The Tech Scene: This Is Only a Test - Firms Staging Mock Breaches

Sometime this year somebody is going to try to rip off Numerica Credit Union — again.

The Spokane credit union has hired TraceSecurity Inc. of Baton Rouge to send impostors to several branches, where they will try to bluff their way into data centers and obtain sensitive financial information.

The goal is to find out whether branch employees can spot con artists.

This will be the second such security audit TraceSecurity has performed for Numerica. When TraceSecurity employees visited three of the credit union's 14 branches in 2005, the intruders were caught at only one.

At the other two branches, TraceSecurity employees posing as fire inspectors, complete with fake uniforms and badges, breached Numerica's defenses and left with data. (TraceSecurity provided Numerica's name to American Banker.)

"It opened our eyes," said Kelley Ferguson, the credit union's assistant vice president of network and security services. It learned a lot about where its security procedures need improvement, and branch personnel said they were determined not to fall for such a ruse again.

"Everyone in the branches has been really diligent," Mr. Ferguson said.

Jim Stickley, TraceSecurity's chief technology officer, said that his company offers a variety of security tests, and that these kinds of mock intrusions, which his company calls social engineering tests, have become increasingly popular.

TraceSecurity has about 500 customers, 90% of which are financial companies; Mr. Stickley said that about 70% of his new customers are asking for the social engineering tests, up from about 5% three years ago. His employees use a variety of disguises; besides firefighters, they sometimes arrive at a branch dressed as exterminators.

"Some sites are easier to get into than others," he said, but flashing a badge, even an out-of-state one, is usually all that is necessary to gain access. "People rarely ever look beyond the gold on the badge."

Once inside, the impostors' "main goal is to get into the server room," where they will try to steal backup tapes or attach an unauthorized wireless access point to the branch's computer network, Mr. Stickley said. Sometimes they connect a keystroke logger to a branch computer to steal any customer information typed on the machine.

The intruders also try to make their visit more effective by pocketing anything that might be important to the functioning of the financial company, he said. "If there's anything that's laying on people's desks, we'll steal it."

To help pull this off, at a key moment the intruders may ask a branch employee for a cup of coffee, which typically leaves them unsupervised for several minutes.

Such intrusions are not easy, Mr. Stickley said, and sometimes the intruders get caught. "We had one employee that actually got all the way to jail. There was a lot of miscommunication on that particular one."

When an intruder does get caught, it's usually because a branch worker is familiar with the industry the TraceSecurity employee is impersonating, "because somebody happens to know somebody," Mr. Stickley said.

That is exactly how a Numerica employee identified one of TraceSecurity's fake firefighters in the 2005 test. A branch manager was able to quickly see through the ruse, because "his brother worked for the fire department," Mr. Ferguson said. "He knew right off the top that it was the wrong uniform."

Mr. Stickley said that TraceSecurity likes to impersonate fire inspectors because they have to be admitted by law. However, they also are easy to bust, he said, since it takes only one call to the fire department to determine whether the intruders are legitimate.

To make its intrusions more convincing, TraceSecurity sometimes sets up bogus e-mail addresses that appear to come from within the target company, to give the branches advance notice that an "exterminator" will be visiting, for example.

Even when the police are called, his employees rarely go to jail, Mr. Stickley said. "We carry our get-out-of-jail-free paperwork," which lists TraceSecurity's contact at the client company.

Though the contact information is accurate, a branch employee who has become suspicious of the TraceSecurity intruder is unlikely to believe that the intruder is participating in a company-organized operation.

Mr. Ferguson said that the Numerica staff members who caught on to the intrusion reached him through their own channels, to confirm that he had helped stage the phony inspection.

The follow-up intrusion is expected to test how well the branch staff remembers the lessons of the first one.

Mr. Stickley said that in most cases, the staff remembers the experience quite well. "Our success rates drop dramatically" when they visit companies for a second time.

When the security vendor's staff do manage to dupe branch employees on subsequent visits, it is usually at branches that have had such a high turnover that many of the employees were not there for the first intrusion.

Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that such a test is "a great tactic."

Many major data breaches occur because of unauthorized access to a company's network, and it's possible some scammers have planted devices like the wireless access point TraceSecurity uses, Ms. Litan said.

Improving the technology that protects bank networks is still a good idea, but any technology can be subverted through trickery, she said. "It's the human processes that are the fallible processes. Companies put policies in place, but they don't really check them."

Testing the diligence of branch staff "is a really important move, and it probably should be on everyone's security checklist," she said.
