Researchers Find Vulnerabilities In Bank Security
Posted on: Tuesday, 9 September 2008, 11:35 CDT
According to a study released Tuesday, security researchers disguised as fire inspectors, exterminators or government safety monitors were able to slip past tellers in nearly 1,000 bank branches with a startling success rate and steal confidential data about customers.
The researchers from Baton Rouge, La.-based TraceSecurity Inc. walked off with loan applications, laptops, backup tapes of customer databases and even big computer servers that they simply carried out the front door using only simple disguises, basic e-mail trickery and a little smooth talking.
The firm was hired by mid-sized banks and credit unions in order to evaluate their computer networks and physical security. Most of the branches had 10 or fewer employees on staff at the time they were duped.
The researchers were able to compromise the banks' security policies and make off with sensitive data 963 times - out of 1,000 total attempts from 2003 to 2008.
TraceSecurity's chief technology officer and co-founder, Jim Stickley, said they were caught only six times by what he describes as "something dumb," like wearing the wrong color shirt for the fire inspector's uniform - and having a teller who's also a volunteer firefighter notice the difference.
The researchers were able to get inside the branches but weren't able to steal any sensitive data in the other 31 attempts.
The biggest problem is that employees almost always left the intruder alone to wander the building, Stickley said.
"People are so nice and so willing to let you do these things - they don't ever for a minute suspect that you're somebody bad," he said.
Companies like TraceSecurity can do brisk business selling services that spot security holes.
However, these services highlight the way security has changed with the rise of the Internet, which has shifted so much of the attention and dollars spent on security toward computer networks and threats from hackers. Stickley said that has often led to less training for employees on how to prevent physical breaches.
"They've kind of forgotten the basics," Stickley said. He said he was releasing the report to alert banks to be more vigilant.
The easiest disguise to pull off was the fire inspector, Stickley said, because with just a uniform and a badge, researchers were often given deep access to a facility even without an appointment beforehand. Other security breaches involved more advance planning, with fake Web domain name registration and phony e-mails alerting employees that an exterminator would be coming by.
---
Source: redOrbit Staff & Wire Reports