How to rob a bank: A social engineering walkthrough

Interesting take on physical penetration testing through social engineering in the banking sector from an old hand. Article here.

Professional social engineer Jim Stickley walks through the steps he typically takes to fool clients into thinking he’s there for fire safety, while he’s really proving they are an easy target for a data breach.

By TraceSecurity‘s Jim Stickley, as told to Joan Goodchild

October 26, 2011 — CSO —

If a company hires us for a social engineering engagement, typically they want us to get in and get to their back-up tapes, or into the data in their document room.

Let’s say I am posing as a fire inspector. The first thing I will have besides my badge and uniform is a walkie-talkie, like all firemen. Outside, we’ll have our car guy. The guy that sits in the car, and basically his job in the beginning is to send chatter through to our walkie-talkies. We will have a recording of all that chatter you’ll hear on walkie-talkies. He sits in the car and plays it and sends it through to our walkie-talkies.

[Jim Stickley explains his social engineering methods in Social engineering: My career as a professional bank robber

We walk into the facility and make sure that all the chatter is coming loudly into to the walkie-talkies as soon as we walk in their door so that we are immediately the center of attention. When I walk in, I want everyone to know that I mean business. My walkie-talkie is loud and everyone looks over as I apologize and turn it down.

Learn more about social engineering tricks and tactics

• 4 ways criminal outsiders get inside
• 3 examples of ‘human hacking’
• Exploiting 5 security holes at the office (includes video)

I show the person at the front desk my badge. They’ll say “Hi, how’s it going?” I’ll say “Good, I’m here to do a fire inspection.” They say “Great” and assign someone to us, like a teller. It’s generally someone who’s nice. I’ll start talking with them, flirting with them, or whatever it takes. We’ll start walking around.

While I’m talking with the person who has been assigned to us, my partner knows his job is to immediately wander away from us. So, my partner will immediately walk off. In most cases our escort will say “Can you come back here? I need to keep you guys together.” We say “Sure, sorry.” But really that means nothing to us. All it means is that we keep doing it until she gives up. My partner will wander off two or three times more times and get warned until she finally stops and gives up. She just thinks he’s a fireman and thinks “Let’s just let him do what he needs to do.”

my partner’s job is to start stealing everything he can steal and start putting it in his bag. And he also has to get under the desks of any employee he can find and start installing these little keyboard loggers. I stay with the person who is escorting me and my whole job now is keeping them entertained. I keep walking around rooms, giving them advice on keeping their facility fire safe, even though I really have no idea what I’m talking about. I make stuff up and probably give the worst advice ever. I’ll pull out cords and say “This looks a little bit dangerous.” I’ll comment on space heaters. I’m completely winging it.

A few years ago I got a device at Home Depot. It’s like a measuring tape, but not a regular measuring tape. It has a laser pointer and makes a clicking noise. This device is like the Tricorder on Star Trek for me. I can do any magical thing with it as far as Im concerned. I’ll put it up to a socket and say “This looks like it has too much current running through it.” And they just believe it. It’s amazing the stupid things I can do. It’s the bells and whistles that count and people want to see that you have products.

In the meantime, my partner is going under desks. If the employees are there, he’ll say “Hey, do you mind if I get under your desk for a minute? I’m just checking for any kind if fire danger.” If the employee asks “What kind of danger could be under my desk?” He will say “You know that fan on the back of your computer? If it stops spinning that could be a fire hazard.” This kind of explanation sounds reasonable.

My guy gets under the computer and in his bag he has a bunch of dongles. He easily installs one on the employee’s computer and now all data is going through this device. Of course, while my partner is under the computer, the person can’t see what they’re doing and they usually just wander off.

At that point we usually meet back up and discuss with each other out loud all the places where we’ve already been. That way we really have a good idea of what’s been accomplished and he can go back into places where I was unable to steal anything because of my escort. He’ll say “I’ve hit all the desks.” I’ll say “Can do me a favor and go back and check in here again?” and mention some place where I may have seen something interesting and I want him to go back and take care of it.

On our way out, we don’t want them to know we’re done. We want to be able to come back another time. This is where our guy in the car will make a fake call to the walkie-talkie and tell us they need us to respond to a call. I look at my escort and say “Hey, sorry, we’ll be back.”

We show back up in the next few days, do a quick recheck, go back in and get the dongles we’ve installed on the computers. We’ll do another quick run through, claiming we’ve lost our original inspection form. Since we’ve already taken everything already, the second visit is quick. We them tell them we’re all set and will send a report in the mail.

By the time it’s over, we’ve stolen stuff, and gotten access to log-ins and passwords because we’ve been recording that information with the key logging devices, whether it be online sites or local accounts on their system. We’ve been on their wireless network and have been able to hack into that as well.

When we’ve done everything we need to do, the last thing we will do is a dumpster dive. Its miserable, but it’s crazy how lucrative it is. We show up with rubber gloves and start ripping bags open. It’s amazing how much confidential information ends up in the trash. [Also see A real dumpster dive: Bank tosses personal data, checks, laptops.]

When we show up after the engagement to present what we found, there is often a total look of shock on the employees’ faces. But it’s a learning experience we hope they will all learn from. It’s stuff they never thought would happen. If you talked to them a week earlier, they never thought they’d fall for some of the stuff we pulled. But now they see it can happen, and it can happen to them.

Related articles

• Social Engineering (braelynspinosa.wordpress.com)
• Social Engineering Used to Steal From Billionaire Paul Allens Acount (voipsecurityblog.typepad.com)
• The Next Generation of Cyber Attacks (inc.com)
• Social engineering red flags and tips for training users (techrepublic.com)
• The Abbott Form of Social Engineering (theaimn.com)
• “Hacking Human Nature”: Former CIA Agent Leads WEBINAR on Social Engineering Testing (sys-con.com)
• Social Engineering: The Art of Human Hacking (resources.infosecinstitute.com)

~ by cisoblogger on December 31, 2013.