Thursday, June 27, 2013

The Social Hack

  By Daniel Palmer

I start every new book project by searching for a big idea to ground the narrative. With DELIRIOUS I wrote about schizophrenia, while in HELPLESS the topic was sexting. With my third novel, STOLEN, I decided to write about computer hackers; more specifically, I wanted to write a story about identity theft. 

Only, I didn’t want to write a book where the bad guy steals the good guy’s identity and madcap trouble ensues. I think that’s been done enough and with mixed results. What interested me more was the idea of a good person making a bad decision by stealing another person’s identity.

Here’s the story problem: it’s hard to root for a criminal. For my protagonist to be a good person he needed a compelling reason for committing his crime. I was stuck a bit here, searching for inspiration the way a fisherman might chum the water looking for a catch.

As it turned out, inspiration found me.

It all began when I needed a new health insurance plan for my family.

What I soon discovered was a maddening system of policy options more numerous than the precious stones in the Crown of Queen Elizabeth. With each new tier of coverage came new services, enticing new benefits, all of which (surprise, surprise) came with added costs. I began to wonder, what if (most of my story work begins with those two words, what if) a young couple just starting out bought cut-rate health insurance and one of them got very sick?

They would need to raise a lot of capital or go bankrupt, that’s what. Sure, they could tap into friends and family, but what if the costs of care exceeded hundreds of thousands of dollars? What if after they explored every possible avenue, turned over every life-giving rock, this lovely couple was forced to settle for some drug, and not the best drug for treatment?

As the saying goes, desperate times might call for desperate measures. In the case of STOLEN, it’s motivation enough for John Bodine, the protagonist of my tale, to engage in identity theft for the purpose of committing medical fraud.

Here, I came to my next obstacle. I needed to know how one might go about stealing an identity. The process of writing, I’ve discovered, is overcoming one obstacle after the other until there is no more tale to tell.

After a bit of Google searching, mostly about computer hacking, using keywords I’m sure placed me on somebody’s naughty list at the FBI or NSA, I stumbled on a convention in Las Vegas put on by, and almost exclusively for, computer hackers. The conference is called Def Con®. When I attended last August, 25,000 computer hacker types converged on the Rio Hotel for three days of mischievous computing fun. Def Con has no age requirement, but it is clearly an adult event. Goons (yes, that is their official name) run security for a conference that, at its soul, is all about breaking security.

For the record, as a first-time attendee I was considered a “n00b”, which is Def Con lingo for newbie. Many attendees shunned given names for handles like Dark Tangent (he’s the founder of Def Con), Lost, Ripshy, and Dr. Tran. My hacker handle, which I bestowed upon myself, was 1Z8N (get it? ISBN). I haven’t used it since.

I spent my time at Def Con living the Vegas life, and by that I mean I never saw the sun. When I wasn’t attending a workshop about breaking wireless encryption keys, or listening to a lecture on the joys of hacking Excel, or watching a light and breezy presentation about the operational use of offensive cyber warfare, I was chatting up the hackers, looking for insights into how they think, feel, and plan for a hack. I saw lots of examples of hands-on hacking and even a massive room dedicated to different hacking competitions—an ignoble digital Olympiad of sorts.

The conference was good fun, but my personal payoff came when I attended a live demonstration of social engineering. Social engineering, I learned, is nothing more than the con artistry of manipulating people into performing actions or divulging confidential information. The technique exploits a weakness in one of humanity’s greatest strengths: our inherent desire and ability to trust. I sat in the audience slack-jawed, watching a hacker seated in a soundproof booth work his telephone magic.

Two minutes into the call I got the sense this was who Sade had in mind when she wrote her hit song “Smooth Operator.” I believed him, and yet I was watching him lie to the unsuspecting person on the other end of the phone. He was talking to an employee from a major airline. In the span of ten minutes, he learned what version of the Windows operating system airline employees used. He obtained this highly useful (at least useful to hackers) data point by pretending to be an airline IT manager conducting a survey as part of his job. He was chatty, pleasant, and utterly believable. His mark never questioned his credentials or motive.

IT experts have spent countless billions beefing up their computer security infrastructure. They’ve brought in meatier computers, state-of-the-art virus protection software, firewalls, and various tools of the trade to keep the hackers out. What they can’t upgrade are the people who work in their call centers. This weakness can’t be fixed with code or by upgrading to a smarter model. People will do what people will do.

When a hacker gets a customer service representative on the telephone—or even better, a salesperson who thinks money is on the line—common sense vanishes like a reality star’s fame, and the real magic happens. It’s the moment a dedicated employee becomes the unwitting accomplice of a hack.

At last, I knew how my character was going to steal an identity. He was going to use social engineering to commit medical fraud to save his dying wife. You’ll have to read the book to see just how he pulls it off. Unfortunately for my well-intentioned albeit misguided hero, he unwittingly steals the worst identity imaginable.  For new writers out there, what’s most relevant is how I arrived at this story. So let’s review the key points:

1. Come up with a big idea to ground your narrative. For STOLEN it was identity theft.

2. Always have a good “What If” question. I keep mine to a max of 28 words, two sentences at most. Write it many times, revise it, and make sure it’s tight.

3. Writing is about overcoming obstacles. Your characters have to do it, so it makes sense the writer has to do it as well. When you don’t have the information you need, seek it out and often what you find will shape your story in unexpected ways. Sometimes you can’t get what you need from the glorious Internet. Sometimes you have to leave the house and get out into the big real world.

Stolen was published in early May 2013 from Kensington.

Daniel Palmer spent a decade as an e-commerce pioneer, helping to build first-generation Web sites for Barnes & Noble and other popular brands.

Daniel’s three novels of domestic suspense, DELIRIOUS, HELPLESS & STOLEN, explore the hidden dangers and vulnerabilities of an increasingly tech-centric world. Daniel lives in New Hampshire with his wife and two children.

Kim M. Hammond said...

The hacker conference sounds awesome. How lucky you found it and were able to attend. Loved Stolen and can't wait for the next one.

David Tindell said...

You never know what you're going to find at one of these conferences. Or outside the conference center. Several years ago I accompanied my wife to a travel convention (she owns an agency) in New Orleans, and while she was indoors, I was exploring the French Quarter. Bourbon Street, by the way, is a lot more attractive at night.