The receptionist had gone home for the evening. The bank's operations office was dark and quiet, except for the glow of a computer screen and the faint sound of a lookout whispering, "Do it - quick"' to his partner.
Less than a minute later, the stealthy pair walked briskly from the building after installing a piece of software on a personal computer. The program recorded the PC user's system password and security code when he signed on the next morning.
That information, which was removed from the premises, when the intruders returned to recover their software the next evening, was the key to the. bank's computer system. It could have been used for a far more dangerous form of trespassing that can lead to the destruction, distortion, and theft of important data.
Luckily for the bank, the intruders were working on behalf of their victim.
Since 1990, a small team of computer specialists at the accounting and consulting, firm Price Waterhouse has been staging simulations of the activities of computer "hackers" to help banks and other data-intensive companies discover their vulnerability to computer crime.
Price's client list for this service already includes several of the top U.S. banks - which the firm's executives would rather not identify, due to the sensitive nature of their work.
But their services are becoming more necessary, said Robert Degen, assistant special agent in the financial crimes division of the Secret Service. "Kids who had previously been hacking: into systems as a purely iritellectual exercise have grown up and realized that there are some real [financial] gains to be made from this kind aictivity.
The Secret Sirvice splits responsibility for fighting computier-related financial crimes with the Federal Bureau of Investigation,.
Estimates from the FBI and other government agencies on annual business losses from computer crime vary wildly, from a low of $100 million to a high of $5 billion.
But all seem to agree that the best way for businesses to protect themselves from computer crime - which at banks can range from theft from automated teller machines to intrusions and manipulation of data on mainframe systems - is to understand what, areas are most susceptible to such activities.
Bank security experts say that it is getting harder to secure an entire computer system. One reason is the emergence of the personal computer as a common fixture in banks.
"The whole concept for distributed computing is creating more and more windows that computer criminals can crawl through to get into the main-frame," Jonathan D. Harris, lead data security partner with Price in New York.
"The whole concept for distributed computing is creating more and more windows that computer criminals can crawl through to get into the main-frame," said Jonathan D. Harris, lead data security partner with Price in New York.
Mr. Harris pointed out that there are many ways for unauthorized users to get passwords and security codes that will let the log on to bank systems.
For example, "demon dialing" software, which can run on a home computer, checks every phone number in a given telephone exchange for computer tones. This can help establish the initial link between outsiders and a company's system.
System dial-in numbers are also often posted in underground hacker magazines and computer bulletin boards, which many computer enthusiasts use to communicate with one another.
Once the dial-in line is found, a user who has a password and security code can log on to the system.
More Tricks of the Trade
But users lacking that information can use a number of ways to find it.
The password can often be found with the use of a dictionary program that tries every word in the English language as a possibility. And armed with a password, the intruder can call the company's computer help line and use what hackers term
social engineering" techniques to get a security code to go with the password.
"This is John Jones," the hacker might say. "My password is |Candy,' but I forget my security code. Can you find it for me?"
As hard as it may be to believe, experts said, such techniques can be quite effective.
Unfortunately, many companies learn where they are vulnerable only when victimized by some unwanted intrusion.
Probing for Vulnerability
Such intrusions may be harmless - the work of a teenage hacker with a comic-book pseudonym looking for a cheap thrill. But they can also come from sources with more insidious motives, such as destroying data depositing computer viruses, or, worst of all, stealing money electronically.
The data security penetration team from Price Waterhouse is often hired to help identify computer system weaknesses before they can be exploited. Using many of the same techniques as hackers, the Price team probes systems for security holes and recommends solutions, which can be as obvious as implementing companywide log-on procedures.
"The idea of this kind of security study is nothing new - companies have been hiring ex-computer hackers for years to check for holes in their systems," said Frederick J. Rica, a manager in the Price Waterhouse data security unit. "But now a lot of companies are asking themselves: Do I want to hire a guy who used to call himself |Captain Bazooka' to look for my weaknesses?"
Bank security professionals find these hacker studies useful, particularly in areas such as wire transfer.
An illegal wire transfer of eight or even nine digits could pass the initial scrutiny of many financial institutions, according to Leslie S. Chalmers, former chairwoman of the American Bankers Association's information systems committee. But "it only takes one $50 million loss to get you good," she added.
But banks are also clearly vulnerable in other areas.
In addition to the personal computer, the automated teller machine is also a weak link in many bank security plans. According the Secret Service. two sophisticated ATM scams this year have resulted in more than $10 million in bank fraud losses.
In addition. the Unix computer operating system, which many financial institutions are embracing, is notoriously easy for hackers to penetrate.
Still, banks are often reluctant to take the steps necessary to combat computer crime - until a crisis arises.
Ms. Chalmers said that if banks are to engage in studies of their computer security, they must also be prepared to address the problems revealed.
"If you are going to pay the money to bring these people in, also be prepared to spend money to fix what they find," she said.