The Art of the Con (39 page)

It would be impossible to know every conceivable method to compromise technology, so as users, we need to follow some simple guidelines to avoid becoming an easy target:

1. Be careful about what you share online and where you share it
   . You should always be aware of what information about you is available on the Internet. Your social media page should not have your phone number or your address; in fact, I would even avoid giving your true birthday online, which can be incredibly useful to identity thieves. I also monitor and remember what can be deduced by accessing my profile. Should someone find a way to use that information or present themselves to me with nothing but facts they've collated from known sources, I might be able to recognize this. Remember that information on the Internet can be accessed by anyone with enough time and motivation and that anything you say or do online could one day be used against you.
   
2. Do not accept anything on face value
   . An unsolicited e-mail from a friend asking you to visit a website or download a file should automatically be treated with suspicion. Look at the wording, consider the circumstances, and unless you are absolutely certain about its nature, don't click on anything. I don't trust secure websites unless I type the URL and visit them directly, and even then, it's possible to redirect my request and send me to a spoofed page depending on how and where I am accessing the Internet.
   
3. Take great care in how you access the Internet and avoid logging into secure pages or sending sensitive data on unsecured or unknown networks
   . Caution should always be exercised, even at home or when using cellular services. I personally try to avoid buying anything via public Wi-Fi or with my cell phone.
   
4. Try to remember that opportunity rarely knocks and that fabulous prizes are incredibly rare—even when we actually take part in a lottery or contest!
   Any windfall that arrives by e-mail or instant message is far more likely to be a scam than a gift of fortune. Act accordingly. Even if there's genuine reason to think something might be true, proceed with caution.
   
5. Take a few extra steps to protect your online presence
   . Buy software to manage passwords, protect yourself from viruses, always log out of any site you access publicly, and spend a few minutes every week monitoring your own activity to see if there's anything you don't recognize. Of course, nothing is completely safe; the objective is to avoid common pitfalls rather than needlessly restrict your online activity. Remember, the more you have to lose, the more steps you need to take to protect your online presence.
   

The digital domain may be the biggest playground of all time for con artists and scammers. It's an ethereal land of opportunity where potential victims are still blind to many of the dangers that exist when sharing information. Prevention is the best way to protect your online presence, and it's important to maintain a functioning level of knowledge about security and best practices, which are changing all the time. Complacency and ignorance are commonplace and are the primary reasons why online scams succeed. By investing a little time and taking a few simple steps, anyone can avoid becoming an easy target.

*
When you log into a secure site, your browser is sent a "cookie"-a piece of code that allows you to remain logged into that site so long as that code is detected by the site. If this cookie is not encrypted, then it can be intercepted and copied into the hacker's browser to grant the same access. This code expires whenever the user logs out of the site. If they fail to do so or are prevented from doing so, the code remains active.

M
G stood at the roulette table and made a few inexpensive bets while he waited for the next spin. His wife, SG, was at the other end of the table sipping a soft drink as the other players dropped chips on and around the numbers printed on the green baize.

The dealer reached into the large wooden tub and plucked the white ball from the still-spinning rotor. As the numbers continued to spin, the ball was pressed hard against the well-worn runway inside lip of the tub and snapped with familiar skill so it spun at high speed around the inner rim. As the ball hummed, MG found the tiny button sewn into his sleeve and began to press it in time with the ball as it passed a fixed point on the wheel. In his pocket, a PDA
*
running a secret computer program recorded each button-press and calculated the speed of the ball compared to the spinning wheel before transmitting a single number to the earpiece being worn by MG's wife.

Instantly, SG passed her hands smoothly over the layout, dropping chips with well-practiced accuracy on a memorized pattern of numbers. The ball slowed, then fell into the tub and onto the rotating wheel. After a few bounces, it landed on a winning number. MG smiled as his wife collected another large stack of chips.

MG had spent months testing his system, which had finally started to pay off after he taught the program to adjust its predictions for bounce patterns and human error. The losing bets were cleared away as MG prepared himself for the next spin, but from the corner of his eye, he spotted trouble.

Just as the dealer was preparing for the next spin, the head of security approached and asked MG if he would mind stepping away from the table.

Smiling, MG followed the head of security to the bar, where the casino manager was waiting. At the roulette table, SG continued to play without the aid of their advantage while glancing over nervously at her husband as he spoke to the manager and his security officer. After a few minutes, MG returned in time for another spin of the wheel. Without hesitation, he continued to clock the wheel and send the predicted number to his wife who expertly dropped her chips before the dealer called “no more bets.”

“Everything okay?” she asked.

“All fine,” MG replied. “We've been invited to dinner. The manager likes to take care of his best customers.”

SG looked over at the bar and waved to the manager who smiled back and returned the gesture as the ball landed on another winner.

With MG and his wife, the casino fell victim to an ingenious system that was far more advanced than anything previously seen within the industry. Because of this, any indication that a system might be behind MG's success was completely ignored. MG always watched the ball closely and his wife constantly made several bets at the last moment, but the casino ignored all of this because, at that time, clockers were thought to work alone or with physical signals. The idea that MG's wife was being sent the information wirelessly didn't occur to them because this was 1999, and Bluetooth technology was still relatively unknown.

Fifteen years later, casino security continues to fall victim to a lack of knowledge and understanding. In 2012, one of the world's most successful gamblers negotiated playing conditions that allowed him to selectively rotate the casino's cards during play until certain values pointed in opposite directions. He was able to do this thanks to a common flaw in almost all playing card back designs, which allows an advantage player to identify the orientation of known cards. Keen to attract his business, the casino easily agreed to an unusual procedure where the player was able to see each card before dictating how it should be turned face up. As a result of this tactic, the player earned almost thirteen million dollars, which the casino then refused to pay.

What shocks me is that the casino took so long to identify the ruse. Any genuine expert on cheating would consider this to be almost obvious, but advantage players have been successfully using the ploy all over the world. On the face of it, the strategy appears to rely on a tiny printing flaw; in fact, I believe that it depends entirely on the ignorance of casino managers and their staff who agree to these requests.

Sadly, instead of accepting their mistake, the casinos decided to blame the player for asking to improve his chances, have refused to pay his winnings,
and
have taken legal action against him. If a gaming establishment is willing to bend or break their own procedures to attract big-money gamblers, they are solely responsible for any advantage they might be giving away.

I could easily name a dozen casinos in Las Vegas where “playing the turn” in this way should never work because the people they employ have taken an active interest in how games can be beaten in this manner, and if there's anything they don't know, there are experts who can easily advise them.

I've had many dealings with casino security over the years. Most meetings have been pleasant and enjoyable, but in almost every interaction there is an air of defensiveness, a feeling that they don't wish to appear weak or foolish. This is natural since their job is to monitor and protect their company's interests. Any obvious lack of knowledge on their part might be seen as a weakness that could one day be used against them. Nevertheless, a more productive solution would be to actively educate themselves with the help of some genuine cheating experts.

This attitude is not isolated to the casino industry. Airport security, particularly in the United States, is almost belligerent in its certainty that their procedures are effective. In fact, it is my opinion that most of their practices are actually not just pointless but detrimental to the objective of genuinely protecting passengers. Security expert Bruce Schneier often uses the term “security theater” to describe unnecessary processes such as removing shoes or screening passengers with unproven, insufficiently tested body scanners. These slow down the lines but provide little defense against an intelligent or creative attack.

Ben Gurion Airport in Tel Aviv is an excellent example of a well-run security system that monitors and interacts with passengers closely. They use technology effectively to screen baggage and protect the perimeters of the airport, but the key to their success is simplicity. At Ben Gurion, security personnel are highly trained and extremely knowledgeable. This does not appear to be true in many of the airports that are protected by the TSA, where poorly educated staff often focus all of their efforts on finding forgotten containers of harmless liquid instead of engaging with passengers to identify a potential threat.

The Tel Aviv model has been successful because it examines people just as closely as their property, whereas the TSA model (and many others) spend too much time looking at luggage, shoes, and small bags filled with shampoo and cosmetics. Ben Gurion staff talk to people and observe their behavior, looking for any reaction or signal that would indicate stress or deception. A bomb might be hidden so perfectly it could easily go undetected, but a few friendly questions to the person intending to use that device might quickly alert a trained individual that something is amiss. Real terrorists do not behave as coolly and calmly as they do in the movies. They tend to be nervous, distracted, or unable to communicate normally.

With the TSA, I have noticed a change in the last few years. Now, there is greater interaction when passengers present their ID. I hope those officers have learned what to look for, but beyond this point, staff are still shouting at passengers or distracting one another with gossip while failing to exercise basic common sense in many situations. It continues to surprise me that management regularly fails to resolve conflicts at the security area because they give support to their staff instead of giving them what they need: leadership.

This type of machismo is counterproductive and fosters ignorance. The really smart security managers (and I've met many) maintain a more open posture. They listen more, consider all possibilities, and are constantly looking for new danger. The opposite of this approach is to build a secure environment, then fail to maintain it over time. Many successful incursions, whether physical or digital, depend on defenses that had not evolved as quickly as possible means of attack. Resting on the laurels of a well-built system is an all too common mistake, because it's not a matter of if your walls will be breached, but when. The biggest concern is not how long it takes to defeat a system but how long it takes before that breach is detected.