Guest Post – Joe Gray, AdvancedPersistentSecurity.net
What a pleasure to include this awesome guest post by our friend Joe Gray of AdvancedPersistentSecurity.net on the Deception Chronicles. Herein, a tale of a fail... Thanks, JOE!
SOCIAL ENGINEERING: FAILED
Joe Gray
This blog is an account from my perspective of events that I saw at a retail store. Disclaimer: I am in no way, shape, or form – past or present, compensated to endorse any solutions or software mentioned throughout this blog post. Email any questions you have about this or any other topic to blog@advancedpersistentsecurity.net
INTRODUCTION
It’s the day after Christmas and aside from talking about the obvious OSINT implications of people leaving their trash out and OSINT gatherers pilfering for their own gain and profiling, this sequence of events fell into my lap while standing in line at Walmart. To set the stage, it was about 10:30 p.m. on a Monday, the day after Christmas. There were only 2 lanes open (which is jokingly 1 more than would’ve been open during peak hours). The lane opposite of mine is the one that sells tobacco products.
THE PRETEXT
In a blunder of epic proportion, I observed a group of four people, two of whom may qualify as what people may call “tweakers,” checking out. They had a cart full of random stuff; I did not pay much attention, as it did not seem out of the ordinary – initially. The items mostly appeared to be food. The “non-tweakers” were standing by the cart and the “tweakers” were at the point of sale (POS) system and interacting with the cashier.
When everything had been scanned, the total came to $57 and some change. Again, this is not particularly interesting – yet. When prompted for payment, the male tweaker gave the cashier a story about someone stealing his EBT (Electronic Balance Transfer; also known as ‘Food Stamps’ or ‘SNAP’) card at the self checkout. He then pulled a receipt out of his pocket and told the cashier that he had the card number and info and she could just type it in. The cashier was willing to oblige. She asked a more senior employee and that employee referred her to the Customer Service Manager (CSM).
The CSM arrives and the male tweaker tells him the same story and asks if he can help. The CSM advises him that it is against store and corporate policy. The male asks the CSM to see if the card is onsite in the box or vault that cards left behind are put in. The CSM obliges and returns with the report that there are no cards in the box. The man continues to attempt to persuade the CSM to allow the transaction.
The CSM holds firm. The transaction is cancelled. I check out, story over.
MY ANALYSIS
A few things lacked logic in the whole story and sequence of events. For starters, no one stepped up to get anything from the cart as an emergent need. Secondly, if the card is in fact EBT, it is late in the month for such a transaction. No balance is allowed to be carried over.
The two couples did not seem to know each other well. From the perspective of body language and the way each pair carried themselves, they seemed unlikely to have the same social circles. The non-tweaker couple seemed fairly well put together, while the tweaker couple seemed more impulsive and less “together.”
The story itself did not add up. The story about self checkouts lacks logic as the self checkouts are by the only doors open at this time. There is an attendant at the self checkouts to handle these scenarios as well. I saw what I believed to be a similarity in appearance between the non-tweaker female and the cashier. How would someone be able to steal a card from another person at the self checkout?
While leaving the store, I was parked about halfway down the parking lot. The tweaker couple was parked further away and had just got to their car. They had left the confines of the store after I walked out. The other couple was parked at the very front on the opposite side of the store. If they were buying for friends that went to the store with them, would they have parked so far apart? Not likely.
CONCLUSION
In conclusion, I am glad that the CSM stepped in and stuck to his guns. I think back to when I worked at Walmart in the early 2000s and, if I recall correctly, the fraud and social engineering training was negligible. I would venture to say that the same exists today for cashiers. I fear that if this is truly a fraud to monetize public assistance that they will succeed somewhere and soon. I believe that retail employees in positions as cashiers or return associates at places like Walmart, Target, Tesco, Sears, etc. need more in-depth training to better enable the companies to detect and prevent fraud through social engineering.