SAN FRANCISCO – With a startling success rate, security researchers disguised as fire inspectors, exterminators or government safety monitors were able to slip past tellers in nearly 1,000 bank branches and steal confidential data about customers, according to a study being released Tuesday.
Using little more than simple disguises, basic e-mail trickery and smooth talking, the researchers from Baton Rouge, La.-based TraceSecurity Inc. walked off with loan applications, laptops, backup tapes of customer databases and even big computer servers that they simply carried out the front door.
What they were doing was perfectly legal: The firm was hired by mostly mid-sized banks and credit unions — which the company would not name — to evaluate their computer networks and physical security. Most of the branches had 10 or fewer employees on staff at the time they were duped.
It was frighteningly effective: From 2003 to 2008, the researchers circumvented the banks' security policies and made off with sensitive data 963 times — out of 1,000 total attempts.
Six times they were caught for what TraceSecurity's chief technology officer and co-founder, Jim Stickley, describes as "something dumb," like wearing the wrong color shirt for the fire inspector's uniform — and having a teller who's also a volunteer firefighter notice the difference.
In the other 31 attempts, the researchers were able to get inside the branches but weren't able to steal any sensitive data.
Stickley said the biggest problem is that employees almost always left the intruder alone to wander the building.
"People are so nice and so willing to let you do these things — they don't ever for a minute suspect that you're somebody bad," he said.
The study alone isn't groundbreaking. Donning a disguise and concocting a clever cover story is a timeworn tactic for thieves. And companies like TraceSecurity can do brisk business selling services that spot security holes.
But it illustrates something provocative about the way security has changed with the rise of the Internet, which has shifted so much of the attention and dollars spent on security toward computer networks and threats from hackers. That has in many cases led to less training for employees on how to prevent physical breaches, Stickley said.
"They've kind of forgotten the basics," Stickley said. He said he was releasing the report to alert banks to be more vigilant.
The American Bankers Association didn't immediately return a call for comment on the report.
Stickley said the easiest disguise to pull off was the fire inspector, because with just a uniform and a badge, researchers were often given deep access to a facility even without an appointment beforehand. The other ruses were harder, requiring more advance planning with fake Web domain name registration and phony e-mails alerting employees that an exterminator would be coming by.