Norwich IT

Confessions of an Identity Thief: Jim Stickley Robs Banks for a Living


NEW ORLEANS -- It's not every day that a bank robber volunteers to share the secrets to his craft, but Jim Stickley is no ordinary bank robber. With over 100 successful heists to his credit, he's arguably one of the most successful bank robbers of all time. But unlike traditional bank robbers, he's not after the cash in the till. He's after something more valuable -- identity. He steals personally identifiable information such as names, addresses, Social Security numbers, credit card numbers and passwords. Most bank robbers only get away with a few thousand dollars. Stickley gets away with information worth millions of dollars.

Luckily, Stickley isn't a criminal in the common sense of the word; he's a social engineer. Financial institutions hire Stickley's company, TraceSecurity (http://www.tracesecurity.com/), a security compliance software firm based in Baton Rouge, Louisiana, to perform vulnerability audits of their banks. Stickley's firm has been getting a lot of calls lately as banks begin beefing up their information privacy practices, motivated by the recent spate of high-profile identity thefts as well as by an increasing number of information privacy and disclosure regulations.

Social engineering is a concept that has been around the computer security industry for many years. Social engineers, not all of them law-abiding citizens such as Stickley, use guise and subterfuge to prey upon weaknesses in human nature. Social engineers recognize that most people have similar desires, such as the desire to be loved, appreciated or recognized, and similar fears, such as the fear of getting in trouble or the fear of looking stupid. Social engineers prey on these human weaknesses to gain the trust of their victims, and then they trick their victims into unknowingly becoming co-conspirators in the social engineer's grand plan, which usually involves stealing something.

'Most banks are surprisingly vulnerable to identity theft,' says Stickley. 'They spend millions of dollars a year on high-tech computer security defenses, but often fail to address the simplest, most critical aspect of information security: the human element. A bank can have the strongest doors on their vaults, but if they invite me in and allow me to wander their office, I can steal much more than their money.'

Stickley and his team successfully complete their heists 90% of the time. The other 10% of the time vigilant bank staffers thwart their heist. It's not at all unusual for a single TraceSecurity social engineering team to rob three or four bank branches in a single day. And it's surprisingly easy.

Stickley and his team start their social engineering adventures by impersonating someone of trust or authority, such as an air conditioning technician, a pest exterminator or a fire marshal. The team's planning for their heists begins weeks in advance, often by mailing a letter to a bank branch on forged stationery, informing them of a planned 'inspection.' By the time they show up in their fake uniforms with fake badges and fake identification cards, the front receptionist often welcomes them with coffee. Within minutes, they have free run of the bank as they crawl under desks, steal backup tapes, and install spyware on the computers.

In the evening, the TraceSecurity team returns to dumpster dive, an activity that often yields a surprising amount of sensitive customer account information.

Once the heist is completed, the TraceSecurity team returns the stolen information to the bank's executives who hired them, and provides recommendations on how to prevent actual criminals from perpetrating the same crime. And if by some chance Stickley's team gets caught, he always carries with him his 'get out of jail free' paperwork, which confirms the bank hired him and provides the bank executives' cell phone numbers so they can confirm Jim's story.

'The secret to an effective information security strategy,' says Stickley, 'is to balance security technology investments with better employee training, and better policy and procedure enforcement. We address our clients' needs with our patent-pending TraceSecurity Compliance Manager software that automates vulnerability testing, policy management and employee education, and we back our software with a full range of professional services such as our social engineering audits. Our clients recognize that they cannot view security compliance as a one-time, static event. Instead, they view it as an essential business process that requires continuous monitoring and improvement to ensure compliance.'

Stickley recommends that if banks adhere to the following simple best practices, they can reduce identity theft risk by up to 80%:
1. Shred bins should be conveniently located near all bank employees.
2. Confidential information and computers should not be left unattended under any circumstances.
3. Sensitive data, including computer backup tapes, should be encrypted.
4. To prevent phishing, all emails should be verified for authenticity.
5. All bank employees must be trained on proper policies and procedures.

Shred Bins
Many banks use paper shredders, but unless shredders are conveniently located near all branch personnel, they don't get used properly. Stickley has found that unless the shred bins are within a few feet of employees, many documents will simply find their way into the trash bin, unshredded, and ready to be discovered by Stickley's dumpster diving team.

Unattended Computers
Most banks concentrate their security at the entry to the facility or branch. Beyond the initial greeting area, Stickley finds that security becomes more lax. Bank employees, assuming that anything on their desk is safe because they are located away from the front area, often leave sensitive paperwork on their desks, or leave Post-It notes on computer monitors listing log-on IDs and passwords. This is a major mistake because visitors, maintenance, and other individuals often receive access to this area. In addition, computers should not remain logged in while employees are away at lunch or after they've gone home for the day. Unattended computers put a bank's information systems at a much higher risk.

Encrypt all sensitive data
Confidential data should be encrypted at all times when not being used. This includes information stored on workstations and laptops. There are a number of applications available that will encrypt sensitive documents on the hard drive, so if a laptop or workstation is accessed or stolen, the data that has been encrypted will be protected from identity thieves. Additionally, all backup tapes must be encrypted and stored securely off-site. There are a number of storage security appliances that encrypt the data as it is written to the tapes. This will reduce the risks associated with tapes being lost or stolen. According to Stickley, on numerous occasions he has stolen unencrypted backup tapes that were sitting on shelves in plain view. These tapes, often as small as a pack of cigarettes, have contained account information for thousands of customers.

Email verification
A bank's customers aren't the only people vulnerable to phishing attacks. Stickley and his team often use phishing tactics to extract critical information from bank employees prior to visiting a branch for an undercover social engineering audit. Employees need to understand that email that appears to come from another employee or a legitimate source could be forged. If a manager requests confidential information from an employee via email, the employee should always contact the manager by phone for verification. Stickley's team will also employ email spoofing and domain hijacking to trick the employee into releasing sensitive information. For example, if a bank's name is Pond Bank and its domain name is pondbank.com, Stickley will register a fake domain name that replaces the letter 'o' in Pond with the numeral 'zero,' and then send spoofed emails to bank employees asking for sensitive information. Banks should also consider adding cryptographic signatures to enable authenticated email messages that can prevent forgeries.
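The lookalike-domain trick described above (a zero in place of the 'o' in pondbank.com) is something a mail gateway or help desk can screen for automatically. The following is an added example written for this article, not code from TraceSecurity or from the article itself. It takes a From: header, reduces the sender's domain to a "skeleton" in which visually confusable characters are normalised, and flags senders whose skeleton matches or nearly matches the bank's real domain, as well as messages whose display name claims to be the bank while the address is elsewhere. The confusable table, the sample headers and the pondbank.com domain are constructed for the example; a production filter would also consult a public-suffix list rather than taking the last two labels of the domain.

```python
from email.utils import parseaddr

# Constructed for this example: the bank's legitimate domain (the article's Pond Bank).
LEGIT_DOMAIN = "pondbank.com"

# Assumed confusable substitutions (digit-for-letter and two-letter lookalikes).
# Multi-character entries come first so they are collapsed before single ones.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
}

# Recommended handling per verdict, following the article's advice to confirm by phone.
ACTIONS = {
    "INTERNAL": "deliver",
    "EXTERNAL": "deliver with external-sender banner",
    "LOOKALIKE": "quarantine; confirm any data request with the sender by phone",
    "DISPLAY_NAME_SPOOF": "quarantine; display name impersonates the bank",
    "MALFORMED": "reject",
}


def skeleton(domain: str) -> str:
    """Lower-case the domain and collapse confusable characters so that
    p0ndbank.com and pondbank.com map to the same string."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES.items():
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch dropped or swapped letters
    (pondbank.co, pondbnak.com) that the skeleton alone does not collapse."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str) -> str:
    """Classify a From: header value relative to LEGIT_DOMAIN."""
    name, addr = parseaddr(header_from)
    if "@" not in addr:
        return "MALFORMED"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return "INTERNAL"
    # Simplification: treat the last two labels as the registrable domain.
    base = ".".join(domain.split(".")[-2:])
    if edit_distance(skeleton(base), skeleton(LEGIT_DOMAIN)) <= 1:
        return "LOOKALIKE"
    # Display name says "Pond Bank ..." but the address is somewhere else entirely.
    if LEGIT_DOMAIN.split(".")[0] in name.lower().replace(" ", ""):
        return "DISPLAY_NAME_SPOOF"
    return "EXTERNAL"


def triage(headers):
    """Return (header, verdict, action) for each From: header."""
    return [(h, classify_sender(h), ACTIONS[classify_sender(h)]) for h in headers]


# Constructed sample From: headers, one per verdict.
SAMPLE_HEADERS = [
    "Alice Manager <alice@pondbank.com>",             # genuine
    "Alice Manager <alice@p0ndbank.com>",             # zero for 'o', as in the article
    "Alice Manager <alice@mail.pondbank.co>",         # dropped letter in the TLD
    "Pond Bank Support <support@mail-example.net>",   # display-name impersonation
    "vendor@example.net",                             # ordinary outside sender
]

if __name__ == "__main__":
    for header, verdict, action in triage(SAMPLE_HEADERS):
        print(f"{verdict:19} {action:55} {header}")
```

The skeleton comparison is deliberately loose: it will also flag a legitimately registered neighbour such as a one-letter-off partner domain, which is the right trade-off for a bank, since the cost of a phone call to confirm is small and the cost of releasing customer data to a spoofed manager is not. The display-name check matters because many mail clients show only the name, so "Pond Bank Support" can look genuine even when the address is plainly foreign.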

Policy enforcement and employee training
Employee awareness training and strict policy enforcement are the most important methods to protect an organization from identity thieves. Monthly meetings should be scheduled to review security policies. For example, employees must understand that bank visitors must be accompanied at all times, that unoccupied desks should be free of confidential information, and that filing cabinets should be locked when unattended. Additionally, policy management software should be an essential component of any security program to ensure that employees are notified when policy and procedure changes occur.

About TraceSecurity, Inc.
Privately held TraceSecurity is a leading provider of on-demand security compliance software and services. The company's enterprise software helps customers satisfy national and international data security compliance requirements mandated by such regulations as HIPAA, Sarbanes-Oxley, and GLBA, as well as disclosure obligations stipulated by the Federal bank regulators and SB-1386. Over 100 global enterprises in the financial services, insurance, energy, government, manufacturing and services industries rely on TraceSecurity to continually monitor and improve the computer security of their companies. TraceSecurity's products and services include on-demand vulnerability and compliance assessment software, social engineering audits, comprehensive security assessments and security strategy consulting.
