Tinder hacking: Part 4: Psychological analysis of Opsec/SocEng mission

Ok, not quite the end…

I’d like to dedicate this post to one very intelligent, charismatic young lady who is/was hurt by this experience. If you’re reading, all I ask is that you understand my crusade, please don’t lose trust in people resulting from my actions, I/this came from a good place 😦

Foreword: This subject sprawls to lots of different areas, we’ll stick to the key points. The reader may have ethical or moral questions about this post. My request is that you read this with an open mind before forming a discussion/conclusion.

One reason why these exercises only last for a short time (e.g. one week) is to ensure that the attacker does not form any emotional attachments with the target that could jeopardize the exercise. Brutal but true. Bad guys pillage and run. SocEngers act/think the same to be ahead of the game.

There are associated risks from SocEng to both parties. Taken in a military context, lives would be at stake. We’re all human.

To categorize the failures as mistakes would be a misconception, the mistakes are emotions which make us human. This is why SocEng works so many times.

In my history as a security professional, I faced a massive moral and professional dilemma. I broke a key rule and had to deal with the consequences:
Do I open up and blow the exercise or do I continue and shatter another person’s trust?

I wanted to open up and dispel misconceptions raised by the target, I was in too deep. I chose the latter with a heavy heart and even to this day I’m not certain if I had made the right decision.

NOTE: Respecting everyone’s privacy, specific details have been omitted.

After being matched, it started off as another interaction, we bantered and bantered we did. The one week mark came by and the rules state that I had to abort and go for full disclosure.

This was undoubtedly my biggest mistake, I did not stick to the rules: I played offense and attempted to move the conversation off Tinder.

The next day, my gut knew what was going to happen next: she followed.

What ensued was innocent fun. For most of the interaction, I stuck to the rules for as long as I possibly could.

The one rule broken was exchanging photos, I held ground without raising suspicion as long as I could without being socially awkward.

The situation got comfortable, there was some level of trust until…

A few weeks in, small warning signs appeared, I was called out for being cagey. Namely, my reluctance to reveal my physical details, open up, etc. It’s natural, this was bound to happen. I was still in exercise mode especially after a month of continuously engaging in OpSec, disengaging did not cross my mind.

Further to this, I was conscious of time spent online. With one month coming up after continuous contact, I had a decision to make and it was one not to be taken lightly.

My options were:

  • full disclosure: at the expense of prematurely ending the exercise and losing my anonymity (the latter is not necessarily a bad thing but goes against the rules)
  • completing the exercise: demonstrate the risk at the expense of losing trust

Just after the one month anniversary, I dropped a ‘seed’, before closing. The outcome resulted in me completing the exercise at the expense of losing trust. The end was a deliberate change in persona from what was displayed over the month, it was ruthless and I still feel bad about it.

Usually, the exercise would be done in a controlled environment such as an organizational drill, etc., but it wasn’t, the situation got out of hand and blew things out of the water. In short, things should have ended differently.

There are a few points that remain:

  • What was her account of the exercise?
  • Did she know that she was a target?
  • When did her suspicions arise?

etc.

By writing this, I hope that anyone planning a SocEng exercise takes into account the ramifications towards the target. Depending on the target, the outcome could be more than just the loss of trust.

In retrospect, I shouldn’t have broken the first rule but then again, things are always easy to say in retrospect.

To everyone out there, if you ever find yourself with a lady with exceptional conversational skills, make sure you treat her well with the utmost respect and tell her that I’m sorry.
