Sunday, Dec. 10, 2006

Hackers For Hire

By Amanda Bower

Jim Stickley and his accomplice, Dayle Alsbury, adjust their fake fire-inspector uniforms, then saunter into a brown brick credit-union building. Their walkie-talkies are blaring with a recorded dispatcher's voice, downloaded from the Internet and transmitted from their getaway car. After they flash their homemade badges, the two men are waved behind the tellers' counters and into the inner sanctum of the credit union. Within just half an hour, they have gained access to the entire computer network, security system and customer data--unbeknownst to any employee on the premises.

Thankfully, they're not genuine bad guys. Their fake uniforms and IDs are supplied by TraceSecurity, a Louisiana-based outfit co-founded by Stickley that is hired by companies to test their security systems. And it's not much of a test. In four years, Stickley and his colleagues have never failed to crack those systems, mostly because people are too trusting, too unaware or simply too lazy to take the necessary steps that would deter thieves.

These criminals don't tote sawed-off shotguns and ski masks. Smart thieves steal data, not banknotes, because a financial institution's confidential customer information is often more valuable than what's in its vaults. Banks and credit unions know this and have policies to protect themselves from high-tech heists.

Still, Stickley has successfully breached health-care organizations, lotteries, retail companies and government offices. TraceSecurity offers traditional risk, compliance and IT assessments, but the part that Stickley loves best is what he calls a "social-engineering engagement." That's a polite term for a break-in. TraceSecurity engineers infiltrate a target organization posing as pest controllers, fire officials, OSHA inspectors and even foreign diplomats; once in, they trick employees into allowing them access to sensitive data. A one-off engagement costs anywhere from $5,000 to $25,000. There are dozens of outfits around the country engaged in some form of social-engineering work, from Atlanta-based Vigilar to Mitnick Security Consulting (principal Kevin Mitnick is an ex-hacker and author of The Art of Deception: Controlling the Human Element of Security). Many, however, offer testing only over the telephone.

TIME accompanied TraceSecurity on a recent string of in-person "heists" on the West Coast. At one credit-union branch, Stickley flirted with female staff members in the break room while Alsbury, who played the straight man to Stickley's goofy charmer, had four minutes alone in the credit union's communications hub--plenty of time to install a wireless "sniffer" that could later broadcast information going in and out of the bank. He could also have shut down the security cameras, alarm and telephone systems. The pair got access to the back side of the ATM and a room with boxes of backup customer data. Alsbury was able to drop a disc into an unattended, logged-on computer: a Trojan Horse virus could then download itself and allow him to hack the credit union's system. "There was nothing more we could have done," says Stickley, laughing, when the pair returns triumphant to the parking lot. "We owned that place."

Consumers know by now they are at risk of identity theft, of "phishing" e-mail attacks and of other scams designed to get them to cough up their account information (and then, too often, the contents of that account). Fake heists show that customers aren't the only weak link in the chain. "We have hacked into every single online banking application that we've tested, except one," says Stickley. So even if you follow all the rules--never respond to an e-mail purporting to be from a bank, shred every piece of paper containing personal information, only return a phone call to a financial institution using the number on the back of your card--you could still have an account cleaned out because of sloppy security at your financial institution. "Bringing in Trace gave us a sense of security, a sense of awareness, and it definitely brought in some new internal training and controls," says Kelley Ferguson, director of network-and-security services at Numerica Credit Union, where TraceSecurity conducted social engineering last spring.

So how does a company that boasts the ability to crack any system convince clients that it's safe to hire? Stickley says the company's 50 employees have extensive background checks, supplied to clients if requested. Typically, employees are drawn from lines of work such as corporate security and computer engineering. But hackers need not apply. "We don't hire anyone who we believe was a former hacker," Stickley says. "Someone who can program and do network administration, you can teach them to hack. It's just too dangerous to put a hacker in a bank." Says Ferguson: "I think we were more nervous about having someone not do this than having someone do it."

So how do you keep Stickley or, more important, the real criminals out of the customer data? If your company handles any sensitive information whatsoever--including something as simple as an e-mail address or a phone number--TraceSecurity recommends the following:

IF IT'S PAPER, SHRED IT Stickley regularly dives into his clients' Dumpsters; he says even a Post-it note with a customer's name and phone number gives him enough to begin a scam. Employee names, positions and work schedules are invaluable to con artists.

ALWAYS ESCORT STRANGERS Never let pairs split up, and never, ever leave them alone--no matter what the reason. Stickley has stooped to faking illness, and then spending as long as it takes in a bathroom until the most vigilant escort gives up.

VERIFY IDS Take the time to ensure that a stranger is who he claims to be, even at the risk of giving insult. Check the name on a badge against a driver's license, then call the purported employer--fire department, pest control--to make sure the person is legit.

DOUBLE-CHECK E-MAIL REQUESTS Stickley sets up a fake e-mail address and credit-union website, then sends out e-mails claiming to be from the credit union's IT manager, asking employees to "test" the new website by entering their own account and password information. They often give Stickley all he needs to empty out those accounts.