The Art of Deception

Review of Kevin Mitnick's legendary book

Lockpicking

I’ve read Kevin Mitnick’s The Art of Deception and so far my experience has been underwhelming.

On the one hand, many of the stories that he tells are nice examples of social engineering, but I believe the book might not have aged well (after all, it was written back in 2002, more than 20 years ago). Many of the anecdotes do not seem to boil down to lax security practices, not even to stupidity, but rather to sheer luck and misplaced trust. Some of those would not even be possible now – maybe even thanks to the growth of security practices since then.

One of the instances that stays in my head is how the social engineer obtained a credit card number by simply asking for it. However, I can’t think of a single business that stores them in plaintext, so reading them out would not be possible. (The next massive leak will prove me wrong, I guess.)

In many other anecdotes, he explains how, knowing nothing, one can gain a lot of information by just asking for it, and then he tells the story of how, by calling a particular private number, you can just ask for details and get them – never mind that the number is a private one and the agent already knew enough of the business lingo to create a credible lie. How is this “knowing nothing”? Regardless, I understand that the point he’s trying to make is that with enough public information, you can cheat your way into acquiring some private information and use it as leverage for more and more sensitive information as well.

But I’m also not in love with his writing style, which is related to the previous point. He does not explain the structure of a scam, nor does he go into the mechanics that make social engineering possible; rather, he goes over the same story he has just told a second time with very little analysis. Without meaning to, he sounds condescending, repeating time and time again how it can happen to anyone and how people would not suspect it.

Only a few of the stories did I actually find surprising: ruses where the lie itself would be easy to pick up on, so using various victims with different excuses and giving each only part of the story was a good way to cover the whole crime, without ever revealing to any of them more than they needed to know to do what he wanted them to do.

Aside from the stories, which make up a good 80% of the book, there’s a security policies section. That one was a positive surprise, because I expected it to be very basic and outdated, but it was actually a good set of guidelines to start drafting a security policy. Yes, they need some dusting off and some modernization before they can be used, but they’re a great head start.

Most of the learnings in this book can be reduced to:

  • Know your target. Really know your target.
  • Know how to lie and improvise without giving away the lie.
  • Don’t leave traces or suspicions, even after you’re done.
  • Don’t show all of your cards at once.

I think that’s about it. I believe this wasn’t a great experience, mostly because of how hyped I was to read this book, and it turned out not to be such a big deal.