Last week, as you could read in the previous Security (b)log, I stood in front of a
group of girls from high school. This week I was invited by the next
generation: the Tax and Customs Administration’s Young IT Auditors, whose annual
YIA day was themed cybersecurity. The “young” turned out not to refer so much
to the age of the participants, but to how long they have been in the auditor
profession. And let me put it this way: this audience was still familiar with
Facebook. Fortunately, I had not tailored my presentation to an overly young
audience (-;

In this Utrecht conference room I talked about current developments, among other
things. Lately I have been reading more and more worrying stories from the US
about sickening criminal activities. Like this story. A woman receives a call
from her son, who tells her that he has had a traffic accident and that he will
hand over the phone to a police officer, who will tell her more. The officer tells
her that her son caused the accident, which injured a pregnant woman, and that
he has been taken into custody. He announces that a lawyer will call her to discuss
further proceedings.

A little later the lawyer calls. The son is in deep trouble, but it is possible
to get him released on bail. If the mother gives $15,000 in cash to a courier arranged
by the lawyer, her boy will not have to spend the night in jail. And she
shouldn't tell the bank what the money is for, because then they would ask questions.
No sooner said than done.

In reality, that mother did not receive a call from her son at all. It was a deepfake,
in which artificial intelligence was used to create a new text with the same
voice based on an existing sound recording (thanks to social media). So the
mother did hear her son's voice, but he had never spoken those words himself.
It was necessary to quickly hand over the phone to the officer to prevent a
conversation between mother and son. And that lawyer, who called a little
later, was of course not a lawyer at all, but just as much of a criminal as the
fake cop.

In the above story we see a number of elements from the theories of Robert Cialdini
and Ian Mann*. Cialdini says people obey authorities. Now I wonder to what
extent this is true in the Netherlands, but in many countries people will
indeed quickly believe that they are really dealing with an authority figure,
even if it is only on the telephone. It’s just a matter of striking the right
tone. Mann tells us that people are gullible. That can work both ways. On the
one hand you would like to receive the reward that an African prince promises
you if you help him free up a particularly well-filled bank account, on the
other hand you naturally become stressed if your child seems to be in
trouble and you eagerly believe what all kinds of people tell you. Moreover,
Mann says, being consciously incompetent also makes you docile: if you know
that you have no knowledge of certain matters (such as an arrest), you will
easily follow someone who at least radiates that he is an expert in that area.

In another story, someone received a call from the FBI saying she had been a
victim of identity theft. Because fraud had been committed under her name, her
bank assets would be frozen. To ensure that she could move on for a while, the
helpful officer offered to put a large part of her savings in a safe bank account
that would remain outside the confiscation. That money also had to be delivered
in cash and you guessed it right: the money disappeared. And there was no case
of identity theft whatsoever.

IT played no role at all in this case, but the criminal did act as if that was the
source of the misery, because that’s how identity theft goes. The following case also
had no IT background, but that could easily have been the case: an 81-year-old
American was extorted, and when the Uber ordered by the criminal drove up to
pick up “a package” (with the money), he shot the driver dead, under the
assumption that she was part of the plot.

If you ever find yourself in such an unreal situation, try not to act on your
emotions. Ignore instructions not to involve anyone, but ask someone you trust
for help. Be alert if it suddenly becomes about money; try calling your son
first to check whether he really has had an accident. Some may find it a bit
scary, but in our family we can, by mutual consent, see where everyone is in an
app. That would be of great help in such a scary situation.

* Robert Cialdini, Influence: The Psychology of Persuasion, 1984; Ian Mann, Hacking
the Human: Social Engineering Techniques and Security Countermeasures, 2008
And in the big bad world...
This section contains a selection of news articles I came across in the
past week. Because the original version of this blog post is aimed at readers
in the Netherlands, it contains some links to articles in Dutch. Where no
language is indicated, the article is in English.
- deepfake detection tools do not always work accurately.
- criminals threaten to publish a database containing criminals.
- the Russians attack Western infrastructure.
- of course you have to choose the right target.
- Traffic lights also infringe on your privacy. [DUTCH]
- Telecom employees are offered money to participate in SIM swapping.
- a British computer divorced the wrong couple.
- a Dutch ID wallet is being developed. [DUTCH]