Inside Job: Secrets of a Hired Hacker
Sometimes a Breach is as Simple as Walking in the Front Door
Chris Koger is not an actual identity thief, but he may play one soon at a bank branch near you.
An Atlanta-based “ethical hacker” and information risk assessor, Koger specializes in human, operational and physical weaknesses of small- to medium-sized banks. He’s a certified information systems security professional (CISSP) for Brintech (www.brintech.com), an Austin, Texas-based security consultancy that performs third-party bank information security audits to fulfill federal regulatory requirements.
In short, Koger’s job is to expose potential breaches before an actual thief does. Oftentimes, it’s too late.
Dressed in crisp suits, usually gabbing to no one at all on a cellphone, Koger checks about 15 percent of a bank’s branches, operational networks, training regimen and staff behavior during an average weeklong visit. He never reports back on individuals, but presents his findings in aggregate. Still, officers are often shocked – as well as embarrassed, even angry -- at how easily their fortress can be scaled.
“I’m a paid criminal, that’s what it boils down to,” he says. “So, yeah, is there a rush to it? Sure. The good side of that rush is knowing that I’m not likely to be arrested, at least most of the time. I’m breaking the law on behalf of the bank.”
His wanderings reveal a laundry list of “gotcha” moments with critical lessons for bank officers at all levels:
Most Vital Systems Are Least Secured
Gaining entrance to the back office is the easy part. “It’s not uncommon for me to find a CEO’s or president’s PC or laptop on the network and break right into it,” Koger says.
The problem? Ironically, it’s often the critical servers and officers’ computers that are last to be security-patched, since network administrators worry about introducing a bug or “messing up” the boss’ computer.
As a bank manager recently looked on in horror, Koger easily jumped the firewall from a server in his own Atlanta office into a PC in hers -- a demonstration, of course, but one made possible entirely by a neglected patch that let him hijack an internal resource to do the job.
Tellers and line folks tend to get the most training on information security; middle management a fair amount; and the corporate officers the least. That triangle should be inverted.
“C-level folks should have more awareness,” Koger says. “After all, in the end they are responsible for the bank and protecting its employees and customers from the potential for identity theft or fraud.”
Social Engineering: “He Looks Like He Belongs …”
The bank had two lobbies: one for the account branch, the other for the mortgage business. Koger made a right, walking unchallenged past the receptionist and into the mortgage area. He snagged several open files full of mortgage apps from an empty desk and sauntered deeper into the branch. He walked past several open, but empty, offices with network plugs in the wall. He finally exited a door in the back, into an enclosed porch area, where he realized he was stuck. He started checking doors. A friendly man popped his head out and said, “Here you go. This is the way back in.”
It was the branch manager.
The problem, as in a lot of cases, Koger says, is that “there was no challenge, simply an invitation to re-enter from an area where I didn’t belong, and that invitation allowed me to leave with whatever information I had.”
Physical Access to Electronic Data
Most banks have hidden crawl spaces or attic rooms. At one particular branch, Koger charmed his way into the kitchen area looking for a cup of coffee before a “meeting” with the manager. He spotted a steel ladder on one wall. He scurried up.
Above the dropped ceiling he found a five-foot-high crawlspace from which he could look down on the tellers through a vent. A pinhole camera with a zoom lens trained on customer information could sit up there for months before anyone noticed. A similar setup in another bank had a plywood dormer that was easily dislodged, giving access directly to the outside -- and conversely, of course, to the inside.
The lesson? High-tech breaches are often deceptively low-tech.
Ineffective Locks
The branch-operations building was brand-new. Koger checked the door, which required a card key to open between the reception area and the operations area. It opened easily. Turns out the electronic lock had been installed backwards.
As usual, Koger had his cellphone to his ear, talking earnestly to dead air. The receptionist never batted an eye.
On his way into the operations area, he spotted the telltale server closet. This lock had a two-factor authentication function. Koger took his hotel room key-card out of his pocket and slid it between the door and the jamb. A second later, he was in. He closed the door and considered his possibilities. A rootkit – essentially a piece of hijacking software that operates invisibly on an unknowing “host” -- takes two minutes to install on a server, giving a hacker a way to jump the bank’s firewalls from the outside. Hidden from view, he had all the time in the world.
Koger’s tactics lay bare several basic lessons for bank managers. Situational awareness, empowering employees to not sacrifice alertness in the name of “customer service,” and using the right security technology for the right task, should all be top of mind priorities. And make sure the network security patches are all up to date. Even on the boss’ computer.
“I’m not trying to get to your money, I’m trying to get to your information,” Koger says. “We’ve been storing money for thousands of years, so we know how to keep an eye on it. But what we haven’t done is store information that can be accessed from multiple points on the same network. That’s where we’re failing.”
Question: How secure is your institution from some of these basic break-in attempts? Share your thoughts with Editor Tom Field.