Social engineering can be really easy if you know what you’re doing and act confident. We’ve used it to test security at many conferences, and usually our efforts result in us getting in for free. It’s actually a pretty big issue for event security because ultimately, most conferences can’t truly control access or validate tickets, which leaves plenty of money on the table.
Typically, most conferences have a registration area that has multiple badge printers and staff helping expedite registrations. Usually, the registration protocol requires no identity validation, or if it does, it’s very lax. Since many people lose the paper or plastic badges that most conferences use, it’s generally not very hard to social engineer your way into a conference.
The easiest way is to pretend to be a personal assistant of someone who has “lost their badge and needs a new one”. You stand in line waiting for a badge and listen for a name that you can remember. Once you hear a name, get out of the current line and go wait in another line. When you get to the staff attendant, act like you’re an assistant for your boss, and mention something to the effect of “he lost his badge and really needs it so he can get back into the VIP area for a meeting that’s going to start in 15 minutes.” Because you’ll be putting pressure on the staff attendant, they will more likely than not give you a badge. Now you can enter the conference.
We’ve done this many, many times (allegedly). Usually we do it to show the conference organizers their security gaps. It’s actually one of the main reasons why we created Virtual Badge. Conference registrations should be handled from your mobile phone, and your ticket should require you to take a photo so no one can steal your badge.
With online registration and an identity validation system, conference organizers could greatly reduce the number of staff required to run an event. A large portion of event staff is usually dedicated to conference registrations, and they can be repurposed into a security role, or could provide value to the event in other ways.