Slashdot Mirror
How To Rob a Bank: One Social Engineer's Story
itwbennett writes "Today's criminals aren't stealing money — that's so yesterday, according to professional social engineer Jim Stickley. In an interview with CSO's Joan Goodchild, Stickley explains how he's broken into financial institutions large and small, and stolen their sensitive data. In a companion story, Stickley walks through the steps he takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach."
The real big criminals own the banks.
Give me Classic Slashdot or give me death!
by the banks, I'm ok with the role reversal.
Absolute power corrupts absolutely. indymedia
You can talk your way into almost anywhere by claiming you're from IT. A couple years ago I did these server upgrades for bank of the west. No ID cards or anything, just walk in and do what you want.
As a former security auditor myself, I'd attack the voice response units. Quite frequently those boxes (often standalone towers covered with a quarter inch of dust) were neglected in the corner, with no IDS, no one checking logs and frequently no automatic lockouts. Routed through Skype and/or Google Voice...
It can be. I had an instructor for a computer security class whose day job was doing pen tests for financial institutions. He and his partner would arrive at a site and set up in a random meeting room. While one guy started unpacking the trunk load of computers and getting set up the other would get on the phone and start dialing branch offices. Whoever answered on the other end would get a line like, "Hi, I'm Brad, the new guy on the Help Desk. We need to reconfigure the router in your office this afternoon. The guy who normally does that is home with his sick daughter, and the only other login on the router is your manager's. Can I get their username and password?"
In two years they had never failed to get a manager's username/password by the time they were finished setting up the equipment.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
So when did con men become "social engineers"? It sounds almost like a respectable profession.
Beg pardon, mate, but con is short for confidence, as in, they gain your confidence before nicking your lunch money.
Social Engineering is just a new-fangled label for probably the 3rd or 4th oldest profession in the world.
A feeling of having made the same mistake before: Deja Foobar
Not really. I work for a company that does physical security for businesses (key cards, alarm systems, cameras, etc.) Probably 70 percent of the time I could walk into a customer site, say "I'm Brian from Something-or-other Security", sit down at the guard's monitoring computer, and no one would stop me. Only once in five years has anyone called our office to make sure that we were really the guys they sent.
Want to get into a secured location? Get yourself a fake badge and a jacket that says XYZ Security Installers on it. Walk up to a door about lunch time with a tool bag in one hand and a ladder in the other, maybe a box or two tucked under an arm. Make a show of not being quite able to get your badge to the reader without putting everything down. People are too polite, they'll not only badge the door for you but then they'll hold it. I've seen it happen plenty of times, we even did it for a customer's security director to show them that their people really did need training.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Yeah, except none of this happened. The guy is just presenting a different version of the a similar BS story he spat out in an interview with CNN in 2008. Except that time he walked out with a bunch of back up tapes. Of course now that he has been on TV, he's free to make up any bullshit he wants so long as suckers like you keep lapping it up. After all it's entertainment. But you are reading a "work of fiction" that is at least 3 years old.
Seven puppies were harmed during the making of this post.
Yes, and these tests are invalid as they address a situation that will never happen in reality: actual criminals will never impersonate fire inspectors, as there's no way they'll manage to get the permission from the local officials.
Surely recent years has shown the most successful bank robbers run banks.
Democracy Now! - uncensored, anti-establishment news
Either my sarcasm detector is broken (please plant your tongue further in your cheek next time), or you've entirely missed the point. Actual criminals don't ask for permission before breaking the law. That's what makes them criminals. They'll still impersonate fire inspectors.
Physical security and access is not the job of the standard employee. The only job the employee has is to ensure that their credentials are only used for thier access, either physical or digital, and that they are kept secure.
I once was working for a company that had higher a new CIO. The area where the IT people sit was secured with keycards, and was just outside of the server room, which had its own keycard. There was never any problem with letting visitors and other employees in and out to discuss IT projects, etc. In other words, while it had keycard access, it wasn't considered a security zone. The CIO came to visit the IT area and I let him in without knowing who he was. He was then buzzed into the Sever room by one of the operators who did know who he was. Of course, he made a big stink about the whole thing. The funny thing of course, is that nothing changed. He was just trying to make a big splash.
The point is, I am not a security guard. I am not about to put my physical safety in jeopardy for the sake of corporate secrets. I do not have the necessary skills to vett or interrogate every new visitor wandering our halls, nor do I have the authority or tools to throw them out. You can chew out your employees for allowing physical access to this "fireman" but the problem is management not spending the money to have proper security at the door, not the lack of vigilance by the employees.
I will keep my passwords secret, I will choose complex passwords, I will not allow people to tailgate on my keycard access, and I will inform IT security if any of my corporate devices goes missing. I will do all of this, but I will not be your security guard, there are people who do this who are much better at than I could ever be...
Once there was an actual criminal going around a large office park at a place where I previously worked that would walk in wearing a VERY fancy suit and kindof wander around stealing laptops, electronics, etc. and then walk out. Nobody could ever identify him except that he was in a fancy suit, and nobody dared question what he was doing so as not to get in trouble for offending somebody important. Not saying any of these places were supposed to be highly secure, but was quite a problem for a while and he always got out before anyone noticed or realized what was going on.
Then he walked into our office which was a startup, and he was obviously not familiar with the "atmosphere". As soon as he got in by following behind somebody, several people said "What the **** are you wearing a suit for and what the **** are you doing here?", took a picture of him, and escorted him out.
A true story regarding the problem of walking in behind people (one of the easiest ways to enter a large building you shouldn't be able to access):
Employee walks into the office building. A bit behind that employee was the CEO, but the CEO's badge was not visible, and this was a newer employee who didn't recognize the CEO. The employee made sure the door closed on the CEO. The CEO took swift action to send a message to the whole company: He called security, found out who that employee was, and sent word down the chain of command to give that employee a special award.
I am officially gone from
Once there was an actual criminal going around a large office park at a place where I previously worked that would walk in wearing a VERY fancy suit and kindof wander around stealing laptops, electronics, etc. and then walk out. Nobody could ever identify him except that he was in a fancy suit, and nobody dared question what he was doing so as not to get in trouble for offending somebody important. Not saying any of these places were supposed to be highly secure, but was quite a problem for a while and he always got out before anyone noticed or realized what was going on.
Then he walked into our office which was a startup, and he was obviously not familiar with the "atmosphere". As soon as he got in by following behind somebody, several people said "What the **** are you wearing a suit for and what the **** are you doing here?", took a picture of him, and escorted him out.
The lesson is: You can steal more with a suit and tie than you can with a gun.
A feeling of having made the same mistake before: Deja Foobar
I totally second that. For me, it was a tie and a clipboard, and my (totally true and legit) story that I worked for the building's property insurance company and needed to look everywhere and anywhere for risks (blocked doors, covered sprinklers, stacks of live ammo pointed at compressed oxygen canisters, that sort of thing). People would let me into the most amazingly sensitive areas, oftentimes with no escort, just a slap on the back and a "give the key fob back to Tina when you're done". Three hours later I would know every corner of the place.
I ain't that charismatic, so I conclude the clipboard is key.
You shall see a cow on the roof of a cotton house.
Completely plausible actually.
He does present ID. The fact is though that as long is it looks "official", most people will believe that it is what it says it is. Assuming you're not on your local fire department, do you know what your town's fire-inspector's ID actually looks like? It's not like this guy was handing them a piece of notebook paper with "Fire Inspekter" written on it in crayon.
Plenty of computers use USB keyboards, so there's your enabled port. A keylogger plugs into the port, the keyboard plugs into the keylogger, and done. Same thing went for the old PS/2 ports. Even if your average bank employee looked at the back of their PC (which isn't very likely to begin with), they probably wouldn't recognize anything out of the ordinary.
Some bring out the best in others, some the worst. Some bring out far more.