CyberWire Daily - Misdirection and layering with a con in the middle. [Hacking Humans Goes to the Movies]
Episode Date: November 25, 2021

Thanks for joining us for our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in ...this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Joe's and Rick's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies.

Links to this episode's clips if you'd like to watch along:
Joe's clip from "The Simpsons: Father and Son Grifting" episode
Rick's pick from "Paper Moon"
Transcript
You're listening to the CyberWire. I'm Dave Bittner from the CyberWire, and joining me is my Hacking Humans co-host, Joe Carrigan from the Johns Hopkins
University Information Security Institute. Hello, Joe. Hi, Dave. On this show, Joe and I look at
clips from some of our favorite movies and perhaps the occasional TV show, clips which demonstrate
some of the scams and schemes we talk about on Hacking Humans. And joining us once again this
week is Rick Howard, the CyberWire's chief security officer and chief analyst. Hello, Rick.
Hey, guys. Glad to be here.
We've got some fun clips to share, so stay tuned. We'll be right back after this message
from our show sponsor.
All right.
We've got some fun clips to share this week.
And Joe, you're going to start things off for us.
What do you have for us this week?
My clip actually comes from one of my favorite shows, The Simpsons.
Oh, The Simpsons.
I love it.
And this is from, I think, season 12, which is when the show was still good.
Now the show's gone downhill considerably.
Now, now.
Now, now.
Calm those nerd tendencies, Joe.
Yeah.
Worst show ever.
So in this episode, Bart has acquired an interest in magic.
And what has happened at, he was going to go out and do a magic show and collect money with a hat.
But that didn't go well.
And Homer says, I'm leaving you here.
And Bart, looking all sad and dejected, starts to get handouts, money from people.
And eventually winds up getting enough money
that he can take a cab home.
He passes Homer in the cab,
and then Homer and Bart realize,
hey, this is where the money is.
The money is in scamming people.
Of course.
So they go out and they buy a book,
and they're up in the treehouse,
and that's where the clip starts.
They're going through the book,
and let's listen.
This book has all the classic cons.
There's the pigeon drop, the earwigger, the bristling grab.
Do you have any father and son grifts?
Well, there's the Albany ham scam.
Interesting.
Picture of two guys running away from a cop with pigs.
And so now they're sitting there, and they're frosting an old throw pillow,
and Marge walks in.
Why are you frosting that old throw pillow?
I could ask you the very same question.
Should I just back
out of the room? Would you?
Typical Homer and Marge here.
That's my go-to move in my house.
Welcome back. Ready for our first con?
So now they're at the pier.
Let's trim the pier.
Bart has the frosted pillow in a box. He puts on a pair of glasses and has a white cane. He stands behind Kent Brockman, who's on the phone.
Kent turns around and bumps into Bart, who now pretends to be blind.
Homer approaches.
And lays it on a little bit thicker.
I wish I'd have had those for my kid.
Right.
Now Kent Brockman feels bad for...
What should we buy first?
A singing rubber fish, of course.
There you are.
How's the magic act?
That's good enough.
What in the hell are you talking about?
Okay.
So now they come home and Marge and Lisa still believe they're doing the magic act.
Right.
But what happened was Kent Brockman bumped into Bart.
Homer yells at him and threatens him, you know, like, you'll work this off in the acid mines.
And he doesn't say anything to Kent like, hey, you owe me money.
He makes Kent feel bad about Bart.
Oh, here's this guy with this poor kid with his abusive father.
Let me see if I can buy this kid out of
a day in the acid mines.
And hands him the money.
And they make a lot of money doing this. And this is an old
scam called the
melon drop that comes
in Japan. Melons were very expensive
at one point in time.
I think it was Japan. Maybe
somewhere else. But anyway, someone would go out and they'd buy a melon.
They'd break up the melon.
And they'd put it in a box, a broken up box or a broken up melon in a box.
And then they'd let somebody bump into them very much in this fashion.
And they'd go, oh, you broke my melon because the melons were expensive.
And they demanded the person pay them for it.
Now, this happens also with things like a vase.
They put a bunch of broken glass in a vase and they say, I just paid $50 for that vase.
And then it's not a $50 vase.
It's a bunch of broken stuff.
So the best way to protect yourself when this happens is to say to the person that has just
bumped into you, you know what?
I'm very, very sorry.
Who should know about this is the police.
We should get the police involved to make sure that this goes off well.
You know, I've committed a terrible crime here.
Let's get the law enforcement involved.
I'll turn myself in and throw myself in the tender mercies of the court.
Usually when they hear the police are coming,
they'll just go and they'll get frustrated and walk away.
Yeah.
What do you make of this, Rick?
I would just like to point out that, you know, Bart and Homer, you know, being the resident cybersecurity canon guy, right, that they went and got a book to learn how to con people, right?
So if Bart can read a book, so can everybody else.
That's what I'm going to say.
Right.
Well, and who knew such resources were available at your local library, right? Exactly. Yeah, this is a good one. I like it. I like it a
lot. And you know what? The other thing I like about this is it's always great to be able to
learn things while you're laughing. Yes, absolutely. All right. All right. Well, we will have a link to
that segment in the show notes,
so you can check out the actual clip from the show there.
Why don't we move on to you, Rick?
You brought a clip for us today.
Tell us what you got.
So my clip is from the 1973 movie Paper Moon.
Have you guys seen this movie?
When's the last time you saw it?
No, I haven't seen it.
Not familiar with it.
It's an oldie but goodie, all right?
Directed by Peter Bogdanovich,
probably most famous for directing the 1971 movie,
The Last Picture Show.
And it stars Ryan O'Neal,
and he's probably most famous for the 1970 movie, Love Story.
And get this, his 10-year-old daughter, Tatum O'Neal,
who won the Best Supporting Actress Academy Award
for her performance for this picture
and is still the youngest actor to have ever won that award. And, you know, we're doing this in
October. So in the spirit of Halloween, she beat out Linda Blair that year, the child actress in
The Exorcist, who was four years her senior. How about that? So in this scene, Ryan O'Neal is
executing the 510 con in a little dime store
somewhere in the Midwest. The clerk is played by Dorothy Price, and it's the only movie she ever
made, but she is absolutely fabulous. I just love her. So let's run the clip. It's short, and I'll try
to explain it. All right. You look real nice in that ribbon. First, I didn't know was she a boy or a girl.
I'm a girl.
Well, it makes all the difference. Ain't she got a sweet little face, somehow?
Oh, seeing how I just got paid today, we'll take a ribbon in each color. How much that gonna set me back?
Well, that'll be 15 cents. Bought my grandchildren ribbons just like this last holiday time.
Grandchildren? I don't believe it.
You break a five?
Well, you can believe it, all right.
I'm just as old as I look.
So now, here you be.
That's one, two, three, four, five.
You know, this old wallet of mine's about to bust its size.
I give you five ones back, you give me that $5 bill.
How many grandchildren you got altogether?
Well, I got two little granddaughters, nine-year-old, two grandsons near 16, and I got a grandson 35 years old.
Come on, you're pulling my leg. Why don't you just give me a ten dollar bill? Here's the five, the five ones there. That way I won't be so quick to see it break apart. Six children, huh?
My daughter, 51.
Oh, now, I don't mean to be handing you no line,
but that's just pretty hard to believe you've got a 51-year-old child.
You can believe it, all right.
I'm afraid I'd have to see it to believe it.
Much obliged.
See you again.
Y'all come back.
Did you guys catch the con?
Did he give her a sixth one?
He did not.
Okay.
Although I did think that when I saw it the first 10 times.
So, to help set the scene here, if folks aren't familiar with it, this is taking place inside of a little shop, like a little, you know, store.
A small town store, right?
Where you'd be able to buy all sorts of things.
And the woman in this clip is the shopkeeper.
So, the business part of this, as we heard, is her making change. And I have to say, I followed along and I did not see the scam. It did not jump out at me. Of course, I knew there had to
be a scam here, because this is, you know, the point of the show here, but it's not obvious to me exactly what the mechanism was
that was going on here. So Rick, can you explain it? Yeah. So I watched this thing 10 times and I
still didn't see what he did. Right. I had to go to the Reddit conspiracy channels just to find
somebody who could explain it. Right. So the trick here is twofold. Joe talks about this all the time
in his, in your guys' show. It's misdirection is one main
thing, and then layering. The misdirection by distracting the clerk about her family,
and layering by instigating multiple legitimate money exchanges with the con in the middle,
kind of like a con sandwich, right? So he pays 15 cents for the ribbons and gets $4.85 back.
So he's even.
He pockets the change.
So now he has four bills.
He uses one of his own bills to give her five ones in exchange for a $5 bill.
He's even again.
She keeps the ones in her hand and never puts them back.
So then he distracts her with questions.
And with the $5 bill that she just gave him says, how about give me a $10 bill?
So he hands her his five.
He's down $5 now.
But as asked, she hands him the $10 bill.
And now he's up $5.
Genius.
Okay.
Genius.
And I've looked for that many times and did not see it.
Wait, wait, wait, wait, wait, wait, wait.
I still don't, I still, I got to see it again.
I'm going to have to watch this again, I think.
Even after that explanation, I looked and I still didn't get it, right?
So it's that clever, yeah.
He gives her five ones and she gives him a five.
Yes.
Okay. So, oh, so gives him a five. Yes. Okay.
So, oh, so he has the five.
She has the ones in her hand now and never puts them in the cash register.
Right.
So while she's still holding on to those five ones,
he hands her the five that she just handed him and says,
I'll tell you what, let me hand you this five,
and along with the five you have in your hand, that makes 10.
So let's trade the five you have plus the five I have, and you can just give me 10 in exchange for that.
Exactly.
And because he's so smooth about it and so quick, she goes for it.
And he makes $5.
Yeah.
And the trick there is that they got to get out of Dodge very quickly.
Cause you know,
what you don't see in the clip is she starts to figure out that something's
going on,
but they're already gone by the time they do.
Right.
So yeah.
Wonderful.
Yeah.
And this is a common scam.
I mean,
if you go on,
um,
YouTube,
you can see countless examples of security cameras,
your people in convenience stores.
And I think they refer to it as a short change scam is how it's referred to.
Quick change, short change. Yeah. So this one still works today and you can see why. I mean,
all of us, we knew that we were going to be seeing a scam, and it still didn't jump out to us as to what exactly the scam was.
That's why these cons are really like magic tricks, right?
Even though you know the magician on stage is doing magic, you're looking for it, you don't see it, right?
Yeah.
And as this clip points out, as you say, Rick, the scammers drive off.
They get out of Dodge as fast as they can,
drive off in their car,
and then you see the woman at the cash register,
and she's like, wait a minute.
What just happened?
Wait a second.
And by then, it's too late.
How do you protect yourself against this?
Oh, that's a great question.
I actually have an answer for that.
Yeah?
All right, let's hear it.
So this comes from a discussion I had years ago.
And the key problem here is that when she is in the process of changing money,
she still has money in her hands when he starts asking for the next thing.
So when you work at a till, at a cash register,
somebody says, hey, this is about
to break my wallet open. So let me have five ones for, let me have a five for these five ones.
Okay. At that point in time, you shut down all the other input. You take the five ones,
you count the five ones out and let them go on about everything else. Don't talk,
don't engage them. Put the five ones into the cash register,
take a $5 bill out, close the till, hand the customer the $5 bill. So one at a time.
And I've heard stories, I've heard anecdotes that this actually frustrates these people and they
just walk away. I don't know how effective it is. I don't know anything about it. And it seems like
this would work to me. So that's my recommendation is one at a time. So take away their ability to
layer these transactions on top of each other. Exactly. And to distract you with their smooth
conversation. Yes. Smooth talking. Yeah. Yeah. All right. Well, gentlemen, both fun clips today.
Good things to learn from.
So thank you both for bringing those to us.
We want to thank all of you for joining us.
And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation.
You can learn more at isi.jhu.edu.
The Hacking Humans podcast and Hacking Humans Goes to the Movies
is proudly produced in Maryland at the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our senior producer is Jennifer Eiben.
Our executive editor is Peter Kilpe.
I'm Dave Bittner.
I'm Joe Carrigan.
And I'm Rick Howard. Thanks for listening.