August 2nd, 2016 I find myself in a high street bank. I’d just done a 3km run, which is like a marathon to a big bloke. I enter the doors and find a queue akin to the bread lines of post depression 1930’s America. I decide to sit it out on the sofa in the corner, whilst waiting I use the time to fight the email inbox on my phone down to a reasonable number.
My ears prick up as I overhear a member of staff on the phone. She is stood in the centre of the branch on a little stand, her job is to assist customers that wish to make appointments and don’t need a teller. But in her down time she is making outbound customer calls.
“Hello Mrs Powell, it’s Sharon the branch manager calling from [Redacted], I’m not sure if you know but it’s coming to the end of your fixed rate bonds and i’d like to book you in to visit the branch. Are you still at [Redacted] Address?”
My heart stops as she diligently books the customer in for an appointment, referring to her by her first name now. As the call comes to an end I decide to follow along with the next one.
She makes the next call and I am already waiting in a Facebook search field… Sure enough, I find 3 people that match the customer’s name, one in my local area. In a few seconds, I have identified the person she is on the call with. Again this customer is coming to the end of a 2 year fixed rate bond. She obviously has a list of customers coming to the end of bond agreements and this is her take at multi-tasking.
I sit for another 5 minutes simply observing this wonderfully insecure activity and leave the branch, the would-be attack is already whirling in my head and there is no way I can carry on my day without getting it reported to the seniors at the bank.
For those of you that missed it. Allow me to put my organised crime hat on and explain:
I enter the branch at 9.20am when busy, sit on the sofa again and install an audio surveillance device with external directional microphone pointed at the stand. It’s a small enough device with a battery and a SIM card in. I could use velcro to stick it to the back of the sofa, trailing the microphone lead through the join in the sofa. No finger prints, burner SIM card installed, identifying marks removed from the device I will never again touch. I am good for 48 hours of audio feed, I could dial in from anywhere in the world over GSM. I collate the list of customers and use OSINT to identify them. I then start making my vishing calls.
“Hello Mrs Powell it’s Dave the area manager for [Redacted], terrible news but your appointment for 10am on the 17th has to be shifted, before I proceed, can I confirm with you your date of birth, address and telephone banking passcode”
If I was feeling brazen I could don a nice suit and offer the chance to experience my award winning customer service skills and attend her property with the relevant forms. She is after all what a bank would consider a premium customer with a history of bonds + savings. When I attend the property with my suit and shiny name badge she will of course be happy to fill in the forms that I have printed out and I could return them via post to the branch, or use an accomplice to hand them in over the counter. I’d have to change a few details on the forms like address or telephone number because I need my wage and unlike an employee it sure as hell isn’t coming with a wage slip. I could even edit the forms to ask a few more questions than needed and copy them back to legitimate forms… You get the idea hopefully.
So what went wrong? Simply – the policy was not adhered too.
Policies are a brilliant little piece of paper designed to make everything safe and secure, they are the end result of years of lessons learnt, laws and acts and in an ideal world they should fix everything. Everybody should do what they say and live happily every after. Rarely this is the case. In this instance the employee broke the Data Protection Act and through a cavalier act disclosed personal banking details to the un-vetted public. She was probably just bowing to the demands of her her hectic day job, but these calls should of been carried out in a secure section of the bank.
The lessons here for all organisations dealing with sensitive financial data are apparent, but allow me to recap:
- Keep mum – Not a new concept, but take that private call… in private. I’ve lost track of the things i’ve overheard on trains, crowded London streets and pubs. You really never know who is listening. Day to day we can get a little complacent with what we do, but remind yourself of the impact of loose lips. These days ships aren’t going to be sunk, but you might just be assisting some little rogue in making his dreams come true.
- Policies – They are not worth the paper they are written on if you don’t follow them. Employees are not robots capable of remembering these documents to the word, they need much assistance to remember the key points contained in them. Organisations that are making millions a year should dip in to the pot and ensure they are following them. It’s going to cost 0.0001% of this financial organisations yearly profit to have a little spot check every now and again.
- Cost/Security – An app coder, pushed into a tight deadline to keep costs down, unable to look for mistakes in his work. A Bank employee with more on their shoulders than they can manage. A Pen-tester told they have to meet a budget. An I.O.T manufacturer that hasn’t factored in security. Many industries skip security because in the short term – it just doesn’t pay to be secure. It’s worth asking the corporate giants post-breach if security is worthwhile. It is, although you’ve got to think bigger than the short term. I applaud the companies that are making security pay! Be it in brand security, loss reduction, share price stability – I don’t care how or why, but thank you sincerely on behalf of your customers for having this foresight and being aware of something bigger than your gigantic balance sheet.
In these modern times, criminals aren’t running into banks with a shotgun shouting demands, these kind of people are still out there in society but they tend to be playing the smarter moves. If you ran into a bank with a gun today I’d give it a day before a forensic examiner is rifling through your house. They know this, I know this and it’s this mentality that is behind the rising figures of ‘online assisted crimes’.
Edit – The company in question has acknowledged the breach, they state an internal investigation is underway and have thanked us for reporting the issue. It is now a private corporate matter and I will not disclose the company – they were as concerned as myself, they are making changes.
Richard De Vere(@AntiSocial_Eng), is the Principal Consultant for The AntiSocial Engineer Limited, has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.