Identity theft — a century ago

How did scammers pull off a MitM attack and 2FA bypass in… 1915?!

Identity theft in 1915

Cyberthreat researchers have of late been sounding the alarm about the rising danger of deepfakes. In particular, they advise to not trust your ears: in the digital age of artificial intelligence the voice at the other end of the line may not belong to whom you think. Speaking of which, any guesses what people were afraid of more than a hundred years ago? In that mechanical age of scientific discovery, they were wary of, yes — trusting their ears. After all, the voice at the other end of the line — was it really whom they thought? Don’t believe it? Then just take a look at a case of identity theft using then-sophisticated technology to steal money from a bank account depicted in a film shot back in 1915! Welcome to the world of the French silent movie series Les Vampires.

Les Vampires

A quick spoiler: anyone looking for supernatural blood-sucking monsters will be disappointed. The main character, journalist Philippe Guérande, confronts a daring criminal gang that calls itself the Vampires. Despite its venerable age, the film has a lot to offer in terms of information security. Take just the first scene, which illustrates why outsider access to work documents is a no-no.

The Vampires themselves are of interest for their use of what were then hi-tech methods. A large chunk of episode three (The Red Codebook) is given over to cryptanalysis: Guérande looks for patterns in the villains’ encrypted notes. And episode 7 (Satanas) is built around an attempt to copy another’s identity. But how does anyone pull off identity theft armed only with early 20th-century tech?

Identity theft in 1915

In a nutshell, the criminal scheme goes as follows. The Vampires learn that US tycoon George Baldwin is on a trip to Paris, where they decide to relieve him of some of his money. To do so, they devise a multistage attack. First, they arrange for the millionaire to be interviewed by one of their own, Lily Flower, posing as a journalist for Modern Woman magazine. She tells Baldwin that her magazine publishes a celebrity quote every month, and asks him to write a few words in a notebook, then date and sign them.

Next, a saleswoman claiming to be from the Universal Phonograph Company visits the millionaire with a new piece of tech wizardry: an actual phonograph — the first device for recording and reproducing sound. She explains to Baldwin that it’s her company’s policy to record the voices of famous people visiting Paris. Falling for the ruse, he dictates the only phrase he can pronounce in French: “Parisian women are the most charming I’ve ever seen,” adding “All right!” in English at the end.

The full nature of the scam is then revealed to the viewer. The purpose of the first stage was, of course, to steal the tycoon’s signature. Under the sheet on which Baldwin left his autograph was some sort of carbon paper, which duly captured the signature and date. Above this, the criminals write out a fake order obliging New American Bank to pay Lily (the journalist) the sum of US$100 000 (a princely sum today; imagine its value a century ago!).

Next, they kidnap the telephone operator of Baldwin’s hotel, and send another accomplice in her place with a note: “I’m sick, sending my cousin as a replacement.” The hotel management swallows this primitive trick and puts the total stranger in charge of the phone.

Meanwhile, Lily goes to the bank with the fake payment order. The cashier decides to check the legitimacy of the transaction and calls the hotel where Baldwin is staying. There, the bogus telephone operator plays the recording of the millionaire uttering his catchphrase, which convinces the cashier to pay out.

How feasible is this scheme?

Most of it is utter twaddle, of course. How on earth would a Parisian cashier at a U.S. bank in 1915 know the signature, let alone the voice, of some American millionaire? Not to mention the fact that the phone lines back then would likely have distorted that voice beyond recognition. That said, the scheme itself is a classic implementation of a man-in-the-middle (MitM) attack — the cashier is sure the voice belonged to Baldwin, who in turn thinks that he, earlier, provided it to the “phonograph company”.

What’s more, the movie features a 2FA bypass: signature theft and fake voice confirmation. Sure, all this is now done using digital technologies, but the core attack scenario remains the same. As such, the main countermeasures could have been formulated over a century ago:

  • Don’t give outsiders access to communication channels (bogus telephone operator).
  • Do not share confidential personal data with anyone — ever (signature and voice biometrics).
  • If in doubt, carefully double-check the legitimacy of the instruction (the phrase “Parisian women are the most charming I’ve ever seen” is not the most cast-iron verification).

Today, you can check out this wonderful movie series for yourself on Wikipedia. If, however, your employees aren’t ready to take cybersecurity tips from silent cinema, we recommend using our interactive Kaspersky Automated Security Awareness Platform instead.

Tips