Girl on a train. The snooping girl on a train: The Sequel

We want to trust one another – it’s one of the basic human traits that social engineers (and sociopaths) are so quick to exploit. And equally we’re often keen not to cause offence so will go to great lengths to avoid giving others the impression we don’t trust them.

It’s this kind of psychology that can see the basic commute fraught with complexity. There’s a whole undercurrent of social norms that can see us behave contrary to how we would normally because we’re sharing a space, albeit in a train carriage.

So here I am again, back on the train to London, at a table with a window seat and a power socket (a coveted seat that I and my fellow passengers always pre-book so we can work on the move). That common ground immediately plants the seeds of trust.

I’m sat opposite a chap who is clearly very busy (making it safe to assume he is fairly well positioned in his job). He has a laptop, two mobile phones and several work documents spread out in front of him.

We had exchanged pleasantries and smiles as we sat, but still respected each other’s space; merely two strangers on a train working across from each other. However, our proximity allowed me to take in a great deal of information.

The problem

I already know who he works for. There are documents in front of me with the logos for three different organisations and I have deduced which one is his employer. But – and here comes the rub – I also work with all of them.

A little way into our journey, the chap pays a visit to the loo and leaves ALL of the devices, all of the paperwork and his wallet on the table. None of the phones had PIN codes and one actually stayed open without sleep mode kicking in. The laptop (confession time – yes I did lean over for a sneaky peek when he went) was left logged in and was displaying the document he was currently working on.

A game of scruples

At this point I’m in a dilemma. The guy is clearly flouting his organisation’s security policy, and as a contracted employee for all three of the organisations concerned I have a vested interest. And I’m also pricked by my cyber conscience to just DO something to make this chap aware of how exposed he is personally.

So, what would you do? If you’re one of my clients, what would you expect me to do? If you’re the chap on the train, would you welcome my advice? The options were many and varied…

• The easy option. I could turn a blind eye and simply do nothing. Consequence: this man and his associates would continue to be exposed probably until something was stolen.
• The educator. Get into a discussion with the guy and share some advice. Consequence: a) he may welcome my advice (unlikely) b) he could ignore it c) he could think I was interfering and accusing him of poor practice.
• The storyteller. Walk away but use it as an example to future clients as a lesson on what NOT to do. Consequence: said clients would probably want to know why I didn’t act there and then.
• The whistle-blower. Call those three clients and inform them of what I’d seen. Consequence: the chap could be severely reprimanded but on the flip side this could see the companies focus more on their security training and device controls improving cyber security.

Want to know what I did?

When he returned I used the classic social vehicle of dry humour and said he shouldn’t have trusted me and how I could have made off with everything. Socially, this ensured I didn’t alienate him while getting across my message. Would that convey how exposed he and those companies had been? Probably not, but at least it may have caused him to question his behaviour, and as we all know true change is usually self-motivated.

I also decided it was a useful experience to take into the boardroom and now mention the scenario to all clients who are considering whether Security Awareness Training is a worthwhile investment. It’s also a great way of and reminding them of the need to validate within their supply chain; plenty of organisations focus on security within and forget to look at how their partners and suppliers are exposing them to attack.

I’m sure others may have approached the situation differently; I was as surprised as anyone at how difficult it was to confront what was a blatant abuse of security policy. It goes to show how social etiquette can affect how we behave to the point where we flout even the most basic security practices and how correcting others behaviour can feel intrusive. Plus, it demonstrates how training needs to be based on real-world scenarios and backed up with controls that take the onus off the user.

Conclusion

Admittedly, I suffer a certain amount of OCD (ObsessiveCyberDisorder) when on public transport. That’s something I’ll just have to live with, but everyone can help if they would just stop leaving their data and devices visible and secure them instead.

Here’s a takeaway of what we should all be doing:

• Always set a PIN for your personal devices – preferably longer that four digits – and always opt-in to second factor authentication for your web accounts
• Paperwork may seem less at risk of theft but it can still hold value – think dumpster diving – so don’t leave material unattended and dispose of it carefully
• Don’t ever leave a device unattended while you’re still logged in – anyone can then pretend to be you using that device, accessing documents and other accounts and wreaking havoc. Try explaining to your boss that it wasn’t you that sent that phishing email round the company when you were logged in
• Leaving your wallet unattended is foolhardy in the extreme. Your cards could be stolen and used for low value swipe purchases. It takes second to remove and clone a card and replace it in said wallet. Personal identification can be used for ID theft.

As only seems fitting, I’ll leave the last word to the train manager: “Please keep your personal possessions with you at all times”.