Slashdot Mirror


How To Rob a Bank: One Social Engineer's Story

itwbennett writes "Today's criminals aren't stealing money — that's so yesterday, according to professional social engineer Jim Stickley. In an interview with CSO's Joan Goodchild, Stickley explains how he's broken into financial institutions large and small, and stolen their sensitive data. In a companion story, Stickley walks through the steps he takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach."

32 of 111 comments

  1. Small time by Hatta · · Score: 5, Insightful

    The real big criminals own the banks.

    --
    Give me Classic Slashdot or give me death!
    1. Re:Small time by Anonymous Coward · · Score: 5, Informative

      The real big criminals own the banks.

      Exactly, see "The Best Way to Rob a Bank Is to Own One: How Corporate Executives and Politicians Looted the S&L Industry" by William K. Black. The basic concepts and problems from that debacle are still in play with our current mess.

    2. Re:Small time by ackthpt · · Score: 5, Insightful

      The real big criminals own the banks.

      Own?

      Nooooo....

      The really big criminals work in top positions of banks and are well connected in government, so they only have to look slightly admonished for a few weeks after nearly bringing down the entire economy of the West and then it's back to business as usual.

      They don't own banks, they pwn banks.

      --

      A feeling of having made the same mistake before: Deja Foobar
  2. As a victim of theft by esocid · · Score: 3, Insightful

    by the banks, I'm ok with the role reversal.

    --
    Absolute power corrupts absolutely. indymedia
    1. Re:As a victim of theft by ackthpt · · Score: 3, Insightful

      by the banks, I'm ok with the role reversal.

      Old bumper sticker: Don't Steal - The Government Hates Competition

      New bumper sticker: Don't Steal - The Banks Hate Competition

      --

      A feeling of having made the same mistake before: Deja Foobar
  3. Duh by Niris · · Score: 4, Interesting

    You can talk your way into almost anywhere by claiming you're from IT. A couple of years ago I did these server upgrades for Bank of the West. No ID cards or anything, just walk in and do what you want.

    1. Re:Duh by pspahn · · Score: 2

      One of the more insightful comments from Art of Deception (or Intrusion, don't remember which one) was that even a machine that doesn't work is a vulnerability.

      "Yes, hello. I'm here to fix your broken machine."

      --
      Someone flopped a steamer in the gene pool.
  4. as a former security auditor myself... by xxxJonBoyxxx · · Score: 4, Interesting

    As a former security auditor myself, I'd attack the voice response units. Quite frequently those boxes (often standalone towers covered with a quarter inch of dust) were neglected in the corner, with no IDS, no one checking logs and frequently no automatic lockouts. Routed through Skype and/or Google Voice...

  5. Re:Euphemisms by Anonymous Coward · · Score: 2, Insightful

    When they get paid by the boss of the people they are engineering to help prevent real con men from doing it.

  6. And I call by Dunbal · · Score: 2, Interesting

    Bullshit. You mean to say that this guy both steals stuff from bank employees desks AND installs keyboard loggers, and no one at the bank suspects anything like "hey, these guys stole all this stuff from us, maybe they weren't firemen, maybe security has been breached, let's check to see if computers/equipment has been tampered with!"

    From TFA:

    At that point, my partner's job is to start stealing everything he can steal and start putting it in his bag.

    On our way out, we don't want them to know we're done. We want to be able to come back another time.

    Too much mission impossible on TV. This is just an attention whore trying to cash in by pretending to be a crook. Typical of a "security consultant", really.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:And I call by cusco · · Score: 5, Informative

      Not really. I work for a company that does physical security for businesses (key cards, alarm systems, cameras, etc.). Probably 70 percent of the time I could walk into a customer site, say "I'm Brian from Something-or-other Security", sit down at the guard's monitoring computer, and no one would stop me. Only once in five years has anyone called our office to make sure that we were really the guys they sent.

      Want to get into a secured location? Get yourself a fake badge and a jacket that says XYZ Security Installers on it. Walk up to a door about lunch time with a tool bag in one hand and a ladder in the other, maybe a box or two tucked under an arm. Make a show of not being quite able to get your badge to the reader without putting everything down. People are too polite, they'll not only badge the door for you but then they'll hold it. I've seen it happen plenty of times, we even did it for a customer's security director to show them that their people really did need training.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    2. Re:And I call by Dunbal · · Score: 4, Informative

      Yeah, except none of this happened. The guy is just presenting a different version of a similar BS story he spat out in an interview with CNN in 2008. Except that time he walked out with a bunch of backup tapes. Of course now that he has been on TV, he's free to make up any bullshit he wants so long as suckers like you keep lapping it up. After all, it's entertainment. But you are reading a "work of fiction" that is at least 3 years old.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:And I call by wren337 · · Score: 2

      Try carrying a big Costco sheet cake that says "Happy Birthday!". Easier than carrying all those tools, and you can go business casual.

    4. Re:And I call by skiingyac · · Score: 3, Interesting

      Once there was an actual criminal going around a large office park at a place where I previously worked who would walk in wearing a VERY fancy suit and kind of wander around stealing laptops, electronics, etc. and then walk out. Nobody could ever identify him except that he was in a fancy suit, and nobody dared question what he was doing so as not to get in trouble for offending somebody important. Not saying any of these places were supposed to be highly secure, but it was quite a problem for a while and he always got out before anyone noticed or realized what was going on.

      Then he walked into our office which was a startup, and he was obviously not familiar with the "atmosphere". As soon as he got in by following behind somebody, several people said "What the **** are you wearing a suit for and what the **** are you doing here?", took a picture of him, and escorted him out.

    5. Re:And I call by dkleinsc · · Score: 4, Interesting

      A true story regarding the problem of walking in behind people (one of the easiest ways to enter a large building you shouldn't be able to access):

      Employee walks into the office building. A bit behind that employee was the CEO, but the CEO's badge was not visible, and this was a newer employee who didn't recognize the CEO. The employee made sure the door closed on the CEO. The CEO took swift action to send a message to the whole company: He called security, found out who that employee was, and sent word down the chain of command to give that employee a special award.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    6. Re:And I call by ackthpt · · Score: 5, Insightful

      Once there was an actual criminal going around a large office park at a place where I previously worked who would walk in wearing a VERY fancy suit and kind of wander around stealing laptops, electronics, etc. and then walk out. Nobody could ever identify him except that he was in a fancy suit, and nobody dared question what he was doing so as not to get in trouble for offending somebody important. Not saying any of these places were supposed to be highly secure, but it was quite a problem for a while and he always got out before anyone noticed or realized what was going on.

      Then he walked into our office which was a startup, and he was obviously not familiar with the "atmosphere". As soon as he got in by following behind somebody, several people said "What the **** are you wearing a suit for and what the **** are you doing here?", took a picture of him, and escorted him out.

      The lesson is: You can steal more with a suit and tie than you can with a gun.

      --

      A feeling of having made the same mistake before: Deja Foobar
    7. Re:And I call by NiteShaed · · Score: 2

      What I think is unreal is that the guys could go around picking up wallets, cell phones and laptops and walk out of the bank without anyone noticing anything and suspecting them - even if it's the next day.

      I don't think they were doing anything of the sort. They were testing security of company (bank) information, not just general security. I think by "grabbing everything" he was talking about things like USB sticks or disks, not wallets. It would be a stupid test if they took personal items as well, might as well just walk in wearing ski-masks.

      --
      Some bring out the best in others, some the worst. Some bring out far more.
    8. Re:And I call by karnal · · Score: 2

      A gate guard did this to our company's president on his first day. Same thing, appreciated that the job was done properly even if it inconvenienced him some.

      --
      Karnal
    9. Re:And I call by Kyont · · Score: 4, Interesting

      I totally second that. For me, it was a tie and a clipboard, and my (totally true and legit) story that I worked for the building's property insurance company and needed to look everywhere and anywhere for risks (blocked doors, covered sprinklers, stacks of live ammo pointed at compressed oxygen canisters, that sort of thing). People would let me into the most amazingly sensitive areas, oftentimes with no escort, just a slap on the back and a "give the key fob back to Tina when you're done". Three hours later I would know every corner of the place.

      I ain't that charismatic, so I conclude the clipboard is key.

      --
      You shall see a cow on the roof of a cotton house.
    10. Re:And I call by dkleinsc · · Score: 2

      It wasn't - the CEO actually did the right thing.

      And I should mention that the company in question here was a Fortune 1000 company, not some startup.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  7. Re:I think acting as a fake fireman is a felony by Galaga88 · · Score: 2

    Fortunately, the linked story addresses this, and the author talks about how he'll meet with local officials to get permission before playing fire inspector.

  8. Re:Euphemisms by cusco · · Score: 5, Insightful

    It can be. I had an instructor for a computer security class whose day job was doing pen tests for financial institutions. He and his partner would arrive at a site and set up in a random meeting room. While one guy started unpacking the trunk load of computers and getting set up the other would get on the phone and start dialing branch offices. Whoever answered on the other end would get a line like, "Hi, I'm Brad, the new guy on the Help Desk. We need to reconfigure the router in your office this afternoon. The guy who normally does that is home with his sick daughter, and the only other login on the router is your manager's. Can I get their username and password?"

    In two years they had never failed to get a manager's username/password by the time they were finished setting up the equipment.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  9. Re:Euphemisms by ackthpt · · Score: 4, Informative

    So when did con men become "social engineers"? It sounds almost like a respectable profession.

    Beg pardon, mate, but con is short for confidence, as in, they gain your confidence before nicking your lunch money.

    Social Engineering is just a new-fangled label for probably the 3rd or 4th oldest profession in the world.

    --

    A feeling of having made the same mistake before: Deja Foobar
  10. Re:I think acting as a fake fireman is a felony by Issarlk · · Score: 4, Funny

    Yes, and these tests are invalid as they address a situation that will never happen in reality: actual criminals will never impersonate fire inspectors, as there's no way they'll manage to get the permission from the local officials.

  11. Re:I think acting as a fake fireman is a felony by ArsenneLupin · · Score: 2

    But what if something goes wrong or someone gets sick and the fake fireman can't help? Just think about the LAW SUITS.

    Or, more plausibly, what if the fake fireman gives bad advice (because he doesn't know his shit, as mentioned in the story), people act on the advice, but doing so makes things much worse in the event of a real fire...

    I'm sure that he didn't tell the fire brigade that he would "keep walking around rooms, giving them advice on keeping their facility fire safe, even though I really have no idea what I'm talking about. I make stuff up and probably give the worst advice ever. I'll pull out cords and say 'This looks a little bit dangerous.' I'll comment on space heaters. I'm completely winging it."

  12. If you want to rob a bank, become CEO. by bussdriver · · Score: 3, Insightful

    Surely recent years have shown the most successful bank robbers run banks.

  13. Re:Money by History's Coming To · · Score: 2

    Really?

    PIN numbers, account numbers, sort codes, mother's maiden name, address....people type lots of interesting things into computers these days.

    --
    Please consider this account deleted, I just can't be bothered with the spam anymore.
  14. Re:I think acting as a fake fireman is a felony by Anubis IV · · Score: 4, Insightful

    Either my sarcasm detector is broken (please plant your tongue further in your cheek next time), or you've entirely missed the point. Actual criminals don't ask for permission before breaking the law. That's what makes them criminals. They'll still impersonate fire inspectors.

  15. Not my job.... by David_Hart · · Score: 3, Interesting

    Physical security and access is not the job of the standard employee. The only job the employee has is to ensure that their credentials are only used for their access, either physical or digital, and that they are kept secure.

    I once was working for a company that had hired a new CIO. The area where the IT people sit was secured with keycards, and was just outside of the server room, which had its own keycard. There was never any problem with letting visitors and other employees in and out to discuss IT projects, etc. In other words, while it had keycard access, it wasn't considered a security zone. The CIO came to visit the IT area and I let him in without knowing who he was. He was then buzzed into the server room by one of the operators who did know who he was. Of course, he made a big stink about the whole thing. The funny thing, of course, is that nothing changed. He was just trying to make a big splash.

    The point is, I am not a security guard. I am not about to put my physical safety in jeopardy for the sake of corporate secrets. I do not have the necessary skills to vet or interrogate every new visitor wandering our halls, nor do I have the authority or tools to throw them out. You can chew out your employees for allowing physical access to this "fireman", but the problem is management not spending the money to have proper security at the door, not the lack of vigilance by the employees.

    I will keep my passwords secret, I will choose complex passwords, I will not allow people to tailgate on my keycard access, and I will inform IT security if any of my corporate devices goes missing. I will do all of this, but I will not be your security guard; there are people who do this who are much better at it than I could ever be...

  16. Re:Euphemisms by ackthpt · · Score: 2

    "It sounds almost like a respectable profession."

    So did banking. The masters are utterly corrupt, which has removed any moral reason to respect them or their property. I shed no tears for the rich when they lose what to them is a pittance.

    The bad bankers (and I don't mean inept, they're bad in a different way) have figured out how to game the system. It's like they found the cheat codes to Super Mario to make him run faster, fly better or be invulnerable. It's the position of government to enact laws, as demanded by the people, and to put auditors in place, as also demanded by the people, to see that this sort of gaming the system doesn't take place. The problem is the bankers have realized they can openly weep crocodile tears and certain people within the government will say, 'There, there, we'll back off with the mean old auditors and regulations so you can do business the way you want to.'

    In my experience, the bigger the bank, the bigger the team of auditors and the sharper their pencils should be.

    --

    A feeling of having made the same mistake before: Deja Foobar
  17. Re:Poor story. by NiteShaed · · Score: 3, Interesting

    Completely plausible actually.

    IDs not checked?

    He does present ID. The fact is, though, that as long as it looks "official", most people will believe that it is what it says it is. Assuming you're not on your local fire department, do you know what your town's fire inspector's ID actually looks like? It's not like this guy was handing them a piece of notebook paper with "Fire Inspekter" written on it in crayon.

    USB ports not disabled?

    Plenty of computers use USB keyboards, so there's your enabled port. A keylogger plugs into the port, the keyboard plugs into the keylogger, and done. Same thing went for the old PS/2 ports. Even if your average bank employee looked at the back of their PC (which isn't very likely to begin with), they probably wouldn't recognize anything out of the ordinary.

    --
    Some bring out the best in others, some the worst. Some bring out far more.
  18. You want an effective security system? by Beeftopia · · Score: 2

    Then don't create a system where employees are forced to question someone who might be the company CEO or a senior VP.

    This is the core issue - security systems are set up where "playing it safe" for the employees means looking the other way.

    The solution? Get rid of card reader-only secured doors. You need vertical turnstiles which ONLY allow one person through, and signs which clearly say that if you let someone through, YOU will be fired for that.