I just discovered a disturbing real-world vulnerability by accident.
A couple hours after checking in to my hotel, I went back to the front desk and said "I need to add someone to my room because her flight gets in late this evening." The clerk asked my room number, and I told her and also said my name. A few seconds later, after asking me to spell the name to add, there's a new name on my room reservation. Nowhere in this process did she check my ID.
Did I accidentally socially engineer my way into adding an unrelated name onto a room reservation?