Slashdot Mirror
Social Engineering in the Workplace
An anonymous reader writes "Could a total stranger walk out of your business with thousands of dollars in merchandise without your knowing? Even worse, could they manipulate you into helping them each step along the way?"
I love it. Load it up, the very first line of the page is "SlashDot defense provided by Nexcess.Net"
There's forethought, with some free advertising thrown in.
|>
Here be Dragons
This is a great read! One has to wonder: Isn't it much easier to social-engineer ones way into a system than the "hacking" approach?
,something with the Australian customs office. And there is the now really famous French guy who used to simply walk in on high level government events and get his picture taken.
How hard can it be to get usernames/passwords this way? And since we are in linux-land here: I would bet that more than half of the sysads here would open up their systems to the first pretty girl that would walk along their cubicle. Obviously she cannot be too pretty as that would be VERY suspicious.
There are plenty of stories going around about people just walking into a server room, and taking a few servers home with them. We even had one of those on slashdot here a few months ago
But the world is probably safe: Somehow good social skills and good technical skills are mutually exclusive...
I work tech support at an isp, and after reading Kevin Mitnick's "The Art Of Dection", I've had a keen eye for situations were social engineering could be going down, the thing is if policy dictates that you respond a certain way, you do so reguardless. The funny thing is how much more helpful other internal departments are if you use some social engineering techniques. Sometimes the billing dept. will help a save desk agent more than techsupport; sometimes a field rep. gets less lip than tech.support to escalate an issue. Guess it goes to show any tool can be used for good or evil.
For entertainment, the people one of my friends work with started showing costco cards to the security instead of their id's. They tired of this as none of them ever noticed. Also, they've got such a poorly implimented network with so many different passwords, it's actually a pseudo-policy that they have them written down near their workstations. Once more many of them have local administrator access to their workstations. It's hard to imagine what people so motivated might walk off with.
I worked at a finacial institution, with doors that can only be opened with swipe cards, these were on each floor.
We were visited by a deaf woman (we assumed she was deaf from her speech, and her hearing aides, we learnt from the police that she was really deaf and was wanted in connection with other thefts) who was only just barely communicating that she was selling raffle tickets in something, no one knew sign language but let her in anyway assuming someone had let her in the building.
She used the time during lunch when most people werent at their desks to take wallets, go through draws or whatever, for some reason i was having lunch there, being the cheap bastard I am, I didnt buy a ticket, but my co-worker did.
For some reason I stood up to look at the woman operating from the otherside of the room, she looked a bit strange, she looked back so i sat back down. We found out later that she had her run of about 3 or 4 floors before someone challenged her being there.
It was also a running joke for us asking the co-worker who bought a ticket if she had won anything yet...
Be you Admins? nay, we are but lusers!
Thats just it though. The way he engineered it, they NEVER would have known that he was the one who stole those computers. They would have been looking for some disgruntled employee taking some stock home after closing up, or accounting/inventory miscalculation, or ANYTHING other than him. He presented himself to be an employee with a legitimate reason for taking those computers out of the store.
He presented a possible occurance, and explained it twice. Once to the stock boy, once to an assistant manager. Neither of them bothered to take a look at the "official papers" that he had folded up in his breast pocket, and he claimed that he had gotten those papers and authorization from accounting. Yet no one checked his story.
This is the goal of social engineering. To use the system so that you can get what you want without raising suspicions.
Lets just say, for arguments sake, that they did a full store inventory within the next 3 months, and found a discrepency. Where would you start investigating it? You wouldn't know when it happened. You wouldn't know how it happened. And because of how he pulled it off, no one would ever remember him. He blended in so well, and so convincingly, that by the time they finished their shift, they wouldn't have even been able to remember what he looked like. He was completely forgetable, and no one would have been the wiser. And if he was seen walking out of the store with a pallet full of computers by a video camera (assuming they kept tapes for that long), they would have seen him approached by an assistant manager who let him walk out of the store with the merchandice! And again, that is where the social engineering would have continued to work, anyone reviewing said tape would have seen him being checked out by the assistant manager, assumed the assistant manager was doing his job, and that there was a legitimate reason for him to take those computers out (even though the reviewer never heard the conversation). And 10 to 1 odds, the reviewer wouldn't even check with accounting to see if anyone was authorized to take 5 computers out of the store that day.
I haven't lost my mind!
It is backed up on disk...somewhere...
That's just what they had in the military place I used to work. I notice that most larger offices and places with sensitive information are starting to use turnstyles and keycards, which amounts to the same thing. No badge = no entry. Forget your badge? You can get a 1-day pass at the security desk, but they will check your face against a photo on file, and require ID. Having reasonably good yet uncumbersome security is not that hard to implement for low-level security (i.e. against thieves). Problem is: many companies only pay passing attention to security (physical as well as electronic), and think one rent-a-cop at the door is sufficient. Also becoming more commonplace... These days, the most popular target for thieves is laptops. Easy to carry, valuable, and it's the one piece of equipment the guards will expect people to carry out.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
It happened on a Saturday.
White panel truck with appropriate lettering pulled up to corporate headquarters. Man wearing logo'd shirt gets out and approaches security guard, papers in hand. He is supposed to remove typewriters for cleaning, and is supposed to come back Sunday to return them. Papers are signed by an executive of that company.
[ uh-huh. right name, but *that* executive has never even seen the papers. Its just a signature. ]
Guard is cautious. Needs to call and check. Truck driver agrees to wait. Executive out of town. Guard says no-go. Truck driver says fine, just sign here that I showed up. Your company still must pay the $5000 fee for weekend overtime service as per the contract. ( Shows contract details to guard ). No biggie to me. ( Guard gets ansy. A lot of money, What's his boss gonna say about losing more money than his monthly pay just because he wouldn't let another man do his work? ). The guard refused to sign anything. The truck guy notes down his name from his badge, notes it on his form, looks at his watch again, dates and signs the form, and asks the guard to let 'em know he was there. Leaves the guard a business card, and mentions that the next available window to do the cleaning work on a weekend is about 3 months away. Another fee will be assessed for the next service. He tells the guard he has 50 people at his plant right now ready to clean typewriters, and when he gets back, he has no work for them, so he will pay them their four hours Union wage for showing up and send them home.
The guard is really sweating now. He doesn't know exactly what to do, but he doesn't wanna find out he screwed up the company something fierce by keeping someone from doing their job, so he relents. He even helps load the truck!
We never saw those typewriters again.
The truck? Bogus plates. Plain white panel truck with vinyl stick on lettering. Run of the mill truck. The guy even had shelves in it made in such a way so he could load up the completely full. Seeing how professional the truck was equipped for the job impressed the guard and reassured him that everything was indeed on the up-and-up.
The forms? Yes, lots of forms! Every typewriter was duly noted on its own form..serial numbers and all! Obviously our con-guy had gotten a hold of an inventory list, because every form indicated where the typewriter was. Why even a copy of each form was even left with the guard! The only traceable signature was that of the guard. There were other signatures on the forms, but no one ever found out who the actual signers were.
Come Monday, Management was very puzzled and disturbed over the missing typewriters.. a little over a couple hundred of them. There were investigations. There were lots of phone calls to the non-existent phone numbers, people, and attempted visits to the addresses referenced to in those oh-so-professionally done forms.
Yup, some clever guy invested in a couple hundred dollars worth of "movie props" and walked out with several hundred thousand dollars worth of nearly brand new IBM typewriters.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Social engineering isn't rocket science -- it boils down to exploiting the trust that exists between people. Smart-alec geeks and slashdotters seem to take pleasure in pointing out how stupid victims of social engineering are. Granted, many social engineering schemes are successful due to mere ignorance. But is it inherently stupid to trust people? Here's the problem: there are costs and benefits to an environment in which people don't trust each other.
.5% if it means being free of stifling bureacracy and draconian security. Given that, trusting each other is a choice we make because the risks it entails is, on the balance, worthwhile.
Yes, this Israel fellow demonstrated very well what happens when people trust each other too much, but what happens when you take it to the other extreme? You end up with stories about like Walmart where employees are locked in to prevent theft and can't call an ambulance when the forklift rolls on them. Some might think that it's worth compromising on a theft rate of, say
That's why, for example, hotels generally don't ask you to show ID when you claim you've lost your room key. If they did, they'd suffer more lost business than the cost of insuring against the occasional theft of a guest's belongings.
Everything is a compromise.
RFID tags on the merch. They realize it was stolen 2 months ago, check the logs to see exactly what time the tag left the door, and then look up the CCTV footage at that exact moment. Game, set and match.
I'm not sure someone could walk out of my business with thousand dollars in merchandise, as I work at MacDonalds.
If your store has a night shift like ours did (no managers), I virtually guarantee that someone could turn up with a white van and steal a whole set of vats. Our guys would have drained it for you and helped you put it in the van.
In the McD's I worked at, we started inexplicably losing a few boxes of chicken nuggets a day. Management couldn't figure it out (surprise surprise), but it was obvious what was happening.
I realised straight away that it wasn't going through the kitchen (even our managers would check the transfer paperwork, every time). Then I worked out that, with the freezer door wide open, nobody could see the fire exit. I pointed this out to the shift manager - and the pompous bastard searched me then and there. For months afterward, he would regularly pull me into the office and rifle through my rucksack.
The lesson I learned from this was: If you discover a hole in the system, you either (1) keep your mouth shut, or (2) keep your mouth shut and exploit it. (Or, I suppose, (3) tell someone who will, um, appreciate the information.) Telling the bastards in management is too much trouble.
Besides, I wasn't going to risk my job, even that job, over a few measly nuggets. Putting a JCB through the wall and ripping out the deposit safe was more my style. :)
Footnote: that bastard shift manager went on long-term sick-leave. Our regional manager took our store manager to dinner, and who do you think was the waiter? He got fired from both jobs, as I understand it. Sweet.
The issue of social engineering is taken so seriously here that there is a dedicated team whose job it is to attempt to compromise the network by any means possible. Their electronic attempts are generally significantly less successful than the attempts that include a human element. Because this is a large scale organization with multiple shifts of employees that rarely overlap, seeing strange faces is par for the course. The "red" team takes advantage of this during shift turnovers, and will attempt to follow people through passcode protected doors and use a USB flash device on an unlocked workstation once inside to compromise the network. We as employees are told to challenge anyone who passes a secured doorway without keying in, and lock any unlocked workstation we find (or report it to security).
Overall, I would say our electronic countermeasures are significantly more successful at defending the network than our human ones, so the security team takes social engineering very seriously.
At our local Best Buy, the people at the door pretty much only stop you if they think you're carrying something out and they didn't see you at the checkout lane. I notice this all the time.. if I'm exchanging something, frequently I'll be stopped and they look at the receipt. But if I stop at the register first because I'm also buying something else at the same time, they never stop me. I imagine it would be simple to just walk out with a hard drive or two if I bought something else, first, telling the cashier that I had made an exchange earlier (explaining the extra package that he/she isn't scanning.
Disclaimer: It's not something I'd EVER do, but it's the pattern I noticed because I do, in fact, buy a lot of shit from Best Buy (and conversely, have to exchange a lot of malfunctioning electronics)
They can try to change everything they like, but i know who they are talking about. This story is about walmart. Having worked for them at one time in their electronic department i can tell you this level of ignorance is the rule and not the exception.
I remember that people returned a vcr in a xbox box, bricks in a tv box, run out the door with computers, and the list goes on. Most of the time when i was working we caught these people, or didn't because i couldn't find a manager fast enough to stop them ( you as an employee weren't allow to confront them). Also i remember an incident where 10 people distracted every employee on one side of the store and made off with $8000 of printer cartridges ( the cartridges were on anti-theft peghooks too). There were days i was expected to watch 4-5 departments by myself, basically 1/3 of the store, and there was many thefts.
I was actually fired for speaking up about it. Oh well not my problem now.
A Fatal OE Exception has occurred, Sig will now reboot.
IF they keep a video archive that long.
However, you are correct. If they could find out when (very important), they have other tools at their disposal to investigate with. CCTV being one. With it, they could track the guy as he walks in, canvases the place, goes in the back to the break room, finds a uniform, and his "official document", goes to the warehouse, runs his act, gets his merchandice, walks through the store with the merchandice, stopped by the assistant manager, and finally through the front door.
Unfortunately, all of this costs money. And businesses are all about keeping as much of it as they can. No one is going to spend thousands of dollars to purchase a security system capable of archiving months or years of security cam footage unless they have been hit hard enough to justify it.
While your theory is wonderful, the realities of the situation make this to be as close to a perfect crime as possible today.
Since we are talking RFID, let me throw this one out at ya. Lets say that the store has RFID readers all throughout their warehouse and store. Once a day (say midnight after all sales reports have been completed), the readers in the building send a "pulse" asking all RFID tags to report in. Inventory is taken on a nightly basis, and compared to sales reports with a discrpancy report printed for management to look over when they arrived the next morning. All automated, and done on a very timely manner. Management asks the appropriate team leaders to double check the discrepancies, and if anything turns up missing, it is handed over to security for them to review - best possible response time, less than 48 hours. Anyone can archive tapes for that long.
The possible situation listed above would help out a lot, but I still fear that such a solution is 2 to 5 years out. As well, there are many other concerns and problems that would have to be handled. For example, when a RFID leaves the building, how do we know the item it is attached to has been paid for?
I haven't lost my mind!
It is backed up on disk...somewhere...
That's why, for example, hotels generally don't ask you to show ID when you claim you've lost your room key.
I used to travel a lot for work, and I've been to a lot of hotels, all over the country. All hotels nowadays use swipe cards or something along those lines, and if you lose your card, yes, you show ID to get back in. I've lost my card on a number of occasions (usually only to find it later hidden in the depths of my wallet) and they *always* prove that you are who you say you are. Some places are satisfied with a driver's license, but some require you to show the credit card you used to pay for the room, so they can compare the numbers in the computer to the numbers on the card.
Maybe if you stay in a place that allows non-credit card transactions, but I haven't seen a place that'll take cash for a hotel room for years and years...
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
He even has a HOWTO on what to do when you're being slashdotted on his other site.
Big computer trade fair in Germany. Big three letter US computer company.
Right after it is over a big truck pulls up, a couple of people get out and start loading everything (computers, decoration, even prototypes and engineering samples) onto the truck. Everybody helps them. Some paperwork and inventory is checked. They leave.
30 minutes later the real truck arrives...
Isreal may have done a slick job at getting the computers out of the warehouse, but I wonder if he would be so good at social engineering if he was trying it at a place he didn't work for. Knowing all of the procedures and stuff definitely helps.
Not that you don't have to be aware of employees or ex-employees who are trying to game the system, but being able to SE someplace you're familar with is an order of magnitude easier then trying to scam someplace else because you know all the right internal buzzwords and procedures.
Cheers,
=Blue(23)
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
I got into two power stations with no ID - in both cases because I was wearing overalls with a badge bearing the name of the former owner of the power plants (sold in one case, renamed in the other - but the same company in both cases). In both cases I was not working for the company owning the plant, but as a contractor. In one case I got the ID after going into the plant, in the other case I never got the ID since it was a one off visit.
Both times there was a security guy that I had never met before on the gate. I just walked in as if I belonged there, and it's just as well for everyone that I did have a legitimate reason to be there (and needed to go inside to get the ID to go inside).
The most dramatic theft I heard of at a workplace I was at was a diesel backup generator the size of a shipping container. It was located fifteen metres off the ground. The theives had to move a crane, get the generator, load it on a truck and drive out on the only road past the security gaurd on the gate and down the narrow neck of a peninsula.
Customs at Sydney Airport, Australia had a couple of guys turn up and remove most of the servers over the course of many hours one night. That one still hasn't been solved, despite the intelligence community and two police forces getting put on the job - since it was after 9/11.
After I got my bachelor's I took a temp job with a caterer, just picking up stainless chafing tables and the like.
One assignment was cleaning up a Christmas party at a big pharmaceutical company. While the guards were carding employees, they let me drive unasked onto the factory grounds in my unmarked van. I drove to the building, wandered around until I found my department, carted it into the freight elevator and loaded the van. This stuff was in boxes used for antidepressants. I walked through the warehouse that cached these antidepressants. I could have taken a few extra boxes.
NO ONE questioned me. Then again, I have ordinary looks and a casual air.
I was soon hired by this same company to do real work. I snigger at the security precautions.
From the site. Smart in some ways, dumbass in others. Who the hell puts their database ON their webserver? Yeah, it may be a bit faster in some ways, but insecure and non-scalable in most others.
-
ping -f 255.255.255.255 # if only
I'm studying abroad in China and that's how things work here. It's really annoying. Every time I bring a friend to my dorm room I have to spend five minutes filling out a complicated visitor registration form and showing ID. I could see the point if my friend was a stranger, but I've been living here for four months and the security guards already know my best friends by name, since they visit every single day. But their orders are to follow visitor registration procedures blindly without thinking, thus anyone that they can recognize as a non-resident must register on entry.
The really silly thing is that these rules don't prevent unauthorized entry at all. There are simply too many people living in the dorm for security to memorize them all, so most visitors walk right in without bothering to register. Only the most frequent visitors, which are probably the lowest security threats, are actually forced to waste time registering.
From this experience I can definitely see that blindly following a set of procedures to thwart social engineering is not necessarily the way to go, and can actually weaken security. Plus, I've found that such suspicion doesn't make for a very nice living environment.
Manufacture in China
Good story, kinda reminds me of a couple of my past experiences.
Just out of High School I'm a gofer at a major chain hardware store, it's holiday season (without a doubt, best time to social engineer) and because it's so busy, I'm stuck helping load customers vehicles with bulk merchandise at a usually closed side door.
A guy backs up a station wagon up and comes up to me (the youngest looking employee in the store) waving a "receipt" and saying he's here to get his pallet of Presto Logs. So being young and dum... errr... I mean, eager to help out, I went over to my very busy "dickish" "boss" and asked what to do, his curt reply was "Get him the logs, I'm busy.", and then he rapidly walked away toward the front of the store.
So I got a pallet jack and moved a whole pallet of Presto logs across the whole store to this side door, and proceed to load up his station wagon till it was sagging badly in the rear, but I got 'em all in.
The poor guy was in a BIG hurry because his wife was at another store and he had to go get her since her car had broken down, and he had a bad back so he couldn't help me load the boxes of "logs", but I loaded that whole pallet of "logs" into his station wagon in record time.
And not 30 seconds after he drove off than another guy drives up in a pickup truck wanting his pallet of Presto logs!
Well, I had just loaded up the last pallet of Presto logs...
Thats when I knew I'd been had...
Luckily, I'd asked my loser boss, and he had to take the heat, but that was a BIG lesson for me in Social Engineering.
Move ahead several years to 1977, I'm working for a private interconnect (TELCO) company in SillyCon Valley. We don't have company uniforms, or even name tags, really low budget, but we do have tool belts and butt sets (linemans test set), we had to buy those too.
So I'm one of the company's troubleshooters and we had many high tech clients, one of which is where I was making some changes to the state of the art TDM PBX our company sold and installed Waaaay better than anything MaBell had at the time. Merlins... what a joke.).
My boss (a "real" boss, yaaaa.) arrived unexpectedly to give me some good news (a raise!) and as we were leaving the building I joked that I could go anywhere I wanted with only my toolbelt and buttset.
My boss gave me the look and then smiled and said "no way".
Mistake...
We happened to be in a large room full of desks looking at a wall of glass, behind which was the computer room, you know, raised floors, BIG banks of BIG six foot tall computers with BIG reels of tape slowly spinning away, heavy duty air conditioning, guys in white lab coats! The whole deal. And the only door in/out was protected by an armed security guard.
Nobody had noticed us yet as they were all busy doing their jobs, and I looked at the computer room and said to my boss "Wait here and watch." He got an unsettled look on his face but didn't stop me as I calmly but purposefully walked straight toward the door with the guard.
I noticed that the guard was alert and saw me coming, so I was all ready to talk my way into the computer room, but as I got close enough to talk, he just opened the door for me! I said I needed to check out something and would be right out as I was calmly (yeah, right!) walking by him into the "secure" computer room.
The white lab coat guys totally ignored me even though there were NO phones in that room! I walked through the whole large room, looking at all the cool computers and stuff and attempting to look "official".
I finally got my fill of sightseeing and went back to my boss, who by now was angry at me, but I pointed out that no harm was done, and I had made my point to him. He forbade me to ever do it again, anywhere, but when we got back to the shop I was a big hit for my "ballsy" behavior and he was bragging about it and laughing like crazy.
Yeah... social engineering... it can work.
One VP took a picture of his dog and pasted it on a badge. Next morning flashed it at the guard and walked through with no problem.
I got laid off a few years ago when the call center I was working for was relocated. That was, of course, the moment that the security guys were supposed to start actually checking the ID cards that we'd been required to wear ever since we'd been hired.
So I traded cards with my friend Ron. It's touch to imagine two people looking different -- I'm 6'6", pasty white, with a shaved head. Ron (at the time) was about 6'2, dark-skinned black man with dreads.
Security never noticed.
--saint
Couple of guys show up in a white van. Go into the school and start loading up some rather valuable antique wooden chairs.
Student arrives. 'Can I help you take those chairs out ?'
A couple of students helped the criminals load up in double-quick time. Needless to say, several thousand quid's worth of chairs were never seen again.
I worked in a record store in college, and had a woman try the "I bought this and I want to return it, but I lost my receipt" scam. It turns out she had picked the one video off the shelf that I had special-ordered for myself, only for it to arrive in VHS when I had wanted 12" laserdisc.
Ooops!
The cops were there in 15 minutes, while I stalled the thief, pretending to look up the original sales sheet (there are sometimes advantages to using a paper-based system). The lady skipped on her bail, so I never got the chance to testify against her.
Chip H.
When I was in the army as an intelligence analyst at an air force base, we had to go through a fancy turnstile every morning where an air force guard would take our badge, look at it, look at our face, look back at the badge, then give it back and let us through. One day my roommate and I were walking down the hall inside the secure building when a master sergeant stopped us, pointing out that our badges were switched. We'd long suspected that the guards at the gate just went through the motions of checking faces, but this proved they weren't looking AT ALL, because I am white and my roommate was black! We brought this to the attention of the major in charge of security. THe guards were a lot more diligent thereafter.
If a job's not worth doing, it's not worth doing right.
Article mentioning 50% of people not noticing that they're talking to a different stranger after being interrupted.
;).
;).
Anyway why it's easy:
1) Most people are trusting and not paranoid.
2) Most people are too busy doing their main jobs.
3) Most people aren't observant.
4) Most people aren't very smart.
5) It's hard to be polite to people especially customers while at the same time be suspicious/wary of them. For most businesses it's better to err on the side of politeness. Let insurance etc take care of the other stuff. Remember if customers don't buy anything coz you pissed them off, the creditors come and take everything
6) High staff turnover is bad for security - makes things even harder - as a worker you can't stop every new face you see whilst trying to get you job done so that you don't lose your job. By the time you get around to training newbs about security they're already on their way out - you're lucky if you even managed to finish training them how to do their main jobs.
7) The people who aren't easily fooled aren't cheap and plentiful. Plus they probably got sacked or changed jobs coz they weren't easily fooled by management
A couple months back I bought a couple DVDs from Future Shop - Yes, I payed for them - but the de-magnetizing thing didn't do its job.
Walked through the door - Alarms went off - but just for the hell of it I kept walking like I didn't notice (Yes, I DID pay for everything). Just one of those things where you want to see what happens.
Both sets of automatic doors still opened for me, I think I heard one clerk yell out "Sir! Sir!", and that's it.
Calmly walked through the parking lot, nobody followed me.
Even went back to the very same shop the very next day to pick up a PS2 game, and nobody said shit to me.
...Also, I didn't know Buggalo could fly.
No, the security guard did not get fired.
As far as I know, everyone considered he did the best he knew.
But, from what I could tell, ever since then, the guards were kept very well informed about anything that involved equipment moving, and this incident was never forgotten, and used to illustrate just how sneaky and well-prepared thieves can be.
Even twenty years later, me, as well as probably everybody who worked in or around that company, remembers the whole charade like it happened yesterday.
Nobody blamed the guard for doing his job. He did the best he could, tried his very best to be helpful. A typical example of how that company did things.
If anybody is gonna get any heat, its gonna be the guy who arranges for something to happen and fails to let it be well known to everyone - especially the guards.
"Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
Where I grew up, noone locked their doors, and garages stayed open even when people went out to the store. Did people loot? NO! Such an act would be so immoral it would be unthinkable.
Just because some asshole can convince a store owner that they can carry a bomb inside doesn't mean all stores should start searching people they way they do in airports.
Rather, teach people stealing is bad, and set community standards that discourages lying scammers that try to steal from stores and that try to sell them "security" from made-up problems.
This guy's FUD is going to destroy that community.
Sometimes I have to wonder what could happen if I were a malicious individual.
Things that tend to happen:
1. I wear my ID with blank side showing. I get asked for help in any store, regardless of whatever uniform standards in place. If qualified, I generally will assist, but then people are surprised to find out that I don't work there.
2. I am in an automotive dealership (not exactly a very innocent place). I need to copy a few dozen pages from a service manual. I ask where I can do it, and I am advised to use the copier in the showroom. Now, this is a networked copier that also happens to be the printer for ALL customer paperwork (credit apps, driver licenses, insurance cards, you name it) that's associated with a vehicle sale transaction. Now, I basically monopolized the copier for over 40 minutes, and I was asked if there is something wrong with the machine and what would it cost to have it moved away from public sight by the dealership's GM. At this time, I was wearing my usual generic logo shirt and a blank ID. I explained I wasn't there to service the machine. I also advised him of this risk. The risk is simple - sniff the network and an access point.
I can't count how many times I walked into restricted areas by mistake and never got asked any questions. The logo gear I wear can be purchased from any corporate store on the web that allows its customers to promote the company by wearing its logo on a hat and shirt.
The public is conditioned to white piece of plastic and any logo as a universal access device.
The world is really lucky I am not malicious.
Leonid S. Knyshov
Find me on Quora
Having gone through security on an air force base, I do know they check, for the most part, expecially after 9/11. I grabbed my ID out my wallet just before the gate and flashed it and the guard told me something along the lines of "Yeah, so?" and promptly got a quizzical look from me. I looked at the badge and realized it was my driver's license and then pulled out my military ID.
Having said that, the AIr Force has teams whose job is to infiltrate bases and test the defenses. They use no military equipment to do so, only commercially available items. Unfortunately they are often quite successful. Social engineering is a big part of what they do. Being military members they know what to expect and how to use that to their advantage.
Usually it involves knowing when to intimidate (act important or dangerous) and when to seem in need of aid (act unimportant or not dangerous). Other choices are possible, but those two are the big ones. In other choices/environments, it could require bribery skills, a well-worn social engineering technique.
Our founding fathers removed the guys in charge. Be American. Vote incumbents out.
Our Boss steals. To do that, it is necessary to have a high turnover in employees, so no one can remain on the job long enough to "catch on" to what he is doing. To that end, he tries to p**s off the employees on a daily basis, to help the turnover along. It works, mostly. Hasn't worked with me, however. The owner lives in another city, so we do not have the supervision/control that a local owner would provide, so our local boss is able to line his pockets. We don't need anyone from the outside to come in and steal, we have our own one to do all that.