Thief Disguises Himself as Security Guard

Another in our series on the security problems of trusting people in uniform:

A thief disguised as a security guard Tuesday duped the unsuspecting staff of a top Italian art gallery into giving him more than 200,000 euros ($253,100), local media reported.

The thief showed up Tuesday morning at the Pitti Palace, a grandiose renaissance construction in central Florence and one of Italy's best known museums, wearing the same uniform used by employees of the security firm which every day collects the institution's takings.

After the cashier staff gave him three bags full of money, he signed a receipt and calmly walked out.

Posted on May 12, 2006 at 6:10 AM • 25 Comments


MattMay 12, 2006 7:08 AM

Haha, perfect!

When giving someone a quarter million US, you would think that they would check the person's ID against a known-couriers list or something... wow

jmcMay 12, 2006 8:10 AM

One does expect the cashier people to be less cautious when being confronted with the same guy for a period of say 20 years during which all has worked out fine. But the guy being a total stranger to the museum guys should have made them a lil' bit more thoughtful.

@nonymou5May 12, 2006 10:14 AM

While in school, I had a job at a hotel to balance the books for the day. We did not have any procedures to verify anything, other than the daily balance sheet. One night the night shift security guard for the hotel (the real one), came up to be and said the manager wanted to audit the cash drawers. It sounded strange, but since I wasn't as suspicious as I am today, I gave him the drawers. 1/2 hour later am I wondering when I will get the drawers back. The morning shift is going to need them. So I called the manager and asked when I am going to get them back. He had no idea of what I was talking about. Then we realized the guard decided to make this his last night on the shift and disappear.

That's when I realized I should always "trust, but verify". ;)

@nonymou5May 12, 2006 10:18 AM

Oh, ya I should also state, the hotel went cheap on the guard. Instead of hiring a service which has bonded guards they hired someone directly (unbonded). Last I knew about the situation they never found the guy. I am sure he had fake info when they hired him. Shows you really don't save money when you go cheap on your security.

AndrewMay 12, 2006 11:30 AM

Uniforms are easy to fake. Procedures tend towards a depressing commonality. Even those businesses that use courier lists with pictures and signatures (which should be everybody!) don't always refer to them.

This is also why there are floor limits, over the counter limits, and over the street limits. To limit the losses if any one take goes awry.

The only answer is to shift some of the burden from the institution to the employee. ("If you give the money to the wrong person, it'll come out of your check . . . ")

Chase VentersMay 12, 2006 11:40 AM


Fighting crime is difficult. Often, the responsibility of catching / stopping walk-outs is placed on the waiter. If they suspect something, they're supposed to tell management. (But they can't chase the people into the parking lot.)

Guess who pays when the customer walks? That's right - the waiter.

wkwillisMay 12, 2006 11:47 AM

I'm a security guard. I have been transferred (not fired, I'm contract so I get transferred to a new account if the client is unhappy) for doing my job. Last time was when I stopped a guy drafting (walking in behind someone with an access card) and he got upset. The client security director told me that I was doing my job, but that they were moving me anyway because the juy was upset.
No big deal. I worked two other accounts for a while, then moved to another, then had to go take care of my sister for a while, and now I'm back at the same security company.
Generally the security guards will do the best job you allow them to do. If you transfer them for doing their job, they will shrug and stop doing it.
But if you discipline one guard for doing their job AND you discipline some other security guard for not doing their job, you have some severe liability problems.

RCMay 12, 2006 12:36 PM

What I'd like to know is how soon the exact same approach will again work on that same Museum. I think it is unlikely that they will change their security procedures in a way that necessarily precludes this type of attack. They may tell their staff to check the guard's ID and not to give the money to a new guard without verifying that ID ... but after a time the staff will become lazy, newer employees will not be given the same instructions, and the attack will work again.

paulMay 12, 2006 12:44 PM

Even if you tell the staff to verify the guard's ID, you've only moved the problem over a slight distance (unless the security company has unforgeable IDs, some kind of mechanical verification method, and a highly secure ID distribution infrastructure.)

Pat CahalanMay 12, 2006 1:24 PM

@ Trent

He probably reads this blog. "It's all Schneier's fault, for giving these criminals the idea!"

(those are sarcasm " "s).

Marcelus BerryMay 12, 2006 3:17 PM

It is always the human element of Security that fails, intrusion is an aquired and developed capacity, but our most cotidian and predictable customs and duties may actually be creating an invisible open path for deception.

JungsonnMay 12, 2006 3:47 PM


Yeah, the moral i think about these kind of acts is that people are beginning to see a uniform as a form of authentication. I agree that the "asume" that the person is wearing a uniform conform the guidelines and they will be treated so. It is in fact as stated above: the human factor. Relying on mere uniform should produce problems and in this case and many other it happened. In my country (NL) we had simmilar experiances where thiefs where dressed like cops, and they took the wallets of tourists and hold people and gave them tickets which they had to pay upfront. The sollution? i cannot think of one otherwise of proper (better) authentication. Anyone other ideas?

AnonymousMay 12, 2006 4:26 PM


>> Even if you tell the staff to verify the guard's ID, you've only moved the problem over a slight distance (unless the security company has unforgeable IDs, some kind of mechanical verification method, and a highly secure ID distribution infrastructure.)

Nothing is unforgeable. I can make an ID which is very difficult to forge, however, and fairly cheaply. (Even more difficult if you don't let someone get a good look at it, except when verifying a guard's identity -- and certainly never let it near a scanner.)

The mechanical verification method is to compare the picture on the ID to the person's face.

The highly secure ID distribution infrastructure is handing it to the guard after they pass all of our background checks . . . (sighs)


You make some excellent points. By the way, welcome back. :)

KMay 13, 2006 5:14 PM

he have also a true matriculation-number of another security guard (same company)

securityNovember 24, 2006 5:36 AM

This story is now Six months old - can not find anything over the Internet about any arrests having been made -ever.

Does anyone have an update?

Clive RobinsonSeptember 29, 2015 5:04 AM

@ Moderator,

"Wyoming..." above is comercial spam.

It looks like the spamers are timing their attacks to US very early morning, so as to give time for the Google bot etc to have gone past but before they are likely to be deleted... "evolution in action".

ModeratorSeptember 29, 2015 9:11 AM

@All - Thanks for the heads-up on spam comments; tips from readers are very helpful. I suspect the timing of the late-night posts has as much if not more to do with the time difference between the U.S. and India/Pakistan as it does the evolution of spamming technique. 3:00am in New York or Minneapolis is the middle of the work day in Bangalore or Karachi.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.