ID checks, search revisited again

I probably sound like a broken record these days, but people are my interest right now. And, one of the things I really enjoy about exploring this area is that you get to meet a lot of people, and hear their takes on the people factor and security. So, while none of the following may be new to you, I found it interesting…

(Of note, this information is for my research purposes, and I am posting it here to foster discussion with some of my readers. Realize that there are real consequences to misrepresenting yourself at ID checks, such as being fined or going to jail. Do not try any of this.)

A couple of days ago, I was riding on the train, when a group of women pulled me into a conversation. Something about my shirt. We got to talking about places to go, and the next thing you know we were talking about ID requirements. Turned out, these ladies were college students and not quite legal drinking age, which is often a prerequisite to entering venues in NYC, and this was the motivation behind the attacks to be discussed.

Now it gets interesting. One of the women in this group actually had a stack of real IDs that were all for people of legal age. The IDs were gathered from friends and family (e.g., older sisters), whether given or taken (e.g., “borrowed without permission”). Basically, what these ladies did was figure out which IDs were the best matches for each of the members of the group, and then each of them tried to pass themselves off as legal age using the selected ID. They noted that the height and eye color listed on NY driver’s licenses were entered by the person getting the license, sometimes input into the system incorrectly, and not at all verified by the issuer. They also pointed out that NY driver’s licenses would note when a person required corrective lenses or contacts, which mattered since wearing (or not wearing) glasses could change appearance and wearing contacts could change eye color. More interesting though, they discussed how legitimate IDs let a place claim that it did its job at the door, as the facial recognition process itself was quite subjective (this made me think of plausible deniability – I told the ladies they should consider politics). Their impression of the effectiveness of this attack at getting them past the ID check was at about 85%.

In order to up the probability of success, the ladies employed two secondary techniques. One technique was having the most adept social engineers of the group conduct the primary interactions with the ID checker. The ranking of such skills was subjective, but it generally came down to being attractive and social. The point of this was to get the checker in the frame of mind of wanting to allow the ladies to enter, which also implied getting the checker to want to accept the IDs being presented. This was also used to avoid any signs of nervousness from the group and get them looking the part. The other technique was just memorizing the details on the ID and being ready for small talk with the ID checker (that applied to everyone, not just the primaries used in the first secondary technique) – such interactions were rare, but did happen from time to time. With these two simple measures in place, their impression of the effectiveness of the attack was at about 95%.

Ok, so these college students had a fairly debilitating attack against these subjective facial recognition ID checks, but it was based on obtaining a number of legitimate IDs – could they get rid of this requirement, bypassing IDs altogether? Well, I inquired about what happens when they don’t have IDs. Besides noting that obtaining real IDs was “easy” right now and so there was no reason to make the attack more difficult, there were a few other interesting points they made, which applied both with the legitimate ID attack and without.

One of the keys to success they cited was doing their homework (e.g., reconnaissance). Knowing how strict a place was about IDs, knowing what had worked or not worked in the past, having profiles on the different bouncers (e.g., a “mean” to “nice” scale), having affiliations with particular gatekeepers (e.g., being friends with the doorman), understanding their current ID situation (e.g., did most of the group have real IDs? did none of the group have real IDs?) etc. was all involved here. Their social network was particularly important, as this information was shared among their peers and easy to come by knowing the right people (sounded like the hacker community to me).

These women knew exactly who were the skilled social engineers of the group, and those were the people they set loose on the bouncers. With the homework done, it often came down to these people’s skill sets once out there in the wild performing the attack. They actually pointed to a specific member of the group and said she could get in almost every door, sometimes because of contacts, most times because of personality, looks, and manipulation.

These ladies also understood the impact of beauty. Besides the obvious things like flirting with bouncers, they felt that most places were looking to attract beautiful women, because that in turn attracts everyone else, so places wanted to let them in. Also, they were careful to note here that beauty was important even with the legitimate ID attack, as they felt ID checkers sometimes did recognize the IDs were not really theirs, but, because they were an attractive group of women, it was in the place’s best interest to let the ladies in, given the plausible deniability factor.

Anyway, all of this sounded very similar to my recent ramblings, and so I thought it fitting for this blog. These sorts of attacks are not restricted to age verification ID checks by any means, and I even think the general methodology employed here ports to an extent to how to conduct attacks on systems in general.

-

After a long dry spell, the interesting search terms just keep on coming. It’s not a weekend, but so be it –

how+use+ix+wordpress+2.1.1

LOL. This post might be of interest.

Why+does+physical+beauty+threaten+people%3F

You might enjoy this post. Oh, and cool pseudo-fact – people tend to give beautiful people more personal space than not so beautiful people. I ran into a model last weekend and asked them to put it to the test – people flew out of their way when we walked down the street.

does+being+beautiful+go+a+long+way

You too might enjoy this post.

One Response to “ID checks, search revisited again”

  1. [...] Pointing out interesting searches found in my logs has been a big hit with many of you. (I am waiting for the referrer forgeries.) [...]
