In the December issue of Wired magazine there is a fascinating story written by Evan Ratliff. Evan wanted to see if he could disappear off the face of the earth for 1 month without anyone finding him. He also put up a $5,000.00 reward if anyone could find him. Wired covered the story from start to finish and also posted updates as people were tracking him down.

Wired Magazine also gave him small tasks to complete that would reveal his location but yielded a nice cash prize for Evan.

It's truly fascinating to hear how he socially engineered his way across the United States (and used our travel systems of railway and buses) without any form of government-issued identification. Just some fake business cards and a pre-paid credit card/gift card made out to his fake name.

Now you probably know already I am not much of a reader, but this 8-page, 10,000-word story kept me on the edge of my seat like some Tom Clancy inspired movie (I would say novel but I don’t read).

I don’t want to ruin the story for you, but trust me, it's WELL worth the read.

It also got me thinking back to the days when I did internet security for banks. A lot of people might not know that after I got my start with Internet Service Providers I fell into this “security” niche in the banking industry.

I would get paid to do a lot of attack and penetration testing and most of the time that involved a lot of social engineering. Being good at social engineering is a great skill to have. It sure came in handy last year when I was able to socially engineer my wife and me into a Madonna concert and even got front row $1200.00 seats for free.

Most of it boils down to just acting “as if”.

It's so much fun breaking into banks… and not having the risk of getting caught.

I remember going to branches far away… waiting for someone to leave the parking garage and asking if they could please let me in 'cause I forgot my badge… then sneaking into the bathroom and waiting until everyone left so I could go around to every computer and see what I could get into. Sometimes people left their computer unlocked… sometimes the IT guy accidentally left the CD-ROM/floppy on the computer and I could boot into admin mode and change the admin password, then get in. It was fun.

Remotely trying to break into the computer system was just as fun… and a little more creative.

But the rules were that I could not use anything that was not publicly accessible on the company's website. I won't use the company's name but it would not be hard for you to figure out if you do a little bit of research on me.

First I would call a branch and act like an angry customer. I would not give out a name but insist on speaking to the branch manager. If they were not in I would ask for their name and cellphone number. Then when I got them on the line I would ask them for their district manager's name and phone number. I would keep asking for people's bosses' bosses until I hit an end. Sometimes you could get as far as a regional manager or even a VP.

Every time I would record the calls so I could listen to them later and write down all the info. It was important to have everyone's name, phone, rank and where they were from (branch numbers, region names, etc.).

Then I would visit the publicly accessible internet site and look up the phone number for their IT help desk.

When I called the help desk I would impersonate the branch manager. In a stern voice I would say something like, “This is Joe Johnson, branch manager of branch 85. I am having a problem dialing into the mainframe from my laptop. I have a pissed off customer and I need to get in now.” When they would ask me for any information I would stop them in their tracks and say, “Listen kid, I don’t have time for games. Understand my situation here. I been trying to get in all morning and am at my wits' end. I need you to walk me all the way through it.”

To my amazement, oftentimes the helpful IT person would walk me through the entire process of dialing into the network. Everything from providing the phone number to dial into to giving me my username & resetting my password to something new. He even would go so far as to tell me what URL to access to get into account information.

This did not happen every time… I would say it had about a 10% chance of success actually.

And yes even though I was told I could not use anything that was not publicly accessible my knowledge of the system gave me an advantage over a hacker who was not familiar at all with the system.

But here is the scary thing… This company has hundreds of thousands if not millions of people who are familiar with their system… actually way more familiar than me. All you had to do was be a basic $10 teller to know your way around the system. Pretty wild.

Now, since this company, like many others, has outsourced its help desk overseas, I wonder if it would be harder or easier to social engineer your way in?

By Jeremy Schoemaker

Jeremy "ShoeMoney" Schoemaker is the founder & CEO of ShoeMoney Media Group, and to date has sold 6 companies and done over 10 million in affiliate revenue. In 2013 Jeremy released his #1 International Best selling Autobiography titled "Nothing's Changed But My Change" - The ShoeMoney Story. You can read more about Jeremy on his wikipedia page here.

36 thoughts on “Think You Can Disappear?”
  1. I think a lot of companies operate this way, they believe that obfuscation is a good replacement for strong security practices.

    It’s also not surprising to learn that social engineering still works very well. Computers can make systems harder to brute force hack but social engineering runs the end around.

  2. towards the middle of this post I totally have forgotten that I was reading a shoemoney article. this is a refreshing read.

  3. Very freaking interesting reading, Shoe’…

    I’d heard about Evan Ratliff’s experiment (the insights into Facebook privacy were particularly interesting) – but combined with the social engineering insights… Very interesting.

  4. I didn’t think I’d ever expect to find a “2600” type post on ShoeMoney… It’s amazing that with a little carrot of information and overwhelming confidence, you can get through most barriers of security.

    Try carrying a flashlight & clipboard onto a movie set… I guarantee that you’ll get quite far before anyone ever questions you!

  5. That was fun to read and was an internal confirmation to me that I don’t only have to blog about my sites “main” topic. People love variety. Thanks. (and stay away from my bank.)

  6. It is pretty easy as long as you have some cash.

    JJ Luna has a book, how to be invisible and if you can afford to follow what is said, then you can live invisible.

  7. Ever heard of Dick Marcinko? He is/was the head of Seal Team 6, the Navy SEALs unit responsible for breaching military bases. A friend of mine met him about 10 years ago because he was a security auditor hired to do the same thing for big companies.

    His story was fascinating. He used simple social cues like acting “as if” (as you mentioned) to get past armed guards. He would simply hang out by where the smokers would be and just walk right in with them. He was even able to get into a data center and steal passwords by doing some low tech snooping.

    There was an article in New Yorker magazine in the summer about trolls who travel the country and even the world with a duffel bag full of cash. They have no identity, but wreak havoc around the internet.

    Thanks for this article. I’ll try to check it out.

  8. Of course you also have “More balls than a Christmas Tree” 🙂

    You said: “…This did not happen every time… I would say it had about a 10% chance of success actually.”

    I submit that this willingness to fail as illustrated is one of the key components of YOUR success and that of any successful business person. Within the context of your failure, you probably didn’t realize that this would prove valuable a few years down the road. That's the real deal take away from your life experience post.

  9. Are you trying to teach us how to rob the banks? 😛

    Because that is essentially the most important part of the bank robbery, disappearance.

    You can have a perfect robbery plan, but if you don’t manage to escape and disappear, you…well you go to jail 🙂

  10. good lord, take a break, bro! I hope you’re not writing this sitting on the beach in Cabo when you should be salsa dancing and drinking Coronas!

  11. Well such long post I prefer to read on weekends. Because at that time I can really enjoy this kind of post and can do correct justice as well.

  12. this is an amazing thought! it is intense! i don't get it; where do people come out with such ideas! Thanks for the share Shoe, i get to learn so much from you! cheers

  13. Good story, did you really read the whole story? 🙂
    I would say it’s harder to engineer your way in now since the technology becomes better. However, the main philosophy overseas is to collect the money with minimal amount of effort, most of the people I worked with there have no idea what mysql injection is, unless they are on the dark side of the biz. 🙂

  14. It's nice reading the story. When I saw the Title of the post I had no idea such a thrilling story lies underneath.

  15. That was an awesome story. Quite interesting. I love to read such stories. Keep sharing similar posts in future as well.

  16. fyi; this lifestyle exists and there’s a handful of cryptoanarchist darknets where such transient souls from time to time gather, plan and coordinate their existence.

    Most (all?) of them are/were relatively well-off persons ($M-MMM range) who originated as ‘tax refugees’ […] a choice gradually evolved out of hand.

    Today, several have become serial ponzi schemers, others have become sheep herders along deserted country roads, others have vanished completely and resurface only when declared dead …

    R.I.P. James, Frank and James…

  17. With such helpful “IT” persons, no wonder hackers find it so easy to steal information. That’s a risk of outsourcing.

  18. That is quite scary but so true. When I did service work I was always amazed at the freedom I had in companies. All it took was a laptop on one shoulder and some paperwork with some names from head office that requested the service.

    Since the type of work I was normally doing required total building access the next question they would ask is would you like a master key or do you need one of us to follow you around!

  19. It’s an interesting test but seems impossible if you have a life at all where family is dependent on you.

  20. JJ Luna has a book, how to be invisible and if you can afford to follow what is said, then you can live invisible.

  21. That’s insane. You have a lot of creative smart tactics, no wonder you are so successful. I really enjoyed that story, very ballsy.

  22. This blog appears to receive a great deal of visitors. How do you get traffic to it? It offers a nice individual twist on things. I guess having something authentic or substantial to talk about is the most important factor.

  25. So pleased I stumbled on your article. I have only just began to use pc’s and I’ve wasted the past week or so trying to find this information. My boy bought us a notebook for an early xmas treat and i am beginning to get the hang of it.
