TELECOM Digest OnLine - Sorted: ID Theft: 40 Million Served

ID Theft: 40 Million Served

Lisa Minter
Wed, 22 Jun 2005 08:08:23 -050

by Steve Wexler

Identity theft is a huge and growing problem, and the confession that
up to 40 million MasterCard, Visa and American Express cardholders
have been jeopardized in a theft at third-party credit card processor,
CardSystems Solutions Inc., is just the latest cyber crime to be
reported. The breach compromised account holder names, banks and
account numbers.

It seems robbing banks is back in vogue and Jim Stickley, with over
100 successful heists to his credit, is laughing all the way to the
... bank. Unlike traditional bank robbers, he steals personally
identifiable information such as names, addresses, Social Security
numbers, credit card numbers and passwords. Most bank robbers only get
away with a few thousand dollars. Stickley gets away with information
worth millions of dollars.

Luckily, Stickley isn't a criminal in the common sense of the word;
he's a social engineer. Financial institutions hire Stickley's
company, TraceSecurity, a security compliance software firm based in
Baton Rouge, Louisiana, to perform vulnerability audits of their
banks. His firm has been getting a lot of calls lately as banks begin
beefing up their information privacy practices, motivated by the
recent spate of high-profile identity thefts as well as by an
increasing number of information privacy and disclosure regulations.

Social engineering is a concept that has been around the computer
security industry for many years. Social engineers prey on human
weaknesses to gain the trust of their victims, and then they trick
their victims into unknowingly becoming the co-conspirators in the
social engineer's grand plan, which usually involves stealing

"Most banks are surprisingly vulnerable to identity theft," said
Stickley. "They spend millions of dollars a year on high-tech computer
security defenses, but often fail to address the simplest, most
critical aspect of information security: the human element. A bank can
have the strongest doors on their vaults, but if they invite me in and
allow me to _wander their office_, I can steal much more than their

Stickley and his team successfully complete their heists 90 per cent
of the time. The other 10 per cent of the time, vigilant bank staffers
thwart their heist. It's not at all unusual for a single TraceSecurity
social engineering team to rob three or four bank branches in a single
day. And it's surprisingly easy.

Stickley and his team start their social engineering adventures by
_impersonating someone of trust or authority_, such as an air
conditioning technician, a pest exterminator or a fire marshal. The
team's planning for their heists begins weeks in advance, often by
mailing a letter to a bank branch on forged stationery, informing them
of a planned "inspection." By the time they show up in their _fake
uniforms_ with fake badges and fake identification cards, the front
receptionist often welcomes them with coffee. Within minutes, they
have free range of the bank as they crawl under desks, steal backup
tapes, and install spyware on the computers.

In the evening, the TraceSecurity team returns to dumpster dive, an
activity that often yields a surprising amount of sensitive customer
account information.

Once the heist is completed, the TraceSecurity team returns the stolen
information to the bank's executives who hired them, and provides
recommendations on how to prevent actual criminals from perpetrating
the same crime. And if by some chance Stickley's team gets caught, he
always carries with him his "get-out-of-jail-free" paperwork which
confirms the bank hired him, and provides the bank's executives' cell
phone numbers to confirm Jim's story.

"The secret to an effective information security strategy," said
Stickley, "is to balance security technology investments with better
employee training, and better policy and procedure enforcement."

Copyright 2005 Corporation

[TELECOM Digest Editor's Note: I think I have been saying for a while
now that the best phisher people are not the ones who sit at their
computer pecking out letters to a jillion people; now and then getting
lucky with a sucker who responds. The smart guys know to get the
data they want on a _wholesale_ basis. And where Stickley in this
story always returns what he took, what about the dozens of UPS
and FedEx 'delivery men' out there who go calling each day at
all the banks and other business places? They are in and out with
the wink of an eye, and what receptionist bothers to question or
challenge them? This is an old, old trick, actually. In the mid-
1970's, guys posing as 'postal employees' attempted to hijack several
thousand new credit cards just being issued at Amoco Standard Oil,
at the credit card office. They just walked in, as was the daily
custom, and said they were there to get the outgoing registered
mail. (In those days, all new, outgoing plastics were sent registered
mail to 'insure their safety'). These guys, with pseudo-postal worker
uniforms walked right in and started gathering up the tubs and trays
and boxes of outgoing mail that day.

Considering what a hell-hole (at least to work at) the credit card
office had become by the mid 1970's, it was not surprising no one
questioned them about what they were doing. But Amoco security
officers had been tipped off a day or two before, and caught the guys
going down on the freight elevator with a dolly cart full of boxes of
outgoing mail. It turns out it was an 'inside job'. The credit card
office 'cleaned house' that day; they got rid of twenty or thirty
employees they suspected knew too much about the _overall operation_
of the system and a few months later the entire operation was moved
to Des Moines, Iowa where the managers thought they would find a lot
of farmer's wives and daughters (a smaller ratio of racially diverse
people) to work for them than they had in Chicago, plus smaller
salaries and much less corruption at the city government level. PAT]
