
As promised in my post:

Most common tricks used in "The Real Hustle":

1. Fake an appearance of authority (wear a uniform, get a sign, etc.)

2. Get a shill/accomplice.

3. Get people to make exceptions to routine security measures based on extenuating circumstances.

4. Get people distracted or nervous.

5. Use social conditioning to prevent people from speaking out (e.g. taboos against making a scene in public)

6. Appear to concede something of your own (give someone fake collateral)

7. Give the mark a motive to be surreptitious (e.g. get the mark to commit a crime)

8. Make people think there's an information asymmetry to their advantage (e.g. pretend not to know how much euros are worth, thus making the person think they're ripping YOU off).

9. Put the mark under time pressure.

10. Use easily obtainable information for authentication. (e.g. eavesdrop on the person)

11. Do a verification of authenticity, but then cause an interruption that lets you swap back to counterfeit. (e.g. show someone the laptop you're selling them, but at the last moment swap it out of the bag for a block of wood)

12. Cause a plausible emergency situation that voids the usual authentication mechanisms. For example, put an "out of order" sign on a bank deposit box and stand to collect people's money.

13. Fake credible signals. For example, people are willing to believe what they overhear while eavesdropping on you, since they don't realize they've been set up, and therefore don't think you have any reason to be dishonest.

14. To increase trust, give the mark a token sign that you're following security guidelines: "sorry, I'm not allowed to accept money from you. Please call this number instead."

15. Make an offer you know they'll refuse, but that enhances your credibility nonetheless. (e.g. offer to authenticate yourself in a way that would inconvenience them, such as having them call a number and wait on the line.)

16. Stores/restaurants don't let you leave without paying, but they're more comfortable if someone in your party sticks around. Befriend an innocent bystander and make them complicit by giving the business the impression that you know the person.

Protecting against scams:

1. Always keep your valuables in a hard-to-reach location.

2. Require credible authentication! If someone calls, ask for a number to call them back.

3. If you can't get credible authentication, take a picture. Get the conman's identity. They should be happy to give you more info. Or put them in a surprise situation that will throw their scam off guard.

4. For a game or proposition bet: ask "Is there a trick?"

5. If an out-of-the-ordinary event happens and you get your attention drawn to something, keep in mind that it could be a scam.

6. Bargains rarely come looking for you, unless there's a catch.

7. Remember: Situations that look like coincidences are easy for conmen to set up!!!

I just came across a podcast yesterday on this very subject: http://www.social-engineer.org/framework/Podcast

I've only listened to one episode so far (Episode 010 - Social Engineering Past, Present and Future - Released 14 June 2010) but these guys are behind the social engineering contest at defcon that got all that attention (http://news.cnet.com/8301-27080_3-20012290-245.html). Also, they had a lot of veterans who were quick to share battle stories. A very enjoyable listen (plus tons of link suggestions, books, etc).
