Schneier on Security
A blog covering security and security technology.
« NSA at RSA |
| Lessons in Key Management »
April 22, 2009
Sometimes the basic tricks work best:
Police say a man posing as a waiter collected $186 in cash from diners at two restaurants in New Jersey and walked out with the money in his pocket.
Diners described the bogus waiter as a spikey-haired 20-something wearing a dark blue or black button-down shirt, yellow tie and khaki pants.
Police say he approached two women dining at Hobson's Choice in Hoboken, N.J. around 7:20 p.m. on Thursday. He asked if they needed anything else before paying. They said no and handed him $90 in cash.
About two hours later he approached three women dining at Margherita's Pizza and Cafe. He asked if they were ready to pay, took $96 and never returned with their change.
Certainly he'll be caught if he keeps it up, but it's a good trick if used sparingly.
Posted on April 22, 2009 at 7:04 AM
• 43 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
You know, Bruce, sometimes I don't know which side you're on ;-)
A similar scam is to pose as a valet parker for a restaurant that doesn't offer valet parking. It used to be easier to do, when "valet parking offered, $5" signs were uncommon.
The other curious point would be what the restaurant did. For $90, I'm not sure if everyone would actually call the police. And many restaurants may well take it as a theft from them and not make the patron pay again. Meaning that the converse crime that the guy can revert to once he feels that he's getting too well known is to go to restaurants, eat a meal, and when they come for his check say "The other waiter already took it, but he never brought back my change!"
I wonder if he hangs out at the restaurant for a bit and waits for a table to receive their bill first.
A clean cut looking kid scammed my in laws out of $10, using an ID and everything. The kid tried it again 30 miles away, and used the same technique and sob story on my wife, same ID, same name, etc. My in laws didn't know they were scammed until the same kid had the misfortune of targeting my wife 30 miles away. Who subtly called the police while her friend talked to the kid. Were it not for the fluke of targetting the daughter of a previous victim, no one would have known they were scammed.
Restaurant scams like this may have happened times that are not known. Someone hands them a few bills and says "keep the change" and then leaves thinking they paid. They restaurant chalks it up to a dine and dash, the customers think they paid, and the scammer is not even considered.
I'm thinking along Lazlo's lines in that, without catching the actual crook, I have to wonder if this isn't itself just a twist on the dine-and-dash. Seems pretty risky, though, because it's possible the premises are video recorded, and if they police get called you're also on the hook for filing a false report.
But, really, who hands money to a stranger like that? I don't know how restaurants work in NJ, but around here I either pay the person that's been bringing my order or I pay at the register. Other than the majority of the bill being alcohol, I can't see why anyone would fall for such a scam.
I remember a similar scam from an episode of the british TV show "The Real Hustle": The phony waiter goes around the pub asking if someone has change for a 50 (or other denomination). When he gets the money, he tells the victims that he'll be right back with the large note. Can be repeated multiple times if the place has separate rooms or is noisy enough.
Try catching re-runs of that show, it has a number of good scams even if many of them only work on a small scale. The actors pull off these scans for real and tape it all on hidden cameras.
It would depend entirely on the restaurant.
In higher end or smaller restaurants, you may have a single waiter who helps you throughout the meal. But at larger, busier, more crowded restaurants, you may not see the same waiter twice. Different waiters bring drinks, bread, clear appetizer plates and bring new ones, bring food, bring dessert menus... you could be serviced by a half-dozen different people. And while one of them may bring the check, they may not pick it up, the host staff may come pick up the check. In places like that, you really never know. If I'm not sure, I keep an eye on the guy with my cash and ensure he's heading to the registers and not out the door.
ImpossiblyStupid & TS:
It's been my experience at several local chain restaurants that one person will seat you, and another will take your order. The person who presents the bill will often say, "... and I'll be your cashier when you're ready."
Additionally, I've seen servers go on break, but stop by your table to say, "I'm going on a short break. This is , and they'll be taking care of you in the meanwhile."
It seems to be a relatively simple scam to foil, with the last line of defense being a diner who is paying attention in the first place, and not treating their server like dirt.
Even "better" would be if they were paying with a credit card.
@Chris: "Even "better" would be if they were paying with a credit card."
Probably not. He would then guarantee someone would be on to him and the card would quicky be monitored for fraudulent transactions. The cash would be much better.
What the report doesn't show is how many times he did this where the customers left thinking they paid and the business blamed the customers for not paying.
"It seems to be a relatively simple scam to foil, with the last line of defense being a diner who is paying attention in the first place, and not treating their server like dirt."
I have nothing to add except I think "Hobson's Choice" is a great name for a restaurant.
2 women $90, 3 people at a pizza place $96. Even with drinks, that seems very, very steep.
Brett: it's Hoboken, NJ, just across the river from Manhattan, it's pricey. Plus the "pizza place" is more of an Italian restaurant than a pizza joint. (They have good food, I've eaten there.)
I think this story raises an interesting question in how we have changed the way we approach crime and security. As technology permeates nearly every part of our lives, does it make catching the “low-tech” criminal more difficult? People are assumed to have a minimum “technology footprint” – credit cards, cell phones, computers (with traceable IP addresses), etc. With all the emphasis on technology as both a method of committing as well as solving crime, does it make it easier for an individual who lives “under the radar” to commit crime and slip through cracks?
There is a simpler scam that was worked by a guy in London for about five years.
He would write a note to the restaurant saying what a good meal he'd had with his wife, and mention that unknown at the time the waiter had droped some small item of food on his wife's dress (or on his trousers etc).
Usually the restaurant would send a small sum of money to cover the dry cleaning bill.
He only got caught because he made a mistake in writing to a restaurant that had been closed for a while.
Turns out he was getting something like thirty successfull hits a week avaraging around 300GBP (about 500USD). Which if you work it out backwards out was the equivalent of around 22,000 a year when the average wage in London was 18,500...
As Bruce notes small simple scams can go a very long way, especialy if you don't make mistakes.
I don't know if the dress described in the article matched other waiters at these restaurants, but a uniform is amazingly convincing in almost any situation.
You don't see any uniforms in restaurants in NYC or surrounding area. There's usually some dress code, but it's not like suburban chain restaurants where they all have to wear the same red/white striped shirt with green suspenders and a big nametag that says "Charlie".
Like I said, it depends on the restaurant, how big, busy and crowded it is. If you've never had to pull aside a busboy and ask "who's our waiter?", you've never eaten in NYC.
And what does not treating the wait staff like dirt have to do with getting scammed? Nothing, nothing at all. It's a social engineering attack, and, all too frequently, it happens to the nicest of people.
People actually still pay cash for restaurant bills of that magnitude? Amazing!
"a hilarious Czech movie comedy" has some nice scenes of Karlovy Vary (Carlsbad).
True story but cannot find the link:
A guy in Italy dressed in an expensive suite intercepted people entering a 5 star hotel and offered to park their car. One guy lost his Mercedes and the Swiss insurance company refused to pay because it was classed as willingly giving away the keys and not as theft.
I've never eaten in NYC. But I regularly eat in San Francisco, and have never had to pull aside a busboy to identify my waiter.
As for the 'treating servers like dirt' it means paying attention to your server, so that their name and appearance registers, or even the basics of their uniform. Or being aware of who else is moving about bringing food and drink, etc.
"2 women $90,... Even with drinks, that seems very, very steep. "
Good grief, which restaurants are you eating at? McDonalds is not a restaurant.
"People actually still pay cash for restaurant bills of that magnitude? Amazing!"
Where I live (Zurich) most locals would pay a restaurant bill under 200 francs (about $160) with cash. Muggers are very rare here so people feel comfortable carrying cash. Forged banknotes do not seem to be a big problem, shops do not do any obvious checking if you pay with a 200-franc note.
In my city (Houston) my wife and I can go out a very, very nice place and pay about $100 for dinner, drinks and such. But on average most nice places (no McDonalds) will cost us about $50 for everything, maybe I'm spoiled.
Pizza on the other hand, with drinks would probably cost us less than $50.
I've eaten in Manhattan, some places are steep some others are reasonable. To me is seems that the closer you get to Wall Streeet to more unreasonable it gets (go figure).
As I said above, I'm spoiled by living in Houston, prices much less.
"Not treating your waiter like dirt" may be an exaggeration, but there's truth in it. I'd've said "don't treat your waiter like furniture." In other words, be aware of your surroundings and the people in it. Look your waiter in the face when s/he comes by, pay attention to whether the same person provides each service, maybe even what the staff wear.
@Tim: what I didn't include in my first post (second overall) is that the valet parking scam almost happened to us. But one in our party asked "I thought you said this restaurant didn't offer valet parking?"
This happened to some friends and me about a decade ago, come to think of it. Largish group, a few people had come and gone, we'd been there a while. The scammer gave some plausible-if-you-don't-think-about-it explanation for why our regular waiter, who'd brought the check, wasn't picking up the cash. A few of us had felt something funny was going on but not strongly enough to not pay the bill… and by the time the false waiter had crossed the crowded restaurant and ducked out the door instead of heading to the till, it was too late to catch him. The restaurant was sympathetic (it may have helped that some of us were regulars) and we filed a police report, but the scammer got away clean that time.
It seems to me that our society is full of minor "security holes" like this one, but they're mostly of the sort that are easy to close if they become significant. This has happened to me *once* in decades of dining out in good restaurants and bad; the restaurant it happened in wasn't used to this kind of scam either. Clearly the loss from this particular scam is tiny. If it happens more often, restaurants and diners will become more aware of it — notice how eagerly people will spread news of new kinds of scams — and a slight increase in caution makes this scam much less likely to succeed. I think this is one situation in which our normal cultural risk-assessment and -mitigation reactions *are* behaving usefully.
Nihil novi sub sole, Bruce. Get yourself a copy of this film, if you can get a hold of one with subtitles in some language you can understand: http://www.imdb.com/title/tt0081730/ That's a comedy just about a guy who did exactly what you describe. It's a 1980 movie and maybe the guy just saw it and thought it's an idea to try. I wouldn't be surprised if he can talk Czech.
Back in the day when slot machines actually took coins this sort of thing happened all the time in Las Vegas. A guy would be dressed nice, have a little gold badge with some name on it and some even carried a two-way radio (or scanner) and he would go through a busy casino telling customers how the change persons were busy and if the customer needed any change he would get it for them. Of course after collecting some money he would walk out the door.
It still works some times when people want bills broken and do not want to leave their machines.
But yet I have been on the floor in uniform and with a tool belt on and with a slot machine in pieces around me and still people come up and say "Excuse me but do you work here?" I do toy with the idea of saying no just to see what their reaction would be.
Just wanted to comment on a low-tech scam that affected me and my family. I lived in Lake Tahoe and worked for a well known electronics retailer that sold Directv satellite systems in 2001. We owned a Directv system ourselves. My then 12 year old step-daughter was dropped off at home alone with my wife expecting to be there a few minutes later, when a man wearing 'nice clothes' and a tie knocked on the door and told her he was there to 'service' the Directv system and just walked into the house got out the old card and put in another card and left. In and out in less than a minute. When I came home I was livid. Not because we lost the card which cost me $99.00 to replace, but because my 12 year old daughter allowed some random man into our home while she was alone in the house. Not sure if anyone still remembers this but Jaycee Lee Dugard was abducted by strangers in Lake Tahoe, CA and as far as I know she's never been found and nobody's ever been arrested for her kidnapping. So what did she tell me as to why she let the guy into the house? "He was dressed just like you, daddy." Long sleeve shirt with a couple pens in his shirt pocket, dress slacks, and nice shoes. The guy did this to a few people in Lake Tahoe, Ca as well as in the Minden/ Gardnerville, NV area. The smart cards were valuable on the blackmarket, because they could be made into 'test' cards which gave the buyer access to all channels without having to pay for them. They were selling for about $200.00 each I think the police told me at the time. The question I want to give to you is. How do you plug these kinds of holes? I can replace money and possessions and get over the embarrassment of being scammed, but what about our children?
There are endless scams based on entrepreneurs who live near some suburban event - fairs, races, sports, etc. - and rent parking in their yards.
Someone with a flag and a sign rents parking for $5 in YOUR yard because you're not home or watching TV and not paying attention. You park cars in front of an abandoned building. I heard of one guy who put a "parking $5" sign in a public parking lot.
I lived in an apartment when I went to A.S.U. and lived near the stadium. I almost came to blows when I came home just before a game and got in an altercation with someone who "saw this parking space first." This was the parking space for MY APARTMENT.
I have a friend who owns a very popular tourist restaurant in Atlanta across the street from public parking. The tourists, however, are not always aware of the parking. Neighborhoods youths regularly perform their own "valet parking" - UNauthorized obviously. it's across the street.
The police refuse to get involved because, although it's clearly trespass, they DO perform a murky service. He has to get the keys back himself before he runs them off. I asked him why he doesn't do his own valet parking the same way and he told me the city doesn't allow a LEGITIMATE business to use public parking this way.
@Leon - Scary story. It highlights the fine line between a scam and a potentially truly serious incident. As a parent of young children, I struggle constantly to teach my children to draw the line between not expecting the worst in everyone and protecting themselves. Fortunately in rural Central Texas, you tend to know the people that belong, but even so if someone acts and dresses like they belong, how often do we (or our kids) let them in first and then think?
Sorry for the slightly off-topic post.
@Leon, who asks "but what about our children?". That is the question many supposedly security conscious people are asking themselves. These people fall prey to salesmen hawking home monitoring, home security cameras, kiddie cellphones, kiddie GPS tracking, and even worse. They will vote for politicians who promise to "protect them" by putting up public security cameras, reading their mail & e-mail, tapping their telephones, and taking away yet more of our freedoms. This is sheer paranoia based upon a poor understanding of risk. Leon, your children are YOUR responsibility first, not society's, just like my child's security is mine.
Every time I hear "but what about our children?" as an excuse for another absurd paranoid and ineffective law or invasion of privacy, I stifle the urge to scream. (You did not explicitly say so, but implied it.) The world has not gotten significantly more dangerous than when I was a child. I did not need a security detail to escort me to my friends' house a few blocks away, and neither does my son. Unlike what the 24-hour All Fear! news media would have you believe, child kidnappers have not suddenly become common. I do not teach my kid to be paranoid and fear everyone. He does not have a cellphone, nor will I strap a GPS tracking unit onto his ankle. I do tell him not to open the door for a stranger. I do tell him to seek out a teacher at school or a policeman or go into a store if he is having trouble away from home. I tell him when we are expecting a a delivery or a repair visit. This is common sense. Try it.
I realize that I cannot "keep him safe" from the world, just like I cannot protect my son every second from random accidents. This is life. Life can be dangerous, but we still have to live it.
@ Leon, Jerry,
Odd as it might seem the best way to protect your children is to let them get hurt (a little).
Human evolution is bassed around the notion that pain/stress gets imprinted on the brain.
It could be argued that it works like the immune system, you get your basic immunity from your mother but after a short while it has to look out for it's self. Otherwise it will either find something else to attack or not be ready when something nasty comes along.
It sounds rough it sounds negligent but with a little thought you will realise it will help your child become a responsable person on the way to adult hood.
I think Clive is right. Chances are Leon, that your daughter will now be much more cautious about letting in strange people into the home because of the unfortunate incident you all went through. Live and learn.
The waiter droped the dinner check off at the table. My friend looked at it and put his credit card in the slot and left it on the table.
A young man, slacks and white shirt (the same garb as the waiters) asked, "Sir may I take this for you now?" He then walked off with the credit card and disappeared.
By the time my friend and the restaurant understood what happened, some electronics had already been charged.
It's interesting (if accurate) that Leon's robber got twice as much for the stolen card as Leon paid to replace it.
I want to thank everyone for their comments regarding my previous post. I was trying to say that I can replace money/ possessions and I can recover from any embarrassment from being scammed. What is NOT replaceable are our children. I am not giving in to the 'nannycam' mentality, but I am very aware of the need to protect my own children. I still have young children of my own. My 3 1/2 year old niece Natalynn Miller was recently murdered on March 22nd in Visalia, CA this year. So I am very aware of the need for parents to take responsibility for protecting their own children, without making them overly paranoid. I think the right to personal privacy is also very important and my background would make it very easy for me to record everything and review it all later. I choose to trust my children.
Sorry this was so off topic, but it is an emotional topic for me at the moment
I am very sorry for your family's loss. I agree with you and Clive. We have to raise our kids as best we can, trust them, and let them grow. My apologies to all for going off-topic.
There were two sets of cards working at the time is my guess.
The "old" cards were valuable due to their hackability, while the "new" cards that replaced them were not.
They swap out the cards ever so often, but it takes time, so the old cards can still be valuable for a while even though their days are numbered.
A $200 card can pay itself off in a few months with TV costs these days.
It happened to me. It was in Parma (Italy), in a restaurant.
I was coming back from the restroom and walking back to my table when a couple asked me something like "may we pay you?" :-)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.