I Am a Social Engineer
I’m a social engineer. And no, you won’t recognize me or be able to spot me when I come into your bank or credit union. My job is to scope a target (it could be your institution) and probe potential weaknesses in the security, both physical and cyber. I’m paid to find the holes and potential places where we could launch an attack on your branch or even your entire institution.
So, this is my typical day: I have an early breakfast and make sure I have all of my equipment packed in my green SUV (tinted windows hide my laptops with directional antennae pointed at your windows). I have a small battery pack for additional power needs, and I can use my cigarette lighter to run an AC/DC power line if needed.
The morning begins with the review of what I found in your trash your office left out the night before. Some good stuff was pulled out of the dumpster in the back. Yes, you did buy shredders, but nobody was specifically told to use them, or if you did tell them, they’ve gotten slack and lazy about it. Let’s review what I found.
I’ve got customer account numbers, commercial account numbers, a loan application, partially filled out, teller general ledger report printouts, a couple of deposit slips, and a ripped up copy of an entire account history. There’s even a list of the deposits made at that branch in the last 24-48 hours. Wow. If I could hook up with a bank robber, we could make off with several hundred thousand, most of it in cash! But I digress.
Let’s look at what else I found during my canvass of this institution’s branch in a medium sized city, somewhere in the U.S. I only took one day’s trash from the institution, and I haven’t finished going through it yet.
My preliminary surveillance yesterday afternoon outside of the branch consisted of walking in front of the building. I am reading a set of papers, and I drop one of them on the sidewalk near the branch windows. If some guard steps outside and asks me why I’m standing so close to the bank building and windows I can turn around and shuffle the papers together, and appear like I am putting them in order. Standing there after I picked the paper up, I was able to see computer screens inside the teller areas. I was able to take a photo with my small spy camera that fits in my hand. Later today, I have to use my telescoping camera lens to see if I can read off those screens from inside my vehicle, and if I can get useable account information off of them.
I then walk around the corner of the small two-story building that houses the institution. The building is part of a mall. I make notes of shared walls, and the locations and distances between the back entrance and windows. The big green dumpster that is shared by all the businesses in the mall is also located back there. It’s in an unlocked, unfenced, open area. One lone security camera overlooks the back, and it can be pushed/bumped with a broom handle to point away from the area where the dumpster is. (Which I already did. Nobody looks at this camera screen apparently, because it’s still pointing toward the corner of the building.) There’s even a parking space next to the dumpster where I parked last night. I waited until the pizzeria closed at 9 p.m. and carefully took their bags out before finding the institution’s trash bags underneath it. I knew it was the institution’s trash, because I saw it placed there shortly after 6 p.m. I sat in my vehicle and acted like I was talking on my cell phone and even waved at the cleaning lady who put the bags in the dumpster. She waved back and walked back into the back door of the institution.
So now it’s almost 9 a.m. on day 2, and the branch is ready to open. There are people lined up in front. I join them. I’m dressed in a non-descript pair of pants and a bulky sweater, and carry a small leather portfolio with a zipper. (That portfolio contains nothing, but I will have it bulging by the time I leave.) I get in the back of the line and then wander away looking at the front, and then move to stand in line again. I am making note of the placement of cameras, and the angles where they point. I find a blind spot near a corner past the teller area and stand there, feigning an attempt to fill out a credit card form I picked up while in line. While standing there, I can hear the tellers speaking to customers, and instead of filling out the form, I am writing down the account numbers and names being repeated back to the customers. Standing there for 10 minutes I am able to take down more than five customer account numbers, some with names. Then I decide to test the customer service representative sitting in her office.
Walking in, (there’s no one in the seating area) I ask her if she could answer a quick question for me. And then I hand her the credit card form. She notes that I’ve made some illegible marks in the form. “Did you want to fill out a credit card form with us today?†she asks. I reply yes, and she says to have a seat in her office and she’ll get me a new form. As she walks out to the far side of the teller area to pick up another credit card form, she finds there are no more forms. (That’s because I’ve picked them all up and they’re in my portfolio.) I see her buzz the teller door, and she steps into the teller area.
That’s my cue, I then stand up, look around with a quizzical look on my face (in case of a hidden camera) and look over her desk. I appear to be looking for a pencil. I see there’s a drawer. Is it open? I reach over and pull on it and it opens. Inside are forms for new accounts, and a change of address form. I pull out four of each. I then turn to her screen, which has a screen saver waving a tropical fish bowl on it. I touch the mouse, and wow, look at that, no password screen saver here. I quickly take a snapshot of the screen and sit back down, closing the drawer as I lean back over.
The customer service representative walks back in and has one copy of the credit card application in her hand. Handing it to me, she asks if I’d like to have something to drink. My reply is yes; of course I want her to leave me alone in her office again. But she doesn’t, instead she invites me back to the coffee break area while she proceeds to make a new pot of coffee. (There’s nothing like a friendly financial institution’s cuppa joe.)
We have a few minutes of small talk. I find out she’s not from the area, and plans on moving back to be near her aging parents who live several states away. I make a mental note of that, she may be hard pressed for medical care costs, so I inquire if they’re both retired. “Oh yes, they’re both in their late 70s, and in not so good health.†Hmm, I will want to follow up later on this lead to an insider at this institution. Why try to break in, when you can pay an insider to let you in?
I then politely ask if I could use the bathroom, and as she’s spooning coffee into the coffeemaker she points toward the door and says “It’s the door two doors away from where we left my office.†I nod my head and breath deep. Here is the ultimate test; can I get into any of the back office areas from here? I walk up the hall, trying doors as I go up, looking up and down the hall; no one is back there except the customer service representative. Two of her associates are out, one is sick, one is on vacation. I then see the door I’m looking for, “Electrical Room†I turn the door knob, and enter a small room with a set of what looks like electrical panels on one wall, and several small servers stacked neatly on a rack. I install my small USB loaded with a keylogger onto the back of one of the servers, and wait for a minute or two and then exit the room and walk back to the coffee room.
I manage to keep cool and calm. I finish my cup of coffee with the smiling customer service representative and tell her I will fill out the credit card application and bring it back in later in the week.
Upon leaving the branch, I casually walk up to my vehicle, and get it. I proceed to check if my laptops are picking up any wireless ports open inside the branch. I’ll be sure to go back to that branch -- they’re not following the institution’s security policies, thus making my job so much easier.
