ID Theft: 40 Million Served

by Steve Wexler

Identity theft is a huge and growing problem, and the confession that up to 40 million MasterCard, Visa and American Express cardholders have been jeopardized in a theft at third-party credit card processor, CardSystems Solutions Inc., is just the latest cyber crime to be reported. The breach compromised account holder names, banks and account numbers.

It seems robbing banks is back in vogue and Jim Stickley, with over

100 successful heists to his credit, is laughing all the way to the .... bank. Unlike traditional bank robbers, he steals personally identifiable information such as names, addresses, Social Security numbers, credit card numbers and passwords. Most bank robbers only get away with a few thousand dollars. Stickley gets away with information worth millions of dollars.

Luckily, Stickley isn't a criminal in the common sense of the word; he's a social engineer. Financial institutions hire Stickley's company, TraceSecurity, a security compliance software firm based in Baton Rouge, Louisiana, to perform vulnerability audits of their banks. His firm has been getting a lot of calls lately as banks begin beefing up their information privacy practices, motivated by the recent spate of high-profile identity thefts as well as by an increasing number of information privacy and disclosure regulations.

Social engineering is a concept that has been around the computer security industry for many years. Social engineers prey on human weaknesses to gain the trust of their victims, and then they trick their victims into unknowingly becoming the co-conspirators in the social engineer's grand plan, which usually involves stealing something.

"Most banks are surprisingly vulnerable to identity theft," said Stickley. "They spend millions of dollars a year on high-tech computer security defenses, but often fail to address the simplest, most critical aspect of information security: the human element. A bank can have the strongest doors on their vaults, but if they invite me in and allow me to _wander their office_, I can steal much more than their money."

Stickley and his team successfully complete their heists 90 per cent of the time. The other 10 per cent of the time, vigilant bank staffers thwart their heist. It's not at all unusual for a single TraceSecurity social engineering team to rob three or four bank branches in a single day. And it's surprisingly easy.

Stickley and his team start their social engineering adventures by _impersonating someone of trust or authority_, such as an air conditioning technician, a pest exterminator or a fire marshal. The team's planning for their heists begins weeks in advance, often by mailing a letter to a bank branch on forged stationery, informing them of a planned "inspection." By the time they show up in their _fake uniforms_ with fake badges and fake identification cards, the front receptionist often welcomes them with coffee. Within minutes, they have free range of the bank as they crawl under desks, steal backup tapes, and install spyware on the computers.

In the evening, the TraceSecurity team returns to dumpster dive, an activity that often yields a surprising amount of sensitive customer account information.

Once the heist is completed, the TraceSecurity team returns the stolen information to the bank's executives who hired them, and provides recommendations on how to prevent actual criminals from perpetuating the same crime. And if by some chance Stickley's team gets caught, he always carries with him his "get-out-of-jail-free" paperwork which confirms the bank hired him, and provides the bank's executives' cell phone numbers to confirm Jim's story.

"The secret to an effective information security strategy," said Stickley, "is to balance security technology investments with better employee training, and better policy and procedure enforcement."

Copyright 2005 Corporation

NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at

formatting link
. Hundreds of new articles daily.

*** FAIR USE NOTICE. This message contains copyrighted material the use of which has not been specifically authorized by the copyright owner. This Internet discussion group is making it available without profit to group members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of literary, educational, political, and economic issues, for non-profit research and educational purposes only. I believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner, in this instance, Corporation.

For more information go to:

formatting link
[TELECOM Digest Editor's Note: I think I have been saying for awhile now that the best phisher people are not the ones who sit at their computer pecking out letters to a jillion people; now and then getting lucky with a sucker who responds. The smart guys know to get the data they want on a _wholesale_ basis. And where Stickley in this story always returns what he took, what about the dozens of UPS and FedEx 'delivery men' out there who go calling each day at all the banks and other business places? They are in and out with the wink of an eye, and what receptionist bothers to question or challenge them? This is an old, old trick, actually. In the mid-

1970's, guys posing as 'postal employees' attempted to hijack several thousand new credit cards just being issued at Amoco Standard Oil, at the credit card office. They just walked in, as was the daily custom, and said they were there to get the outgoing registered mail. (In those days, all new, outgoing plastics were sent registered mail to 'insure their safety'). These guys, with pseudo-postal worker uniforms walked right in and started gathering up the tubs and trays and boxes of outgoing mail that day.

Considering what a hell-hole (at least to work at) the credit card office had become by the mid 1970's, it was not surprising no one questioned them about what they were doing. But Amoco security officers had been tipped off a day or two before, and caught the guys going down on the freight elevator with a dolly cart full of boxes of outgoing mail. It turns out it was an 'inside job'. The credit card office 'cleaned house' that day; they got rid of twenty or thirty employees they suspected knew too much about the _overall operation_ of the system and a few months later the entire operation was moved to Des Moines, Iowa where the managers thought they would find a lot of farmer's wives and daughters (a smaller ratio of racially diverse people) to work for them than they had in Chicago, plus smaller salaries and much less corruption at the city government level. PAT]

Reply to
Lisa Minter
Loading thread data ... Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.