Social Engineering Diamond Theft

Nice story:

In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp's diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.

[...]

Mr Claes said of the thief: "He used no violence. He used one weapon -- and that is his charm -- to gain confidence. He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were.

"You can have all the safety and security you want, but if someone uses their charm to mislead people it won't help."

People are the weakest security link, almost always.

Posted on March 19, 2007 at 3:42 PM • 22 Comments

Comments

nzruss • March 19, 2007 4:44 PM

I don't think I'll read the linked article.....

... I'll just wait for the movie.

Spider • March 19, 2007 5:29 PM

Bruce, I think I'll have to disagree with you on this one. The weakest link in this case was not human but their security design. The vaults essentially allow any one trusted person to access anyone else's property. It's like giving me access to read everyone's gmail mail, just because I also have an account.

Thomas • March 19, 2007 5:47 PM

"""He used one weapon -- and that is his charm -- to gain confidence."""

Let's see the TSA try to ban that!

Oh, wait, they're already doing all they can to make people as grumpy and un-charming as possible...

Matt from CT • March 19, 2007 5:53 PM

And sadly, George Clooney will probably net more money and work for less time making the movie than the actual jewel thief did :D

Smee Jenkins • March 19, 2007 5:59 PM

@Spider: You do have access to read everyone's Gmail mail! Just enter their username and password into the login page! It's no different from the safety deposit box, just put in the key and twist...

As to where the username and password come from: same technique. Show up at Google HQ with some chocolates. Of course, they do get free gourmet food, so it might not work as well...

diamond geezer • March 19, 2007 7:10 PM

The story said nothing about storing a squid in his locker and returning when it had emptied the neighbouring lockers.

Anonymous • March 19, 2007 8:05 PM

I wonder if Bruce could pull off the same trick? Maybe with a shave and haircut...2 bits.

Kevin • March 19, 2007 8:15 PM

I agree with Spider -- the fault was in a vault design where anticipatable human error could allow one trusted individual to gain access to other customers' stones.

The story lacks details on what exactly the "electronic access key" and "originals of keys" mean to security, but it does seem their physical security was lacking.

Spider • March 19, 2007 11:16 PM

@Smee

They gave him a key to a common safe, where they thought he was storing his valuables. That's like giving me root privileges on gmail's servers. Heck, even Microsoft has learned not to give users of their own computers that much power.

supersnail • March 20, 2007 2:56 AM

"Key to common safe ..." etc.

Just to clarify, the standard setup for these security deposit vaults is:

You have a strong room which is generally "open" during business hours.

In the strong room are lots of little safes.
Each safe contains a metal box, and each safe is opened by two keys. One is kept by a bank employee, one is kept by the client.
To access your goodies you go with the bank employee into the vault: he opens one lock with his key, you open one lock with your key, then you remove your metal box and take it to another private room, where you are left alone until it is time to lock your goodies away, and the procedure is reversed.

For convenience the bank employee's key works on all the safes; the client's key should only work on his safe.

It would be fairly easy to find some time alone to get a copy of the employee's key; how he managed to get copies of the other clients' keys would seem to require some social engineering at genius level.

I think he deserves his 28 mil. Let's see if he is audacious enough to get his share of the movie rights as well.

greg • March 20, 2007 6:32 AM

Someone has to be trusted in any security system. Always. That's why DRM doesn't work. It assumes an invalid trust model.

Procedures could reduce the problem but never remove it. I would think that some of the bank workers violated basic operating procedures (giving the key to a non-employee).

The parallel in DRM is that even with tamper-resistant HW, you can still record the sound/movie from the speakers/monitors (I won't go into quality issues, but they too can be solved).

Banks have usually been open to the "classic" mafia class of attacks. Under this threat model trusted entities become untrusted. It's real hard to solve.

FP • March 20, 2007 10:12 AM

Maybe the raided diamond cutters' safe deposit boxes were deliberately unlocked.

The cutters could decide to not lock their boxes to allow access to many people without bothering to pass the key between them. The cutters could have trusted the bank staff to not abuse their master key, and to allow access only to people that are personally known to the staff.

This is just a hypothesis that would explain the theft in light of the setup described by supersnail above.

Spider • March 20, 2007 10:28 AM

@supersnail

Ok, thanks for clearing that up. I don't have much experience in diamond vaults ;)

That is impressive.

bmcmahon • March 20, 2007 11:41 AM

Sounds like it's time for the "Month of Wetware Bugs" (MoWB). Betcha we could easily come up with 30 for April if we all try.

derf • March 20, 2007 12:28 PM

HAH - banks. New Orleans had a few banks with their "safes" underground. How "safe" is that? When the inevitable happened, yes - they flooded.

The measures in place to get your sodden insurance papers after the hurricane? Guards with Uzis, a limited number of people allowed into the formerly flooded vault, and illegal Mexicans with hair dryers to help you de-waterlog your precious documents (paid for by the banks, of course).

Rob Carlson • March 20, 2007 12:58 PM

I believe FP has it right.

In the safe deposit boxes I have experience with, the "self serve" boxes are just like every other box except they have an employee key broken off inside the mechanism.

I can't see any reason why a customer couldn't ask to do it the other way around too.
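A model of the dual-control setup supersnail describes, together with the "self-serve" box Rob Carlson mentions and FP's unlocked-box hypothesis, as an added Python example (not from the post or any commenter); the key and box values are constructed sample data:

```python
# Added example (not from the post or comments): a model of the dual-control
# vault supersnail describes, plus the "self-serve" box Rob Carlson mentions
# and the deliberately unlocked box FP hypothesises. Key and box values are
# constructed sample data.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Key:
    kind: str           # "employee" (works on every safe) or "client"
    box: Optional[int]  # client keys are bound to one box; employee keys are not


@dataclass
class Box:
    number: int
    client_key: Key
    policy: str = "dual"  # "dual", "self_serve" or "unlocked"


def open_box(box: Box, presented: List[Key]) -> bool:
    """Does this key ring satisfy the box's access policy? A copied key is
    indistinguishable from the original, so a copy is simply another Key with
    the same values (frozen dataclasses compare by value)."""
    client_ok = box.client_key in presented
    employee_ok = any(k.kind == "employee" for k in presented)
    if box.policy == "unlocked":      # FP: staff alone decide who gets in
        return employee_ok
    if box.policy == "self_serve":    # Rob Carlson: employee key broken off
        return client_ok
    return client_ok and employee_ok  # dual control: both roles needed


def reachable(vault: List[Box], presented: List[Key]) -> List[int]:
    """Box numbers a key ring opens: the blast radius of a key compromise."""
    return [b.number for b in vault if open_box(b, presented)]


VAULT = [
    Box(1, Key("client", 1)),                # normal dual-control box
    Box(2, Key("client", 2)),                # normal dual-control box
    Box(3, Key("client", 3), "self_serve"),  # employee key broken off
    Box(4, Key("client", 4), "unlocked"),    # left open for the cutters
]

# A copied employee key alone reaches only the unlocked box; add copies of
# client keys (supersnail's scenario) and the matching dual-control boxes fall.
EMPLOYEE_COPY = Key("employee", None)
```

Under dual control a stolen master key on its own opens nothing; every box that waives the second key (self-serve or unlocked) is exactly the set a single compromised key exposes.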

jose • March 20, 2007 8:51 PM

This news is really wonderful, because the diamonds are always dirty and covered in the blood of the poor workers in diamond mines. Enter this site

www.apollodiamond.com

and see the new synthetic diamond of the future that you can pay for, friends.

jose • March 21, 2007 7:57 AM

Really, he deserves the money; he is a genius. I don't promote robbery, but please, it is amazing, and the volume stolen doesn't do so much damage to the economy of a few Jewish jewelers in Antwerp. Please, they have money from the suffering of the poor workers in diamond mines in South Africa and...
