NewsNight
Broadcast on CNN
DAVID MATTINGLY, CNN CORRESPONDENT (voice-over): When it comes to identity theft, Jim Stickley is Jesse James, John Dillinger and Pretty Boy Floyd all rolled into one, minus all the guns and violence. He's claimed to have stolen enough sensitive data to run up credit cards and drain bank accounts of tens of thousands of people. And he's done it by breaking into supposedly secure systems at hundreds of corporations, from small regional banks to Fortune 500 companies.
JIM STICKLEY, TRACESECURITY INC.: I know your mother's maiden name, I know your Social Security number, I know all of your bank account numbers, I possibly know your visa numbers or credit card numbers. I know all of your references, if you've done like a loan, where you had to put reference accounts on there of other people. I know what car you drive. I know your driver's license number. I know every last thing you would ever put on a loan application.
MATTINGLY (on camera): And what can do you with that?
STICKLEY: I can be you, I can just become you tomorrow.
MATTINGLY (voice-over): If you were among the legions of Stickley's victims, you probably never knew it and never will. That's because he's one of the good guys. Corporations pay his company, TraceSecurity in Baton Rouge, to test the security of the data they keep on you. More than a hacker, Stickley is a conman, a master at exploiting human weaknesses. From a Six by 12 cubicle, he concocts schemes and disguises, talking his way into sensitive areas, sometimes as an air conditioning serviceman or pest control guy.
STICKLEY: You should make sure you have an appointment ahead of time. You wouldn't just walk in and say, I'm here to do a pest inspection.
MATTINGLY: But his favorite is posing as a uniformed fire inspector. (on camera): Does anyone question you when you walk in just wearing this white uniform shirt?
STICKLEY: No. And actually, the uniforms are bought from an actual fire department uniform supplier.
MATTINGLY (voice-over): Once inside, Stickley can deploy a number of easy-to-get devices. Connected to back of a computer, this device records everything put into it. A wireless transmitter like this can send data to a waiting van.
Posing as an OSHA inspector, he's actually convinced companies to use this keyboard rigged to record every key stroke. But nothing, he says, is more surprising than how easily he can take things the old- fashioned way.
STICKLEY: The first time I got backup tapes, I walked out with, you know, a box, a box of backup tapes. You know, I figured someone's going to like tackle me as I'm walking through the door. Nobody noticed. Nobody said a word.
MATTINGLY (on camera): If you're worried right now thinking about all that personal information you've given away to any number of companies, experts say you should be. As a customer, there's not a lot you can do once you've given your information away. So consumer groups recommend that you ask a lot of important questions up front.
JAY FOLEY, IDENTITY THEFT RESOURCE CENTER: By more consumers asking the questions, why are you collecting it, who gets access to it, what steps do you take to protect it, and when you're done with it, how will you dispose of it?
MATTINGLY (voice-over): One exhaustive checklist for consumers can be found on the Web site of the Privacy Rights Clearinghouse. Some of it, simple things, like, is the company's data encrypted? Do they conduct employee background checks? Even if it's a public official, do they ever allow outside personnel into sensitive areas unsupervised?
STICKLEY: If I'm a fire marshal, for example, I'll try to use my authority to tell them, go get me these documents, go get me coffee, go do things, make them leave me alone. If they're not trained and told never leave that person alone and tell that person, you must stay with me, they'll say, OK, and they'll go.
MATTINGLY: But as long as humans can be fooled, no system will be fool-proof. Jim Stickley's perfect record of data theft will remain intact and your debt will remain at risk.
David Mattingly, CNN, Baton Rouge. (END VIDEOTAPE)