If you have any doubts about the value of field research, Laurie Taylor's "In the Underworld" will settle them. This practical and unorthodox work of criminology describes the world of 1980s professional crime, in which Professor Taylor's travels and interviews were ably assisted by no less than John McVicar himself.
As a long-time Radio 4 broadcaster (he's still going), you'd expect Laurie Taylor to educate, inform, and entertain. Within "In the Underworld", the education is instructive, the information is both surprising and alarming, and the entertainment is richly comic. The experience may have been influential in one respect at least: he later made the radio series "Speaking as an Expert" in which he successfully impersonated a wide range of specialists – including an IBM consultant (with their permission, of course).
The flavor of the book is best conveyed by one successful heist of a million pounds; back then, a million pounds was actually worth something. Sadly, it was a million pounds in luncheon vouchers. Well – at least you could eat luncheon vouchers, unlike Bitcoin.
“The Beauty of a Good Con”: effective countermeasures then and now
The security practitioner can learn much from this book. The chapter on cheque book fraud explains how the evolution of countermeasures (the improvements in cheque book design) effectively contained this fraud within a few years.
So the fraudsters moved on to travellers' cheques. It turns out that the hard part for them wasn't stealing the cheques, but forging a signature fluently: the pressure of being watched by a teller while signing really did make this far harder to do.
Today we hear a lot about biometric forgery, and supervision would be an effective countermeasure there too. It's not often that this kind of supervision can be built into biometric authentication, but where facial recording can be used alongside authentication, it might be a good deterrent.
“Enter Robbers Armed”: shifting from security guards to data encryption
The chapter title "Robbing Banks with a Pen" may now seem quaint, but even in the book John McVicar is already reminiscing: “‘Except when we used to do the smash-and-grab', said John nostalgically, as though describing a childhood prank. (I was beginning to wonder if it had been a mistake to stay on Pernod for a whole evening.)”
Those days were already long gone, thanks to on-street bollards, security screens and improvements to jewelry display shelves in the 1960s. So physical security improvements can indeed be effective, and quickly too. Given those rapid returns for physical security, information security professionals should ask themselves why, in the 21st century, we are still using passwords.
“Hoisting and Tweedling”: the evolution of social engineering
The chapter on confidence trickery is the most directly relevant to information security today. Nowadays we call it social engineering, as practiced by email and phone – and on a much larger scale.
In the social engineering kill chain, we can disrupt the lure (the convincing email) or the hook (the crucial action, like clicking on the link in that email). Today, email lures are very effective: there are no more spelling mistakes to set alarm bells ringing and each email can be carefully targeted at a specific individual. Targeting is only going to get worse with the vast quantities of leaked identity data out there.
So here are three pieces of advice for any employee concerned about a potential email lure:
- Recheck the sender. Don't rely on what the email actually said – if in any doubt, phone them or forward the email (don't reply to it) and wait for confirmation. If your organization uses signed email, check the signature. Remember, they contacted you – not the other way round.
- Think again before taking the second step. If you did click the link, don't fill in your password. If you did open an attachment, don't override a warning.
- Don't be hasty. Any hint of urgency, pressure or temptation in the email is a warning sign. If it looks like it is from someone important, recheck the sender again.
For security professionals wondering how to mitigate the threat of email lures:
- If you are planning to use signed email, check it is available everywhere, including on mobile devices.
- Tailor email training to high-risk groups such as executives, finance staff and IT administrators.
- Reinforce the role of business managers. Remind them to let their staff know beforehand when they will be out of contact, and to warn their staff not to trust any email that tells them to bypass normal business procedures.
At the time, Laurie Taylor agreed with one conclusion: professional criminals were a dying breed, partly due to advances in police computing. In the early 1980s, he could hardly have foreseen how they would simply move to the internet, stealing from the comfort of their homes instead.