Slashdot Mirror


Social Engineering in the Workplace

An anonymous reader writes "Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing? Even worse, could they manipulate you into helping them each step along the way?"

10 of 316 comments

  1. Re:Human Limits of Security by dilweed · · Score: 5, Informative

    Correction: He wasn't wearing a suit. He was wearing a black polo and khakis, aka the casual corporate uniform.

    It's been said that with a hard hat and a clipboard you can get into nearly any building. This is just another example of that taken a step further.

  2. Re:"social engineering" is the easy way. by 91degrees · · Score: 3, Informative

    How hard can it be to get usernames/passwords this way?

    I read about early hackers in "Approaching Zero" (by Bryan Clough & Paul Mungo). It's been common practice amongst hackers since the '80s or before. I hope that since then companies have learned to train their staff to check people are who they say they are. However, lots of money has been lost by people being tricked by email into going to fake bank websites and entering their personal details. It's more or less the same thing.

  3. Funny but true. by Anonymous Coward · · Score: 2, Informative

    Homeless people near my university used to pass themselves off as grad students to steal scrap metal to sell to those who deal in such things. To pull this off, they left their carts near exits to the building, and proceeded as normal.

  4. Re:Stupid by TinheadNed · · Score: 5, Informative

    Well, because while the warehouse guys and shop flunkies can come and go on a weekly basis, nobody, NOBODY ever gets to play with the money. Two people are normally required to do the counting, and then it gets put in the safe.

    Also, while moving merchandise round is done everywhere in broadly the same way, the cash routines are normally more tightly fixed and less easy to predict. Also, the money has to be counted nice and carefully as the cashiers need to check they haven't screwed up during the day.

  5. Second Slashdotting--Drupal by Brian Puccio · · Score: 4, Informative

    Actually, it's his second slashdotting, and his CMS, Drupal, has an anti-slashdotting mechanism built in--caching.

  6. Re:social engineering is useful at work. by Henrik S. Hansen · · Score: 2, Informative

    Kevin Mitnick's "The Art Of Dection"

    That would be The Art of Deception (not an affiliate link).

  7. It's more than that. by Anonymous Coward · · Score: 1, Informative

    A con is an appeal to a person's estimation of you as a person. You want them to like and trust you.

    Social engineering is appealing to a person's sense of obligation to serve another authority, and to seem the part.

  8. Re:Human Limits of Security by Anonymous Coward · · Score: 2, Informative

    The federal government / armed forces aren't immune to this. I used to work at a building next to a Military Entrance Processing Center. (This was post 9-11). One of my buddies was a recruiting officer there. They have a strict policy that everyone gets 'stickered' if they don't have a government ID -- they basically plaster a barcode on you. (Inventory tag -- Recruit, Wet Behind Ears, 1)

    One time when I was visiting, I had my employee badge on -- which was the same approximate size as the government/military IDs in use at the time (This was just before the two-sided biometric cards came out, and this facility used HID cards as internal photo badges and swipe cards.) I had it on a neck lanyard, and it had flipped around so the printed side was facing my chest. The enlisted man asked his officer if he needed to sticker me, and the officer glanced over, said "no, he's got an ID..." and passed me through the security gate with directions on how to get to my buddy's desk ... no escort or anything, and they didn't even ask me to flip the badge around so they could see the photo.

  9. Trust AND Fear by Titusdot Groan · · Score: 4, Informative

    The best way to combat social engineering is to have policies in place AND allow people to enforce them. The second biggest hurdle is security people afraid of some uppity VP getting upset because you aren't giving him "special consideration".

    If the minimum wage plus a couple of bucks guard can prevent the blustering VP of Operations who forgot his security pass from entering the building WITHOUT repercussions AND the guard knows it, you have a chance of social engineering not working.

    There's a probably apocryphal story of one of the von Siemens being stopped from getting into one of their own buildings by some old German guard. The punch line is the old guy saying "Yes, I admit you LOOK a lot like von Siemens and you PROBABLY are von Siemens but without papers you are not getting into this building". von Siemens thought about it for a while, settled down and gave the old guy a big bonus. The story was passed around to everyone as how security should be done.

  10. Re:Low-paid employees are complicit by weiyuent · · Score: 2, Informative

    After a lot of hand-wringing and head scratching we concluded that the reason they are stealing is because they feel that at $6 an hour, the company is stealing from them.

    Time to revisit this Fortune Magazine article again.

    Synopsis: Costco suffers much less stock shrinkage than Walmart because it pays its employees well and treats them nicely.