How to rob a bank: A social engineering walkthrough
Professional social engineer Jim Stickley walks through the steps he typically takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach
By TraceSecurity's Jim Stickley, as told to Joan Goodchild
October 26, 2011 — CSO —
If a company hires us for a social engineering engagement, typically they want us to get in and get to their back-up tapes, or into the data in their document room.
Let's say I am posing as a fire inspector. The first thing I will have besides my badge and uniform is a walkie-talkie, like all firemen. Outside, we'll have our car guy. That's the guy who sits in the car, and basically his job in the beginning is to send chatter through to our walkie-talkies. We will have a recording of all the chatter you'd hear on walkie-talkies. He sits in the car and plays it and sends it through to our walkie-talkies.
We walk into the facility and make sure that all the chatter is coming loudly into the walkie-talkies as soon as we walk in their door, so that we are immediately the center of attention. When I walk in, I want everyone to know that I mean business. My walkie-talkie is loud and everyone looks over as I apologize and turn it down.
I show the person at the front desk my badge. They'll say "Hi, how's it going?" I'll say "Good, I'm here to do a fire inspection." They say "Great" and assign someone to us, like a teller. It's generally someone who's nice. I'll start talking with them, flirting with them, or whatever it takes. We'll start walking around.
While I'm talking with the person who has been assigned to us, my partner knows his job is to immediately wander away from us. So, my partner will immediately walk off. In most cases our escort will say "Can you come back here? I need to keep you guys together." We say "Sure, sorry." But really that means nothing to us. All it means is that we keep doing it until she gives up. My partner will wander off two or three more times and get warned until she finally stops and gives up. She just thinks he's a fireman and thinks "Let's just let him do what he needs to do."
At that point,