ID Theft: 40 Million Served
eChannel Live Daily News , 06/21/2005
by Steve Wexler
Identity theft is a huge and growing problem, and the disclosure that up to 40 million MasterCard and American Express cardholders may have been exposed by a theft at third-party credit card processor CardSystems Solutions Inc. is just the latest cyber crime to be reported. The breach compromised account holders' names, banks and account numbers.
It seems robbing banks is back in vogue and Jim Stickley, with over 100 successful heists to his credit, is laughing all the way to the ... bank. Unlike traditional bank robbers, he steals personally identifiable information such as names, addresses, Social Security numbers, credit card numbers and passwords. Most bank robbers only get away with a few thousand dollars. Stickley gets away with information worth millions of dollars.
Luckily, Stickley isn't a criminal in the common sense of the word; he's a social engineer. Financial institutions hire Stickley's company, TraceSecurity, a security compliance software firm based in Baton Rouge, Louisiana, to perform vulnerability audits of their banks. His firm has been getting a lot of calls lately as banks begin beefing up their information privacy practices, motivated by the recent spate of high-profile identity thefts as well as by an increasing number of information privacy and disclosure regulations.
Social engineering is a concept that has been around the computer security industry for many years. Social engineers prey on human weaknesses to gain their victims' trust, then trick those victims into unwittingly becoming co-conspirators in the social engineer's plan, which usually involves stealing something.
"Most banks are surprisingly vulnerable to identity theft," said Stickley. "They spend millions of dollars a year on high-tech computer security defenses, but often fail to address the simplest, most critical aspect of information security: the human element. A bank can have the strongest doors on their vaults, but if they invite me in and allow me to wander their office, I can steal much more than their money."
Stickley and his team successfully complete their heists 90 per cent of the time. The other 10 per cent of the time, vigilant bank staffers thwart the heist. It's not at all unusual for a single TraceSecurity social engineering team to rob three or four bank branches in a single day. And it's surprisingly easy.
Stickley and his team start their social engineering adventures by impersonating someone of trust or authority, such as an air conditioning technician, a pest exterminator or a fire marshal. Planning for a heist begins weeks in advance, often by mailing a letter to a bank branch on forged stationery, informing staff of a planned "inspection." By the time the team shows up in fake uniforms with fake badges and fake identification cards, the front receptionist often welcomes them with coffee. Within minutes, they have free run of the bank as they crawl under desks, steal backup tapes and install spyware on the computers.
In the evening, the TraceSecurity team returns to dumpster dive, an activity that often yields a surprising amount of sensitive customer account information.
Once the heist is completed, the TraceSecurity team returns the stolen information to the bank executives who hired them and provides recommendations on how to prevent actual criminals from perpetrating the same crime. And if by some chance Stickley's team gets caught, he always carries his "get-out-of-jail-free" paperwork, which confirms that the bank hired him and provides the bank executives' cell phone numbers so they can confirm his story.
"The secret to an effective information security strategy," said Stickley, "is to balance security technology investments with better employee training, and better policy and procedure enforcement."
In the second part of this series, Stickley recommends five simple best practices that can reduce identity theft risk by up to 80 per cent.
