Wednesday, February 27, 2008

Social engineering the deliveryman


Sometimes life gives you a great example of a vulnerable system - here's my recent exposure to an everyday system with a reasonably significant vulnerability.

We've all heard of cases of packages being left on doorsteps, or mis-delivered. This one is a bit different...

I recently ordered a new phone, and had it shipped to my apartment. As most apartment dwellers are used to, over the course of my time there any delivery that arrived when I wasn't around was taken to the complex office and a note was left on my door. That's actually quite convenient, and the complex staff require signatures and, better, recognize me.

In this case, however, something a bit different happened. First, the delivery person was told by my neighbors that I wasn't around, and carried on with his deliveries. On his way back, he saw someone outside of the apartment and stopped. The person claimed to be me - and according to the delivery person, they knew my name, and claimed to be waiting for the package. A forged signature later, and my new phone was gone.

If you ship with FedEx, DHL, or UPS, you've likely never been asked to present ID. If you're around the residence, know the person's name, and act reasonably sure of yourself, packages are free for the taking.

A hole in the system? Yes. One I had never seen exploited before, but one that is pretty easy to tackle if you can get the resident's name. The solution is amazingly simple: allow packages to be sent with a "require ID" option. A photo ID would have prevented the entire issue.

I'll post a follow-up, as further investigation is ongoing. Sadly, in cases like this the value of the stolen item isn't sufficient to change policy, and is below the threshold to make any sort of police investigation likely.

Creative Commons licensed image credit to Flickr user StarMama

1 comment:

MTI said...

David,

I once had a similar problem at a previous employer. However, we're not talking a phone here - we are talking a SAN. An HP MSA1000 with over 4 TB of disk. Here's the story.

The package was shipped truck freight as it was large and was not being handled by our normal purchasing agent. When it came time to deliver the package, the driver was not familiar with the campus addressing and could not find the building to drop it at. So, he resorted to looking up the contact name that was printed on the address label.

Unfortunately, the contact and his wife had recently moved to their new house they had just completed building, and the address that was in the delivery company's data warehouse was for their previous rental. So, the deliveryman drove the packages to the old address and rang the bell. The couple inside claimed to be the contact and signed and accepted the package.

When our rep from HP called to confirm we had received the SAN and associated hardware, we got a little concerned. When we looked at the tracking status online, we were shocked to see that the package showed "delivered and signed for." When we called the delivery company, they stated that the contact had signed for it... Wanna bet?

After involving HP, the delivery company and finally two police agencies, we were able to retrieve the packages and the SAN lives on. You are correct, a photo ID would have prevented this from happening.

Now, I wonder why the 6 quarts of synthetic oil I had coming last night shows this:

"A CORRECT COMPANY OR RECEIVER NAME IS NEEDED FOR DELIVERY. (Company Named Withheld) IS ATTEMPTING TO OBTAIN THIS INFORMATION / THE ADDRESS HAS BEEN CORRECTED. THE DELIVERY HAS BEEN RESCHEDULED"