by Steve Wexler
Identity theft is a huge and growing problem, and the disclosure that up to 40 million MasterCard, Visa and American Express cardholders may have been exposed in a theft at third-party credit card processor CardSystems Solutions Inc. is just the latest cyber crime to be reported. The breach compromised account holder names, issuing banks and account numbers.
It seems robbing banks is back in vogue and Jim Stickley, with over 100 successful heists to his credit, is laughing all the way to the ... bank. Unlike traditional bank robbers, he steals personally identifiable information such as names, addresses, Social Security numbers, credit card numbers and passwords. Most bank robbers only get away with a few thousand dollars. Stickley gets away with information worth millions of dollars. Luckily, Stickley isn't a criminal in the common sense of the word; he's a social engineer. Financial institutions hire Stickley's company, TraceSecurity, a security compliance software firm based in Baton Rouge, Louisiana, to perform vulnerability audits of their banks. His firm has been getting a lot of calls lately as banks begin beefing up their information privacy practices, motivated by the recent spate of high-profile identity thefts as well as by an increasing number of information privacy and disclosure regulations.
Social engineering is a concept that has been familiar in the computer security industry for many years. Social engineers prey on human weaknesses to gain the trust of their victims, and then trick those victims into unknowingly becoming co-conspirators in the social engineer's grand plan, which usually involves stealing something.
"Most banks are surprisingly vulnerable to identity theft," said Stickley. "They spend millions of dollars a year on high-tech computer security defenses, but often fail to address the simplest, most critical aspect of information security: the human element. A bank can have the strongest doors on their vaults, but if they invite me in and allow me to _wander their office_, I can steal much more than their money."
Stickley and his team successfully complete their heists 90 per cent of the time. The other 10 per cent of the time, vigilant bank staffers thwart their heist. It's not at all unusual for a single TraceSecurity social engineering team to rob three or four bank branches in a single day. And it's surprisingly easy.
Stickley and his team start their social engineering adventures by _impersonating someone of trust or authority_, such as an air conditioning technician, a pest exterminator or a fire marshal. The team's planning for their heists begins weeks in advance, often by mailing a letter to a bank branch on forged stationery, informing them of a planned "inspection." By the time they show up in their _fake uniforms_ with fake badges and fake identification cards, the front receptionist often welcomes them with coffee. Within minutes, they have the run of the bank as they crawl under desks, steal backup tapes, and install spyware on the computers.
In the evening, the TraceSecurity team returns to dumpster dive, an activity that often yields a surprising amount of sensitive customer account information.
Once the heist is completed, the TraceSecurity team returns the stolen information to the bank's executives who hired them, and provides recommendations on how to prevent actual criminals from perpetrating the same crime. And if by some chance Stickley's team gets caught, he always carries with him his "get-out-of-jail-free" paperwork, which confirms the bank hired him and provides the bank executives' cell phone numbers so they can confirm Jim's story.
"The secret to an effective information security strategy," said Stickley, "is to balance security technology investments with better employee training, and better policy and procedure enforcement."
Copyright 2005 Integratedmar.com Corporation
NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at
For more information go to:
Considering what a hell-hole (at least to work at) the credit card office had become by the mid 1970's, it was not surprising no one questioned them about what they were doing. But Amoco security officers had been tipped off a day or two before, and caught the guys going down on the freight elevator with a dolly cart full of boxes of outgoing mail. It turns out it was an 'inside job'. The credit card office 'cleaned house' that day; they got rid of twenty or thirty employees they suspected knew too much about the _overall operation_ of the system, and a few months later the entire operation was moved to Des Moines, Iowa, where the managers thought they would find a lot of farmers' wives and daughters (a smaller ratio of racially diverse people) to work for them than they had in Chicago, plus smaller salaries and much less corruption at the city government level. PAT]