Financial firms could have sensitive data stolen in 30 minutes or less
by Steve Ragan - Sep 10 2008, 16:15
TraceSecurity says 95% of U.S. financial institutions are at risk. (Image: J. Anderson)
TraceSecurity, in its five-year statistics on Social Engineering and Penetration Testing, said that, on average, 95 percent of U.S. financial institutions’ sensitive data, including bank account records and social security numbers, could have been stolen in 30 minutes or less.
Between 2003 and 2008, TraceSecurity’s engineering team, headed by Jim Stickley, compromised the security of more than 1,000 financial institution branches. Had the attempts been genuine, TraceSecurity said that tens of millions of records could have been compromised as a result.
“Personally, I've been able to bypass security policies, procedures and technology of any bank or credit union where I've performed social engineering engagements one-hundred percent of the time,” said Stickley, co-founder and CTO of TraceSecurity. “My job is to help companies understand and improve their security, and that’s exactly what happens with the tests we performed on financial services firms.”
The statistics were based on TraceSecurity’s own customers: institutions in 48 states with asset sizes of up to $2.7 billion USD and an average of four or more branch locations. The testing included penetration testing, remote social engineering and onsite social engineering; the team used whatever means it needed to gain access to records and information. TraceSecurity said engineers often disguise themselves as a fire marshal or pest inspector as part of their onsite social engineering engagements, and are able to gain entry 95 percent of the time into bank areas that often contain sensitive data.
“When in disguise, TraceSecurity engineers were only questioned on a couple of occasions,” said Stickley. “One example included a situation where the engineer who posed as a fire marshal was questioned by a bank employee married to a fire marshal; another example was an engineer who was busted when he showed up dressed as a pest inspector, similar to the uniform I was wearing on the front cover of a recent industry magazine.”
Backup tapes were cited as the easiest target for theft, since they could be taken without being detected by bank employees. So what else did the team snag? According to the company, TraceSecurity has made off with loan applications, laptops, cell phones and PDAs, keyboard data and more, containing common information such as social security numbers, bank account numbers, addresses and contact information, maiden names, driver’s license numbers and credit card numbers.
While government regulations such as FFIEC, NCUA, HIPAA, SOX, FCA and others recommend employing social engineering engagements, they are not mandatory, unlike testing for vulnerabilities and adherence to the Information Security Program.
If you work for or manage a bank, do you use penetration testing as a measure of security? If you do, let us know by e-mailing the security address from the contact section of the site. We want to hear from you.