Scene: A group of “detectives” are trying to find a person who meets the right criteria for having their identity stolen and their life taken over.

Back in Tokyo,… Funaki took the day off work and the Isakas joined in as well, searching the printout for women in their twenties.

“Say ‘police’ if you have to,” Funaki instructed. “Ask the women listed if two years back some close relation might have met with an accident or been badly injured somehow. Get them talking, no matter what it takes.”

It was past eleven, time to call it a day, when they got a break.

Funaki cupped his hand over the receiver. “We’re in business!” he called to Honma, who was over by the window, tentatively stretching his legs. Then, speaking into the phone again, he said, “Hold on, I’ll turn you over to the officer in charge.”

Emi Kimura was twenty-four years old. The printout gave her occupation as “freelancer.” At first she spoke in a sweet, almost child-like voice. She interrupted Honma to ask, “Is this for real? This isn’t Candid Camera or something?”

“No. Look, I’m sorry to bother you like this. I don’t know if you’ll be able to help us or not, but let me explain. We traced you through some customer data provided by a company called Roseline. I believe you know the name?” Honma paused. “Ms. Kimura, I’m sorry, but these questions are important for an investigation we’re working on. You don’t come from a large family, and you live by yourself, is that correct? And both your parents have passed on.”

Emi’s voice trembled. “How do you know all that?”

So far so good, Honma nodded to Funaki. “My colleague, the person you spoke to a minute ago, asked if you had any close relatives who might have had an accident or some kind of personal tragedy in the last two years. You said you had. Could you tell me more about that?”

It took a moment for Emi to answer. “It was my sister.”

“Your sister.”

“Ye-e-es.”

Honma quietly repeated, “Yes?”

Emi was clearly getting upset. “Listen, I’m going to hang up. I mean, how do I know this isn’t some kind of crank call? How do I know you’re actually detectives?”

Honma hesitated. Funaki grabbed the phone away from him and rattled off the number of the direct line to Investigation. “Got that? Here’s what I want you to do. Ring up and say our names. Ask if there are any detectives by those names on the force. Tell whoever answers that you need to get in touch with Inspector Honma immediately. Ask them to have him call you back as soon as he can. Only give a totally made-up name and phone number. Don’t give your real ones. The officer will contact us to say you called. Then we’ll call you back at your real number and give you the false name and number he tells us. Just to make sure there’s no mistake, that we are who we say we are. Fair enough?”

Emi agreed and hung up.

“When you’re in a hurry, take a side road,” Funaki said. He reached for a cigarette and lit up. …

Emi picked up on the first ring. Honma kept his voice as neutral as possible. “Hello? Is this Akiko Sato? At 5555-4444?”

“You’ve got to wonder about that girl’s powers of imagination,” Funaki whispered.

But Emi Kimura was in no mood for flip remarks. She burst into tears.

I love this scene (from Miyuki Miyabe’s All She Was Worth) as a model for social engineering. Imagine you’re Emi Kimura. You’re being asked about an emotional topic: the death of a loved one. The callers say they are cops and give you a way to authenticate them. The authentication check succeeds. You’re talking about difficult-to-confront, emotional material with an authority figure who has authenticated themselves successfully.

Consider:

  • After the person at the Investigations precinct confirms their names and the two detectives are able to relay the fake name and number back to you, are you now convinced that they’re actually cops?
  • What’s the issue with the authentication challenge they presented? What revision to the proposed process would you give to have better certainty of their identities?
  • If you did start divulging personal details to them, what wouldn’t you say? Or more importantly, how would you know if you’d already said too much or to the wrong people?
  • Now, pretend you’re actually cops who need to interview Emi as a witness to a potential crime. Time is of the essence. What could you do to better convince Emi that you’re legitimate?
  • And now, as an attacker. You’re a social engineer trying to find out details so you can steal Emi’s identity. What revisions, if any, would you make to the approach above?