Schneier on Security
A blog covering security and security technology.
« Major Vulnerability Found in Diebold Election Machines |
| "The TSA's Constitution-Free Zone" »
May 12, 2006
Thief Disguises Himself as Security Guard
Another in our series on the security problems of trusting people in uniform:
A thief disguised as a security guard Tuesday duped the unsuspecting staff of a top Italian art gallery into giving him more than 200,000 euros ($253,100), local media reported.
The thief showed up Tuesday morning at the Pitti Palace, a grandiose renaissance construction in central Florence and one of Italy's best known museums, wearing the same uniform used by employees of the security firm which every day collects the institution's takings.
After the cashier staff gave him three bags full of money, he signed a receipt and calmly walked out.
Posted on May 12, 2006 at 6:10 AM
• 23 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
When giving someone a quarter million US, you would think that they would check the person's ID against a known-couriers list or something... wow
One does expect the cashier people to be less cautious when being confronted with the same guy for a period of say 20 years during which all has worked out fine. But the guy being a total stranger to the museum guys should have made them a lil' bit more thoughtful.
Maybe he read Bruce's blog. This time the "real" thomas crown affair. :)
Headline should read "Security" rather than "Museum".
While in school, I had a job at a hotel to balance the books for the day. We did not have any procedures to verify anything, other than the daily balance sheet. One night the night shift security guard for the hotel (the real one), came up to be and said the manager wanted to audit the cash drawers. It sounded strange, but since I wasn't as suspicious as I am today, I gave him the drawers. 1/2 hour later am I wondering when I will get the drawers back. The morning shift is going to need them. So I called the manager and asked when I am going to get them back. He had no idea of what I was talking about. Then we realized the guard decided to make this his last night on the shift and disappear.
That's when I realized I should always "trust, but verify". ;)
Oh, ya I should also state, the hotel went cheap on the guard. Instead of hiring a service which has bonded guards they hired someone directly (unbonded). Last I knew about the situation they never found the guy. I am sure he had fake info when they hired him. Shows you really don't save money when you go cheap on your security.
Uniforms are easy to fake. Procedures tend towards a depressing commonality. Even those businesses that use courier lists with pictures and signatures (which should be everybody!) don't always refer to them.
This is also why there are floor limits, over the counter limits, and over the street limits. To limit the losses if any one take goes awry.
The only answer is to shift some of the burden from the institution to the employee. ("If you give the money to the wrong person, it'll come out of your check . . . ")
Fighting crime is difficult. Often, the responsibility of catching / stopping walk-outs is placed on the waiter. If they suspect something, they're supposed to tell management. (But they can't chase the people into the parking lot.)
Guess who pays when the customer walks? That's right - the waiter.
I'm a security guard. I have been transferred (not fired, I'm contract so I get transferred to a new account if the client is unhappy) for doing my job. Last time was when I stopped a guy drafting (walking in behind someone with an access card) and he got upset. The client security director told me that I was doing my job, but that they were moving me anyway because the juy was upset.
No big deal. I worked two other accounts for a while, then moved to another, then had to go take care of my sister for a while, and now I'm back at the same security company.
Generally the security guards will do the best job you allow them to do. If you transfer them for doing their job, they will shrug and stop doing it.
But if you discipline one guard for doing their job AND you discipline some other security guard for not doing their job, you have some severe liability problems.
What I'd like to know is how soon the exact same approach will again work on that same Museum. I think it is unlikely that they will change their security procedures in a way that necessarily precludes this type of attack. They may tell their staff to check the guard's ID and not to give the money to a new guard without verifying that ID ... but after a time the staff will become lazy, newer employees will not be given the same instructions, and the attack will work again.
Even if you tell the staff to verify the guard's ID, you've only moved the problem over a slight distance (unless the security company has unforgeable IDs, some kind of mechanical verification method, and a highly secure ID distribution infrastructure.)
I wonder what movie he watched to get the idea?
He probably reads this blog. "It's all Schneier's fault, for giving these criminals the idea!"
(those are sarcasm " "s).
It is always the human element of Security that fails, intrusion is an aquired and developed capacity, but our most cotidian and predictable customs and duties may actually be creating an invisible open path for deception.
Yeah, the moral i think about these kind of acts is that people are beginning to see a uniform as a form of authentication. I agree that the "asume" that the person is wearing a uniform conform the guidelines and they will be treated so. It is in fact as stated above: the human factor. Relying on mere uniform should produce problems and in this case and many other it happened. In my country (NL) we had simmilar experiances where thiefs where dressed like cops, and they took the wallets of tourists and hold people and gave them tickets which they had to pay upfront. The sollution? i cannot think of one otherwise of proper (better) authentication. Anyone other ideas?
>> Even if you tell the staff to verify the guard's ID, you've only moved the problem over a slight distance (unless the security company has unforgeable IDs, some kind of mechanical verification method, and a highly secure ID distribution infrastructure.)
Nothing is unforgeable. I can make an ID which is very difficult to forge, however, and fairly cheaply. (Even more difficult if you don't let someone get a good look at it, except when verifying a guard's identity -- and certainly never let it near a scanner.)
The mechanical verification method is to compare the picture on the ID to the person's face.
The highly secure ID distribution infrastructure is handing it to the guard after they pass all of our background checks . . . (sighs)
You make some excellent points. By the way, welcome back. :)
Maybe the guy handing over the money was getting paid off. good story Bruce
he have also a true matriculation-number of another security guard (same company)
Wow, a quarter million dollars a day is a nice revenue stream for a museum.
This story is now Six months old - can not find anything over the Internet about any arrests having been made -ever.
Does anyone have an update?
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..