Real-World Social Engineering Crime

Classic:

Late on Monday, two thieves used a swipe card to drive a van up to Easynet’s Brick Lane headquarters. Once inside they began loading equipment into their van. They were watched by two security guards — one was doing his rounds and the other watched by CCTV — but both assumed the thieves, with their legitimate swipe cards also had a legitimate reason to take the kit, according to our sources.

EDITED TO ADD (11/25): Here’s another story (link in Turkish). The police receive an anonymous emergency call from someone claiming to have planted an explosive in the Haydarpasa Numune Hospital. They evaculate the hospital (100 patients plus doctors, staff, visitors, etc.) and search the place for two hours. They find nothing. When patients and visitors return, they realize that their valuables were stolen.

Posted on October 24, 2006 at 2:13 PM36 Comments

Comments

jayh October 24, 2006 3:24 PM

Look like you belong there and you can get away with an awful lot.

My father was one of those who would wear a jacket, white shirt and tie even to shop at the discount store; countless times customers and even employees assumed him to be a manager.

McGavin October 24, 2006 3:25 PM

I’m sure the guards noticed the activity and thought that something was strange, but…

To the guards, the risk of suffering the hassle and embarrassment of a false positive outweighed the low risk of the cardswipers actually being thieves.

Mark James October 24, 2006 3:44 PM

Something like happened at my university years ago. Some people showed up and started loading computer equipment into a truck. The security guards even helped them load it.

They also took down license plates, and descriptions of the people. They were arrested a few days later.

Steve October 24, 2006 4:12 PM

It was about thirty years ago but…
department store in my home town. Fronted onto pedestrian access area. A couple of guys drove a large white van to the front of the store (in the pedestrianised area) and went in wearing coveralls and carrying clipboards.
The clipboards had lists of various white goods. They got store staff to help them load the van and then drove off with their loot.
They must have had some inside knowledge of some kind to carry it off but carry it off they did – literally…
Wetware failure…..

No Neck October 24, 2006 4:13 PM

Bruce, you are a connoisseur of crime. This was a funny story in some ways. I wonder how far the thieves had planned for the situation in which they were rumbled?

Ben K October 24, 2006 4:45 PM

There is an old story, perhaps apocryphal, about two guys who walked out of the NY Abercrombie and Fitch with a canoe on their heads. It was so blatant that no one stopped them. Supposedly, they only got caught when they went back for the oars.

Sammy The Surfer October 24, 2006 5:02 PM

I could practically hear Nelson saying “HA ha”

When I worked in a hotel, there was a guest who walked into the lobby, picked up a large potted plant and walked out with it.

Tim October 24, 2006 5:12 PM

A similar thing happened at an old workplace of mine. We would often have clients wandering around the building, so nobody batted an eyelid when a guy managed to get in and sat around drinking coke from the free drinks machine. He then went into one of the meeting rooms and walked out with the large plasma display that was in there. Someone actually held the door open for him.

Shortly after that we had to start wearing photo id badges at work…

On a related note, I hear that looking like a builder with a reflective jacket and a hard hat will get you into most places without being challenged.

Rob Mayfield October 24, 2006 5:13 PM

Most apocryphal stories have a basis in truth somewhere in the past. One I heard involved a worker at a plant taking home a wheelbarrow load of scrap on a regular basis (I dont recall what it was, waste of some kind, sawdust, whatever) – this went on for some time before someone realised he was actually stealing wheelbarrows … The obvious answer is often there staring us in the face, we just have to see it.

FormicaArchonis October 24, 2006 6:02 PM

Ah, theft. While I could bore you with stories of regularly being mistaken for the office manager at my previous workplace (I was about the only one there who cared about his appearance, sadly), I’ll bore you with this one instead.

Back when I was just starting high school, I noticed a monitor for a Commodore computer languishing on the floor of the chem lab. It was still there a few years later. The C64 was on the wane, but I was a diehard Commodore geek, and a TV set was never quite as good as a monitor. I asked the principal if I could purchase it (on the cheap) before one of the more observant punks kicked the tube in. Well, I couldn’t, but he said I could borrow it until he asked for it back (hint hint – he was retiring soon and didn’t really care either way). So, at the end of chemistry class not long after, I went and got it. Carrying this rather large object back through the class, of course one of the students said “What’re you doing with that?”

So I said “I’m stealing it, of course.”

And that was the end of it. 30 students and one teacher watched me make my getaway and that was all the resistance to be had.

Not an easynet employee October 24, 2006 6:09 PM

@easynet employee

Sure. Just like Bush never invaded Iraq under false pretense. Just because you’re embarassed about something, doesn’t make it any less true.

easynet employee October 24, 2006 6:43 PM

cough Why should I be embarassed? There was a theft, but it was nothing like what’s described in the Register (which gave us a good laugh today).

W. Man October 24, 2006 6:51 PM

@not an easynet employee

a “false pretense” that actually seems to be becoming more true again as the real truth is uncovered (documents are found and translated).

Don’t be an idiot next time by bringing politics into a discussion about crime and security… stupid cheap shot crap. Discuss the story or stay away!

Roy October 24, 2006 8:01 PM

Regardless of the veracity of the article, the vulnerability is nonetheless real. I used to regularly enter, move about, and leave installations of the US Marine Corp, US Navy, and US Army, and nobody ever looked at my identification — over a span of eight years. Apparently I looked like I belonged wherever I was. I’d also dealt with CHP, Sheriff’s Office, and the local PD, yet I was the only person who ever saw my ID.

Anonymous October 24, 2006 8:45 PM

@Roy

Apparently you haven’t attempted to enter a USMC installation recently. Regardless of your appearance, they ask for ID, compare it to you, inspect your vehicle, note the tags (electronically at a lot of places now) and inspect your vehicle’s registration. Even when you’ve been going in and out for years.

Nobby Nuts October 25, 2006 1:17 AM

“search the place for two house”

Hours? Or were they looking for Dr and Mrs House? <<

Well, it was translated from Turkish!

Inge Henriksen October 25, 2006 2:40 AM

Some years ago some criminals would just take a van and drive up to stores and take racks of cloaths etc., since they were wearing overalls the clerks would think that they had a valid reason for doing so 😛

csrster October 25, 2006 3:29 AM

Around here any phillipino or somali woman who wanted to could get access to anything just by putting on an overall and carrying a mop. They must be very law-abiding people because I’ve never heard of it being done.

RG3 October 25, 2006 5:02 AM

I know of a time when two men turned up to a BBC studio in overalls and a truck and stole a grand piano in full view of a load of BBC employees…

bob October 25, 2006 7:22 AM

All variations on the fable of Gillespie and the King – look like you what people expect to see, and you have the keys to the city. Speaking of which, in these days do visiting dignitaries get the PIN to the city instead of keys?

@csrster: cool. where’s here? I mean just generally.

T October 25, 2006 7:54 AM

I’ll bet you could pull off the scam without a swipe card. Drive up the gate in a delivery truck, and say you have to make some drop-offs and pickups. The guards will probably let you in. Your “drop offs” will be fancy boxes suited for the occasion (VCR, widescreen TV, etc…) but filled with useless deadweight. And then you just make the pickups and leave…

Mr Pond October 25, 2006 10:45 AM

Regarding the incident in Turkey – one would have thought that the police that searched the hospital would have noticed the presence of anyone, particularly since the presence of anyone in the building should have stood out light the proverbial sore thumb given the prior evacuation…?

Yes, the thieves could have hidden from the people carrying out the search, but what does that say about their level of competence? If they failed to find people-sized things, what chance would they have had at finding a possibly concealed explosive device?

RvnPhnx October 25, 2006 11:49 AM

@Mr Pond
That somebody would have trouble hiding in an otherwise empty (of people) hospital would actually surprise me more. Heck, even one full of people. Lots of rooms, closets, large rolling equipment carts….. Oh, and the noise of the place–even when empty….. Wear the right shoes and other clothing and just disappear.

Curious October 25, 2006 1:59 PM

@W. Man

Please provide a URL to an article from a major news organization reporting on the “real truth being uncovered.”

Not looking to discuss it, just looking for it because your allegation is brand new to me.

James October 25, 2006 7:21 PM

This happened to me in the past few months.

I watched the ~20ish kid living with the neighbors two doors down load a variety of stuff into a car and thought little of it – it was the season, and he was the age, to be headed to college.

Turned out he’d been ejected from the house after a domestic dispute and was robbing the house.

If I’d known of the ejection, I’d have phoned the police; but in effect his long presence and a plausible assumption about his activity constituted a spoof of any security my looking out the window might have provided.

jerith October 26, 2006 10:19 AM

I used to have the opposite problem at my university. I would have all the correct paperwork, signed by the appropriate people, including serial numbers, etc. to bring my PC onto campus and take it away again.

If I was ever seen carrying it, I would be subjected to half an hour of grilling and interrogation despite following all their procedures. Their solution? Let them know a week in advance so that they could tell everyone. What’s the point of having signout procedures in that case?

Terri Nielsen-Rogers October 31, 2008 10:11 AM

I caught an unfamiliar nurse going through my husband’s belongings in our private hospital intensive care unit at University of Utah Medical Center. She looked startled and quickly left the room. I immediately reported her but she was never caught.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.