Speaker: Edward Miro, Freelance Security Consultant & Penetration Tester
Background: 20 years in IT, 5 years focused on security, physical security specialist, rideshare driver
Key Focus: Using rideshare driving as a social engineering laboratory and OSINT gathering platform
Introduction: From Hacker to Rideshare Driver
Edward Miro shares his unconventional journey into social engineering through rideshare driving, demonstrating how everyday interactions can become valuable security learning opportunities.
Career Transition: "I had recently left a career as a federal contractor that didn't really make me happy and I just needed a way to make money... Driving for Uber or Lyft isn't really that bad if you keep your car clean, have social awareness, and are not super awkward."
Background & Experience:
- 20 years in IT and security since the mid-90s
- Started with dial-up tech support for EarthLink
- Freelance penetration testing and security consulting
- Host of "The Pseudo Social Club" podcast and YouTube channel
- Mentor and judge at HACC Davis 2019 with lock-picking workshops
- Speaker at Noir Con hacker conference in Chico, California
"Like many of you, I've been in the world of hacking since the mid-90s. I was a teenager running Sub7, making people's CD-ROM trays open, and making system dialog boxes that said 'Boner Alert' - you know, very elite."
Ethical Framework & Research Methodology
Ethical Boundaries
No audio or video recording of interactions, completely anonymous note-taking, no PII documentation. All interactions were 100% authentic and organic.
Research Period
Drove for Lyft from December 2018 to February 2019 in Chico, California. Most interesting correlation found: talkers tend to tip better.
Psychological Phenomenon
Observed that people share sensitive information freely in the rideshare environment, possibly because the app-based nature of the service creates a perception of anonymity.
Observation: "I only wrote this talk as an observation of how much personal and private information riders will share in this environment and how it could be weaponized... People take the app-based nature and it kind of bleeds mentally into the grey area of the anonymous nature of the internet."
Foundational Social Skills Development
Core Social Engineering Principles:
Dale Carnegie Foundation
"How to Win Friends and Influence People" (1936) as essential reading. Not about manipulation but genuine human connection: become interested in others, remember names, be a good listener.
Social Skills Gap
Most social engineering books assume basic social skills. Many in IT/security lack these foundational abilities and need to develop them deliberately.
Personal Transformation
From shy teenager to socially capable through college public speaking and communication classes. "If I can learn this, I think almost anyone can."
Dale Carnegie's Six Ways to Make People Like You:
- Become genuinely interested in other people
- Smile
- Remember that a person's name is to that person the sweetest and most important sound
- Be a good listener - encourage others to talk about themselves
- Talk in terms of the other person's interests
- Make the other person feel important - and do it sincerely
Mindset Shift: "Every person I've met has had something interesting to teach me or some interesting experiences to share with me... People you meet during your daily lives can be like the internet - an unlimited resource for curiosity and learning."
Rideshare Operational Excellence
Driver Best Practices:
Vehicle Maintenance
Keep car clean, odor-free, and smoke-free. Regular car wash membership. "I don't like it when a car is dirty or smells funky."
Driving Competence
Be a good, safe driver. This builds immediate trust and comfort with passengers.
Social Awareness
Read passenger cues for desired interaction level. "If the passenger is paying for the ride, they should get the level of comfort they desire."
Conversation Starters & Techniques:
- Use passenger's name when they enter to confirm identity and build rapport
- Standard openers: "What's your major?", "What do you do?", "Are you from here?"
- Comment on personal items: "I see you have [item], tell me about that"
- Address-based recognition: "Based on that address, you must work for [company]"
- Industry knowledge: Use insider terminology and name-dropping when appropriate
"95% of people want to talk at least a little bit... Even passengers who aren't overly chatty expect at least a little small talk. Getting my social skills back wasn't that hard to do - you have to use these things."
OSINT Gathering Through Rideshare
Passive Intelligence Collection:
Corporate Intelligence
Identify company employees by pickup locations. Use insider knowledge and name-dropping to build rapport and gather information about software, projects, and internal gossip.
Executive Targeting
"Executives are the most fun - they love to brag." Tech-savvy executives particularly enjoy conversations with knowledgeable drivers.
Sensitive Information Shared
Medical conditions, criminal histories, legal situations, relationship problems, infidelities, personal betrayals. "I've had people tell me more about their medical conditions than I ever wanted to know."
Information Types Collected Organically:
- Corporate software and systems in use
- Internal company gossip and politics
- Personal medical and mental health information
- Criminal histories and legal situations
- Relationship problems and infidelities
- Financial situations and employment status
- Personal invitations to bars, restaurants, apartments
Weaponization Potential: "And what if I was a bad guy? Do you think people are telling me things I could use against them? ...I'm just this random guy, and all I'm doing is being nice and friendly to them, speaking their lingo, being interested in them."
Active Targeting & Strategic Operations
Targeted Intelligence Gathering:
Geographic Staging
Park near specific companies or locations of interest. "If my car is the closest one to you when you request a ride, there's a 99% chance I'm gonna get that passenger."
Pattern Recognition
Use OSINT to identify target patterns - daily commutes, weekend routines. "You can almost guarantee you'll be matched" with specific targets.
Repeat Ride Strategy
While rare, repeat rides do occur, especially with commuters. "It wouldn't be weird to get the same person on a regular basis." Use pretext of living nearby.
High-Value Targeting Locations:
- Airports: Travelers with valuable information, time constraints
- Tech Industrial Sectors: Employees from specific companies
- Corporate Headquarters: Executives and decision-makers
- Commuter Routes: Regular patterns for repeated access
- Business Districts: Concentration of corporate targets
Psychological Analysis: From a Reddit psychology response: "You have many qualities of a good bartender - it's a temporary friendly paid trusted relationship which is about satisfying an immediate need... You have an empathetic ear that makes people feel safe."
Real-World Scam Prevention Case Studies
Puppy Adoption Scam Intervention:
Initial Red Flags
Passenger asked about wiring money for puppy adoption. $350 payment to "pet transportation company." Seller wouldn't speak on phone due to "religious reasons."
Investigation Process
Examined emails, checked social media for seller, analyzed shipping company website, verified phone numbers, conducted reverse image searches on puppy photos.
Successful Intervention
Confirmed scam through multiple verification methods. Passenger saved $350+ and was educated about online scams.
Scam Red Flags Identified:
- Seller wouldn't talk on the phone
- Seller name didn't seem legitimate
- Shipping company name didn't match URL and email
- Legitimate company came up first in searches
- Poorly designed company website
- No social media presence
- Generic email address (Outlook.com)
- Google Voice number with screening enabled
- Reverse image search showed stolen photos
- Sense of urgency and pressure tactics
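The name, URL and email red flags in the list above can be checked mechanically before any money is sent. The following is an added example, not part of the talk: the business name, the `.example` domains and the free-mail list are constructed for illustration, and the three boolean arguments carry the results of manual checks (phone call, reverse image search, message tone).

```python
import re
from urllib.parse import urlsplit

# Assumption: a small sample of free-mail providers; extend as needed.
FREE_MAIL = {"outlook.com", "hotmail.com", "gmail.com", "yahoo.com"}
FILLER = {"the", "and", "inc", "llc", "company"}

def name_tokens(name):
    """Distinctive lower-case words from the claimed business name."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return [w for w in words if len(w) > 2 and w not in FILLER]

def site_host(url):
    """Host part of a URL (scheme optional), without a leading 'www.'."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def red_flags(claimed_name, website, email,
              refuses_phone=False, photos_found_elsewhere=False, urgency=False):
    """Return the red flags from the list above that apply to one seller."""
    flags = []
    host = site_host(website)
    mail_domain = email.rsplit("@", 1)[-1].lower()
    # Domain labels without the TLD, squashed: "swift-paws.example" -> "swiftpaws"
    squashed = re.sub(r"[^a-z0-9]", "", host.rsplit(".", 1)[0])
    # Heuristic: at least one word of the name should appear in the domain.
    if not any(tok in squashed for tok in name_tokens(claimed_name)):
        flags.append("name_url_mismatch")
    if mail_domain in FREE_MAIL:
        flags.append("generic_email")
    elif mail_domain != host and not mail_domain.endswith("." + host):
        flags.append("email_url_mismatch")
    # Findings from manual checks are passed in by the person investigating.
    if refuses_phone:
        flags.append("refuses_phone")
    if photos_found_elsewhere:
        flags.append("stolen_photos")
    if urgency:
        flags.append("urgency")
    return flags

if __name__ == "__main__":
    # Constructed sample resembling the case described above.
    print(red_flags("Swift Paws Pet Transport",
                    "http://global-animal-movers.example",
                    "swiftpaws.delivery@outlook.com",
                    refuses_phone=True, photos_found_elsewhere=True, urgency=True))
```

The substring match on name words is a coarse heuristic, so treat an empty result as "nothing obvious found", not as proof the seller is legitimate.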
"I always feel the best way to handle someone getting caught in a scam is to be on their side and never shame them. We're all humans, we're all susceptible to social engineering no matter how smart you think you are."
Security Awareness & Organizational Impact
Educational Approach:
Individual Empowerment
Teach practical skills like reverse image searching, email verification, and phone number analysis. "These small acts from us can go a long way to make the world a little bit safer."
Organizational Learning
"Never fire an employee that fails a phishing or pen test. That person is gonna go on to be the most vigilant after that experience and they're gonna tell everyone at the company what happened."
Storytelling Impact
Use individual stories rather than statistics. "Stories about individuals are much more impactful than numbers... You have to show them how it could happen to them."
The Power of Framing in Security Awareness:
- Individual Focus: Stories about single individuals generate more concern and action
- Personal Connection: Make security threats relatable to decision-makers' personal experiences
- Emotional Impact: Statistics numb response, stories engage emotions
- Practical Application: Use rideshare scenarios to demonstrate real-world vulnerabilities
- Positive Reinforcement: Frame security as empowerment rather than restriction
Psychological Framing: "If you show a participant the picture of a single child, they donate X dollars. But if you show them the child with a sibling it goes down, and a child with sibling and parents it goes down more, and a picture of a whole community even less... If you want decision-makers to care about your proposed security protocols, you have to tell them stories about individuals."
Key Takeaways for Security Professionals
Essential Security Awareness Points:
- Assume no interaction is anonymous - Even friendly rideshare drivers might have ulterior motives
- Develop basic social skills foundation - Social engineering requires genuine human connection abilities
- Recognize environmental vulnerabilities - Context shapes information sharing behavior
- Implement practical verification skills - Reverse image searching, email analysis, phone verification
- Use storytelling in security training - Individual stories beat statistics for impact
- Leverage everyday opportunities for awareness - Random interactions can become teaching moments
- Maintain ethical boundaries in research - No recording, no PII collection, authentic interactions
- Understand psychological framing - How presentation affects security decision-making
Core Message: "The biggest takeaway I'm hoping for here is awareness. I love that people are friendly and amenable to small talk, but you shouldn't assume any of your interactions are anonymous... Even your friendly neighborhood rideshare driver might be a hacker - you never know."
Red Team Applications:
- Use rideshare driving as social engineering training laboratory
- Develop geographic targeting strategies for physical security testing
- Practice organic information extraction in low-suspicion environments
- Test organizational security awareness through unconventional vectors
- Develop empathy and communication skills for social engineering
- Create realistic security awareness training scenarios based on actual interactions
"If you want to learn social engineering, you need to be comfortable and confident socializing and dealing with humans. Doing rideshare is a great way to get a ton of social interactions quick and can be a wonderful laboratory to hone those skills. I mean, where else can you do that?"