Ask HN: How can I learn about social engineering exploits? - lunchbox

I recently read _The Art of Deception_ by Kevin Mitnick [1], and watched the BBC show _The Real Hustle_ [2]. As someone who has a natural tendency to trust people, I'm interested in learning more about the underlying principles that social engineers and con artists employ, and seeing well-executed examples, from phishing to guy-on-the-street scams.

Question for security-savvy HN readers: what websites or books on this topic would you recommend? (For example, I like reading the links Schneier [3] occasionally posts about ingenious schemes he comes across.)

In case it's of interest to anyone, I'll post in the comments a compilation of the most frequent tricks & lessons I learned from the full series of _The Real Hustle_.

[1] http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124

[2] http://video.google.com/videoplay?docid=25386750441983070#

[3] http://www.schneier.com/
======
lunchbox
As promised in my post:

_Most common tricks used in "The Real Hustle":_

1\. Fake an appearance of authority (wear a uniform, get a sign, etc.)

2\. Get a shill/accomplice.

3\. Get people to make exceptions to routine security measures based on
extenuating circumstances.

4\. Get people distracted or nervous.

5\. Use social conditioning to prevent people from speaking out (e.g. taboos
against making a scene in public)

6\. Appear to concede something of your own (give someone fake collateral)

7\. Give the mark a motive to be surreptitious (e.g. get the mark to commit a
crime)

8\. Make people think there's an information asymmetry to their advantage
(e.g. pretend not to know how much Euros are worth, thus making the person
think they're ripping YOU off)

9\. Put the mark under time pressure.

10\. Use easily obtainable information for authentication. (e.g. eavesdrop on
the person)

11\. Do a verification of authenticity, but then cause an interruption that
lets you swap back to counterfeit. (e.g. show someone the laptop you're
selling them, but at the last moment swap it out of the bag for a block of
wood)

12\. Cause a plausible emergency situation that voids the usual authentication
mechanisms. For example, put an "out of order" sign on a bank deposit box and
stand to collect people's money.

13\. Fake credible signals. For example, people are willing to believe what
they overhear while eavesdropping on you, since they don't realize they've
been set up, and therefore don't think you have any reason to be dishonest.

14\. To increase trust, give the mark a token sign that you're following
security guidelines: "sorry, I'm not allowed to accept money from you. Please
call this number instead."

15\. Make an offer you know they'll refuse, but that enhances your credibility
nonetheless. (e.g. offer to authenticate yourself in a way that would
inconvenience them, such as having them call a number and wait on the line.)

16\. Stores/restaurants don't let you leave without paying, but they're more
comfortable if someone in your party sticks around. Befriend an innocent
bystander and make them complicit by giving the business the impression that
you know the person.

_Protecting against scams:_

1\. Always keep your valuables in a hard-to-reach location.

2\. Require credible authentication! If someone calls, ask for a number to
call them back.

3\. If you can't get credible authentication, take a picture. Get the conman's
identity. They should be happy to give you more info. Or put them in a
surprise situation that will throw their scam off guard.

4\. For a game or proposition bet: ask "Is there a trick?"

5\. If an out-of-the-ordinary event happens and you get your attention drawn
to something, keep in mind that it could be a scam.

6\. Bargains rarely come looking for you, unless there's a catch.

7\. Remember: Situations that look like coincidences are easy for conmen to
set up!!!

~~~
GrowWebs
I just came across a podcast yesterday on this very subject:
<http://www.social-engineer.org/framework/Podcast>

I've only listened to one episode so far (Episode 010 - Social Engineering
Past, Present and Future - Released 14 June 2010) but these guys are behind
the social engineering contest at defcon that got all that attention
(<http://news.cnet.com/8301-27080_3-20012290-245.html>). Also, they had a lot
of veterans who were quick to share battle stories. A very enjoyable listen
(plus tons of link suggestions, books, etc).

------
fakelvis
You may have seen this, but a while back Schneier pointed to a study (pdf)
conducted by Frank Stajano [1] and Paul Wilson [2]:
<http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-754.pdf>

The study looks at the recurring behavioural patterns con artists use to
exploit victims and concludes that there are seven psychological principles
they exploit.

I summarised them here:
<http://www.lonegunman.co.uk/2009/12/02/seven-psychological-principles-con-artists-exploit/>
They are:

1\. _The distraction principle_ While you are distracted by what retains your
interest, hustlers can do anything to you and you won’t notice.

2\. _The social compliance principle_ Society trains people not to question
authority. Hustlers exploit this "suspension of suspiciousness" to make you do
what they want.

3\. _The herd principle_ Even suspicious marks will let their guard down when
everyone next to them appears to share the same risks. Safety in numbers? Not
if they’re all conspiring against you.

4\. _The dishonesty principle_ Anything illegal you do will be used against
you by the fraudster, making it harder for you to seek help once you realize
you've been had.

5\. _The deception principle_ Things and people are not what they seem.
Hustlers know how to manipulate you to make you believe that they are.

6\. _The need and greed principle_ Your needs and desires make you vulnerable.
Once hustlers know what you really want, they can easily manipulate you.

7\. _The time principle_ When you are under time pressure to make an important
choice, you use a different decision strategy. Hustlers steer you towards a
strategy involving less reasoning.

I recommend reading the full study; it's fascinating.

[1] Of the University of Cambridge Computer Laboratory. [2] Writer and
producer of _The Real Hustle_. Was an IT consultant for twelve years before
moving into entertainment.

------
jeebusroxors
Art Of Deception was a fun read (along with Intrusion). I found it not to be a
guide per se (although it may be billed that way) but the stories are
inspiring and really get you into the mindset.

------
ascuttlefish
Johnny Long wrote an interesting book called _No-tech hacking: A Guide to
Social Engineering, Dumpster Diving, and Shoulder Surfing_ that might interest
you.