The Art of the Con (40 page)

Let's imagine that a castle hires a company of experts to build a moat. Typically, a moat surrounds the structure in order to better protect it from invading forces and to add a powerful layer of defense to the outer wall. Even if the castle hires the best moat builders in the world, concessions will need to be made in the construction of the moat itself or in how the castle will operate in the future. Now let's imagine that the marketing department of our castle dictates the width of the moat based on aesthetics, rather than the most difficult distance for an army to cross during an assault. Normally, a moat would restrict access to all sides, but catering demands that there's a back entrance for them to better manage their food supplies and the king and queen require a secret tunnel to escape without being seen. Next, the castle's design team dictates that the moat should be filled with clear water and expensive koi fish for visitors to appreciate so the depth of the moat is now severely limited. To the untrained eye, this property is protected by a moat, but to anyone who has studied how to breach the outer defenses of a castle, the compromises made during installation suggest many opportunities for attack.

In the casino world, this is akin to spending millions of dollars to provide and protect a particular game only to have a player negotiate his own conditions of play in return for risking a higher amount of money at the table. As already discussed, this has certainly happened many times and smart players have been able to adjust the order of play in order to give themselves a huge advantage without the need to cheat or conceal their actions. In the past, poorly designed games have been installed in large casinos that attract herds of advantage players eager to grab every penny they can before the house wakes up and pulls the game off the floor.

Most people have an area of expertise or a field of interest in which they are able to see past the surface with a deeper understanding than others. Whether it be a business or a hobby, there's something you know well enough to spot an opportunity other people might miss. This is the heart of the advantage player's approach. It's not just a matter of spotting a lucky gap in the fence. An advantage-oriented outlook often depends on a deep understanding of a subject so that profitable patterns might emerge when observing that subject in the real world.

It's important to understand that people who build walls think differently from those who break them down, and many attackers find ways to pass under, over, around, or through that wall invisibly. Only by maintaining an active, fluid posture can we be prepared for any attempted incursion.

I often say that if you want to know how vulnerable your home is, place a saucepan of milk on the stove, turn up the heat, and lock yourself out. Now try to get back in before the milk boils over.

For security professionals, I recommend taking the same approach by constantly testing defenses in the hope of identifying a weakness before it can be abused. Unfortunately, this is often frowned upon in an industry where any flaw is treated as a failure and saving face is all too important.

These issues are not isolated to the casino industry or airport security. Large corporations have often been guilty of complacency and have regularly fallen victim to hackers who are one step ahead in terms of technology and how to use it.

In the hacking community, the term “white hat” refers to experts who often use their abilities to identify vulnerabilities on behalf of companies and individuals. This is opposed to their “black hat” cousins who might exploit any weakness from the outside or share it with others. Many of these ethical “white hat” hackers are part of the expanding penetration testing industry that is employed to test systems for susceptibility, but many more are lone wolves, exploring the digisphere for anything that could be taken advantage of.

I am not part of this community, but I've spent a lot of time in their company learning about new ways information can be intercepted or stolen. I recognize in them the same passion for deception and cleverness that first drove me to study cheating and con games. I also see, on a larger scale, the same problems and suspicions that this passion can attract.

In the casino business, no one likes to be “schooled” by outsiders, and anyone who knows how to beat their games is regarded with distrust. I know a few genuine cheating experts in the industry, but unless they play the corporate game in terms of how they interact with management, interpret evidence, and present ideas, casinos often prefer—to their detriment—industry insiders who have a small interest and a little knowledge in cheating or advantage play.

The same appears to be true for businesses that rely on an image of impenetrable security. Banks, credit card companies, department stores, investment firms, and communications giants all claim to protect their customers' information, but as we've seen many times, all are vulnerable. In some cases, millions of lines of sensitive data can be lost before a breach is detected. I believe that failures in security are inevitable. Companies need to do more to monitor and evaluate their defenses. “Pentesting” (penetration testing), where expert consultants are hired to evaluate potential dangers, is one way to actively assess security, but it is not nearly enough. Education of users at all levels is essential to create stronger, more flexible systems.

Companies also need to build a means to interact with free-lance hackers who are willing to share their findings fairly. This suggestion will no doubt infuriate many security experts who feel targeted by aggressive “white hats” who threaten to expose any weaknesses if they aren't compensated. This practice is far from ethical and hackers who constantly probe exposed systems in this way have been described as “gray hats.” I believe that, with a little creativity, the industry can find a model that uses well-informed professionals to test their level of resistance while finding a way to interact with and reward anyone who finds a weak spot from the outside.

The closed-minded nature of security departments in all industries is merely a magnified reflection of human nature. As a rule, we tend to be defensive and most people think they are too smart to be cheated or conned. The truth is that most of us haven't been conned because we've been lucky up till now! As I've tried to illustrate, deception can target anyone at any time and knowledge remains the only consistent defense.

Demonstrating cons and scams is a powerful way to teach and cultivate greater understanding about the art of deception. The only way to fully comprehend an idea is to experience it firsthand. For this reason, during seminars, I encourage my audience to split into pairs and try to con one another using simple scams as role-playing tools. The objective is not to protect against these particular con games but to learn the patterns of a scam that they might now recognize in the future.

One such exercise is the change raising scam (described in chapter nine). Using pieces of paper, audience members take turns playing the hustler and the cashier until they fully understand the principle of forcing a victim to perform two transactions at the same time. Next, I invite someone to take part in a simple social engineering exercise that uses exactly the same principle to embed a dangerous mistake into a series of innocuous tasks. During this procedure, the person helping me would test cables, check their Internet speed, and log in and out of their e-mail account. The mistake is in how they are directed to their e-mail provider, because the Internet speed test is a bogus page with links to a spoofed website. This is all acted out as a role-playing game before and after the change-raising exercise. Only after experiencing a few scams from the hustler's perspective does the audience immediately recognize the deception in that role-playing scenario.

Education is the single most effective means of protecting against all forms of deception. In today's world, it's a downhill race to keep up with ever-changing possibilities; if the enemy gets too far ahead, by the time your business catches up, it will likely be too late. For casinos, corporations, and individuals, it is better to identify any harmful vulnerability before it can be exploited. The most effective strategy is to fully accept that we are all potential targets and that it's only a matter of time before our defenses need to be repaired or rebuilt.

In essence: Confidence is the opposite of vigilance.

*
Personal Digital Assistant—a palmtop computer for managing data.

I never anticipated how much I would learn from my experiences writing and executing con games for television. Soon after starting, I began to recognize the opportunity to study my lifelong passion from the hustler's perspective without risking life or liberty in the process.

My initial observations were focused on the scams, which sometimes seemed to work automatically. I soon identified the three key phases and borrowed the terms “hook, line, and sinker”; as I delved deeper, I began to see that these were merely objectives on the path toward deception. How each hustler achieves these goals can vary wildly depending on talent or audacity. I soon began to question why victims were vulnerable and how scams worked from their perspective.

I'm not a psychologist, but I am naturally interested in many aspects of psychology, especially when it applies to deception. While much of it is fascinating, I disagree with many of its conclusions about scams. I'm certainly not qualified to challenge these academically, but I often find myself frustrated or infuriated by attempts to define scams as either this sequence of events or that list of ingredients.

It's easy to correlate “optimism bias” with the hook and “confirmation bias” with the line and for the sinker there are aspects of “sunk-cost fallacy,” where people are inclined to allow previous investments of time and money to influence their decision about whether or not to commit. Personally, I am reluctant to overly simplify or confine any aspect of con games because con artists adapt and their preferred methods can vary wildly.

By their very nature, con games
have no rules
and they don't belong in a box.

One can identify objectives and elements of different cons, but successful scams vary in style, content, order, and execution. It can be an expression of the con artist or a response to the personality of the mark. It's more difficult to understand something that shifts and changes depending on unknown factors like thoughts and feelings, but this is the nature of con games; they depend on human interaction and that is fluid by nature. It's one of the things that makes them so resilient. Hustlers learn to adapt proven strategies to each scenario and through experience, they develop a toolkit of lies and tricks to achieve their goal.

As I noted at the outset, every one of us is a potential mark. Con artists often select their victims in an attempt to find the most vulnerable targets, but the truth is that we can all be susceptible to a well-timed scam or confidence trick.

Eradicating cons and scams completely would be impossible, but as a society, we can do so much more to defend against crimes of deception.

Knowledge, Empathy, and Acceptance

Con games prey on our hopes and fears, and unless we shed all emotion and learn to regard all of life's interactions with cold logic, there will always be new ways to play old scams. Con artists depend on human nature; to give up those qualities that make us who we are would be a far greater loss than any amount of money, property, or self-respect.

Trust is an important aspect of a successful and productive society, and it would be impossible for a community to thrive without some faith in authority or in each other, and to regard all situations with automatic suspicion could be as damaging as blindly accepting anything we hear. The wheels of civilization need a little oil to keep turning or the machine will quickly break down.

Protecting ourselves and others from deception is important and there are three steps we can take that would quickly make con games more difficult and dangerous for those who would attempt them: spread the word, stop blaming the victim, and be honest with yourself.

Spread the Word

If you are willing to steal from others, you will quickly learn or devise any con game that is likely to work in your personal situation. The first question a smart grifter would ask is whether the public is aware of the con he is planning. The more a scam is in the public's consciousness, the less effective it will be for potential scammers. Hence the con artist's motto, “Never wise-up a mark.”

It is therefore important that, whenever a con game turns up, the public is quickly informed. The more people know about a new scam, the more difficult it becomes to safely hook new marks. This forces hustlers to adapt more quickly and the sooner any new twist is shared with the public, the sooner people will learn to identify further variations.

In the age of information there are many ways to share knowledge, but with so much digital noise, it is almost impossible to reach everyone. On the Internet there are many useful resources that discuss cons and scams for those who care to look, but not all of the information is accurate. There are many books that describe and expose con games, and occasionally there are entertaining TV shows that reveal scams in a memorable fashion. The problem is that none of these reach a large enough audience to have a significant impact on real hustlers.