I went into a bank wearing a fake badge with the client’s logo and the word ‘IT CONTRACTOR’ that I made from basic materials at Staples. Before I even said anything, the receptionist asked if I was there to fix the fax machine, and I said “Yes”. At that point, I also “fixed” other computers onsite including teller systems.
I was able to access everything because the bank’s staff fully trusted us. We gained physical access (including plugging in my own USB drive and launching applications off it) to teller workstations, other workstations for creating new bank accounts, and physical security systems (like the video monitoring system). The bank staff let us roam around accessing pretty much anything we wanted under the context of ‘we’re doing some routine maintenance and tightening up of security’. I kept a close eye on the bank’s security guard, who really didn’t pay much attention to me.
The bank had procedures in place that required bank employees to always call the official IT help-desk lines at the corporate headquarters to confirm all work authorizations as well as ask for identification. I came in during lunch hours as I figured the bank manager would not be there.