Schneier on Security
A blog covering security and security technology.
« Detecting People Who Want to Do Harm |
| Detecting Forged Signatures Using Pen Pressure and Angle »
October 7, 2009
Hotel Safe Scam
This is interesting:
Since then, his scams have tended to take place in luxury hotels around the world.
Typically, he would arrive at a hotel, claim to be a guest, and then tell security that he had forgotten the combination code to his safe.
When hotel staff helped him to open the safe, he would pocket the contents and make his escape.
Doesn't the hotel staff ask for ID before doing something like that?
Posted on October 7, 2009 at 1:07 PM
• 36 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Common problems make for quick solutions? I can imagine a lot of people forget their safe combinations.
And no, that's not a good excuse :)
@: Doesn't the hotel staff ask for ID before doing something like that?
Probably most do. But, since they are unlikely to call the police when someone says "my ID is in my room, I'll go get it" then never comes back, there is really no consequence in trying. The 1 in 5, 10, etc. hotels that don't check makes it worth it, especially the luxury ones.
I think it has to be blamed on customer service. I imagine at a luxury hotel the customer is right more often than not and so the default reaction is "Yes, sir. My pleasure, sir."
I also imagine that people who frequent luxury hotels are not security professionals (heck, they had to make their money *somewhere*) and thus don't feel unjustly treated when *not* pestered for ID.
Those who would harangue the staff for failing to demand proof of identity must be far, far outnumbered by those who would harangue the staff for a 'needless hassle.'
With a predictable outcome on policies.
Erm, guys. You don't need their ID you just need them to describe what's in the safe before you open it. Same as for lost property etc.
"Doesn't the hotel staff ask for ID before doing something like that?"
We bought a car with a "Security coded radio".
Months later, after a flat battery, my wife called up the dealership and got them to tell her the unlock code with nothing more than a name and license plate.
"customer service" (known as "user friendliness" in computing) trumps "security" every time.
@scott: "I also imagine that people who frequent luxury hotels are not security professionals (heck, they had to make their money *somewhere*) and thus don't feel unjustly treated when *not* pestered for ID."
I think you make a good point. These are people used to being butt kissed and acquienced to, but seldom, if ever, questioned. ("Can I see your ID, Mr. Trump. If that's you're real name.")
Pair that mindset with the fact that I doubt the police are ever called when someone can't produce ID, as I pointed out in my previous post, and the outcome is predictable.
Unfortunately, the hotel would probably have to infuriate 50 egos by questioning them for every 1 ego infuriated over his stuff stolen.
As with many circumstances, incentives doth not line up with desired outcome.
"Doesn't the hotel staff ask for ID before doing something like that?"
All the points about the default responses of staff in luxury hotels are correct, but my experience is that the security staff who unlock your safe are usually a bit more circumspect. That said, they can usually be got around through social engineering. Of course depending on the exact protocol, you may be able to tell one person that your ID is in the safe in the expectation that another person will unlock it without having got the message.
Incidentally, in most hotels, if you go to the front desk and say you've lost your key to room 1234 they will ask you for your name and ID and check the registration but if you go to the same desk with any old key from the same hotel and say your key to room 1234 doesn't work they will simply give you a new one.
"But after serving just two months of his sentence, he persuaded prison authorities to let him go to a dental appointment unaccompanied, and never returned."
An outside appointment? Unaccompanied? Is this normal prison practice in the UK?
"Erm, guys. You don't need their ID you just need them to describe what's in the safe before you open it. Same as for lost property etc."
Nope, that won't fly. If I've got $10K sitting in my hotel safe, I'm most definitely not telling hotel staff that it's there.
It seems to me that if the thief is also willing to commit assault and/or battery, then the "describe the contents" approach will not work.
> An outside appointment? Unaccompanied? Is this normal prison practice in the UK?
Absolutely not. Most prisons will have their own (or a circuit) dentist.
External hospital appointments do happen from time to time. A prisoner will be handcuffed to one officer, and accompanied by a second one (who has the keys to the handcuffs).
Exceptions will apply to open prisons, but he'd be unlikely to be in open conditions after just two months.
Some people are gifted, and can talk other people (even trained security staff) into just about anything....I know of one UK prisoner who talked the prison escort van driver into dropping him off at the nearest railway station rather than returning him to prison from a court appearance. (He was later recaptured).
How does he get into a room in the first place? More social engineering?
What happens if the safe is empty - it has to have happened sometime?
Yep, many hotels ask for ID. But any good con artist knows that, and is prepared. Here's how. First, they've obviously targeted a "whale," or some other wealthy hotel guest. They've followed him to learn his room number. They go to the front desk and, giving the guest's room number, ask for a printout of their charges to date. Bingo. They've got the name and address of the guest now. Next job is to whip out a fake ID, right in their car in the parking lot. Sounds like a lot of trouble, doesn't it? But look at the payout. There's more to the scam, described in my book, Travel Advisory: How to Avoid Thefts, Cons, and Scams. http://bit.ly/VDcSz And on my blog, http://bobarno.com/thiefhunters.
Boy, did I learn of an amazing hotel safe scam a few days ago. I'm about to post on it.
I've stayed in probably 30 hotels my entire life, and not once used a hotel's provided safe. Exactly how does this guy explain to hotel staff when they get in to the room only to find the safe open, or empty? How many times do they let him say "whoops, I meant that other room down the hall."?
"shit.. I had $1500 in cash and an EOS5 in there. I wondered why I couldn't get the combination to work. Someone must have got the code to the safe". You have no idea how fast hotel staff disappear when you start complaining that something has been stolen.
Indeed he's a very good smooth talker that gets him everywhere he wants.
Now, sorry to tell, but I've always found certain cultures prone to be "social engineered", they just don't have that innate ability to smell the trick that's coming to ram them, that's why I'm not surprised this happen in the countries the article lists
BTW, have you guys watched nine queens?
It's worth to watch
IME luxury hotel employees _never_ ask for ID from the guests... especially those who claim to be in "comfort" or better rooms. It's too risky for them, because if someone they ask for ID is cranky and reasonably well-connected, they lose their job. Period.
On leaving prison to pop off to see the dentist: This is nothing compared to how things used to be. From Wikipedia on the Fleet Prison: "But prisoners did not necessarily have to live within Fleet Prison itself; as long as they paid the keeper to compensate him for loss of earnings, they could take lodgings within a particular area outside the prison walls..."
From the article: "His first reported con took place in 1993, when he was discovered on the runway at Miami airport claiming to be a 13-year-old orphan who had hung on to the plane's landing gear on a flight from Colombia."
If this was widely reported, he might well be responsible for deaths of people who tried to emulate his supposed feat - it is not a survivable experience.
You check into a luxury hotel, go to your room, open the safe, close the safe, (yes, the safe remains empty) head out for the evening. Meanwhile, you have a friend perform this scam. Return to your room, open the safe and start complaining about your stolen valuables worth tens of thousands.
Hello. I found a word in the Voynich manuscript I know what I mean, at least in Castilian. The problem is that the photos I have of the manuscript lose definition when enlarged and I see the characters for the equivalence. Do you have a copy of the Voynich manuscript that I can see better?, Where can I get a copy of the manuscript?
Greetings and thanks in advance.
I wonder what would happen if you tried to have the staff arrested as accessories to the crime?
My mother told me if I wanted something I should always ask politely. It's amazing what people will do for you if you adopt this approach.
"Doesn't the hotel staff ask for ID before doing something like that?"
Not nearly as often as they should. I stay in hotels something like 100 days a year. Occasonally, I'll misplace my key or something like that. It's pretty rare that the desk staff ask anything more than for a name and room number.
Re customer service agents not being security-minded people:
That's fine. They don't have to be. I'd be terrible at a customer service job, they're allowed to be terrible at security.
But the people who can open the safe *should* be. The hotel should be set up so the "yes sir Mr. Trump" guy behind the desk has no access, only the security manager does. And he can be as grumpy and hardnosed as necessary.
The problem isn't bad training of the front desk workers, it's bad hotel management.
Social engineering is the best way to defeat security today. And it's also a critical component to *designing* security.
I travel ~200 days a year a stay in all sorts of hotels - from the run-of-the-mill **ariott to the Astoria. I get bored easily, so quite often I will tell the front desk that I forgot my key (even though I have it)... My 'research' is roughly 50% of the time they don't ask for I.D. or anything beyond a last name and room number - 10% of the time they don't even ask for a name.
Data has been 'collected' over the last 5 years or so from all over the U.S. and Europe. In Europe they ask more than in the U.S. (unless your staying at a place that takes your key when you leave for the day). In the U.S. they ask for I.D. less on the east coast than they do on the west coast.
Yup, something that Kevin Mitnick describes in "The art of deception".
I think this should be seen as a simple risk management problem: what is the cost of asking for ID (dis-satisfaction, complaints, ...) compared to the cost of not asking (sometimes you have to pay for the stolen goods). One single very dissatisfied customer hurts less your reputation than thousands of slightly annoyed ones.
Once I had an issue with a bank that did insufficient signature verification at the desk. They reimbursed the illegitimate withdrawal, saying this costs less than systematical exhaustive verifications.
Check out youtube and see all the videos of hotel type safes being bounced or slapped or rubber hammered open. the selonoid is spring loaded and can be bounced out of lock.
I would have thought they need ID.
How did the thief get into the room? Say they forgot their room card inside as well as the safe combination so the staff let him into both?
recently on a cruise, the door card stopped working and was confenscated at the door when coming back onto the boat from an excursion. When going to the front desk they issue a new one with out asking for information or ID. The only saving grace I can think of is there is a picture on file with the cards so if they are paying attention they should be looking at the picture before handing over the new card to me.
I also had a concern that they confenscated the old card at the door. "they" being a "trused" staff member says the card does not work and that when they issue a new one, the old will stop working. I wonder how many people go right to the front desk for the new card and how many use their room mates card to get into the room to settle in before getting it replaced? I am sure their methods work and no one would confenscate a working card, it just made me think a little and ask at the front desk what happens to the old cards.
People who frequent this blog are interested in security but often overlook costs. Consider how many people manage to lock themselves out of their hotel rooms; it has to happen several times a day. Now consider how often a con artist is going to pretend to be someone else and get into a room by deception. Also consider that the con artist can't disguise his or her face; there's a clerk who knows exactly what he looks like.
So you decide to impose a hard-ass security policy, to make it really hard for someone who's locked out without his wallet (therefore with no ID) to get into the room. If you manage to annoy several regular business travelers so that they pick some other hotel the next time, you might have been better off allowing the occasional theft to succeed.
Security isn't a goal in itself: the goal of a business is to maximize profit. Maximizing security is often not the correct approach to maximizing profit.
"Doesn't the hotel require ID?"
Yes, they do.
But ID is a real security flaw. In this particular case, the scammer went down to the front desk, said "I'd just like to check what I've got billed to my room so far", at which point they only asked for room number.
Apparently this particular gentleman, from the info on the charges statement, made a driver's license with his picture and the appropriate info in under 20 minutes.
Let's also not forget that this particular guy is an absolute master of the social engineering hack. I read an interview with a police officer who had interviewed him at one point. The cop (who speaks fluent spanish) asked him if he spoke english, and he replied, "would you like american english (in an USA accent) or (in an upper-class british accent) the king's english?"
So we shouldn't be surprised that someone that skilled at social engineering can do this.
I've found that hotels, particularly luxury ones, are more than happy to let you into your hotel room without so much as an ID check.
I was on a business/training trip in Malaysia a few years ago with a few colleagues, staying in a luxury hotel near the city. They went clubbing in KL whilst I decided on an early night. Knowing what they're like, and knowing that they had their eye on the duty-free grog I'd bought, I put the safety lock and chain on the door before i went to sleep (something I'd recommend anyway).
Sure enough, about 4am I got a drunken phone call, so told them "politely" to .... off. Next thing I heard was another phone call, so I ignored it. Then I heard the hotel's concierge trying opening the door with a master key with their voices saying "yeah i'm Simon, i've lost my key, think i left it in the club". Next I heard was the concierge saying "I think there's a problem with the door, i'll call maintainence" at which point i got up, opened the door and told the concierge to ignore them.
Of course they got a telling off the next morning, but i don't think they even check in cases like this :(
A really good luxury hotel will be able to let you into your room without an ID check because they (and their video system) saw you at the front desk when you checked in. But that's getting rarer and rarer.
(Other facilities do this kind of thing as well. A relative of mine once walked into the lobby of a quasigovernmental organization where a member of her immediate family worked, and was more than a little taken aback to be greeted by name by a completely unknown security person.)
> Doesn't the hotel staff ask for ID
> before doing something like that?
It takes enormous strength of character to consistently follow such security rules in real-world conditions. Not one person in a hundred can keep it up through an entire career.
Maybe the *first* thousand times or so he'll follow the rules, sure. But eventually he's going to get *tired* of checking ID every *single* time somebody forgets their password, key, safe combination, whatever. So then one time the place is busy, and the customer is irritated and standing there waiting impatiently, and the *other* customer over there is waiting also, and the poor employee was *supposed* to finish his shift and go home twenty minutes ago, only he can't get away from the desk because of all these stupid *customers* needing *help*, but he asks the guy for ID anyway, because it's the rule, but the guy says he left his ID in his room, clear up on the fourteenth floor, and have you seen the line for the elevators? So he's standing there arguing, and he's getting upset, and people are waiting, ...
Most people will eventually snap under this kind of pressure and break the rule, and once an employee has violated the security policy once, and nothing bad happened, the temptation to do it again (and again, and again...) is remarkably strong.
On the one occasion I have forgotten the code to my hotel safe (or at any rate, the one I was sure I had used, failed to open the safe), the procedure was as follows:
1. I had to wait for a specific manager who was authorised to do resets; he took about 15 minutes to turn up. You will see in a moment why.
2. I had to let that manager into the room with my key.
3. The code-resetting manager was armed with a laptop with a USB cable which plugged into a slightly-hidden USB port on the safe. After plugging it in, he seemed to faff about for ages (well, two or three minutes) before it was reset, when one might reasonably expect this part of the process to take less than a second.
4. During the faffing about phase, he engaged me in conversation about my previous visits to the same hotel chain.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.