How to steal priceless jewelry: prank call
June 4, 2008 1:30 PM

Thieves bypassed all security systems by simply posing as the security company on the phone. These days as a robber dealing with high-tech security systems it seems that it's not about being a hacker or having loads of money to pull off a heist, it's about making a phone call, having bear spray, and waiting for a guard to go on smoke break.

How UBC jewelry was stolen from the Museum of Anthropology:

Thieves make one call essentially saying "Oh ya, we are the company in charge of your security systems, tonight we are doing some tests, so when alarms go off, it's just tests, so don't worry about it". Security's reply "OK."

The UBC gold jewelry: still missing... Simplicity pays off.
posted by figTree (42 comments total) 5 users marked this as a favorite
 
Isn't this how Mitnick did most of his "hacking?"
posted by Afroblanco at 1:35 PM on June 4, 2008 [1 favorite]


My favourite detail (of many); "Meanwhile surveillance cameras that were still operating captured poor pictures of what was going on inside the museum because of a policy to turn the lights off at night."
posted by Keith Talent at 1:36 PM on June 4, 2008


I'm looking forward to the comments on this on Bruce Schneier's weblog.

This one is going to end up in all the books as an example....
posted by DreamerFi at 1:57 PM on June 4, 2008


Social engineering is typically identified as the number-one security risk (rather than electronic snooping, etc, to gain confidential info).
posted by KokuRyu at 2:04 PM on June 4, 2008 [2 favorites]


A social engineering exploit paying off big time. Things always break down on the wetware layer.
posted by porn in the woods at 2:04 PM on June 4, 2008


This is similar to the low-tech methodology used in the Gardner Museum heist in Boston, 1990. So basically, while museum security people may have learned something from that, they didn't mention it to the campus cops at UBC.
posted by beagle at 2:05 PM on June 4, 2008


jinx!
posted by porn in the woods at 2:05 PM on June 4, 2008


For those of you like me wondering WTF bear spray is, it's apparently pepper spray intended to be carried while camping in case of grizzly attack.
posted by Rhomboid at 2:34 PM on June 4, 2008


social engineering FTW.
posted by rmd1023 at 2:36 PM on June 4, 2008


A couple of years ago, some thieves stole an expensive server from Customs & Immigration at Sydney Airport, by showing up after hours & saying "Oh, hi. We're the IT guys. We've come to take a computer away for repairs"

Ah, found it. Turns out they stole two servers.
posted by UbuRoivas at 2:38 PM on June 4, 2008


...police have said the museum's insurance company has boosted the current $50,000 reward substantially but will not say by how much.
Doesn't that kind of defeat the purpose of offering a reward?


Bear spray
posted by Kirth Gerson at 2:51 PM on June 4, 2008


something doesn't make sense to me here - this guy is smart enough to evade/trick all security be it human or electronic yet fails to consider his high profile and the need for a solid alibi or accomplice. (I base this on the article stating that they know someone who works this way and are already focussing on him.)

this sounds like a molecular biologist who can't figure out how to open a can of peas. or a hacker who lacks knowledge in personal hygiene.
posted by krautland at 2:53 PM on June 4, 2008


My guess is the security guard was in on this.
posted by sour cream at 3:06 PM on June 4, 2008


One aspect of my job is training people to be aware of what social engineering is, how it works, and to be cognizant of the fact that at some point, they will probably encounter someone trying it in some way, shape or form.

Employees are always amazed when they realize how much confidential information they give away without knowing it, once it's brought to their attention.
posted by quin at 3:11 PM on June 4, 2008


Afroblanco, "A clipboard and a confident wave can get you into any building in the world." is the quote sometimes attributed to Mitnick, but probably most famous from the bad movie The Paper.
posted by rokusan at 3:11 PM on June 4, 2008


I was thinking bear spray attracted bears and that perhaps they sprayed to attack the guard to keep him occupied. I had all sorts of comical scenarios playing out in my head before I got to that paragraph in the article.
posted by Brainy at 3:22 PM on June 4, 2008 [3 favorites]


I was scammed in one of those "order printer cartridges" scams. I was working in an office and had to cover the front desk one day when the receptionist was out. Ordering office supplies was not part of my normal duties, so when a nice, chatty guy called and let me know that we were nearly out of printer ink, and he was calling to confirm our address so our order could be filled, I totally fell for it. No one had ever told me about this scam, and it never dawned on me that such a thing could exist.

Even so, these guards seem pretty...trusting, for being guards.
posted by rtha at 3:27 PM on June 4, 2008


Bear spray

Best. John Waters furdaptation. Ever.
posted by cortex at 3:30 PM on June 4, 2008 [3 favorites]


I love that museum. I'm glad only a few things were taken, but still, this isn't just jewelry here, these are cultural artifacts. So any amusement I have in the cleverness of the thief is lost in the thought of what was stolen.
posted by Hactar at 3:54 PM on June 4, 2008


I see the campus cops at UBC are still the crack squad they were in my day.
posted by Turtles all the way down at 3:58 PM on June 4, 2008


I was scammed in one of those "order printer cartridges" scams.

Wow, that's a pretty elaborate scam...
posted by SweetJesus at 4:06 PM on June 4, 2008


Best. John Waters furdaptation. Ever.

And no one had to shave Travolta for that one.
posted by GuyZero at 4:28 PM on June 4, 2008


From the Social Engineering wiki link:

Kevin Mitnick, William L. Simon, Steve Wozniak. 2002. "The Art of Deception: Controlling the Human Element of Security". John Wiley & Sons. ISBN 0-471-23712-4.

(hehe - sell 'em Apples & pretend that hackers & phishers don't go after 'em...)
posted by UbuRoivas at 4:46 PM on June 4, 2008


He just wrote the foreword.
posted by box at 5:16 PM on June 4, 2008


What the hell? A multimillion dollar museum heist happens on my campus and I hear about it two weeks later on Metafilter? I need to get out more.
posted by PercussivePaul at 5:43 PM on June 4, 2008


Isn't this how Mitnick did most of his "hacking?"

Yes. As any hacker worth his salt knows, social engineering is the fastest and simplest way to break into any system. Thus, Mitnick made extensive use of this.

His hacking, therefore, was uncommonly effective, and didn't require scare quotes.
posted by dhartung at 5:49 PM on June 4, 2008


WTF it sounds like a movie...
posted by super11 at 7:04 PM on June 4, 2008


Pffft. Bear spray has nothing on shark repellent bat spray.
posted by pokermonk at 7:25 PM on June 4, 2008


UbuRoivas,

I'm not a MAC guy at all, but Woz wrote the foreword... I read it back in 2002, but I am pretty sure Woz wasn't involved in any illicit activities :)
posted by andryeevna at 8:44 PM on June 4, 2008


You may be right, andryeevna, but just to be sure I'm going to change my MacBook password, so it's no longer a combination of my Social Security, bank a/c & PIN numbers.
posted by UbuRoivas at 10:27 PM on June 4, 2008


His hacking, therefore, was uncommonly effective, and didn't require scare quotes.

Thank you, seriously, it's annoying when social manipulation is seen as being somehow less valid than technical solutions. People always have this bizarre preference for imagining hacking as some kind of mystical "Hackers"-style interface with the computer itself. (Kind of reminds me of when a good speech is accused of being "just rhetoric." So what if it is?)
posted by voltairemodern at 11:08 PM on June 4, 2008


voltairemodern: that's because it's comforting to think that mindblowingly complex technical engineering can protect us, as opposed to being at the mercy of all-too-human factors - like the fact that 97% of people, left to their own devices, would use the name of their loved one, pet or favourite sporting team as their password.

Unless they're sysadmins, of course. Then the password is usually one of four options: sa, [blank], "." or God.
posted by UbuRoivas at 12:00 AM on June 5, 2008


"I'm not a MAC guy at all, but Woz wrote the foreword... I read it back in 2002, but I am pretty sure Woz wasn't involved in any illicit activities"

Oh let's just say Woz liked to get his phreak on every now and then.
posted by PenDevil at 12:08 AM on June 5, 2008


Erk! that link should point here.
posted by PenDevil at 12:09 AM on June 5, 2008


Even so, these guards seem pretty...trusting, for being guards.

I was a security guard once. The only qualifications were a clean police record and a willingness to work the late shift. There was no psychological testing and very little training or supervision. It's a great job if you don't have much ambition and like being alone for hours at a time. Easy pickings, really.
posted by tommasz at 5:26 AM on June 5, 2008


speaking of nonchalant guards (again in Canada)
posted by figTree at 8:54 AM on June 5, 2008


Unless they're sysadmins, of course. Then the password is usually one of four options: sa, [blank], "." or God.

don't forget "password123" or "admin"
posted by indiebass at 8:59 AM on June 5, 2008


His hacking, therefore, was uncommonly effective, and didn't require scare quotes.

My use of the scare quotes was to contrast Mitnick's actual deeds with the public perception of what constitutes hacking.

Far be it from me to profane the name of such a solid character as Mitnick.
posted by Afroblanco at 10:46 AM on June 5, 2008


Mitnick does have one of the coolest business cards I've ever seen.
posted by quin at 10:59 AM on June 5, 2008 [1 favorite]


After being out of the country for about a month, I returned home and could not remember the complex password into the underground parking garage. The superintendent gave me the "backup" password: 1234.
posted by KokuRyu at 12:08 PM on June 7, 2008




Hey, I just came in here to post the same good news. Beaten by one hour.
posted by PercussivePaul at 6:40 PM on June 10, 2008

