Testing Bank Security: A Tale of Unexpected Intrusion

When entering a bank, one is immediately struck by all the security measures: thick glass separating tellers from customers, heavy vault doors, numerous cameras, and a security guard. But how much does one notice while standing there? Perhaps an unlocked door in the back, a barrier easily jumped over, or areas free of camera coverage. This is a tale of a physical security test of a bank, conducted not to steal cash but to access the teller’s computer.

Jason E. Street, an InfoSec professional known for his unusual stories and love for Diet Pepsi, shared one such story of accidentally robbing the wrong bank in Beirut. Jason has been in InfoSec for nearly two decades, conducting penetration tests and security awareness engagements. Companies hire him to try to bust their physical security by walking into their offices, using random computers, and generally misbehaving to see if anyone stops him.

On one engagement, Jason was tasked with testing a bank’s physical security in Beirut. He met with a skeptical executive at the bank headquarters, who doubted his abilities. To prove himself, Jason compromised the bank branch downstairs by gaining access behind the teller line. Impressed but now wanting more, the executive challenged Jason to gain network access, user IDs, passwords, smart cards, and computers from three different branches. Jason accepted the challenge.

Without much prior planning, Jason relies on his charm. Dressed in a leather jacket, distinctive shoes, and carrying a badge, he enters the first branch. He confidently walks to the manager’s office, pretending to be meeting with him. He then moves to the executive’s office, convincing her he is an auditor from head office. She allows him to use her computer, where he plugs in a USB device to test its vulnerability. He then moves to another employee, gaining access to her computer and eventually the teller’s line, where he compromises every computer within minutes.

Jason even manages to convince the manager to give him a user ID, password, and a smart card by claiming he will replace their equipment. He leaves the branch multiple times with various items, including the manager’s badge, without anyone suspecting him.

At the next branch, he almost enters the wrong bank but is stopped by his driver. In the correct bank, he approaches from the trusted side and, without speaking, unplugs a computer and walks out with it. At the final branch, he simply asks a cleaning lady to open the network closet door, which she does without question. He photographs the equipment and leaves, completing all his objectives.

Jason’s success left the executives shocked. A few years later, he was hired again for a similar engagement but encountered a problem when the bank warned others about him. Despite this, he still managed to gain access, though he accidentally entered the wrong bank once again, causing a tense situation until his liaison explained everything. Jason’s story highlights the importance of verifying identities and being cautious of unexpected visitors to prevent security breaches.
