotel safe theft
These three, who shared a room, called police when they found cash missing from their safe. As there were no signs of a forced entry, they believe they were robbed by hotel staff. Police never responded to their call, so they went to the police station.

Kress had his cameraman stake out a different room for a week, waiting for a safe break-in. Alas, he was never hit. Eventually, Kress found out why. The thefts occur in rooms booked by two or more friends staying together. When a theft is reported, front desk staff insist the theft was committed by one of the “friends.”

Guests are required to pay a fee for the use of the safe. This, along with the fact that the only rooms hit are booked by two or more friends, leads me to suspect that these safe thefts are inside jobs. Who but front desk staff know both those facts? Of course the thieves might also be former employees, or individuals in cahoots with an employee.

According to Eric Fischer, a tour leader interviewed by Kress, these thefts have been going on for years at this and other hotels in Palma. He’s kept a log of them. He himself had €14,500 stolen from the safe in his room. When the Spanish police investigated the theft without much interest, Fischer suggested that they take fingerprints. “The police responded no,” he said, “you must be watching too much German TV—we don’t do that.”

hotel safe theft

hotel safe theft
These old safes can still be found in budget hotels.

hotel safe theft

What about those plastic key cards with a pattern of holes punched in them? They can be copied onto cardboard by anyone with a pencil and a hole punch. Safes that open with a keypad or your own magnetic card (credit card, grocery store card, or anything swipeable) often have a visible keyhole for a tool held by hotel management or security. Or, the safe may have an innocuous-looking panel that simply snaps off to reveal the keyhole. Whose got that key?

Bob and I have also come across safes screwed to loose shelves in closets.

In our book, we wrote:

Safe-cracks are extremely rare, although a man was recently arrested in Palma de Mallorca and charged with a spate of hotel safe robberies. Somehow, he had come into possession of a master tool which hotel security uses to open certain jammed electronic safes. (Other electronic safes can be opened by security using numerical bypass codes.) Presumably then, the man also had the tools to get into the hotel room itself. The burglar posted his female accessory at the elevator. They each had a cellphone and kept an open connection between them. When people came to the elevator, the woman would delay them for one minute. The burglar would hear the conversation, tidy up, and get out of the room.

Travel Advisory: How to Avoid Thefts, Cons, and Scams While Traveling
Chapter Four, Hotels: Have a Nice Stay

The “international conman” captured last September social-engineered his way into guest rooms and tricked hotel staff into opening safes. Hotel management, meanwhile, walks a fine line, compromising somewhere between providing real security and reluctance to inconvenience guests.

So how does Mr. International Conman get into your safe? Or—maybe not your safe because, obviously, he’s going to target a “whale,” or some other affluent hotel guest. First, he needs to get into your room—when you’re not there. Like any good con artist, he knows that front desk staff at most hotels will ask for ID, so he’s prepared. Here’s how. First, he follows you to learn your room number. Later, he goes to the front desk and, giving your room number, asks for a printout of “his” charges to date. Bingo. He’s now got your name and address. Next job is to whip out a fake ID, right in his car in the parking lot. Sounds like a lot of trouble, doesn’t it? But look at the payout.

Halliburtons for luggage security; hotel safe theft
Our usual set of old, beat-up Halliburtons.

What should you do, then, with your million-dollar bauble? Carry the stuff and get pickpocketed or mugged? Leave it in the hotel safe for the safe-cracker to burgle? Put it in the front office safe? Often, Bob and I choose to lock our stuff into our largest hardsided (aluminum) luggage.

This is a good moment for intuition, or at least for some conscious reasoning. Bob and I stay some 200 or more nights a year in hotels and, though we don’t always use the safe, we’ve never had a problem with one. YMMV. The practical danger in using the hotel safe is remembering to empty it before you check out. When I expect a hurried or groggy, pre-dawn check-out, I scrawl a bedside note to myself.

What kind of joints do you stay in? What do you carry?
© Copyright 2008-present Bambi Vincent. All rights reserved.

A typical ATM skimmer scam

A tiny skimmer removed from an ATM way back in 2006.
A tiny skimmer removed from an ATM way back in 2006.

A reader wrote of an ATM experience which, soon after, led to $9,000 in fraudulent withdrawals. He was abroad, but this happens at ATMs everywhere; and so frequently that I think it’s worth posting as a reminder.

As I was using an atm at a money exchange kiosk, I received the cash I wanted but was unable to get my card back. The man in back of me told me I had to enter my pin number again in order to have the card returned. He even reached in front of me and hit some buttons and told me to enter my pin. I did so and after a slight wait, the card came back. The experience was unsettling because I had never heard of entering a pin number a second time to get your card back after a transaction and no one had ever brazenly reached in front of me to assist me at an atm. Since I received my cash and finally my card, I felt everything was fine. But that was the day the mysterious withdrawals began.

I called my bank as soon as I realized there was a problem. The woman I spoke with immediately closed the credit card account linked to my atm card. Within a couple weeks, the bank had deposited the total of the disputed withdrawals into my account.

There are two essential goodies the card fraudster needs: the info on your card and your PIN. Info on the card can be gained in many ways. A snapshot can be taken of it with a cellphone camera, an imprint can be made, or a skimmer can be attached to the ATM itself. Nowadays, skimmers can be tiny and imperceptible. The vital PIN can be easily obtained by the crafty thief’s strategy. The example above is a classic: the false samaritan. The fraudster offers help in order to gain what he needs. Sometimes these “samaritans” even make cellphone calls to helplines, handing the phone to the mark; but the person on the other end of the phone call is the fraudster’s colleague, who pretends to be a bank official.

credit card detail

To protect against these scams, first, don’t use an ATM that looks suspicious in any way. Unfortunately, they usually don’t look suspicious, even if they’ve been tampered with. Second, shield your PIN with your hand as you enter it. A wireless video camera may be mounted to capture the entry of your PIN. The illicit video camera, which is only the size of a sugar cube, might be in front of you, so your body won’t block it. Use your hand. Third, if your card gets stuck, get suspicious! Do NOT accept help from a stranger. Walk away from the card if you must, but do not give up your PIN. And lastly, always suspect the stranger who enters your personal sphere. That’s just not natural. He or she is after something—of yours!

It’s sad that we must suspect a friendly stranger, but a look at identity theft statistics is enough to convince anyone that it’s better to be safe than sorry. Ruthless, creative scammers specialize in benevolence, and they’re darn convincing. CONvincing, as in gaining your CONfidence. That’s why they’re called CON artists!

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Shoulder-surfers and pseudo-cops in Sweden

A shoulder-surfer in Stockholm gets seniors' PIN, then steals their ATM card.
A shoulder-surfer in Stockholm gets seniors' PIN, then steals their ATM card.

I want to wail even in Sweden, because the country has long been perceived as enjoying a relatively low crime rate. And it did. But not any more.

The day I arrived in Stockholm, the paper featured a spread on thieves lurking at ATMs who preyed on the elderly. The scam stars a shoulder-surfer lying in wait for seniors to come use a cash machine. He watches them enter their PINs, then tricks them into allowing their bank card to be physically stolen in one way or another. The thief may ask to change a ten crown note, or may meet the mark at the parking meter and ask for a small coin. Anything to get the mark’s wallet out.

One wallet, many hands.
One wallet, many hands.

Then what? “Magic arts,” one victim said. “Finger magic,” said the police. Hard to believe that a bank card can be stolen from a victim’s wallet right under his nose. Yet, Bob and I recognize the trick we call the “flower gift lift,” as practiced by women in Palma de Mallorca (and I’m sure other places, too). It’s forceful, brazen, devious, and it works. I’ve written about that here.

The Stockholm shoulder-surfer was part of an international gang from Romania. He and one other were sentenced to a few years in prison. Police say they’ve operated all over Sweden, targeting the elderly and handicapped. ATM surveillance photos show victims in wheelchairs and using walkers.

At around the same time. a community newspaper warned of “false policemen” also targeting seniors at ATMs. The thieves convinced the seniors that they needed their bank cards and PINs in order to control illegal withdrawals. Police report additional ploys: door-to-door police impostors warn of burglaries in the neighborhood and want to photograph jewelry and valuables. Whatever the ploy, the thief gets in—cash and valuables go out.

Graph from www.bra.se
Graph from www.bra.se

As I was writing this, the evening news came on. Seems some scammers are knocking on seniors’ doors to give them tips about H1N1. Rather, one scammer knocks and talks. While the senior is occupied, the other slips in and robs the resident.

Meanwhile, last month, police saw for the first time credit cards being skimmed at gas pumps. “So far police have no suspects and haven’t been able to determine how the skimming operation has been carried out.” I have advised them!

Skimmers have been found attached to ATMs at Ikea and a Stockholm Toys R Us store. There was a home invasion in the sleepy suburb where my family lives.
What has Sweden come to?

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Fake police, aka Pseudo-Cops

fake police

fake police

In Bangkok, seemingly corrupt police are extorting large sums from foreign visitors. In South Africa, pseudo-cops are stopping drivers and pedestrians, requesting wallets in order to see identification or “search for contraband,” then absconding. In Stockholm, thieves impersonating police lured seniors into give up their PINs at ATMs in the name of “controlling withdrawals.”

This strategy seems to have exploded recently, or at least is being recognized for what it is, or at least making it into the news.

In my book, Travel Advisory: How to Avoid Thefts, Cons, and Street Scams, I categorize thieves as either opportunists or strategists. Fake police are a specific type of strategist. They’re operating in small U.S. towns and cities as well as abroad. And it’s easier than ever to gear up for the job with fake badges and uniforms.

THE DUPLICITOUS STRATEGIST

The strategist elite are those who make participants of their victims. Like the Palma claveleras, they’re in your face with a story. Their only goal is to walk away with your wallet. Consummate con artists, they’re the slipperiest, wiliest, and most difficult to detect. Garbed in a counterfeit persona designed to gain your confidence, they lay bait and entrap their prey: usually the unsuspecting traveler.

Fake Police = Pseudo Cops

These strategists concoct ingenious schemes. Who could avoid falling for what happened to Glinda and Greg? They were walking in a foreign park in—well, it could have been anywhere, this is so common—when a gentleman approached them with a camera. He asked if one of them would mind taking his picture, and the three huddled while he showed them how to zoom and where to press. Suddenly two other men arrived and flashed badges. The man with the camera slipped away while the two “officials” demanded to know if the couple had “made any transaction” with him. Had they changed money with him illegally? They would have to search Glinda’s bag; and they did so, without waiting for permission.

fake police

“It all happened so fast,” Glinda told me a few days later, “I knew something wasn’t right, but I didn’t have time to think.” The “officials” absconded with Glinda’s wallet, having taken it right under her nose. In variations on this theme, the pseudo cops take only cash saying it must be examined, and they may even offer a receipt. Needless to say, they never return and the receipt is bogus.

On first impression, the pseudo cops’ scam is believable; their trick requires surprise, efficiency and confusion: they don’t allow time for second thoughts. Theirs is a cheap trick, really. They depend on a fake police shield to gain trust; they can’t be bothered to build confidence with an act. Authority is blinding, and that’s enough if they’re fast. It’s a thin swindle, but it works.

Excerpt from Travel Advisory: How to Avoid Thefts, Cons, and Street Scams
Chapter Seven: Scams—By the Devious Strategist

© Copyright 2008-present Bambi Vincent. All rights reserved.

Hotel security in the hands of housekeeping staff

hotel security
Hotel Security: Can you identify this thief?
Can you identify this thief?

Loot ‘n scoot: Through my police friends, I learned of another devious M.O. resulting in theft from hotel rooms. The thief simply poses as a guest. Wearing pool attire, she enters a hotel room that has a housekeeping cart at the door, as if she’s just returning to her own room from the pool. She tells the maid that she forgot her key, starts looking for it, and dismisses the maid. I suppose her beach bag is big enough for all the goodies she grabs, and she scoots out in her swimsuit looking as innocent as can be.

Hotel security: Maid left hotel room open and empty.
Maid left hotel room open and empty.

In another version, a female thief gets a nearby housekeeper to open a hotel room door because she’s carrying a heavy load. She may or may not have spotters on the lookout for guests returning to that floor.

Hotel security

In both cases, the security of our belongings is in the hands of the maids. How well are they trained? How much discretion do they have? When should they break the rules in order to be nice? When should they bend the rules in anticipation of a nice gratuity? What about temporary workers during the hotel’s high season—do they receive as thorough training? How many of us have approached our room only to find that we forgot our key, or the key doesn’t work, and a nice service staff member volunteers to let us in?

Hotel policy is one thing; compliance is another. How do you react when you find that your key doesn’t work (for the third time), the front desk is far away (giant hotel), your feet hurt and your arms are full and you’re dead tired, and the maid with a master key says “I’m sorry. It’s for your own security.”?

The burglars described in the recent police bulletins were females of average height and weight, 50ish and blonde. Nicely generic. The maid may believe she’s seen the impostor; and perhaps she has. Should she risk offending the “guest”?

Perhaps the maid should be required to ask the name of the guest and match it to a list. Yeah, a list on a clipboard left on the cart, that the thief’s accomplice copped a glance at. Perhaps the maid should be required to snap a photo of the guest “for your security.”

As a very frequent hotel guest, I have many times returned to my room to find the door left open by housekeeping staff “just for a minute” while they run to do something else. This always infuriates me, as there’s usually a laptop or two left out, as in the photo here, not to mention other valuables. But this is simply housekeeping error, and with proper training, can be corrected. The impostors described above are skilled social engineers, harder to protect against.

Bruce Schneier is currently blogging from SHB09, the Second Interdisciplinary Workshop on Security and Human Behavior, at MIT. I doubt if discussions covered “tricking hotel maids,” but what a complicated and interesting subject. I would have liked to be a fly on the wall there. Instead, I can read articles by the presenters.
© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Bob Arno on competitive intelligence

Slovenia Twitter-bird?
Slovenia Twitter-bird?

I (@bobarno) recently wrote about my reluctance to use Twitter and the pros and cons of sharing information with everyone who might be a follower. Not about the benefits of twittering, which I fully appreciate and understand, but about my own reservations and the extent of my own involvement. My concerns were competitive intelligence repercussions, and maybe my own desire to be as spunky (in a tweet) as I try to be on stage.

Well, this is obviously a timely subject matter, faced by many busy executives. In the last couple of weeks conversations with like-minded entertainers, speakers and bookers have all raised similar concerns. On May 27, Molly Murray-Threipland (who often writes about twittering in The New York Times), made the observation that it isn’t teenagers who are the largest tweeting group, but the 45 to 54’s.

Just three weeks after I wrote my own blog post, Business Week (May 21) dedicated its main theme, cover page, and several articles to the same issues. The two lead stories were Learning, and Profiting, from Online Friendships and Web 2.0: Managing Corporate Reputations.

In Managing Corporate Reputations, Gina Poole, vice-president of social software programs and enablement at IBM—that’s right, her life centers solely on how to train and harness IBM’s employees’ twitter posts—said, “You’re building your social reputation, so you don’t want to be a frivolous or an uninteresting person,” and the article summarizes “while many see Twitter as a place to indulge one’s inner self, IBM wants employees to “add value” in all their online postings.” Of course that’s seen from the perspective of the corporation and its concern of corporate image and identity.

kevin-mitnick-quote

On being perceived as mundane versus a source of brilliant repartee with deep content, take look at Kevin Mitnick’s tweets. Kevin (@kevinmitnick), one of the world’s most famous or infamous hackers, depending on your point of view of anyone who has served time in “the box” (prison-slang for a full-board vacation, courtesy of the U.S. government), twitters occasionally and has many followers. Kevin is an astute …˜social engineer’ (maybe one of the all-time best), a great observer of human behavior, and equally funny (privately at least); but Kevin does not share his latest skill sets or pen-testing exploits in his tweets. A follower (of Kevin’s) recently complained: “You never tweet anything interesting! Just your travel schedule. Tell us what you’re working on. something! Unfollow.” Kevin replied “Sorry I don’t meet your expectations of tweeting interesting stuff meniscuss—maybe i should tweet your passwords—hehe.”

Of course what they really want is some insight in “hacking” so that they can do what Kevin does, for fun or profit. High-profile pen-testing is a murky world and probably very profitable for those with the ultimate knowledge base. The hackers at the top of the food-chain have strong relationships, globally, with the …˜bad guys.’ Is it conceivable that Kevin, or someone like Kevin would tweet: “in St Petersburg today hanging with Dmitri Androsov & the Hell Knights Crew, & we’re working on some cute BackTrack exploits.” Not a chance! Acknowledging sources, or anything that would let your readers deduce your ‘deep’ friends would have to be restricted.

That’s like me asking a pickpocket in Barcelona Continue reading

Scams at restaurant tables

Busy waiters at outdoor restaurants.
Busy waiters at outdoor restaurants.

A restaurant table is a good place to be had. The latest in low-tech scams happened last month in Hoboken, NJ, when a man appeared tableside to collect cash after diners had received their bills. He took their money and walked out the door. Pretty clever.

Why didn’t the customers question the new face? I can answer that, as one who visits restaurants some 200+ days a year. Sometimes we just don’t pay attention to who’s serving us. We’re seated by a host, served water by a busboy, solicited by a sommelier, finally the waiter comes, and sometimes we’re greeted by a manager. The meal might be a business meeting which demands our attention more than faces.

Last week, I had a long, late lunch at Postrio in Las Vegas. When our waiter’s shift ended, she did what customer service people call a “warm hand-off:” she introduced us to the waiter who would continue with us. She could have just left, and when the replacement waiter showed up, we’d have just accepted him.

So the Hoboken bogus waiter simply took advantage of our innate trust. He manipulated his victims by presenting himself as the person they expected; he didn’t even have to say anything. Hand out, money in, bye-bye.

So what did the restaurant do when the customers told the real waiter that they’d already paid someone else? Management did not make them pay again. Which invents an entirely new scam: diners claiming they already paid the bill (even though they haven’t). Perhaps the bogus waiter plans that as his next trick.

In the case of the bogus waiter, the victims were not out-of-pocket due to the goodwill of the restaurant management. Other potential losses while dining out:

© Copyright 2008-2009 Bambi Vincent. All rights reserved.

Social engineering—is it time to curtail trust?

Judy Stevens, who has more than 270 identities.
Judy Stevens, who has more than 270 identities.

A couple of scumbags have been casing neighborhoods in Las Vegas, preying on elders. They chat up residents, pretending to be a former resident or a relative of a neighbor. They ask questions and gather information. When they’ve learned enough about someone elderly on the street, they approach the senior armed with facts and trivia—enough to garner the senior’s confidence. In every case, the bottom line is that they need money. The money’s not for them, of course; it’s for one of the neighbors, who is in a costly (fictitious) emergency situation, something medical, or maybe legal. The two solicitors are merely good samaritans.

Rick Shawn, who has more than 1,000 identities.
Rick Shawn, who has more than 1,000 identities.

Classic social engineering. This pair of con artists has bilked 19 known victims in Las Vegas, all over age 73, out of tens of thousands of dollars. It’s likely that they’re connected to similar incidents in Arizona and California; it’s probable that many other victims exist, unaware they’ve been scammed, or embarrassed to come forward.

It sounds like a couple on a crime spree, but it’s much more than that. From our intensive workshop with NABI, we know that this is organized crime. Assistant district attorney Scott Mitchell called them gypsies. Most likely, they are members of one of the families called Travelers. These families move from town to town as they pull their scams, often on the elderly. They have a large repertoire, including sweetheart swindles, pigeon drops, fake lotto schemes, and home repair. Many of these are combined with plain old burglary.

The Travelers are organized crime families. So organized, that when they find a particularly gullible victim, they pass his info to the next family members scheduled to roll through that town. Then, even if the victim realizes that the roof repair or driveway resurfacing job was shoddy, he won’t recognize the brother or cousin who offers to paint the house with leftover paint from a job down the street, or the sister collecting funds for the sick man a few houses down.

'My dog is accused of eating neighbours chicken Plyz help with bail.' Don't be tempted.
'My dog is accused of eating neighbours chicken Plyz help with bail.' Don't be tempted.

These fraudsters go to extremes in order to impersonate a good samaritan. Through social engineering, they manipulate their victims with a realistic story, bamboozle them with bullshit, dupe them, and exploit them. It always ends one way: the victims’ money in the Travelers’ hands. The two pictured above go so far as to drive their victims to their banks or ATMs.

These two have been arrested and are being held, as of this moment, at Clark County Detention Center in Las Vegas. Travelers are known to have lawyers on retainer and bail money at the ready. Although the two are considered flight risks, they may bail out on the condition that they wear GPS ankle devices.

Actually, that’s not likely. I just spoke with Lieutenant Bob Sebby, Las Vegas Metro, who said that 15 additional victims have been confirmed. Metro is asking other victims to come forward.

bv-long

Bob Arno on “Lie to me”

Two pickpockets looking for a victim.
Two pickpockets looking for a victim.

I watched the first two episodes of Fox Network’s new television program Lie to Me, whose main character is loosely based on Paul Ekman, the world’s foremost expert on facial micro-expressions and how to spot when someone is lying. This is an intriguing, new subject to the majority of us. Call it a sexy science. Who wouldn’t like to immediately realize when his mate or partner is fibbing or deceiving him? And wouldn’t we like to ask our financial advisors: “have you ever swindled or cheated any of your previous customers?”

The bad guys, too, want to know how to manipulate their expressions when asked “where were you on the night of April 18?” Will this program suddenly shed light on surveillance and interrogation techniques that have previously been shrouded in mystery? It’s said that Paul Ekman is or has been working for the NSA. It’s confirmed that he’s involved in the structure of a limited program for TSA, in which screeners are supposed to detect irrational behavior in passengers that could indicate terrorist activity, signaling the need for additional and deeper screening of their luggage.

Dr. Ekman has spent a lifetime studying micro-expressions. What’s the chance Continue reading

Kevin Mitnick redflagged

Bob Arno and Kevin Mitnick.
Bob Arno and Kevin Mitnick.

At the Atlanta airport last week, a limo driver stood holding a sign marked “Bob Arno.” Next to him stood another driver holding a sign marked “Kevin Mitnick.” You remember Kevin Mitnick, the young hacker imprisoned for five years, released in early 2000. Remember the “Free Kevin” campaign? The guy who popularized the term “social engineering”? Kevin calls himself a non-profit hacker, since he hacked into computer systems for the fun and challenge, and gained nothing of significance.

We knew Kevin would be in Atlanta—we were all there to present at ASIS, the huge security industry conference. But Kevin was flying in straight from a job in Colombia, so we didn’t expect to arrive in sync.

First we social-engineered his driver to learn where Kevin would be staying. Same hotel as us. Then the chatty driver said that Kevin had been due in two hours ago. Huh. We left a note with the driver inviting Kevin to dinner later and left.

The airport parking attendant held us hostage. Our driver had given him the parking ticket, but he wouldn’t raise the barrier to let us pass. Something was wrong with his computer, he said. We waited. After five minutes, we requested our ticket be returned so we could go to one of the other booths, which were all empty. No car was behind us, either. The attendant refused. Bob got out of the car and demanded the ticket back, fed up with our driver’s polite style of dealing with this ticket moron. No luck. The man kept his head down in his glass booth, impervious. Neither logic nor threats worked, and it was twelve minutes before we were allowed to exit the airport parking.

We caught up with Kevin several hours later, and he told a hold-up tale that made thoughts of our little delay evaporate completely. U.S. Customs had detained him and questioned him about his many trips to Colombia.

“I have a girlfriend there,” Kevin said.

“Have you ever been arrested?”

“Yes.” Kevin couldn’t lie to federal agents.

“What for?”

“Hacking.”

“Were you hacking in Colombia?”

“Yes, but that’s my job. I was hacking for a company that hired me, to see if their system is secure.”

As Customs officers began examining Kevin’s luggage, his cell phone rang. It was his girlfriend in Bogota, hysterical. Meanwhile, an officer lifted Kevin’s laptop. Kevin wasn’t concerned about it. He routinely wipes his hard drive before crossing borders, shipping an external drive containing his data to his destination. Everyone in the field of information security knows the Department of Homeland Security’s new policy:

Federal agents may take a traveler’s laptop or other electronic device to an off-site location for an unspecified period of time without any suspicion of wrongdoing, as part of border search policies…

“FedEx called,” the girlfriend said in her poor English, “they found cocaine in the hard drive!”

Kevin’s face went white and was instantly drenched in sweat. He wondered who could have put cocaine in his hard drive: his girlfriend? the packing/shipping storefront where he dropped it off? He assumed, understandably, that the hard drive seizure somehow prompted this Customs search.

“What are you doing here in Atlanta?” the Customs officer demanded.

“Speaking at the ASIS conference, moderating a panel on internet abuses. Here, I’ll show you.” He took the laptop and launched Firefox, intending to open the ASIS keynote web page. First, he hit “clear private data” and glanced at the officer, who instantly realized his own stupidity. The officer snatched back the computer.

HID card spoofer.
HID card spoofer.

Other officers pulled suspicious items from Kevin’s bags. Out came another laptop, which they started up, thinking they’d found gold, unaware that they’d need a password and dongle to access the real guts of that machine. Then they pulled out a large, silvery, antistatic bag and extracted its weird contents.

“They thought they found the mother-lode,” Kevin told us, able to smile in retrospect. And we could imagine why, looking at the thing.

“What’s this, huh?” the agent smirked. Like, how are you going to explain this one away? We gottcha now!

“It’s an HID key spoofer,” Kevin explained to a blank face. “Like your ID card there. You just wave your card at the door to go through, right? I just need to get close to your card and press a little button here. Then I can go through, too. This thing becomes a copy of your card key.”

“Why do you have it?” the officer demands accusingly.

“Because I demonstrate it at security conferences like ASIS.”

Somehow, Kevin kept his cool throughout four hours of grilling. When he was finally allowed to use a phone, he called an FBI agent who was to be on the panel he’d be moderating, and the FBI agent cleared him.

Having lost so much time, Kevin declined our dinner invitation, since he needed to prepare for his presentation. After listening to his long tale, Bob and I headed out to dinner alone. We found the French American Brasserie—quite worth raving about. http://www.fabatlanta.com/ Although we both ordered moules marinière, hardly a test for a brasserie, we enjoyed the meal thoroughly, along with the decor, ambiance, and service.

Kevin had been red-flagged, of course. He found out later that Customs knew nothing of the cocaine in his hard drive. He also found out that there wasn’t any cocaine in his drive. There may have been a few grains on the outside of the package, but it came from Colombia, right? Still, the drive had to be ripped open to determine that it was drug-free, and it wasn’t clear whether or not the disk itself had been damaged.