A reader of this blog recently wrote to me and described a suspicious encounter:
In Dublin, I noticed a tall young man in a green sweater keeping pace behind us, regardless of our window shopping. I turned down a busy side street, and he turned with us. We turned back to our original route, and the fellow with the green sweater appeared to be gone. Then I noticed that the same man was again following us, with the sweater rolled up and behind is back. I suddenly turned and said, “Good morning. How’s your day going so far?” The fellow said “Fine,” and then turned and walked off.
—Vern (and Pattie) Leming
I like the way Vern confronted his green sweater suspect. What he did is actually what many police and security officers do. It’s called aggressive hospitality: a friendly encounter meant to indicate “I see you, I’m watching.”
At a street festival, for example, police want to prevent incidents. When they spot a known suspect lurking, or an unknown person exhibiting suspicious behavior, they may confront the person with a friendly question: “Enjoying the festival?” or “Don’t I know you from somewhere?” A security guard at a theme park or in a mall will do the same. “Have you lost someone?”
Walmart practices the same principle to stem shoplifting. Called the “10-foot rule” there, store employees greet every customer who comes near them. If employees suspect shoplifting in progress, they offer to help the customer with his shopping.
Hotels and resorts also engage in aggressive hospitality. While guests notice a friendly staff greeting them at every turn, thieves, rogues, and transgressors lose their anonymity and feel watched.
Richard Buske, Security Manager of Nordic Hotels, takes this philosophy a step further. All staff members at his hotels are trained in security matters. All are taught to be observant and are praised for alerting management to suspicious behavior. Security is considered a team effort to be conducted in a friendly, positive manner.
I’m sure it sounds obsessive to mention the necessity of onboard watchfulness when you fly. The likelihood of theft while on an aircraft is low, granted; but it’s unpredictable, and that’s the problem. If you’re carrying valuables, say cash, jewelry, even credit cards, you may as well continue with your precautions. The risks are to the carry-on items you can’t see: those in the overhead compartment can be ransacked practically under your nose—or above your nose. Those under the seat in front of you are vulnerable if you sleep or leave them while you get up. [Read Kayla’s experience, below.] I want to stress that these are low-probability scenarios, especially if you’re not traveling alone. Your degree of precaution must harmonize with your comfort level and the value of the items you carry.
Sadly, suitcases are occasionally compromised while in the airlines’ possession. The odd unscrupulous employee needs only the moment of opportunity. It’s well-known that most luggage locks are next to useless. Keys are generic, and even combination locks have certain pressure points which free latches.
Halliburton
Bob and I believe in hard-sided luggage. The ones we use are aluminum, made by Zero Halliburton. They’re not for everyone, being both heavy and expensive. But when our bags were forced with a crowbar or other tool somewhere on the nether tarmac of the Miami airport, the locks and hinges held tight. Shiny scars in the seam, as if gnawed by a metal-eating mouse, were the only evidence of serious tampering.
Who’s throwing your luggage around?
As we watch our silvery Halliburtons trundle off toward baggage handlers in Lusaka, in Santiago, in Mexico City, filled with sound and video equipment or perhaps with our favorite shoes from Florence, we’re eternally grateful for and confident in their sturdy locking mechanisms. Even more so after trying desperately and failing to break into our own locked suitcase when it jammed once in London.
Of course bags like these do call attention to themselves and an argument can be made for using inexpensive luggage. One world-traveling couple we met swore by the cheap stuff. After repeated thefts from their Louis Vuitton cases at Heathrow airport, they resorted to department store brands, buying new bags every year or so. A small price to pay, they say, given the cost of their trip and value of their belongings. That’s their argument, but I don’t buy it. I say buy the best bags you can find and afford and use their locks [whenever possible].
“Kayla,” a 15-year-old girl, told me how her wallet was stolen on a cross-country flight. Her mother and sister supported Kayla’s story. The thief was a 35ish woman sitting next to her. In the middle of the flight, the woman bent down and pretended to be digging in her purse. But Kayla felt something and looked, and could see that the woman was digging in her (Kayla’s) purse. Kayla said she was too scared to say anything. The woman got up and went to the bathroom. Kayla checked her purse and found that her wallet was gone. She told her mother. Then she and her mother told a flight attendant. The flight attendant found the wallet in the bathroom, missing only Kayla’s cash. Kayla was still too afraid to say anything to the thief. When the plane landed, the woman just left.
Loot ‘n scoot: Through my police friends, I learned of another devious M.O. resulting in theft from hotel rooms. The thief simply poses as a guest. Wearing pool attire, she enters a hotel room that has a housekeeping cart at the door, as if she’s just returning to her own room from the pool. She tells the maid that she forgot her key, starts looking for it, and dismisses the maid. I suppose her beach bag is big enough for all the goodies she grabs, and she scoots out in her swimsuit looking as innocent as can be.
Maid left hotel room open and empty.
In another version, a female thief gets a nearby housekeeper to open a hotel room door because she’s carrying a heavy load. She may or may not have spotters on the lookout for guests returning to that floor.
Hotel security
In both cases, the security of our belongings is in the hands of the maids. How well are they trained? How much discretion do they have? When should they break the rules in order to be nice? When should they bend the rules in anticipation of a nice gratuity? What about temporary workers during the hotel’s high season—do they receive as thorough training? How many of us have approached our room only to find that we forgot our key, or the key doesn’t work, and a nice service staff member volunteers to let us in?
Hotel policy is one thing; compliance is another. How do you react when you find that your key doesn’t work (for the third time), the front desk is far away (giant hotel), your feet hurt and your arms are full and you’re dead tired, and the maid with a master key says “I’m sorry. It’s for your own security.”?
The burglars described in the recent police bulletins were females of average height and weight, 50ish and blonde. Nicely generic. The maid may believe she’s seen the impostor; and perhaps she has. Should she risk offending the “guest”?
Perhaps the maid should be required to ask the name of the guest and match it to a list. Yeah, a list on a clipboard left on the cart, that the thief’s accomplice copped a glance at. Perhaps the maid should be required to snap a photo of the guest “for your security.”
As a very frequent hotel guest, I have many times returned to my room to find the door left open by housekeeping staff “just for a minute” while they run to do something else. This always infuriates me, as there’s usually a laptop or two left out, as in the photo here, not to mention other valuables. But this is simply housekeeping error, and with proper training, can be corrected. The impostors described above are skilled social engineers, harder to protect against.
Bruce Schneier is currently blogging from SHB09, the Second Interdisciplinary Workshop on Security and Human Behavior, at MIT. I doubt if discussions covered “tricking hotel maids,” but what a complicated and interesting subject. I would have liked to be a fly on the wall there. Instead, I can read articles by the presenters.
We flew from Anchorage to Homer on Alaska Airlines flight 4878, operated by ERA Aviation. No TSA. No screening; none at all. Liquids? Okay! Weapons? Whatever you want! Just check your large roll-ons and climb aboard, big boots ‘n all.. 20 seats. Open seating, open cockpit.
So you’ve made it through security. Does that mean you’re in a secure area? Not secure enough to relax your attention. Thieves have been known to buy multi-leg plane tickets and work the gate areas in each airport, never needing to pass security after their initial entry into carefree-land.
You wouldn’t look twice at the couple sitting back-to-back with you in the departure hall. Smartly dressed, stylish bags, composed manner: they look like frequent international travelers—and they are. The troupe arrested in Paris’ Charles de Gaulle Airport were not French, but South American. They, and other sophisticated gangs of thieves take the same international flights as their victims, stay in the same hotels, and attend the same trade shows, sporting events, and operas. “They’re clever, don’t take chances, and do a lot of damage,” a French police officer said. “They keep the cash and sell off everything else—credit cards, passports.”
“These gangs systematically comb all major international airports on both sides of customs,” said an undercover police officer at Amsterdam’s Schiphol Airport. “They often fly between five or six airports on round-trip tickets,” explained the crime prevention coordinator for the military police there.
A presumption of safety prevails past security.
Many airports around the world have installed camera surveillance, which has cut theft of bags and theft from bags. In Cape Town, for example, while an inbound visitor stood at a car rental counter with his luggage behind him on a trolley, a thief simply lifted one of his bags, popped into a men’s room, changed clothes, and walked out with the stolen property. After leaving it in a waiting car, he returned to the baggage hall to scout for more goodies. It was all caught on tape.
Trains between concourses are another area where personal property goes missing. On these, as well as in airport shops and restaurants, one must maintain vigilance. This is especially difficult for people who don’t travel often and live in small towns where safety is almost a given. Thieves home in on relaxed attitudes like heat-seeking missiles.
What works: keep physical contact with your property.
“Did you know you’re wearing mismatched shoes?” a well-dressed Englishman said to our friend, Brooks, at London’s Heathrow airport one day.
Brooks was talking on his phone, frantic at finding out that he was supposed to be at London’s other airport, Gatwick. He locked eyes with the stranger. “I am not!” he said, refusing to be distracted. “And you’ll not succeed in grabbing my briefcase!”
Brooks had become security-obsessed hearing our tales.
“Pardon me, then. But you are.” The man walked away, intentions defeated, whatever they were.
Brooks finished his telephone call, feeling rather smug that he’d thwarted a thief who’d tried to distract him. Then he looked down at his shoes, only to see one tasseled, one buckled loafer.
Everyone knows not to leave bags unattended in airports and, lest we forget, we are relentlessly reminded by annoying announcements. Bag-stealing strategists are devious, though. Even if you aren’t looking away from your things, you may be connived into doing so. Questions by an apparently confused or puzzled foreigner touch our good-natured core and we want to help. A moment’s distraction is all an accomplice requires. Who would suspect that the pretty girl asking to borrow your pen is merely a diversion as her colleagues snag your bag?
Or, here’s a good one: you’re suddenly paged. Who would page you at an airport, possibly a foreign airport, or a stopover? Who even knows you’re there? You rush off to find the white courtesy phone, befuddled and worried. The accented voice on the line sounds unclear, yet urgent. You may be asked to write down a number, requiring some gymnastics while you extract a pen and find a scrap of paper. Have you looked away from your briefcase? Have you lost physical contact with it? Where is it, anyway?
Earlier, the thief had examined the object of his desire, your bag. Its luggage tag informed him of your name. The strategist paged you. He distracted you. He created his own plausible situation. Or, as Bob would say, he created a shituation.
TSA
Airports give the illusion of safeness, especially now with increased security. The swirling crowd of dazed travelers, lost or rushed or tired, makes a perfect haystack for the needle-like thief. Your bag might disappear before you even get inside, in all the curbside commotion. Long, tedious, check-in lines can be disorderly madness in some airports, inducing inattention when you need it most.
Computers and purses disappear, too, at airport security checkpoints. Guards have their hands full keeping order at the chaotic bottlenecks, and they’re watching for bigger fish than bag thieves. Don’t assume they’ll safeguard your bags.
Practically every television news program has shown this ruse. The scam occurs just after you’ve put your items on the belt. Before you walk through the metal detector, a stranger cuts in front as if in a hurry. The equipment buzzes and he has to back up and remove his watch, his coins, something. Meanwhile, you’re trapped in limboland and your bags are free-for-all on the so-called secure side.
If you’re traveling with another person, make a habit of this: one person goes through security first and collects her and your bags as they appear. The other waits to see that all bags go fully and safely into the x-ray machine, and watches the belt to see that it isn’t reversed, leaving your items vulnerable on the other side. If you’re alone, wait for any crowd at the checkpoint to pass, if you can, or be alert to anyone who barges in front of you after you’ve let go of your things.
As a very frequent flyer, I can understand that 12,000+ laptops are lost each week in U.S. airports. What’s shocking is that, according to a study, only 33% of laptops that make it to lost-and-found are reclaimed. My first thought is: insurance fraud. Lose it, claim it, get a new machine.
The point of the study, though, is really data loss, theft, and abuse. Who cares about the hardware? Wouldn’t it be fascinating to know how many of those never-claimed laptops sitting in lost-and-found actually contain sensitive data? And when was the machine last logged into? After the loss?
Having lost a few precious things myself (a special scarf, an autographed book), I know how impossible it is to contact airport lost-and-found, and the runaround you get if you luck out and reach a human. “You have to contact the airline,” “just file a report online,” “the airline controls those gates,” etc. Hopeless.
And I hate to say it but, I’m convinced that airplane cleaners reward their thankless jobs by the old “finders keepers” law. How else to explain a book left between the window seat and the wall, gone without a trace five minutes after I disembarked? Losers weepers.
Who's alert after suffering the human maze?
I just re-read the study, Ponemon Institute’s Airport Insecurity: The Case of Missing & Lost Laptops.
I had first read it back in July when its stats were thoroughly discussed on Schneier’s site. One of my own comments there is “no departments try to return property. Look at all the staffing cuts. Who’s the first to go? An individual might try to return something, but not a department. Even if you know you left something on a plane, even if you report it a minute after you get off, you can kiss it goodbye.”
Most laptops are lost at the security checkpoint—no surprise. People think the area is full of “security” personnel, and that makes their stuff secure. Many times, I pick up my own computer, then Bob’s. No one notices or cares that I picked up two machines. No one questions me whether I have two in my arms at once, or pack up mine and walk off with another.
While the report’s stats are interesting, I think the “Recommendations and Conclusions” are unrealistic. They suggest you allow enough time, as if you haven’t just run between terminals as fast as you can to make your “airline legal” but still-tight connection. They suggest you carry less; hey, we carry what we need, and what we don’t trust the airlines (or TSA) with in checked bags. They suggest you think ahead and have a mental strategy at security. That works—as long as you aren’t in a sleep-deprived fog from flying 14 or more cramped hours and now you don’t know if it’s morning or night. And as long as everything at the checkpoint goes smoothly, which is never certain. Someone cuts in front of you and delays you from getting to the other side, where your stuff sits vulnerable. A bossy TSA agent disrupts your strategy because he wants it done his way. TSA needs to rescan half your stuff and your items are spread out all over.
I have long had a strategy. I lay down my things—always the same things—in a strict order. This allows me to pick them up on the other side and reassemble everything quickly and logically. Every once in a while, that bossy TSA employee will rearrange my things, or hold back some of them in order to re-run someone else’s. This tampers with the otherwise reliability of my strategy.
I like two of the study’s recommendations. One is obvious, to label your laptop so you can be easily contacted. The other mildly recommends that airports make it easier for passengers to report losses. That would really help. Fat chance.
We met Lionel, an American, while traveling in Dubai.
To a pair of pickpockets in London, Lionel Skidmore looked like an easy target. The thieves mounted a bus, then immediately turned and got off, pushing past Lionel, who was just getting on. Checking and noticing that his wallet was gone, Lionel ran after the perps and demanded the return of his wallet. One thief took off. The other pointed to the ground, where the wallet had been dropped. Nothing was missing from it.
The novel part of this story, to me, is that Lionel’s wallet was deep in his pocket, attached to a chain. Granted, the metal ring attachment was a weak one, according to Lionel, but the pickpockets didn’t know that when they decided to take the wallet.
Many people believe that rubber banding a wallet, as Lionel shows, prohibits pickpockets. Pickpockets tell us otherwise.
This reminds me that there are no rules in pickpocketing; or rather, that there are, but they’re all bustable. For example, how many of you have heard that wrapping a rubber band around your wallet makes it harder to steal? Hands up. Right, I thought so. No, the thieves tell us—a rubber band makes their job easier. It gives them something to grip, and it keeps the wallet closed, preventing corners from catching in the extraction.
It’s easy to think that a wallet on a chain is safe (no comment on the fashion statement it makes). You’d think that pickpockets would move on to an unchained wallet—the vast majority of them. Turns out that the chain makes a handy little extraction tool. And according to Lionel, a long-time chain-user, most chains are cheap, Chinese-made metal with weak attachment rings.
There's always a weakest link. In this case, Lionel's hefty new ring attachment is threaded through a flimsy wisp of dried leather.
Lionel showed us his new, heavy-weight chain-attachment-ring. Looks strong! But it’s threaded through a thin layer of worn, flimsy leather at the corner of his wallet. Easily the weakest link in a weak system. A useless grommet, freed from the loose leather, slides around the ring. Lionel feels his chained wallet is secure. His (false) sense of security allows him to travel the world with confidence.
As we travel the world every year, we interact with organized crime figures, street criminals, and security personnel along the way, observing and absorbing the latest trends in criminal behavior and the latest techniques. Over the past twenty years, I have maintained dialogs and communications with some rather interesting criminal minds on four continents. But talking about security issues and criminal behavior, on the internet or to media in general, is always a dilemma. Yes, it’s useful to reveal the latest scoop about the rogue fringe of society, but by bringing revelations into the open we might tip our hand to the bad guys.
Striking up conversations with criminals usually means we first have to detect them, identify them, and somehow confirm that they really are thieves—unless we have direct cooperation from law enforcement agencies. We’ve developed unique skills in detecting criminal behavior and patterns that we recognize before the crimes take place. Modern crime prevention is often based on similar methods and techniques, and written into algorithms for computer analysis. Yes, they are obviously very different depending on the country where the criminals are active, the type of crimes anticipated, and other cultural factors. In security circles, a common word for this analytical activity is “redflagging.”
Bambi Vincent, Kevin Mitnick, and Bob Arno.
The kick-in-the-pants for this post came from an incident we became privy to in Atlanta last week, while there to address the ASIS annual conference—the world’s largest security convention. Kevin Mitnick, the famous (or infamous) former hacker—is there such a thing as former hacker?—was also there, as a presenter and panel host on Internet abuses. Kevin, always full of new anecdotes and intriguing …˜backend’ stories, is an old friend of ours. It was his exhaustive airport encounter earlier that day (with ICE, US customs, and the FBI) that got me thinking about redflagging, which is what entangled Kevin.
In the past few weeks, two books have been published which both indirectly focus on redflagging, how to isolate a certain behavior from the norm, and then to draw conclusions. This is not exactly science, but reasonable speculation. Behavior is an extension of human emotion; it’s difficult to completely suppress our emotions, and therefore our behavior.
The new books are The War Within: Secret White House, by Bob Woodward, and The Numerati, by Stephen Becker. Both books allude to new and secret formulas used by the U.S. government as well as the private sector, to fight terrorism and crime in general. Woodward’s book speculates about isolating terrorist leaders and taking them out with precise weapons. In his blog, Schneier on Security, Bruce Schneier wagers that Woodward is talking about “tagging.” The speculation centers around new technologies, but we can be quite certain that some algorithms on behavior are reasons for the new successes in the war on terrorism.
Lips
The other book, The Numerati, is not about politics or security developments. It’s about the latest trends in analyzing emerging patterns by drilling through data banks. A good review, “Drilling Through Data,” can be read in The Wall Street Journal, and there’s an interview with the author on NPR. The book discusses security software analytics. The last part of the book covers irregular pattern recognition and Jeff Jonas’ work in the casino industry. A good introduction to the world of Jeff Jonas and his contribution to the security industry is posted in O’Reilly’s Etech Conference pages from March 2008. Jeff Jonas works for IBM (and we assume for divisions of our National Security Agency, in some capacity or another). To get the gist of his talk on casino scams and how to detect crime in casinos using surveillance technology coupled with databases of known criminals, you have to drill further. This is very good reading for those with an interest in irregular pattern recognition.
Neither book sheds any precise information on what we want to know most: what are the security agencies concentrating on when they assemble their “trip wires” for redflagging? And that’s good; why should we let the other side know how they’re spotted?
Forehead
In its most simplistic application, analytics are used in surveillance software in the retail and hospitality industries, and in public places. For example, the scanning of individuals hovering or loitering around an entrance or in a hotel lobby; the number of seconds a cash register’s drawer stays open in a store; how the hands of the employee at that cash register move; the angle of the hand holding the credit card (think portable skimmers).
All of which is just foreplay to the real issue: the behavior of terrorists. What speed or pace and how do they walk when approaching a target? How does a female terrorist behave differently from a male? How do they behave when stopped or challenged? And most important, what about their face reactions? Can a telephoto video scanner pick up micro-expressions and can the latest research by people like Dr. Paul Ekman and Mark Frank map these movements with accuracy?
Fake smile.
For some interesting current examples of micro-expressions, watch again the recent Sarah Palin interview on ABC Evening News with Charles Gibson.  The moments for interpretation come at three minutes and 59 seconds, when Charles Gibson asks her if she has ever met with foreign heads of states. More of the same expressions when Gibson asks whether Russia was provoked to go into Georgia, five minutes and 13 seconds into the interview. And finally, at eight minutes and 34 seconds, at the question about the Bush Doctrine. Whether the clenching, lip protrusion, closing of eyes, and swaying can be interpreted as precise proof of one thing or another is up to the students of Paul Ekman.
Redflagging as a form of profiling is controversial. My points above illustrate how complex and far-reaching the conclusions may be to our society. I have not even touched on the privacy angle, the national security aspects, and what the bad guys can do to counteract the revelations made by media on the latest security innovations. Ultimately it comes down to the old argument: what do we keep secret (for national security) and what do we allow the public to know in order to protect privacy and maintain open political dialogs?
My objective today is to draw attention to the constant need to fine-tune information analytics. It is the lack of qualified experts drawing useful conclusions, which has triggered all kinds of recent mishaps, near financial ruin, and security lapses. This article is not meant to start new political discussions on security secrecy or privacy protection. Others who specialize in advancing and protecting both viewpoints are far more qualified.
[The facial features above belong to confirmed criminals, photographed during interrogation.]
For a cross-country flight, I packed a lunch of deconstructed sandwiches. Slices of homemade walnut bread, a handful of arugula, a tomato, and a repurposed deli-container full of homemade crab salad. The crab salad was moist with mayo, lemon, and chopped apple. Spreadable, if not quite liquid, mostly filling an 8 oz container.
I didn’t expect it to pass security, so I was ready with Plan B: I’d back out of the security area, construct the sandwiches, and try again with the less-dense contraband.
So I’m pushing my carry-on along to the scanner belt when the TSA man on the x-ray calls for assistance. “Log-jam,” he says.
“They’re moving now,” I say, having straightened someone else’s bag. Mine goes through.
“I’m just trying to keep her busy [wink],” the TSA agent says, jerking his chin toward his colleague as she inspects the flow of bags.
I lock eyes with him. “Good strategy,” I wink back, and he doesn’t even glance at the screen as my bags sail through, crab salad and all.
