How To Rob a Bank: One Social Engineer's Story
itwbennett writes "Today's criminals aren't stealing money — that's so yesterday, according to professional social engineer Jim Stickley. In an interview with CSO's Joan Goodchild, Stickley explains how he's broken into financial institutions large and small, and stolen their sensitive data. In a companion story, Stickley walks through the steps he takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach."
Small time (Score:5, Insightful)
The real big criminals own the banks.
Re:Small time (Score:5, Informative)
The real big criminals own the banks.
Exactly, see "The Best Way to Rob a Bank Is to Own One: How Corporate Executives and Politicians Looted the S&L Industry" by William K. Black. The basic concepts and problems from that debacle are still in play with our current mess.
Re:Small time (Score:5, Insightful)
The real big criminals own the banks.
Own?
Nooooo....
The really big criminals work in top positions of banks and are well connected in government, so they only have to look slightly admonished for a few weeks after nearly bringing down the entire economy of the West and then it's back to business as usual.
They don't own banks, they pwn banks.
Re:Small time...Big Time was Congress (Score:2, Insightful)
But the group that sets the rules TELLS THE BANKS what they will do.
CRA, The Community Reinvestment Act demanded that banks make loans to low income areas regardless of meeting loan requirements or...the banks would be subject to having their approval to be a bank revoked by the Treasury Dept. or whoever oversaw the CRA.
The banks made the loans but said "We can't keep these marginal loans" so all the biggies agreed that FMae and FMac would take them...but then they said they couldn't hold them, so rules wer
Re: (Score:2)
Re: (Score:1)
But the group that sets the rules TELLS THE BANKS what they will do.
Not really, although that's what they teach you in schools. In reality, Congress asks the financial industry lobbyists what laws they want and has the lobbyists write the legislation. The congressman sponsoring the legislation writes very little of it (if any) and probably doesn't even read it all. That's why laws like exceptions to capital requirements for large banks (Bear Stearns or bigger) are passed - look it up. That's the rule now, n
Re: (Score:2)
This has next to nothing to do with the financial crisis, as many financial insiders (like the old Lehman Brother's CEO and others) have discussed.
How do they know? Because they're insiders? There's so much misinformation and genuine complexity that it's almost impossible to say. However, look at this little tidbit in an article about Capital One's plans to buy ING Direct: http://dealbook.nytimes.com/2011/08/23/in-feds-move-on-capital-one-deal-a-test-of-dodd-frank/ [nytimes.com]
Clarity, if not an answer, may have come inadvertently from National Community. The coalition argues that Capital One’s application to acquire ING Direct is suspect because Capital One refuses to lower its credit standards to extend Federal Housing Administration-insured loans to people with credit scores of 580. This is the lowest credit score allowed by the F.H.A. National Community contends that this is discriminatory against members of minority groups because they tend to have lower credit scores and have been hit harder by the financial crisis.
Capital One has responded by agreeing to lower its credit score requirements by 2012. For National Community, this is not enough, because Capital One’s F.H.A. loan volume is relatively flat in growth. Capital One is now a bit player with less than 1 percent of the F.H.A. loan market. National Community wants the combined entity to make more of these loans, since they help people who could not otherwise afford a mortgage.
Who is National Community? (http://www.ncrc.org/)
In recent years, NCRC has led efforts to reform the financial system, respond to the foreclosure crisis, and expand the Community Reinvestment Act. We are experts on banking, business development, community reinvestment, community development, civil rights, housing, and workforce issues.
I love the idea of "inadvertent clarity" here -- it's funny but absolutely true. This organization is working with the government to make ba
Thieves on the outside, thieves from within (Score:2)
Here we are in between.
Re: (Score:1)
Best way to derail an interesting story: inject politics into the discussion.
Re: (Score:2)
In fact, there's a worthwhile read on precisely this topic: The Best Way to Rob a Bank Is to Own One [amazon.com]
Re: (Score:2)
The big criminals are the guy sitting in government. Hate to break the news to you. Banks can only work with the regulations given, or forced on them. Remember that housing bubble and collapse? Did you enjoy the government forcing banks to loan out money to unsafe groups? I bet you did!
Re: (Score:2)
If that were the case, why did the housing bubble happen outside the US as well? US regulations don't apply outside the US, yet there was a global bubble. How do US regulations on banks account for that?
http://seekingalpha.com/article/124306-the-global-housing-bubble-it-s-a-small-world-after-all
Re: (Score:2)
CDS and cross-ownership of debt. That's how. The same reason why there was a massive implosion of the mortgage and banking system in Iceland. On average the mortgage there was divested by nearly 60% into other non-standard currencies and debts.
Re: (Score:2)
Re: (Score:2)
Funny that. I guess I've never made money in the market by knowing what countries are going to issue a CDS and taking advantage of the forex market either. Oh wait...
Re: (Score:2)
Re: (Score:2)
"Bank"? (Score:2)
Most of the companies called banks nowadays have about as much to do with banking as going down to Vegas and putting all your money into a slot machine.
Banking is relatively low-risk; creating "financial instruments" and selling them is potentially high risk, unregulated, and untested.
So don't call it banking.
As a victim of theft (Score:4, Insightful)
Re:As a victim of theft (Score:4, Insightful)
by the banks, I'm ok with the role reversal.
Old bumper sticker: Don't Steal - The Government Hates Competition
New bumper sticker: Don't Steal - The Banks Hate Competition
Euphemisms (Score:2)
So when did con men become "social engineers"? It sounds almost like a respectable profession.
Re: (Score:2, Insightful)
When they get paid by the boss of the people they are engineering to help prevent real con men from doing it.
Re:Euphemisms (Score:5, Insightful)
In two years they had never failed to get a manager's username/password by the time they were finished setting up the equipment.
Re: (Score:2)
I thought about how stupid people can be and I can say with certainty that 50% are below average.
I think it's stupid. People that really rob banks don't have the money to buy 50 computers, uniforms with badges and vans painted with company logos. They go after credit card info by hacking or the old at-gunpoint way. Even though it could happen that way it never has because with too many people involved in a robbery, someone will talk. So you would not get stopped right away but you have then left many ways fo
Re: (Score:2)
I thought about how stupid people can be and I can say with certainty that 50% are below average.
So can I. That's because that's how averages work, by definition.
Re: (Score:2)
No, dummy. That's how medians work, by definition.
Re: (Score:1)
I thought about how stupid people can be and I can say with certainty that 50% are below average.
So can I. That's because that's how averages work, by definition.
Exactly! Like when there's a test and out of 50 pupils 49 score 100/100 and one of them scores 0/100. The average score is then 98 and exactly half of the students are below the average, right, oh wait...
Re: (Score:2)
Slow down there is no gravity but the Earth sucks.
Re: (Score:1)
People that really rob banks don't have the money to buy 50 computers, uniforms with badges and vans painted with company logos.
Don't know too many bank robbers do you?
Re: (Score:2)
Yeah bank presidents and such. I know a few.
Re:Euphemisms (Score:5, Informative)
So when did con men become "social engineers"? It sounds almost like a respectable profession.
Beg pardon, mate, but con is short for confidence, as in, they gain your confidence before nicking your lunch money.
Social Engineering is just a new-fangled label for probably the 3rd or 4th oldest profession in the world.
Re: (Score:2)
One that's less respectable than its predecessors, prostitution and banditry.
Re: (Score:2)
"It sounds almost like a respectable profession."
So did banking. The masters are utterly corrupt, which has removed any moral reason to respect them or their property. I shed no tears for the rich when they lose what to them is a pittance.
Re: (Score:3)
"It sounds almost like a respectable profession."
So did banking. The masters are utterly corrupt, which has removed any moral reason to respect them or their property. I shed no tears for the rich when they lose what to them is a pittance.
The bad bankers (and I don't mean inept, they're bad in a different way) have figured how to game the system. It's like they found the cheat codes to Super Mario to make him run faster, fly better or be invulnerable. It's the position of government to enact laws, as demanded by the people, and to place auditors in place, as also demanded by the people, to see this sort of gaming the system doesn't take place. The problem is the bankers have realized they can openly weep crocodile tears and certain people
Not stealing money? (Score:2)
Yes...they are stealing money. They just aren't doing it directly. EVERYONE who steals does it for the money. The guy who steals bread to feed his family would be just as likely to steal money to buy the bread if an opportunity presented itself. These guys are stealing information....that they will then sell to make money.
Unless you are stealing decorations from Pier 1 in an attempt to make your home look like a twisted and freakish version of a "Better Homes and Gardens" cover, you are stealing money...
Re: (Score:2)
The point was that they're not stealing physical money. As in, not running out of the bank with bags full of bills.
Duh (Score:5, Interesting)
Re: (Score:3)
One of the more insightful comments from Art of Deception (or Intrusion, don't remember which one) was that even a machine that doesn't work is a vulnerability.
"Yes, hello. I'm here to fix your broken machine."
as a former security auditor myself... (Score:5, Interesting)
As a former security auditor myself, I'd attack the voice response units. Quite frequently those boxes (often standalone towers covered with a quarter inch of dust) were neglected in the corner, with no IDS, no one checking logs and frequently no automatic lockouts. Routed through Skype and/or Google Voice...
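As an added example (not from this thread, the article, or any VRU vendor): a replay of constructed voice-response-unit authentication logs that implements the two controls the comment says those boxes lacked, an automatic lockout after repeated failed PINs and a log review that flags one caller probing many accounts. The log format, field names and every value are constructed for the example.

```python
"""Added example: minimal lockout and log-review logic for a VRU/IVR
authentication log. Nothing here is a real product's format; the
"caller=/acct=/result=" fields and all sample values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<ISO timestamp> caller=<ANI> acct=<account> result=<OK|FAIL>"
SAMPLE_LOG = """\
2011-08-24T09:00:01 caller=5550101 acct=1001 result=OK
2011-08-24T09:00:12 caller=5550199 acct=2002 result=FAIL
2011-08-24T09:00:20 caller=5550199 acct=2002 result=FAIL
2011-08-24T09:00:27 caller=5550199 acct=2002 result=FAIL
2011-08-24T09:00:35 caller=5550199 acct=2002 result=FAIL
2011-08-24T09:00:41 caller=5550199 acct=2002 result=OK
2011-08-24T09:01:05 caller=5550188 acct=3003 result=FAIL
2011-08-24T09:01:09 caller=5550188 acct=3004 result=FAIL
2011-08-24T09:01:14 caller=5550188 acct=3005 result=FAIL
2011-08-24T09:01:19 caller=5550188 acct=3006 result=FAIL
2011-08-24T09:01:25 caller=5550188 acct=3007 result=FAIL
2011-08-24T09:01:30 caller=5550188 acct=3008 result=FAIL
2011-08-24T09:30:00 caller=5550177 acct=4004 result=FAIL
2011-08-24T10:30:00 caller=5550177 acct=4004 result=FAIL
2011-08-24T11:30:00 caller=5550177 acct=4004 result=FAIL
2011-08-24T12:30:00 caller=5550177 acct=4004 result=FAIL
"""


def parse(log_text):
    """Turn each constructed log line into a dict with a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def lockout_replay(events, max_failures=3, window_minutes=15):
    """Replay events through a per-account lockout policy.

    Returns (locked_accounts, blocked_events): accounts that reached
    max_failures within the sliding window, and every attempt (failed or
    successful) the VRU should have refused while the lock was active.
    A successful login resets the failure counter."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    locked_until = {}
    locked = set()
    blocked = []
    for ev in events:
        acct = ev["acct"]
        if acct in locked_until and ev["ts"] < locked_until[acct]:
            blocked.append(ev)  # locked: refuse even a correct PIN
            continue
        if ev["result"] == "OK":
            failures[acct] = []
            continue
        # drop failures that have aged out of the window, then count this one
        failures[acct] = [t for t in failures[acct] if ev["ts"] - t <= window]
        failures[acct].append(ev["ts"])
        if len(failures[acct]) >= max_failures:
            locked.add(acct)
            locked_until[acct] = ev["ts"] + window
            failures[acct] = []
    return locked, blocked


def enumerating_callers(events, min_accounts=5):
    """Log review: callers whose failures spread across many distinct accounts.
    Per-account lockout never fires for this pattern, which is why someone
    has to actually read the logs."""
    accts = defaultdict(set)
    for ev in events:
        if ev["result"] == "FAIL":
            accts[ev["caller"]].add(ev["acct"])
    return {c for c, a in accts.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("locked (15 min window):", lockout_replay(evs)[0])
    print("locked (2 h window):   ", lockout_replay(evs, window_minutes=120)[0])
    print("callers probing accounts:", enumerating_callers(evs))
```

Note that account 4004, hit once an hour, only locks when the window is widened to two hours; the short default window is exactly what a patient caller counts on, and the caller-side review catches the spread-out case the lockout cannot.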
Vonnegut? (Score:2)
Stickley reads like Kurt Vonnegut Jr. That provided an amusing image.
Re: (Score:2)
Listen. Anyone can sound like Kurt Vonnegut, Jr. Throw in a few oddball names like "Tralfamadorians", and a few quirky clichés every other paragraph, like "And so it goes...", make all the important characters seem like incredible chumps, and you're all set.
I think acting as a fake fireman is a felony (Score:1)
I think acting as a fake fireman is a felony and I don't think the real firemen like professional security consultants doing tests acting / saying that they are a fireman.
Re: (Score:3)
Fortunately, the linked story addresses this, and the author talks about how he'll meet with local officials to get permission before playing fire inspector.
Re: (Score:2)
But what if something goes wrong or someone gets sick and the fake fireman can't help? Just think about the LAW SUITS.
Re: (Score:3)
But what if something goes wrong or someone gets sick and the fake fireman can't help? Just think about the LAW SUITS.
Or, more plausible, what if the fake fireman gives bad advice (because he doesn't know his shit, as mentioned in story), people act on the advice, but doing so make things much worse in the event of a real fire...
I'm sure that he didn't tell the fire brigade that he would "keep walking around rooms, giving them advice on keeping their facility fire safe, even though I really have no idea what I'm talking about. I make stuff up and probably give the worst advice ever. I'll pull out cords and say 'This looks
Re:I think acting as a fake fireman is a felony (Score:5, Funny)
Re:I think acting as a fake fireman is a felony (Score:5, Insightful)
Either my sarcasm detector is broken (please plant your tongue further in your cheek next time), or you've entirely missed the point. Actual criminals don't ask for permission before breaking the law. That's what makes them criminals. They'll still impersonate fire inspectors.
Re: (Score:2)
He's not telling the police so the people he's attacking will feel better about it. He's telling the police that there is a 'test' going on and reports about suspicious firemen from that location are likely the 'test' going on.
It's the same reason why pilots do time in simulators...to train them for when it's *real*. He's effectively training the people he's attacking by putting them through a real world scenario - as far as they know.
Re: (Score:2)
Actual criminals are... criminals. They don't particularly care if impersonating a fire inspector is illegal.
As for whether it will ever happen - well, at a lot of places it probably won't because you don't have to get that tricky to get what you want. Just call a high-placed exec's secretary, say you're from IT, and need his l/p to fix his computer. 9 times out of 10 it'll work.
As he says in the article, the fire inspector ruse comes out when the bank is more sophisticated than most and therefore a harder
Re: (Score:2)
"I think acting as a fake fireman is a felony"
Is Google broken today?
Re: (Score:2)
Apparently pretending to be a football referee is also a felony.
One day, it just might be a felony to celebrate Halloween.
Re: (Score:2)
I saw that on the news the other day and I could NOT believe my ears!?!?
I instantly thought..."OK, we've reached the point where we have enough....err....too many laws. If they had to come up with making impersonation of a freakin' football game ref a felony, we've gone over the edge."
Re: (Score:2)
And I call (Score:2, Interesting)
Bullshit. You mean to say that this guy both steals stuff from bank employees desks AND installs keyboard loggers, and no one at the bank suspects anything like "hey, these guys stole all this stuff from us, maybe they weren't firemen, maybe security has been breached, let's check to see if computers/equipment has been tampered with!"
From TFA:
At that point, my partner's job is to start stealing everything he can steal and start putting it in his bag.
On our way out, we don't want them to know we're done. We want to be able to come back another time.
Too much mission impossible on TV. This is just an attention whore trying to cash in by pretending to be a crook. Typical of a "security consultant", really.
Re: (Score:1)
This is a bank, do you really think they have a competent IT staff? When you have something stolen, the last thing most normal people think of is to check their computer data (first thing would be to check what they stole and who did it). Data loggers are quite easy to miss unless you specifically are looking for them. This is an exercise that tests both physical and data security in one heist.
Is it reasonable? Most criminals admittedly will do one or the other but there still exists the possibility of both.
Re:And I call (Score:5, Informative)
Want to get into a secured location? Get yourself a fake badge and a jacket that says XYZ Security Installers on it. Walk up to a door about lunch time with a tool bag in one hand and a ladder in the other, maybe a box or two tucked under an arm. Make a show of not being quite able to get your badge to the reader without putting everything down. People are too polite, they'll not only badge the door for you but then they'll hold it. I've seen it happen plenty of times, we even did it for a customer's security director to show them that their people really did need training.
Re: (Score:2)
Re:And I call (Score:4, Interesting)
Once there was an actual criminal going around a large office park at a place where I previously worked that would walk in wearing a VERY fancy suit and kind of wander around stealing laptops, electronics, etc. and then walk out. Nobody could ever identify him except that he was in a fancy suit, and nobody dared question what he was doing so as not to get in trouble for offending somebody important. Not saying any of these places were supposed to be highly secure, but it was quite a problem for a while and he always got out before anyone noticed or realized what was going on.
Then he walked into our office which was a startup, and he was obviously not familiar with the "atmosphere". As soon as he got in by following behind somebody, several people said "What the **** are you wearing a suit for and what the **** are you doing here?", took a picture of him, and escorted him out.
Re:And I call (Score:5, Insightful)
Once there was an actual criminal going around a large office park at a place where I previously worked that would walk in wearing a VERY fancy suit and kind of wander around stealing laptops, electronics, etc. and then walk out. Nobody could ever identify him except that he was in a fancy suit, and nobody dared question what he was doing so as not to get in trouble for offending somebody important. Not saying any of these places were supposed to be highly secure, but it was quite a problem for a while and he always got out before anyone noticed or realized what was going on.
Then he walked into our office which was a startup, and he was obviously not familiar with the "atmosphere". As soon as he got in by following behind somebody, several people said "What the **** are you wearing a suit for and what the **** are you doing here?", took a picture of him, and escorted him out.
The lesson is: You can steal more with a suit and tie than you can with a gun.
Re: (Score:1)
Didn't you read the second part of the thing you quoted? I'd say the real lesson is, "when attempting any sort of scam, study your marks first."
Re: (Score:3)
I don't think they were doing anything of the sort. They were testing security of company (bank) information, not just general security. I think by "grabbing everything" he was talking about things like USB sticks or disks, not wallets. It would be a stupid test if they took personal items as well, mi
Re: (Score:3)
Try carrying a big Costco sheet cake that says "Happy Birthday!". Easier than carrying all those tools, and you can go business casual.
Re:And I call (Score:5, Interesting)
A true story regarding the problem of walking in behind people (one of the easiest ways to enter a large building you shouldn't be able to access):
Employee walks into the office building. A bit behind that employee was the CEO, but the CEO's badge was not visible, and this was a newer employee who didn't recognize the CEO. The employee made sure the door closed on the CEO. The CEO took swift action to send a message to the whole company: He called security, found out who that employee was, and sent word down the chain of command to give that employee a special award.
Re: (Score:3)
A gate guard did this to our company's president on his first day. Same thing, appreciated that the job was done properly even if it inconvenienced him some.
Re: (Score:1)
Re: (Score:3)
It wasn't - the CEO actually did the right thing.
And I should mention that the company in question here was a Fortune 1000 company, not some startup.
Re:And I call (Score:4, Interesting)
I totally second that. For me, it was a tie and a clipboard, and my (totally true and legit) story that I worked for the building's property insurance company and needed to look everywhere and anywhere for risks (blocked doors, covered sprinklers, stacks of live ammo pointed at compressed oxygen canisters, that sort of thing). People would let me into the most amazingly sensitive areas, oftentimes with no escort, just a slap on the back and a "give the key fob back to Tina when you're done". Three hours later I would know every corner of the place.
I ain't that charismatic, so I conclude the clipboard is key.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
What's especially clever is if you actually spend time really taking notes on pointless things. Spend five minutes measuring the distance between electrical outlets or whatever.
Even if you have an escort, they will quickly get bored.
Bonus points if you actually have forms on the clipboard with blanks on them that ask for that information.
Incidentally...stacks of live ammo pointed at compressed oxygen canisters? Seriously?
Re: (Score:1)
Incidentally...stacks of live ammo pointed at compressed oxygen canisters? Seriously?
OK, it was rarely that bad, though I did see things like empty pallets stacked to within inches of the fire sprinklers, gas cans stored in unventilated stationery rooms, and plenty of other violations of common sense and/or the fire codes.
There was a famous incident we studied in classes where a small fire started in a big warehouse (Kmart I believe). Or at least, it should have remained small and been quickly contained by fire sprinklers. But one of the pallets that caught on fire was a bunch of cans of
Re: (Score:2)
For me, it was a butt set (http://en.wikipedia.org/wiki/Lineman%27s_handset) along with the clipboard.
I did a fair amount of network cabling support years ago, mostly in retail locations. I'd be wandering around the stock room of a Best Buy or Wal Wart, someone would come up to me and ask: "Can I help you?", and I'd reply: "No, thanks; I'm good." They'd stand there uncomfortably for a second, and I'd walk away with a warbling toner. Always a blast.
Cash on demand (Score:2)
Interestingly, I was watching an old movie from the 60s a few days ago where the crook convinces the bank staff that he's from their insurance company and come to the bank to check their security, then robs it.
Similar ideas seem to have been around for a long time.
If you want to rob a bank, become CEO. (Score:4, Insightful)
Surely recent years have shown the most successful bank robbers run banks.
Re: (Score:2)
It's always been that way we are just now figuring it out.
Re: (Score:3)
PIN numbers, account numbers, sort codes, mother's maiden name, address....people type lots of interesting things into computers these days.
Not my job.... (Score:4, Interesting)
Physical security and access is not the job of the standard employee. The only job the employee has is to ensure that their credentials are only used for their access, either physical or digital, and that they are kept secure.
I once was working for a company that had hired a new CIO. The area where the IT people sit was secured with keycards, and was just outside of the server room, which had its own keycard. There was never any problem with letting visitors and other employees in and out to discuss IT projects, etc. In other words, while it had keycard access, it wasn't considered a security zone. The CIO came to visit the IT area and I let him in without knowing who he was. He was then buzzed into the server room by one of the operators who did know who he was. Of course, he made a big stink about the whole thing. The funny thing of course, is that nothing changed. He was just trying to make a big splash.
The point is, I am not a security guard. I am not about to put my physical safety in jeopardy for the sake of corporate secrets. I do not have the necessary skills to vet or interrogate every new visitor wandering our halls, nor do I have the authority or tools to throw them out. You can chew out your employees for allowing physical access to this "fireman" but the problem is management not spending the money to have proper security at the door, not the lack of vigilance by the employees.
I will keep my passwords secret, I will choose complex passwords, I will not allow people to tailgate on my keycard access, and I will inform IT security if any of my corporate devices goes missing. I will do all of this, but I will not be your security guard, there are people who do this who are much better at it than I could ever be...
Re: (Score:2)
The point is, I am not a security guard. I am not about to put my physical safety in jeopardy for the sake of corporate secrets. I do not have the necessary skills to vet or interrogate every new visitor wandering our halls, nor do I have the authority or tools to throw them out.
I will keep my passwords secret, I will choose complex passwords, I will not allow people to tailgate on my keycard access, and I will inform IT security if any of my corporate devices goes missing. I will do all of this, but I will not be your security guard, there are people who do this who are much better at it than I could ever be...
You're close to fulfilling your responsibilities. Just add "challenge strangers to present valid credentials" and "report suspicious activity" to your list. You don't have to risk your physical safety to do those.
Re: (Score:2)
If management can't be bothered to hire enough security personnel to take care of this at the door, then they need to take responsibility for anyone who enters the facility without the proper credentials. This is a security job, not an employee responsibility.
However, I do agree that employees should report suspicious activity.
Re: (Score:2)
Re: (Score:2)
But again, it was left up to employees, not security, to escort the "fire marshal". Employees should only escort people that they personally have business with. All others should be escorted by security, people who are trained to verify credentials, contain access, etc.
Leaving this job to employees is an abdication of the responsibility of security by management. It's a way of reducing costs while putting the responsibility on the average employee who doesn't have the right training to handle these situati
Re: (Score:2)
Poor story. (Score:2)
This story is working on too many assumptions that probably aren't true.
An analogy would be a story about robbing Fort Knox by putting on a fake military uniform and saying you're an important general, and you want to look at the gold just to make sure it is all there.
Seriously, THAT'S how bad this story is. IDs not checked? USB ports not disabled? What?
Re:Poor story. (Score:4, Interesting)
Completely plausible actually.
He does present ID. The fact is though that as long is it looks "official", most people will believe that it is what it says it is. Assuming you're not on your local fire department, do you know what your town's fire-inspector's ID actually looks like? It's not like this guy was handing them a piece of notebook paper with "Fire Inspekter" written on it in crayon.
Plenty of computers use USB keyboards, so there's your enabled port. A keylogger plugs into the port, the keyboard plugs into the keylogger, and done. Same thing went for the old PS/2 ports. Even if your average bank employee looked at the back of their PC (which isn't very likely to begin with), they probably wouldn't recognize anything out of the ordinary.
Re: (Score:2)
An analogy would be a story about robbing Fort Knox by putting on a fake military uniform and saying you're an important general, and you want to look at the gold just to make sure it is all there.
Closer to pretending you're a traffic cop on a street directing people only in one direction. Authority, but not *too* much authority. The best part about the Fire Inspector is that he doesn't prevent anyone from doing their jobs (the job of the guards in your example is "don't let anyone past unless they're fully authorized (and a random general isn't)").
Seriously, THAT'S how bad this story is. IDs not checked? USB ports not disabled? What?
Bank branches aren't the CIA. IDs don't get checked. USB ports most assuredly are not disabled, and I bet the desktop HDDs aren't encrypted either.
Full article (Score:2)
Here is a link to the printable version. [csoonline.com]
security? (Score:1)
Back 8 years or so ago, a guy who was installing security cameras in a bank called. I never met him before or knew who he was, he just knew of me through a friend. He wanted me to come set up the network on the cameras to work with the bank's network. So I show up and spend the next couple hours in the back room of the bank with the servers, totally unmonitored and unsupervised, and after hours setting up the cameras. No one at the bank asked for my ID or even my name, and one person asked if I would look a
Here's How I Do It... (Score:2)
You want an effective security system? (Score:2)
This is the core issue - security systems are set up where "playing it safe" for the employees means looking the other way.
The solution? Get rid of card reader-only secured doors. You need vertical turnstiles which ONLY allow one person through, and signs which clearly say that if you let someone through, YOU will be fired for that.
Re: (Score:2)
I can't believe that worked
Re: (Score:1)
where I man???
Was it you?:)