We recently saw a video posted by the London Fire Brigade on Twitter and it got us thinking. I’m sure followers of the blog know just what we thought already…
It’s probably best to rate the London Fire Brigade on their outstanding courage and dedication to saving lives in London and not their attempt at preventing scams. We wanted to play a scenario out and raise awareness of ID verification in general. Believe me, some large businesses are no better.
I want to be a Firefighter
The issue here is so do quite a few grifters in the UK. The scam is as old as front doors but goes a little like this:
- Working in pairs, criminals knock on the door of some unsuspecting person and explain they are from the local fire service.
- Fake ID is shown and their pretext is delivered – a fire safety check.
- As one person distracts the homeowners and talks about escape routes outside, another enters the property and rummages through belongings or scopes the house for their pending burglary.
- The crooks claim the house is OK, thank the homeowner for their time and drive to another area to repeat the attack.
In my own life, time is scarce. Combined with years of consulting, I’m not sure I’d pass the extensive physical needed to become a real bonafide firefighter… there must be an easier way to do this.
Go Go AntiSocial Firefighting Engineers
We decided to prepare for this in a similar fashion to how we prepare for a physical social engineering assignment. The aim was to create the above ID, but make our ID look better than their ID and expand on what we deemed to be possible for a nefarious social engineer.
The plan was to recreate the ID card and abuse the authentication mechanisms put in place by the fire service, highlighting how solely trusting ID these days isn’t enough.
Designing The ID Card
The ID card was replicated by Chris in Photoshop, using a photo from ThisPersonDoesNotExist.com, Chris then stitched a face on to the body of a female firefighter… note the London telephone number and a slightly smaller than average head…
This information was all taken from the genuine card they show in the video and is a good reason why you should keep your own ID private, this isn’t always possible with ID because by its very nature it has to be shown, but posting high quality examples on Twitter does little to stop fraudsters.
Printing the Fake ID Card
Printing ID cards used to be quite hard, to get the specialist printer needed could cost £1000 for an ‘OK’ model. Like most things, there is many ways to achieve the same goal. Often a card printed with an Inkjet printer can produce adequate results.
This changes the risk model slightly, in 1990 ID cards would be produced by competent and dedicated criminals with access to specialist machinery. In 2020 this has opened up to any would be criminal with a few hours to spare and access to their local Argos.
The real card also had a hologram on, but the hologram just said ‘genuine’. You can buy these stickers on Amazon.
We decided to purchase holograms with an alphanumeric serial on them too so we could then match the hologram serial number with the printed badge number on the card.
For genuine cards LFB could add security measures that are much harder to reproduce, companies like De La Rue own this space and have many good designs.
What about the telephone number…
There is nothing stopping some criminal cretin from simply adding any old number on to the card, you could have a mate around the corner providing reassurance if any savvy victim rang the number.
Here at the AntiSocial Engineer we didn’t like the idea of relying on an accomplice on the other side of the phone to validate the ID. We wanted something a little more professional.
Making use of the Twilio IVR flow it was trivially easy to configure a robotic voice that would ‘validate’ the card. It worked well actually and if you entered any other number it would even warn the caller.
Note – The number seen in the video has now been released and the fake validation service stopped.
Some tips on improving ID verification
It’s all well and good picking holes in existing methods, but what should LFB do in a situation like this? How could they improve their ID verification system and deter social engineers from targeting people with such scams.
It is hard to be honest! Out of the blue someone arrives and a member of the public has to determine if the person on the doorstep is a genuine caller or a fraudster. I’m also going to hazard a guess that if the social engineer is confident in their own abilities and has the gift of the gab it could be quite a believable pretext, so the advice is multifaceted and a little holistic.
- Include the verification number on correspondence to the resident, maybe a yearly flyer that has fire safety tips combined with information about this kind of attack.
- Make use of professional validation technology, embossed serials, holograms worked into the card, UV strips. Not just holograms with a number on like our version… These are common place online. If you have a UK/EU driving license or passport have a look at all of the security measures built in to the document for inspiration.
- It’s a little out there but using LFB vehicles, red vans with blue lights on. Of course a social engineer could just go and buy an old fire service vehicle but the scam now leaves the common place and enters the unlikely.
- Share more on social media about scams, if fraudsters have been reported don’t let the victims suffer in silence – be quick to respond with alerts and advice to residents.