Jim Stickley: Dumpster diver, crime fighter
By Leslie Hunt, Bankrate.com
He digs in garbage, likes to play dress up and has more fake IDs than a teenager.

It's all part of the job for Jim Stickley, whose duties as the chief technology officer and vice president of engineering for TraceSecurity, a Baton Rouge, La., security compliance software firm, include elaborate social-engineering schemes designed to test the security of bank branches he and his team are hired to assess.

The point of social engineering, he says, is getting people to do things they wouldn't normally do, through deception. This he accomplishes best by showing up on the premises of a bank branch posing as a trusted visitor, such as a fire inspector, an Occupational Safety and Health Administration inspector or a pest-control man. To make it believable, those on his team who are involved in the information heist wear uniforms and bring official-looking ID cards, badges, papers and related equipment. They make appointments

"We show up as a role, as someone you expect and trust to be there," says Stickley.
Happy con day
Proving that appearances and a little acting can deceive effectively, his team has even gone sans uniform into a branch inside a grocery store and put up birthday decorations. No one seemed to notice when the team members went from standing on top of the counter at the branch, putting up a banner, to slipping behind the counter and stealing cashier's checks.
More typically, his team gets asked to test the security of regular bank branches. The team's objective includes getting past the counters of the bank and, while unattended, stealing as much sensitive information as possible by installing wireless devices and seizing backup tapes. "Only 1 percent of all financial institutions encrypt their backup tapes," he says. The number of accounts Stickley's team can steal, then, is limited only by how many accounts can be stored on those tapes.
The action can only start if employees leave these social engineers to their own devices. Eighty percent of the time bank employees leave you unattended, he says. If they do hover while Stickley or his team members pretend to make inspections, the team members ask for a cup of coffee or documentation on the equipment they are checking -- anything to make the employee disappear for a few minutes. While the employee is gone, devices are installed or tapes stolen. When the employee returns, the phony pest-control serviceman simply walks away from that area.
Security firm probes for weaknesses