A Tale of a Failed Social Engineering Attempt

In computer security you hear a lot about social engineering, and for good reason. As far as computer security goes, the human being really can be the weakest link, knowingly or unknowingly. And if you're curious about examples or stories of social engineering, I recommend the book "The Art of Deception" edited by Kevin Mitnick.


However, not all social engineering has to be for technical reasons or even technically related. I say this because up until a couple of days ago, that is really how I generally thought about it. Granted, I realize that social engineering is something that anyone can use for any reason. But as someone who lives and breathes computers, I tend to forget that there are things outside the world of binary computations.

Here in Portland, the last weekend of July is host to the Oregon Brewers' Beer Festival. And for the last three years I've volunteered as a server. The way the festival works is you buy a 12 oz mug (pictured below). If you look at the mug you can see about the last 1/3 of the cup has a different shape than the top two thirds. That change is the taster line at 4 oz. And at the festival you pay one dollar to fill up a particular beer to that line. If you want a full cup of beer, it's four dollars. And to help with making sure that all of the servers are honest, instead of the transactions being done with money, the transactions are done with wooden tokens worth a dollar each.


Now, just by the very nature of people, some are going to try and cheat the system. I've dealt with drunk people, and some that were less than friendly, but never someone who was trying to cheat the system. To be honest, until this year I never saw it (or at least I was never aware of it being done to me).

At some point in the evening, a very pretty brunette in sunglasses approached my booth. She holds out her hands; in her right hand is her cup and in her other hand are two tokens. Not saying a word, I grabbed one token from her hand and proceeded to fill her cup to the requisite line. I put the cup back in front of her, and expect her to leave. Instead she looks at me and says, “I'm sorry, can I get a full cup please?” At which point I say, “Sure, I just need three more tokens from you.” So she digs into her purse, proceeds to pull out two more tokens, and says, “Here you go.”

“I'm sorry, you're still one token short.”

“What about the two tokens I gave you to begin with?” This is where the actual trap sprang. Since I'm not actively paying attention for this, just kind of on autopilot, I second-guess myself and try to remember what happened before, just to make sure that I only took one token. I remember that I did, and say,

“You're right, but I only took one token from you. So you're still one token short.”

“Are you sure?”

Taking a quick second to verify, I then say, “Yup, and when it comes to beer I don't fuck around.”

At which point she sighed, and proceeded to reach into her purse to grab me another token. At which point I handed her her glass, and she walked away.

Now I must be honest, I didn't recognize this attempt at subterfuge until after the interaction was over. While I was going through it I was trying to make sure I was correct with what I was saying. If it was a more sophisticated attack, she might have gotten away with it.

I will say that after going through this experience, I'm more aware of how easy it is to succumb to social engineering. And now I also have a bit of compassion and sympathy for those people who get socially attacked like this but are not aware of it till maybe after it happens to them.

