It can be easy to consider how understanding social engineering is used for offense; that is using it to get people to do things using social manipulation. It isn’t always so obvious that the understanding of social engineering is used for defense; identifying when someone else is trying to socially engineer you. Perhaps even less recognizable is that social engineering can be a back and forth game of chess. While many of us know examples of social engineers talking there way past security, or talking a person into clicking a link, perhaps fewer of us know examples of a ‘defender’ who identifies they are being socially engineered and making moves against the person they are interacting with. What does this look like?
Think of a scenario where you are a front desk employee at a hotel. An individual comes up to you and says they lost their room key and left their ID in the room. It’s likely that if you travel often you have either been in this situation or have seen something similar play out. Most likely it’s an honest attempt by a hotel guest to get into their own room, but it could be a malicious actor trying to gain access to someone else’s room. Let’s assume that Bob is staying in this hotel. Bob has a laptop that Jane wants to get her hands on. Jane knows that Bob is in town for the conference he is going to speak at and saw him leave the hotel without his laptop. Jane goes to the front desk and, pretending to be Bob’s wife, tells the employee at the counter that she lost her room key. What kind of security measures are in place?
Generally, she will be asked for the room number and the name on the account. Obviously Jane could have followed Bob to see where his room is located but the front desk might note that there is only a single person in the room. If Jane is lucky, there are two people registered to the room so her actions look less out of place. Either way, the employee might ask for ID. Jane can either use fake ID or say that she forgot it in the room. “But Tom, no one falls for fake ID” I can hear some of my readers saying. If you think this then you haven’t seen some of the IDs I have. When I worked 6th Street in Austin, TX, I was notorious for spotting fake IDs without having to run them against NCIC/TCIC (records databases for law enforcement). This came through years of practice and a lot of time spent studying what a real ID is and what it isn’t. The point is that fake IDs are inexpensive and will pass the muster against the vast majority of people checking them. It’s also important to note that when we think fake ID what do we think they are used for? Getting minors access to alcohol or for identity theft. We don’t think of fake IDs being used to show a fake name to gain access to Bob’s room at a hotel. The employee doesn’t think this either unless they have been trained on or considered the possibility. In many examples of this kind of operation, Jane gets a new keycard to the room and can access whatever she wants while Bob is away, all while Bob has no idea it has even happened. Bob’s laptop is compromised and he potentially never even knows it happened. Imagine this same scenario with an estranged ex-partner that has ill intent.
So how does this scenario look when the hotel has a few simple security measures in place or if the employee is aware of the possibility of this kind of social engineering attack? Let’s play this again. This time, Jane comes to the front desk and asks for a replacement room key. The hotel policy is that all adults staying in a room must have copies of their ID in the system during check-in and an eye-level security camera takes a recording of all guests as they check in. Ignore for this article the security measures and data retention / destruction that must be in place for this system to function. When the employee punches in Bob’s room number, he can quickly and easily see security camera footage of Bob during check in, can see that there is no one else on the room, and see that Jane does not belong. What if Bob checked in with his wife and Jane is impersonating her? Again, the employee can see on the security video that Jane is not the other female and can see that her fake ID does not match the one presented by the the spouse. At this point, our employee goes from defense to offense.
Understanding that Jane is likely trying to fraudulently get into Bob’s room, our trained employee hits a button to quietly call security to the front desk. The employee goes through the motions of pretending to make a room key for Jane to keep her there. It does often take a few minutes to make a clone key and things can always go wrong and have to be redone. Our employee is now on the offense, trying to stall without being obvious and keep Jane where she is until security can arrive. All of this is happening while Jane thinks she is still the one on the offense. One of the keys to this kind of back and forth is that everyone is in character and must remain in character until it’s time to end the charade. In this case, it might be that the employee continues to play the character of someone who is helping Jane until security confronts her and the employee can drop the facade.
Hopefully this shows one potential attack to be aware of and helps explain the potential chess-like nature of social engineering. “But Tom, if I’m Bob how can I avoid someone doing this to me?”. You can always ask the front desk to put a note on your account for 100% ID check and verifying ID numbers, or a passphrase, etc. I don’t know if they will check these things but it’s worth a shot.