Foreword - Social Engineering: The Art of Human Hacking (2011)

Foreword

Security is a puzzle with two sides. From the inside, we look for a sense of comfort and assurance. From the outside, thieves, hackers, and vandals are looking for gaps. Most of us believe our homes are safe until one day, we find ourselves locked out. Suddenly, our perspective shifts and weaknesses are easily found.

To completely understand any kind of security it is essential to step outside of the fence, in essence locking ourselves out, and start looking for other ways in. The problem is that most of us are blinded to potential problems by our own confidence or our belief that strong locks, thick doors, a high-end security system, and a guard dog are more than enough to keep most people at bay.

I’m not most people. In the last ten years I have pulled more cons and scams than anyone in history. I’ve beaten casinos, faked sports events, fixed auctions, talked people out of their dearest possessions, and walked right past seemingly unbeatable levels of security.

I have made a living exposing the methods of thieves, liars, crooks, and con men on a hit TV show called The Real Hustle. If I’d been a real criminal I would probably be rich, famous, or dead—probably all three. I have used a lifetime of research into all forms of deception to teach the public just how vulnerable they really are.

Each week, along with Alexis Conran, I pull real scams on real people who have no idea they are being ripped off. Using hidden cameras, we show the audience at home what is possible so they can recognize the same scam.

This unusual career has resulted in a unique understanding of how criminals think. I’ve become a sheep in wolves’ clothing. I’ve learned that, no matter how impossible something might seem, there’s almost always a clever, unexpected way to solve the problem.

An example of this is when I offered to show how easy it would be to not only steal a woman’s purse, but also to get her to tell me the PIN to her ATM or credit cards. The BBC didn’t think it was possible to accomplish this. When we presented this as an item for The Real Hustle, the BBC commissioner wrote “will never happen” beside it and sent it back. We knew it was entirely possible because different versions of the same scam had been reported, where victims of theft were talked into revealing their PINs in several clever scams around the UK. We took elements from different scams to illustrate exactly how someone might be duped into giving someone else complete access to their bank account.

To prove our point we set up the scam at a local cafe. The cafe was on the top floor of a mall on Oxford Street in London. It was relatively quiet as I sat at an empty table wearing a business suit. I placed my briefcase on the table and waited for a suitable victim. In a few moments, just such a victim arrived with a friend and sat at the table next to mine, placing her bag on the seat beside her. As was probably her habit, she pulled the seat close and kept her hand on the bag at all times.

I needed to steal the entire bag, but, with her hand resting on it and her friend sitting opposite, she was beginning to look like bad news. But, after a few minutes, her friend left to find a restroom. The mark was alone so I gave Alex and Jess the signal.

Playing the part of a couple, Alex and Jess asked the mark if she would take a picture of them both. She was happy to do so. She removed her hand from her bag to take the camera and snap a picture of the “happy couple” and, while distracted, I casually reached over, took her bag, and calmly locked it inside my briefcase. My victim was yet to notice the empty chair as Alex and Jess left the cafe. Once out of sight, Alex headed quickly for the parking garage.

It didn’t take long for her to realize her bag was gone. Instantly, she began to panic. She stood up and looked around frantically. This was exactly what we were hoping for, so I asked her if she needed help.

She started to ask me if I had seen anything. I told her I hadn’t but convinced her to sit down and think about what was in the bag. A phone. Make-up. A little cash. And her credit cards. Bingo!

I asked who she banked with and then told her that I worked for that bank. What a stroke of luck! I reassured her that everything would be fine but she would need to cancel her credit card right away. I called the “help-desk” number, which was actually Alex, and handed my phone to her. She was hooked and it was now up to Alex to reel her in.

Alex was downstairs in the van. On the dashboard, a CD player was playing office noises we had downloaded from the Internet. He kept the mark calm, strung her along, and then assured her that her card could easily be canceled but, to verify her identity, she needed to enter her PIN on the keypad of the phone she was using.

My phone and my keypad.

You can guess the rest. Once we had her PIN, I left her with her friend and headed for the door. If we were real thieves, we would have had access to her account via ATM withdrawals and chip and PIN purchases. Fortunately for her, it was just a TV show, and she was so happy when I came back to return her bag and tell her it was all a fake scam. She even thanked me for giving her bag back, to which I replied, “Don’t thank me. I’m the one who stole it.”

No matter how secure a system is, there’s always a way to break through. Often, the human elements of the system are the easiest to manipulate and deceive. Creating a state of panic, using influence, manipulation tactics, or causing feelings of trust are all methods used to put a victim at ease.

The scenario outlined here is an extreme example, but it shows that, with a little creativity, seemingly impossible scams can be pulled off.

The first step in becoming more secure is simply conceding that a system is vulnerable and can be compromised. Conversely, believing a breach is impossible places a blindfold over your eyes as you run full speed ahead. Social Engineering is designed to provide you with invaluable insight into the methods used to break seemingly secure systems and to expose the threats that exist in the largest vulnerability: the people. This book is not a guide for hackers; they already know how to break in and are finding new ways every day. Instead, Chris Hadnagy offers those inside the fence an opportunity to take a look from the other side, the dark side, as he exposes the thinking and methods of the world’s most malicious hackers, con men, and social engineers.

Remember: those who build walls think differently than those who seek to go over, under, around, or through them. As I often tell my audiences, if you think you can’t be conned, you’re just the person I’d like to meet.

Paul Wilson

October 2010