O hai let me verify your identity!

Wednesday, 19 February, Year 6 d.Tr. | Author: Mircea Popescu

It all started as all good things start these days : on irc.

Person didya get my last email
Person they sent a passport pic now, badly faked

What the...

So I look in my inbox, wherein :

---------- Forwarded message ----------
From: *
Date: Wed, Feb 19, 2014 at 2:49 AM
Subject: Fwd: Change of email
To: *


such identity


---------- Forwarded message ----------
From: cuddle-puddle@riseup.net
To: *
Date: Tue, 18 Feb 2014 17:41:14 -0800
Subject: Change of email
This is Martha McCuller, owner of bitbet.us. I would like the email associated with my account changed to cuddle-puddle@riseup.net. Attached is a scanned image of my United States passport for proof of identification. If more proof is necessary let me know and I'll be happy to comply. :)

And yes there's a passport. Behold :


This, obviously, is a fake, and a very cheap fake at that. Not only because the purported photograph of an actual item does not have the metadata associated with pictures normally, not only because even on a casual examination of the thing it's apparent it was generated scripturally rather than by actually photographing an actual physical itemi, but for a myriad other reasons I'm not going to go into because I'm not running a free critique and improvement service for fakers. They should be obvious anyway for anyone who isn't twelve, isn't retarded and isn't a third worlder.

Let me just reiterate and thickly underscore an older observation :

I. Social engineering is the #1 threat you face. Appallingly coded pieces of crap made by mentally feeble dorks (such as Tor or Bitdaytrade) are defeated through technical means all the time, sure. Nevertheless, if you’re not mentally feeble and you’re not coding a piece of crap the possibility of technical breach shall be and should be the least of your concerns. Mind that BitInstant lost a few hundred BTC in a social engineering attack last year, mind that Lavabit ended up closed through a social engineering attack last monthi, mind that even the NSA, for all its lavish expenditure out of ill gotten proceeds and all its advertised (if false) abundance of young bright minds and qualified engineer hands has pretty much abandoned technical attacks and is concentrating primarily on social engineering tactics.


Social engineering is your enemy, social engineering will stay your enemy. Permanently, your biggest enemy. If you don’t have plans to fight this beast in all its multifacetious forms you don’t have plans to survive, and that’s how it is.

This is exactly how things stand, today as six months ago, as they will stand six years and perhaps sixty decades from now : social engineering is your biggest enemy. Take measures.

As a service provider, take measures to protect your customers from social engineering. Do not allow some random know-nothings handle their accounts the way bullshit non-companies like Twitter do it. The people working customer identification have to be the best paid, most senior and experienced people in your entire organisation, with decades of experience working as ranking customs officials and lead detectives in tough precincts. And if you can't afford them, simply don't do customer identification. At all. There is no rule laid down on Moses' tablets that idiots who lose passwords should be able to ever recover them. "Sorry sir, the most we can do is wipe and reinstall your server for you, that is absolutely all" can perfectly acceptably and perfectly adequately be the limit of your customer support. You don't have to provide email reset services over the phone or password reset services over email or all the rest of the crap. In fact, if you don't have excellently good reasons why you would, simply don't. No, it's not true that "all customers lose their passwords sooner or later", and if it were : it would have been your fault. And if it ever becomes, it will be your fault.

As a customer, take measures to protect yourself from providers' social engineering ineptitude. Ask them to reset your password : if they do just move to a sane provider. What's so hard about that ?

Think this through. Think this through long and hard because it is big, it is huge, it is important. The biggest, the most important. Do not be surprised by it. Be prepared for it.

  1. Speaking of which, you ever seen one of those lengthy "sales letters" with all the yellow underscoring and highly formulaic, stylized characteristics ? Stuff like the warrior forum peddles ? Well in that case you're familiar with the unwritten rule that all these perfectly worthless and utterly pointless "products" necessarily come with a picture of the imaginary physical, dead tree book or cardboard box that the product somehow "is". These are required supposedly because "it's professional" to have them or more articulatedly explained because it helps the bullocks imaginary perceptions of value along. Yet upon more serious analysis they strictly as an artwork convention, like women in Hollywood movies must pull the covers up to their chin (else the film is "not being professional" about it), or like all fast food sodas must come in a paper cup. Them things.

    Anyway, this is the ultimate utility of all those piles of crap piled upon piles of crap : as a result of their existence and flowing from the effort put into their building and maintenance, someone somewhere has an imagemagick script that creates "passports". Transparently bad, awkward, laughable images of "passports", but nevertheless! And they ain't afraid to use it. []

Category: Bitcoin
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.

12 Responses

  1. Kottke did it before you and the NYT.

  2. Mircea Popescu`s avatar
    Mircea Popescu 
    Wednesday, 3 June 2015

    http://kottke.org/ ?

  3. "Sorry sir, the most we can do is wipe and reinstall your server for you, that is absolutely all"

    But.. this can be socially engineered too?

  4. Mircea Popescu`s avatar
    Mircea Popescu 
    Saturday, 19 March 2016

    It could be, sure.

  1. [...] apparent bad behavior known. On the Internet and in life in general the greatest threats are of a social engineering [...]

  2. [...] apparent bad behavior known. On the Internet and in life in general the greatest threats are of a social engineering [...]

  3. [...] you wish at any time whatsoever. Some people suspect Obama is a Nigerian scammer who used a fake passport to "verify his identity" right into the most valuable account in the US. Some other people suspect [...]

  4. [...] some random kid that failed to do much recently and readily admits to it sent people loading 98 pagesii. Then Gawker with 82 and [...]

  5. [...] deleting stuff would be the most basic, if quite toxic form of hacking. Because yes, social engineering is a threat to security, and by far the most dangerous sort. [↩]Arguably such attacks are easier on the blog side of [...]

  6. [...] your blog and it doesn't sound as convincing as I thought it did", let's have some quick examples : O hai let me verify your identity! ; O hai. I was justing doing a penetration test of your site. ; MIRCEA POPESCU IS AN ASSHOLE! etc [...]

  7. [...] not getting at least one piece of maculature aspiring to the status of legal menace a year (plus social engineering attacks, plus normal attacks, plus plus plus) you're definitely doing things wrong. Moreover, when you run [...]

  8. [...] people. They are the very important, right up there with social engineering. ———Check it out btw, I found a way to wordpress proper contracts : wrap the [...]

Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.