The Art of the Con
Page 27
IN SECURITY
MG stood at the roulette table and made a few inexpensive bets while he waited for the next spin. His wife, SG, was at the other end of the table sipping a soft drink as the other players dropped chips on and around the numbers printed on the green baize.
The dealer reached into the large wooden tub and plucked the white ball from the still-spinning rotor. As the numbers continued to spin, the ball was pressed hard against the well-worn runway inside lip of the tub and snapped with familiar skill so it spun at high speed around the inner rim. As the ball hummed, MG found the tiny button sewn into his sleeve and began to press it in time with the ball as it passed a fixed point on the wheel. In his pocket, a PDA* running a secret computer program recorded each button-press and calculated the speed of the ball compared to the spinning wheel before transmitting a single number to the earpiece being worn by MG’s wife.
Instantly, SG passed her hands smoothly over the layout, dropping chips with well-practiced accuracy on a memorized pattern of numbers. The ball slowed, then fell into the tub and onto the rotating wheel. After a few bounces, it landed on a winning number. MG smiled as his wife collected another large stack of chips.
MG had spent months testing his system, which had finally started to pay off after he taught the program to adjust its predictions for bounce patterns and human error. The losing bets were cleared away as MG prepared himself for the next spin, but from the corner of his eye, he spotted trouble.
Just as the dealer was preparing for the next spin, the head of security approached and asked MG if he would mind stepping away from the table.
Smiling, MG followed the head of security to the bar, where the casino manager was waiting. At the roulette table, SG continued to play without the aid of their advantage while glancing over nervously at her husband as he spoke to the manager and his security officer. After a few minutes, MG returned in time for another spin of the wheel. Without hesitation, he continued to clock the wheel and send the predicted number to his wife who expertly dropped her chips before the dealer called “no more bets.”
“Everything okay?” she asked.
“All fine,” MG replied. “We’ve been invited to dinner. The manager likes to take care of his best customers.”
SG looked over at the bar and waved to the manager who smiled back and returned the gesture as the ball landed on another winner.
With MG and his wife, the casino fell victim to an ingenious system that was far more advanced than anything previously seen within the industry. Because of this, any indication that a system might be behind MG’s success was completely ignored. MG always watched the ball closely and his wife constantly made several bets at the last moment, but the casino ignored all of this because, at that time, clockers were thought to work alone or with physical signals. The idea that MG’s wife was being sent the information wirelessly didn’t occur to them because this was 1999, and Bluetooth technology was still relatively unknown.
Fifteen years later, casino security continues to fall victim to a lack of knowledge and understanding. In 2012, one of the world’s most successful gamblers negotiated playing conditions that allowed him to selectively rotate the casino’s cards during play until certain values pointed in opposite directions. He was able to do this thanks to a common flaw in almost all playing card back designs, which allows an advantage player to identify the orientation of known cards. Keen to attract his business, the casino easily agreed to an unusual procedure where the player was able to see each card before dictating how it should be turned face up. As a result of this tactic, the player earned almost thirteen million dollars, which the casino then refused to pay.
What shocks me is that the casino took so long to identify the ruse. Any genuine expert on cheating would consider this to be almost obvious, but advantage players have been successfully using the ploy all over the world. On the face of it, the strategy appears to rely on a tiny printing flaw; in fact, I believe that it depends entirely on the ignorance of casino managers and their staff who agree to these requests.
Sadly, instead of accepting their mistake, the casinos decided to blame the player for asking to improve his chances, have refused to pay his winnings, and have taken legal action against him. If a gaming establishment is willing to bend or break their own procedures to attract big-money gamblers, they are solely responsible for any advantage they might be giving away.
I could easily name a dozen casinos in Las Vegas where “playing the turn” in this way should never work because the people they employ have taken an active interest in how games can be beaten in this manner, and if there’s anything they don’t know, there are experts who can easily advise them.
I’ve had many dealings with casino security over the years. Most meetings have been pleasant and enjoyable, but in almost every interaction there is an air of defensiveness, a feeling that they don’t wish to appear weak or foolish. This is natural since their job is to monitor and protect their company’s interests. Any obvious lack of knowledge on their part might be seen as a weakness that could one day be used against them. Nevertheless, a more productive solution would be to actively educate themselves with the help of some genuine cheating experts.
This attitude is not isolated to the casino industry. Airport security, particularly in the United States, is almost belligerent in its certainty that their procedures are effective. In fact, it is my opinion that most of their practices are actually not just pointless but detrimental to the objective of genuinely protecting passengers. Security expert Bruce Schneier often uses the term “security theater” to describe unnecessary processes such as removing shoes or screening passengers with unproven, insufficiently tested body scanners. These slow down the lines but provide little defense against an intelligent or creative attack.
Ben Gurion Airport in Tel Aviv is an excellent example of a well-run security system that monitors and interacts with passengers closely. They use technology effectively to screen baggage and protect the perimeters of the airport, but the key to their success is simplicity. At Ben Gurion, security personnel are highly trained and extremely knowledgeable. This does not appear to be true in many of the airports that are protected by the TSA, where poorly educated staff often focus all of their efforts on finding forgotten containers of harmless liquid instead of engaging with passengers to identify a potential threat.
The Tel Aviv model has been successful because it examines people just as closely as their property, whereas the TSA model (and many others) spend too much time looking at luggage, shoes, and small bags filled with shampoo and cosmetics. Ben Gurion staff talk to people and observe their behavior, looking for any reaction or signal that would indicate stress or deception. A bomb might be hidden so perfectly it could easily go undetected, but a few friendly questions to the person intending to use that device might quickly alert a trained individual that something is amiss. Real terrorists do not behave as coolly and calmly as they do in the movies. They tend to be nervous, distracted, or unable to communicate normally.
With the TSA, I have noticed a change in the last few years. Now, there is greater interaction when passengers present their ID. I hope those officers have learned what to look for, but beyond this point, staff are still shouting at passengers or distracting one another with gossip while failing to exercise basic common sense in many situations. It continues to surprise me that management regularly fails to resolve conflicts at the security area because they give support to their staff instead of giving them what they need: leadership.
This type of machismo is counterproductive and fosters ignorance. The really smart security managers (and I’ve met many) maintain a more open posture. They listen more, consider all possibilities, and are constantly looking for new danger. The opposite of this approach is to build a secure environment, then fail to maintain it over time. Many successful incursions, whether physical or digital, depend on defenses that had not evolved as quickly as possible means of attack. Resting on the laurels of a
well-built system is an all too common mistake, because it’s not a matter of if your walls will be breached, but when. The biggest concern is not how long it takes to defeat a system but how long it takes before that breach is detected.
Let’s imagine that a castle hires a company of experts to build a moat. Typically, a moat surrounds the structure in order to better protect it from invading forces and to add a powerful layer of defense to the outer wall. Even if the castle hires the best moat builders in the world, concessions will need to be made in the construction of the moat itself or in how the castle will operate in the future. Now let’s imagine that the marketing department of our castle dictates the width of the moat based on aesthetics, rather than the most difficult distance for an army to cross during an assault. Normally, a moat would restrict access to all sides, but catering demands that there’s a back entrance for them to better manage their food supplies and the king and queen require a secret tunnel to escape without being seen. Next, the castle’s design team dictates that the moat should be filled with clear water and expensive koi fish for visitors to appreciate so the depth of the moat is now severely limited. To the untrained eye, this property is protected by a moat, but to anyone who has studied how to breach the outer defenses of a castle, the compromises made during installation suggest many opportunities for attack.
In the casino world, this is akin to spending millions of dollars to provide and protect a particular game only to have a player negotiate his own conditions of play in return for risking a higher amount of money at the table. As already discussed, this has certainly happened many times and smart players have been able to adjust the order of play in order to give themselves a huge advantage without the need to cheat or conceal their actions. In the past, poorly designed games have been installed in large casinos that attract herds of advantage players eager to grab every penny they can before the house wakes up and pulls the game off the floor.
Most people have an area of expertise or a field of interest in which they are able to see past the surface with a deeper understanding than others. Whether it be a business or a hobby, there’s something you know well enough to spot an opportunity other people might miss. This is the heart of the advantage player’s approach. It’s not just a matter of spotting a lucky gap in the fence. An advantage-oriented outlook often depends on a deep understanding of a subject so that profitable patterns might emerge when observing that subject in the real world.
It’s important to understand that people who build walls think differently from those who break them down, and many attackers find ways to pass under, over, around, or through that wall invisibly. Only by maintaining an active, fluid posture can we be prepared for any attempted incursion.
I often say that if you want to know how vulnerable your home is, place a saucepan of milk on the stove, turn up the heat, and lock yourself out. Now try to get back in before the milk boils over.
For security professionals, I recommend taking the same approach by constantly testing defenses in the hope of identifying a weakness before it can be abused. Unfortunately, this is often frowned upon in an industry where any flaw is treated as a failure and saving face is all too important.
These issues are not isolated to the casino industry or airport security. Large corporations have often been guilty of complacency and have regularly fallen victim to hackers who are one step ahead in terms of technology and how to use it.
In the hacking community, the term “white hat” refers to experts who often use their abilities to identify vulnerabilities on behalf of companies and individuals. This is opposed to their “black hat” cousins who might exploit any weakness from the outside or share it with others. Many of these ethical “white hat” hackers are part of the expanding penetration testing industry that is employed to test systems for susceptibility, but many more are lone wolves, exploring the digisphere for anything that could be taken advantage of.
I am not part of this community, but I’ve spent a lot of time in their company learning about new ways information can be intercepted or stolen. I recognize in them the same passion for deception and cleverness that first drove me to study cheating and con games. I also see, on a larger scale, the same problems and suspicions that this passion can attract.
In the casino business, no one likes to be “schooled” by outsiders, and anyone who knows how to beat their games is regarded with distrust. I know a few genuine cheating experts in the industry, but unless they play the corporate game in terms of how they interact with management, interpret evidence, and present ideas, casinos often prefer—to their detriment—industry insiders who have a small interest and a little knowledge in cheating or advantage play.
The same appears to be true for businesses that rely on an image of impenetrable security. Banks, credit card companies, department stores, investment firms, and communications giants all claim to protect their customers’ information, but as we’ve seen many times, all are vulnerable. In some cases, millions of lines of sensitive data can be lost before a breach is detected. I believe that failures in security are inevitable. Companies need to do more to monitor and evaluate their defenses. “Pentesting” (penetration testing), where expert consultants are hired to evaluate potential dangers, is one way to actively assess security, but it is not nearly enough. Education of users at all levels is essential to create stronger, more flexible systems.
Companies also need to build a means to interact with free-lance hackers who are willing to share their findings fairly. This suggestion will no doubt infuriate many security experts who feel targeted by aggressive “white hats” who threaten to expose any weaknesses if they aren’t compensated. This practice is far from ethical and hackers who constantly probe exposed systems in this way have been described as “gray hats.” I believe that, with a little creativity, the industry can find a model that uses well-informed professionals to test their level of resistance while finding a way to interact with and reward anyone who finds a weak spot from the outside.
The closed-minded nature of security departments in all industries is merely a magnified reflection of human nature. As a rule, we tend to be defensive and most people think they are too smart to be cheated or conned. The truth is that most of us haven’t been conned because we’ve been lucky up till now! As I’ve tried to illustrate, deception can target anyone at any time and knowledge remains the only consistent defense.
Demonstrating cons and scams is a powerful way to teach and cultivate greater understanding about the art of deception. The only way to fully comprehend an idea is to experience it firsthand. For this reason, during seminars, I encourage my audience to split into pairs and try to con one another using simple scams as role-playing tools. The objective is not to protect against these particular con games but to learn the patterns of a scam that they might now recognize in the future.
One such exercise is the change raising scam (described in chapter nine). Using pieces of paper, audience members take turns playing the hustler and the cashier until they fully understand the principle of forcing a victim to perform two transactions at the same time. Next, I invite someone to take part in a simple social engineering exercise that uses exactly the same principle to embed a dangerous mistake into a series of innocuous tasks. During this procedure, the person helping me would test cables, check their Internet speed, and log in and out of their e-mail account. The mistake is in how they are directed to their e-mail provider, because the Internet speed test is a bogus page with links to a spoofed website. This is all acted out as a role-playing game before and after the change-raising exercise. Only after experiencing a few scams from the hustler’s perspective does the audience immediately recognize the deception in that role-playing scenario.
Education is the single most effective means of protecting against all forms of deception. In today’s world, it’s a downhill race to keep up with ever-changing possibilities; if the enemy gets too far ahead, by the time your business catches up, it will likely be too late. F
or casinos, corporations, and individuals, it is better to identify any harmful vulnerability before it can be exploited. The most effective strategy is to fully accept that we are all potential targets and that it’s only a matter of time before our defenses need to be repaired or rebuilt.
In essence: Confidence is the opposite of vigilance.
Footnote
* Personal Digital Assistant—a palmtop computer for managing data.
I never anticipated how much I would learn from my experiences writing and executing con games for television. Soon after starting, I began to recognize the opportunity to study my lifelong passion from the hustler’s perspective without risking life or liberty in the process.
My initial observations were focused on the scams, which sometimes seemed to work automatically. I soon identified the three key phases and borrowed the terms “hook, line, and sinker”; as I delved deeper, I began to see that these were merely objectives on the path toward deception. How each hustler achieves these goals can vary wildly depending on talent or audacity. I soon began to question why victims were vulnerable and how scams worked from their perspective.
I’m not a psychologist, but I am naturally interested in many aspects of psychology, especially when it applies to deception. While much of it is fascinating, I disagree with many of its conclusions about scams. I’m certainly not qualified to challenge these academically, but I often find myself frustrated or infuriated by attempts to define scams as either this sequence of events or that list of ingredients.
It’s easy to correlate “optimism bias” with the hook and “confirmation bias” with the line and for the sinker there are aspects of “sunk-cost fallacy,” where people are inclined to allow previous investments of time and money to influence their decision about whether or not to commit. Personally, I am reluctant to overly simplify or confine any aspect of con games because con artists adapt and their preferred methods can vary wildly.