The most vulnerable part of any secure information system is the human at the controls. Secure passwords, strong encryption, and stringent protocols are all worthless if that human can be coerced to give away the keys to the kingdom. The techniques of attacking a system through the human are collectively known as social engineering. While most of us don’t use social engineering in our day-to-day jobs, anyone can fall victim to it, so it’s always good to see this stuff in action. Some of the best examples of social engineering come from unlikely places. One of those is [Matthew Pitman].
[Matt] is one of those people we all hope we never to meet in real life. He’s a repo man. For those not familiar with the term, [Matt] is the guy who comes to pick up your car, boat or other asset when you fall behind on your loan payments. Generally, these repossession agents are contractors, working for the bank or loan agency who holds the loan on the collateral. As you might expect, no one is happy to see them coming.
[Matt] uses plenty of high-tech gadgetry in his line of work, everything from GPS tracking devices to drones. He calls his tow truck the Repo Ninja, and the interior is decked out with an internet connection, laptop, and tons of cameras. Even so, his greatest asset is social engineering. His 26 years of experience have taught him how to work people to get what he needs: their cars.
About 5 years ago, [Matt] began taking videos of his repossession jobs. His motivation was not fame and fortune on the internet. The cameras came out as a way to protect him from frivolous claims. All too often a debtor will claim that damage was done to their vehicle during the repossession, or that the repossession agent did something illegal, like enter a closed garage. [Matt’s] cameras have kept these claims from escalating to court cases more times than he can count. As time went on, he started uploading some of the videos to his YouTube channel: RepoNut, which is how we found him.
Leveraging What’s (mostly) Public
Social networking services such as Facebook, Twitter, Instagram, Tinder, and Snapchat are one of the greatest boons for digging up personal data. [Matt] uses all of this to his advantage. It’s easy to see where a car is being stored when the owner posts pictures of it up on Facebook – even if it’s in the background on the kids first day of school. Many times a debtor’s Facebook security settings will be wide open. When they’re not, [Matt] has an arsenal of Facebook accounts to get onto that person’s friends list. Sex sells, and [Matt] knows it. Young single men are always happy to add a pretty local girl to their friends list. Little do they know that the person on the other end of the account is [Matt] himself.
Follow the Phone
Spearphishing is a technique where data is obtained from a specific target by sending them an innocent looking message. That target may be a high level executive, an engineer, or someone a few payments behind on their car. In this scene, from [Matt’s] appearance on ABC’s 20/20, [Matt] sends a text message to the ABC reporter. The message is actually from a spearphishing service. The payload [Matt] is phishing for is the reporter’s location. The SMS based trojan installs GPS tracking software on her phone. which leads [Matt] right to her.
A good social engineers is flexible, ready to change their techniques at a moments notice to achieve their goal. This flies in the face of the way most drivers handle repossessions. Many agents have one technique: “hook and book” – I.E. grab the car and go – assembly line style. However, this isn’t always the best way to do it. The goal of a repossession is not to snag a car. It’s to get the bank the money which it is owed. If a debtor can pay the money, great! If they can’t, the car is eventually sold at auction to repay the loan. [Matt] always analyzes the behavior and body language of the debtors he contacts. People’s attitudes change when they see their vehicle is hooked on a tow truck. Everyone says they’re going to pay – but only a few are sincere enough to warrant him spending extra time – time he could be using finish this repo and grab another. Here is a case where a debtor truly owned up to the missed payments and impressed [Matt]. He’s been doing this long enough to have seen just about every con in the book, and this person’s actions and body language came across as sincere. [Matt] actually lowered the car and followed the owner to a family member’s house. The family member called in a payment and everyone walked away with the best possible outcome. In a case like this, [Matt] is still payed his full fee, but he doesn’t have to worry about transporting, storing, and transferring personal items in the vehicle. Following the owner to a family member’s house also gave [Matt] some vital information: A new address which he could use to look for the vehicle should it come up for possession again.
The best social engineers know the mindset of their target, and can quickly deduce what they need to do to achieve their goal. When a debtor stopped to pick up new tries for a vehicle with a repo order on it, [Matt’s] target changed. Rather than hook the car, which would have brought out the entire staff of the tire shop, he went for a more subtle technique. Every automotive service center works the same way: Customers come in and talk to a service writer. The service writer writes up the problem and takes the customer’s keys. Eventually there are a line of keys and papers on a counter top. When a mechanic is ready for a new job, he grabs the next set of keys. Most of the time the keys are under the sole surveillance of the service writer – whose job focus is servicing the next customer. This was [Matt’s] new target. Distract the writer with a customer, and you can get the keys. It’s a perfect demonstration of using social engineering to turn someone’s job against them. That’s exactly what [Matt] did in this clip. He asks the clerk about a set of Pirelli tires for his Mustang, while covering the keys with a pamphlet. After this sleight of hand, [Matt] walks away with the pamphlet and the keys beneath. He’s able to drive the repossessed car down the street to his waiting tow truck.
Treating People Like People
A theme that has replayed itself countless times in [Matt’s] videos is one of respect. Folks who have their cars repossessed aren’t automatically criminals. Many times they are regular people who have lost their jobs, or had some other hardship. [Matt] always approaches the situation with respect for the other parties. More than just verbal respect, [Matt] adjusts his tone and mannerisms to appear as a non-aggressor. This tends to calm the vehicle owner. In Social Engineering terms, this is Neuro-linguistic programming (NLP). You can see that in action in this scene, where a woman thanks [Matt] for his respectful approach. This also helps to calm down her husband, who says he would have “whooped some ass” if [Matt] had upset her. That video is also a great example of how [Matt] always tries to allow the vehicle owners to get anything they need from the car before it is towed. The repossession is for cars, not child car-seats, cell phones, or anything else.
The Confidence Game
Many of the social engineering exploits from well-known hackers like [Kevin Mitnick] involve getting privileged information by just asking for it. In fact, [Kevin] has said that he never used software based exploits to gain privileges on a computer system. It’s just a matter of calling the people with the target data and either sweet-talking or scaring that data out of them. Convince a low-level corporate drone that you’re a manager 3 or 4 levels up, and are in a time-sensitive do-or-die situation. We guarantee 9 out of 10 of them will sing like a canary. [Matt] proved he can play that game as well when he ran into a locked gate at an apartment complex. The gate was locked with a combination lock, and a vehicle he needed to tow was in the yard behind the gate. He simply called the property management company, and said he needed access to the area. Whoever was on the other end of the line took the official sounding voice as one of authority and read the combination over the phone. So much for privileged data!
Even with all that experience, not every day is a good day for [Matt]. Here is one case where the owners just wanted to fight. Rather than escalate or involve the police, he simply left. Later the owner voluntarily surrendered the car – but not without some drama. They taped a razor blade on the inside door handle. [Matt] got a nasty cut while performing the repo. There is a new trick to be learned every day.
[Matt] performs repossessions in Utah for his company, Certified Asset Recovery Service. If you’re wondering what [Matt] is paid for a repossession, his average fee is $350 USD. That might be 5 minutes of work, or 5 months of research and tracking.