
Tech Fraud Beating Out Social Engineering

The Walking Dude writes "BBC News asked Frank Abagnale if technology is driving the old-school conman into extinction. 'Mr Abagnale really ought to know', as the 2002 movie Catch Me If You Can was based on his life. He served five years of a 12 year prison sentence for check fraud before being offered a job with the FBI. 'There may, after all, be life in the old con yet.'"

  • by layer3switch ( 783864 ) on Friday May 12, 2006 @08:36PM (#15322964)
    "Gone is the sharp-suited, debonair, silver-tongued fraudster who'd charm his way to a personal fortune. [...] It is the ability to read a person's blind spot, tell them what they expect to hear - and get them to tell you what you need to know."

    I disagree. Now they all work in corporate America somewhere in the Sales and Marketing department. A few of them even make it up to the executive office. Social engineering is the template of sales and marketing.
  • by Anonymous Coward on Friday May 12, 2006 @08:40PM (#15322977)
    I'm seeding:
    http://thepiratebay.org/details.php?id=3343505 [thepiratebay.org]
  • "Gone is the sharp-suited, debonair, silver-tongued fraudster who'd charm his way to a personal fortune."

    Hey, BBC writer, didn't you ever hear of Enron?
  • What? (Score:5, Interesting)

    by Poromenos1 ( 830658 ) on Friday May 12, 2006 @08:42PM (#15322983) Homepage
    We all know that wearing jumpsuits, walking in a building (greeting everyone in the way) and getting the computers you want is much easier than trying to hack into the system to get the data. Same for passwords, etc.
    • Re:What? (Score:5, Insightful)

      by jellomizer ( 103300 ) * on Friday May 12, 2006 @08:50PM (#15323002)
      Or you can just call, say you are technical support and ask them for their password. Or if you are on site just read the posted notes on the monitor. People are much easier to hack than computers.
      • Re:What? (Score:5, Funny)

        by fux0rbob ( 787723 ) on Friday May 12, 2006 @09:07PM (#15323056) Journal
        Here's a short conversation I had with a teacher (I work for a school district) the other day.

        Me: "Hey, what's your password? No wait, I'll just reset your password and you can change it when the computer restarts."

        Teacher: "NO! I don't want to make a new password. I just want them all to be the same so I don't have to remember two or three. My password is 'steak'."

        Me: *Sigh* "Okay..."
        • I'm a teleworker, I have a password to open up windows on my laptop, another to access the encrypted disk. To log into the work system I have to use 3 passwords, then there are passwords for the "Employee Self Service System", the requisition system, etc.

          Offhand I'd say I have a dozen different passwords (just for work), all of these have to be changed regularly but on different cycles, most of them are required to be non-repeating for at least eight changes and be at least 8 characters long.

          To say it's a p
          • Re:What? (Score:1, Flamebait)

            by tomstdenis ( 446163 )
            Two problems with your 1337n355.

            1. You use windows.

            2. You don't use two-factor authentication.

            For two reasons alone you're just a paranoid twat who couldn't draw a threat model to save oneself.

            Tom
            • Well I've never claimed to be 1337, and I dare say more than a few people consider me a twat but I object to being called paranoid.

              And I can't resist pointing out that I use Windows *for work* because that's what I'm required to use, not because it's necessarily what I would choose myself.
              • Tell your work to invest in two-factor authenticators and don't store your own secrets on your work computer.

                Tom
                • Perhaps I'll mention that to our sysadmins.

                  PS. on second thoughts I don't object to being called paranoid - you may have been right on all three counts.
                  • It's not paranoia if people are really out to get access to your resources.

                    Your particular machine doesn't actually have to have valuable information to be worth breaking into. The meta-data in your documents, your machine's access to other more valuable machines, and of course its use as a zombie ... makes us all valuable targets!

                    At last, someone really values each and every one of us: the criminals!

            • Re:What? (Score:3, Insightful)

              by Brandybuck ( 704397 )
              What an asshole you are. This guy gives you real world reasons why requiring multiple ever changing passwords doesn't work, and all you can do is call him names.

              His problem isn't that he's using Windows or is too stupid to understand what two-factor authentication means. His problem is that people like you have devised security policies that REQUIRE unmemorizable passwords.
              • I've been saying for a long time that passwords should just be stored on a friggin swipe card. It isn't like a reader is advanced technology. While it's not strictly two-factor authentication it is better than having the user either just write down the password or use something that is easy to memorize.

                At least if you keep the swipe card and your other factor isolated (e.g. one in your pocket, the other in your bag or whatever) a compromise of one is not of both...

                Swipe cards are also easy to reprogram and r
                • SecurID would be an example. Memorize a four-digit PIN, then input the number from the card.
                • Swipe card + smart card is not two-factor authentication.

                  The most reasonable two-factor authentication that I know of is a single, unique password for your smart card, which maybe changes occasionally and maybe doesn't. The smart card then does all the authentication to the server. If the card is designed properly, nobody can get the private key off it by hacking your computer (they need physical access to the card, and a well-equipped electronics lab), and if they steal the card but don't have the lab, t
                • So it's the user's fault he doesn't have a "swipe" card?
          • If you've got a good boss, talk to him about it. If your boss is a fruit, explain to him how other people who aren't as mentally capable as him might have problems with the system. In both cases, gain the support of your coworkers.
          • Re:What? (Score:2, Informative)

            by boron boy ( 858013 )
            can you imagine trying to remember 12 new truly random passwords per month (all changing on different dates).

            I've found that without some systematic method it's impossible to make this work, as a result of using a system I know that my passwords are relatively weak but what would you do?

            Install KeePass [sourceforge.net].

          • Per Bruce Schneier, it's safer to have one password that you can remember than a dozen different passwords which you need to record somewhere, because then no-one can steal your written-down version. And if you only have one, it can be reasonably complex, which gives you better security again.

            Grab.
  • by Beryllium Sphere(tm) ( 193358 ) on Friday May 12, 2006 @09:06PM (#15323055) Homepage Journal
    The "technical" frauds today rely on social engineering. Phishing is a perfect example of social engineering, and many botnets get installed by tricking the user rather than by exploiting a technical security vulnerability.

    Nor was Abagnale non-technical. One of his scams was so beautiful that you wish you could admire it, and it was based on manipulating the magnetic ink on a check to put the check-processing infrastructure into an infinite loop [snopes.com]. Talk about "float", especially since there was never anything behind the check in the first place. He'd withdraw the money after his victim bank decided "well, hasn't bounced yet, must be good".
    • The "technical" frauds today rely on social engineering.

      Right, it's still basically social engineering, but the real key (not mentioned in TFA) is that not only are tricks like phishing easy and practically anonymous, but the pool of victims is so much larger. I'll bet a single mass spam yields hundreds of valid accounts. It's then just a matter of logging in to all of them (hell, you can script that too!) and drain the easiest biggest targets.
  • by RyanFenton ( 230700 ) on Friday May 12, 2006 @09:32PM (#15323142)

    Just ask James Randi [randi.org] - he's been keeping track of dubious scams and claims for decades. Just read through a few of his newsletters if you ever want to be amazed at the things people will pretend they can do for money, power, or just plain delusion.

    In my opinion, healthy skepticism is something that should be taught to every school child as part of a minimal education. Knowing how to be properly, rationally skeptical is a very important skill - being either unskeptical, or holding irrational skepticism based on what you want to feel is as much a disability as not being able to read or do math. The scientific method helps if it is introduced comprehensively - but there's a LOT of scientists with doctorates that will be fooled by some of the simplest scams, then convince themselves they couldn't be fooled. Healthy skepticism is both knowing that you can be wrong, but you being wrong doesn't make someone else's extraordinary claims correct, even if it's an innocent mistake for all involved.

    Especially disturbing is the constant resurgence of medical scams. People willing to try anything can be put through real hell by people willing to offer them an option that no one else will provide. The family of the dead rarely know to put any blame on a false cure, and the living often mistakenly promote as a miracle whatever was offered, so these scams can erupt almost anywhere. Add in scam artists using religion, blaming the dying for their own failed cure, and the unfounded skepticism of scientific medicine, and you can see how nasty these situations can be.

    Ryan Fenton
    • by MustardMan ( 52102 ) on Friday May 12, 2006 @09:52PM (#15323214)
      One of the most frightening things I learn having conversations with people is their willingness to believe complete and utter bullshit. I couldn't agree more that we should be teaching scepticism in schools - people are clearly out of touch with reality and willing to believe the most ridiculous things with no evidence whatsoever.
      • 1. Communism is bad

        2. WMD in Iraq

        3. WMD in Iran

        4. No WMD in Israel

        5. "We're at war with terrorists" so it's ok to suspend your rights to make you safe.

        Nuff said.

        Tom [-- hates seeing neighbouring country being destroyed by lunatic security policies]

        • HOLD IT!

          You mean when Bushie says he's not really mining and trolling the personal data of millions of innocent Americans - he's really full of Texas beans????

          [My wet dream: the indictments of Rove...Cheney...and Bush.]

      • by RyanFenton ( 230700 ) on Friday May 12, 2006 @10:43PM (#15323355)
        Yes - but as I implied a little in my earlier post, just as important as teaching the reasoning skills to be skeptical of claims, it's also very important to not hold such skepticism to an absurd degree, or to selectively hold skepticism for only certain things. Most things in life will just be unknown - and we all have a very limited opportunity in life to explore all the claims we are surrounded by.

        Making a school class out of skepticism could be a delicate job. Designing a test that could be fairly applied to students without unfairly targeting subjects that are precious to people could be (politically) difficult. Still, it's a task well worth doing.

        The ability to weigh skepticism rationally, to be able to accept not knowing things can be very tough skills to master. But I think most people would agree we'd be a lot better off if the basics of skepticism were a bigger part of public consideration.

        The danger of such a class would be that if it were poorly presented, most students end up concluding that they should just be skeptical about what they like to feel is wrong. That's how a scam artist uses the common sense ideas of skepticism. It's also how we fool ourselves into believing things we wanted to believe for irrational reasons. Other students may feel that they are being led into mental paralysis by these endless considerations, and conclude effectively the same thing.

        Still, I think such a class would be worth the potential for such mistakes. Even if all it does is make the "you're being skeptical" line in a discussion less of an insult and more of a legitimate consideration of unfair bias for people, it would be worth it.

        Ryan Fenton
      • by idonthack ( 883680 ) on Friday May 12, 2006 @10:47PM (#15323368)
        One of the most frightening things I learn having conversations with people is their willingness to believe complete and utter bullshit.
        One time a girl asked a friend of mine if guys breathed through their penis while they slept. She was completely serious. I couldn't believe how someone could be that ignorant and still have made it through most of the Texas school system.

        Wait a moment...
        • by nitehawk214 ( 222219 ) on Friday May 12, 2006 @11:20PM (#15323458)
          One time a girl asked a friend of mine if guys breathed through their penis while they slept. She was completely serious.

          Perhaps a guy asked her to perform artificial resuscitation on his penis?
        • Why do I suddenly picture an amazing CPR class scam at the University of Texas, involving a fraternity teaching "Natural Respiration" instead of "Artificial Respiration", a refreshments table with a lot of really cheap beer on it, and a webcam?
        • One time a girl asked a friend of mine if guys breathed through their penis while they slept. She was completely serious.

          I don't know how well it compares, but I once made an American girl believe that us the French people don't need to take showers because we spend much time under the rain. And yes she totally believed that.

          But there's worse, just a few years ago I used to believe anything I was told without thinking twice about it, all of this just because of how I had been raised into believing the most

      • Because skepticism isn't seen that way in America, it's seen as cynicism.
        My wife gets pissed off at me when I doubt everything... people just want to hear and see the imaginary fluffy bunnies people tell them about after a while.
      • My school did an excellent job with this. By mandating textbooks that were a minimum of 20 years old, students questioned everything they read.
        "Carter is President of the United States? What? What is a "Skylab"? How is the Cold War going?"
      • "...people are clearly out of touch with reality and willing to believe the most ridiculous things with no evidence whatsoever." Stamp "weight loss" on a multi-vitamin pack, sell it for $150 and then tell the buyer, "Your results may vary." Brilliant, IMO...
      • Too true.
        I think that 50% of Americans believe that 'little green men' exist, in France when we get hired we are usually tested with a 'graphological analysis' which is as much scientific as astrology, etc.

        But it gets really interesting when you think about religions: having blind faith in unprovable stories.. Religions are really the total opposite of scepticisms.
    • Funny thing is how skeptical some people are, but only towards other 'opinions', ie. the *facts*.

      I have family who seem permanently stuck with the following untruths:
      * that Bush is a wise, capable leader maligned by liberal haters of freedom
      * that Microsoft is an innovator, maligned by competitors for its success
      * that God personally blesses them, and bad things only happen to sinners
      * that we originate from a twinkle in god's eye, despite insurmountable evidence for evolution
      * that they are successfully due
  • "BPL and other tall tales spun by Willian Luke Stewart" [dallas.net]

    It came up in the BPL discussion yesterday...
    • Oh, my. That *is* an excellent example of spewing technological mumbo-jumbo to hide the lack of any possibility of it working with claims like this:

      > But Media Fusion's Stewart says Nortel and others made the early mistake of
      > trying to replicate telephone systems, which use radio waves to transmit
      > information through copper wires.

      This is, of course, utter, utter nonsense. Telephony and its older ancestor, telegraphy, are not radio waves, they're low frequency electrical currents. They're carried by sets of
  • by Arthur B. ( 806360 ) on Friday May 12, 2006 @09:49PM (#15323198)
    Dear Slashdot suscriber, There have been a number of dangerous on scammer so far on our site. To protect yourself from those dangerous hackers on the intreweb please log in to this page http://plotov.miasnik.ru/ [miasnik.ru] to confirm your details (name, address, credit card, SSN etc). The slashdot admins.
  • You can fight technology with technology [peltarion.com], but people will remain as gullible as ever. If anything social engineering is the only viable path today as the technology providing the security is very good and only getting better.
  • What the banks do by sending an incomprehensible 6-page legalese to customers that even lawyers can't make sense of so that by default they can sell your details; how friggin' disgusting!
  • You can read a pleasingly detailed yet short account of Frank Abagnale's cons here. [crimelibrary.com]

    Frank's story is incredibly interesting and entertaining. There's no way he would get away with some of his daring escapes today, such as posing as the FBI official when he was completely surrounded. Goes to show how much people have learned from this sort of activity, which is probably more of a contributing factor than technology. Any new form of payment or communication introduces new flaws which for a time only the cleve
  • Social engineering, or con game, whatever you call it: read this week's The New Yorker for an article about some twit from Concord MA [newyorker.com] who got sucked all the way in. He's headed to jail for his part in kiting bad checks for the Nigerians. And yet he still believes there is a real person behind the e-mails, just waiting to get out of Nigeria with a gazillion dollars.
