How To Rob a Bank: One Social Engineer's Story
itwbennett writes "Today's criminals aren't stealing money — that's so yesterday, according to professional social engineer Jim Stickley. In an interview with CSO's Joan Goodchild, Stickley explains how he's broken into financial institutions large and small, and stolen their sensitive data. In a companion story, Stickley walks through the steps he takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach."
The real big criminals own the banks.
Give me Classic Slashdot or give me death!
You can talk your way into almost anywhere by claiming you're from IT. A couple years ago I did these server upgrades for Bank of the West. No ID cards or anything, just walk in and do what you want.
As a former security auditor myself, I'd attack the voice response units. Quite frequently those boxes (often standalone towers covered with a quarter inch of dust) were neglected in the corner, with no IDS, no one checking logs and frequently no automatic lockouts. Routed through Skype and/or Google Voice...
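The post above names three missing controls on those voice response units: no intrusion detection, nobody reading the logs, and no automatic lockout. The following is an added example, not code from the original thread or from any product mentioned, showing the simplest of the three: a sliding-window failure counter over authentication log lines that locks an account or calling number after a threshold and alerts on any attempt made during the lockout. The log format (`ani=`, `acct=`, `result=`) and the sample lines are constructed for this example; a real unit's logs would need their own parser.

```python
"""Threshold lockout and alerting over constructed IVR authentication logs.

Hypothetical line format (constructed for this example, not a real product's):
  <ISO timestamp> ani=<calling number> acct=<account id> result=<ok|fail>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one caller cycles PINs against one account and
# eventually gets in; a second caller makes a single innocent mistake.
SAMPLE_LOG = """\
2011-06-01T10:00:01 ani=+15550001111 acct=4471 result=fail
2011-06-01T10:00:09 ani=+15550001111 acct=4471 result=fail
2011-06-01T10:00:17 ani=+15550001111 acct=4471 result=fail
2011-06-01T10:00:25 ani=+15550001111 acct=4471 result=fail
2011-06-01T10:00:33 ani=+15550001111 acct=4471 result=fail
2011-06-01T10:00:41 ani=+15550001111 acct=4471 result=ok
2011-06-01T10:05:00 ani=+15550002222 acct=9913 result=fail
2011-06-01T10:30:00 ani=+15550002222 acct=9913 result=ok
"""

MAX_FAILURES = 5                 # failures allowed inside the window
WINDOW = timedelta(minutes=10)   # sliding window for counting failures


def parse_line(line):
    """Split one log line into (timestamp, calling number, account, result)."""
    ts_text, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts_text), fields["ani"], fields["acct"], fields["result"]


def analyze(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (alerts, locked).

    alerts: list of (timestamp, key, message) in log order.
    locked: dict of key -> time the lockout was applied; keys are
            ("acct", id) or ("ani", number) so both the targeted account
            and the source caller get locked.  Lockouts do not expire here;
            an operator would clear them after looking at the alert.
    """
    failures = defaultdict(deque)  # key -> timestamps of failures still in window
    locked = {}
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ani, acct, result = parse_line(raw)
        keys = (("acct", acct), ("ani", ani))

        # 1. Drop failures that have aged out of the sliding window.
        for key in keys:
            dq = failures[key]
            while dq and ts - dq[0] > window:
                dq.popleft()

        # 2. Any attempt against a locked account or from a locked caller
        #    is worth an alert; a successful one means the lockout was not
        #    actually enforced by the unit and someone now holds a valid PIN.
        active = [key for key in keys if key in locked]
        if active:
            alerts.append((ts, active[0], f"{result} attempt during lockout"))
            continue

        # 3. Count the failure and lock when the threshold is reached.
        if result == "fail":
            for key in keys:
                failures[key].append(ts)
                if len(failures[key]) >= max_failures and key not in locked:
                    locked[key] = ts
                    alerts.append((ts, key, f"{max_failures} failures within {window}; locking"))

    return alerts, locked


if __name__ == "__main__":
    found_alerts, found_locked = analyze(SAMPLE_LOG)
    for ts, key, msg in found_alerts:
        print(f"{ts.isoformat()}  {key[0]}={key[1]}  {msg}")
    print("locked:", sorted(found_locked))
```

On the sample log the fifth failure locks both the account and the calling number, and the following successful login is reported as an attempt during lockout rather than passing silently; the second caller's single failure expires out of the window and produces nothing. Keying on both the account and the source number is what makes the counter useful against the "rotate accounts from one line" and "rotate lines against one account" patterns alike.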
It can be. I had an instructor for a computer security class whose day job was doing pen tests for financial institutions. He and his partner would arrive at a site and set up in a random meeting room. While one guy started unpacking the trunk load of computers and getting set up the other would get on the phone and start dialing branch offices. Whoever answered on the other end would get a line like, "Hi, I'm Brad, the new guy on the Help Desk. We need to reconfigure the router in your office this afternoon. The guy who normally does that is home with his sick daughter, and the only other login on the router is your manager's. Can I get their username and password?"
In two years they had never failed to get a manager's username/password by the time they were finished setting up the equipment.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
So when did con men become "social engineers"? It sounds almost like a respectable profession.
Beg pardon, mate, but con is short for confidence, as in, they gain your confidence before nicking your lunch money.
Social Engineering is just a new-fangled label for probably the 3rd or 4th oldest profession in the world.
A feeling of having made the same mistake before: Deja Foobar
Not really. I work for a company that does physical security for businesses (key cards, alarm systems, cameras, etc.). Probably 70 percent of the time I could walk into a customer site, say "I'm Brian from Something-or-other Security", sit down at the guard's monitoring computer, and no one would stop me. Only once in five years has anyone called our office to make sure that we were really the guys they sent.
Want to get into a secured location? Get yourself a fake badge and a jacket that says XYZ Security Installers on it. Walk up to a door about lunch time with a tool bag in one hand and a ladder in the other, maybe a box or two tucked under an arm. Make a show of not being quite able to get your badge to the reader without putting everything down. People are too polite, they'll not only badge the door for you but then they'll hold it. I've seen it happen plenty of times, we even did it for a customer's security director to show them that their people really did need training.
Yeah, except none of this happened. The guy is just presenting a different version of a similar BS story he spat out in an interview with CNN in 2008. Except that time he walked out with a bunch of backup tapes. Of course now that he has been on TV, he's free to make up any bullshit he wants so long as suckers like you keep lapping it up. After all, it's entertainment. But you are reading a "work of fiction" that is at least 3 years old.
Seven puppies were harmed during the making of this post.
Yes, and these tests are invalid as they address a situation that will never happen in reality: actual criminals will never impersonate fire inspectors, as there's no way they'll manage to get the permission from the local officials.
Either my sarcasm detector is broken (please plant your tongue further in your cheek next time), or you've entirely missed the point. Actual criminals don't ask for permission before breaking the law. That's what makes them criminals. They'll still impersonate fire inspectors.
A true story regarding the problem of walking in behind people (one of the easiest ways to enter a large building you shouldn't be able to access):
Employee walks into the office building. A bit behind that employee was the CEO, but the CEO's badge was not visible, and this was a newer employee who didn't recognize the CEO. The employee made sure the door closed on the CEO. The CEO took swift action to send a message to the whole company: He called security, found out who that employee was, and sent word down the chain of command to give that employee a special award.
I am officially gone from
Once there was an actual criminal going around a large office park at a place where I previously worked who would walk in wearing a VERY fancy suit and kind of wander around stealing laptops, electronics, etc. and then walk out. Nobody could ever identify him except that he was in a fancy suit, and nobody dared question what he was doing so as not to get in trouble for offending somebody important. Not saying any of these places were supposed to be highly secure, but it was quite a problem for a while and he always got out before anyone noticed or realized what was going on.
Then he walked into our office which was a startup, and he was obviously not familiar with the "atmosphere". As soon as he got in by following behind somebody, several people said "What the **** are you wearing a suit for and what the **** are you doing here?", took a picture of him, and escorted him out.
The lesson is: You can steal more with a suit and tie than you can with a gun.
I totally second that. For me, it was a tie and a clipboard, and my (totally true and legit) story that I worked for the building's property insurance company and needed to look everywhere and anywhere for risks (blocked doors, covered sprinklers, stacks of live ammo pointed at compressed oxygen canisters, that sort of thing). People would let me into the most amazingly sensitive areas, oftentimes with no escort, just a slap on the back and a "give the key fob back to Tina when you're done". Three hours later I would know every corner of the place.
I ain't that charismatic, so I conclude the clipboard is key.
You shall see a cow on the roof of a cotton house.