Social engineering: My career as a professional bank robber
Today's criminals aren't stealing money -- that's so yesterday, according to Jim Stickley. He's broken into financial institutions large and small, but it's sensitive data he's after to demonstrate how vulnerable they are to a headline-making breach
By Joan Goodchild, Senior Editor
October 26, 2011 — CSO
Jim Stickley got his first computer at age 12, and he was chatting with other computer "nerds" on bulletin board sites by the time he was 16. A wannabe hacker, Stickley said his first foray into playing the system was with free codes — codes that would exclude his phone and computer time from racking up charges that would incur the wrath of his parents.
"I started learning the phone systems early. I ended up getting my hands on a lot of old PacBell manuals and I figured out how systems work," said Stickley, now the CTO of TraceSecurity, a security consultancy based in both Louisiana and California.
As an adult, Stickley channeled his computer and hacking passions into a legitimate career in network security, but soon realized that hardware and software were only part of the security equation.
"When I was spending time testing the network for companies, I would see all these people come and go. You'd see the water delivery guy, or someone else, just come and wander around," he recalled. "It dawned on me I could probably just walk in and steal all the data that they were paying me to secure on the network."
So when Stickley founded TraceSecurity, he decided to place an emphasis on securing the network and testing the security of the people around it, too. It was a tough sell when the company first launched.
"Ten years ago it was a whole different world. When we first started talking to people about social engineering, it was like selling ice to Eskimos. No one wanted it. No one cared. No one understood the value in it."
But now, organizations, specifically financial institutions, who want to assess risk understand the importance of the human element of security. Stickley and his team regularly conduct "social engineering engagements" where he physically robs banks and "steals" potentially vulnerable items and information. (Read a detailed account of one of Stickley's engagements in How to rob a bank)
Stickley, who says robbing banks is "amazingly easy," explains how he does it, and why he never gets caught.
CSO: How often do you "rob banks" as a social engineering experiment for clients?
Stickley: Personally, I've done over 1,000 locations without getting caught. They run the gamut from very small community banks with just two branches to very large financial institutions; we're talking about several billion in assets in terms of the size.