“Startling” Gaps in US Bank Security

The San Francisco Chronicle notes that you can easily fool American bank employees with a uniform and a webpage:

With a startling success rate, security researchers disguised as fire inspectors, exterminators or government safety monitors were able to slip past tellers in nearly 1,000 bank branches and steal confidential data about customers, according to a study being released Tuesday.

Startling indeed. It raises the question of why tellers are so unaware or unconcerned. A uniform and a badge are not verification; an unannounced inspector should be confirmed with a call back to the agency at a number the branch already has on file, not one the visitor supplies.

Using little more than simple disguises, basic e-mail trickery and smooth talking, the researchers from Baton Rouge, La.-based TraceSecurity Inc. walked off with loan applications, laptops, backup tapes of customer databases and even big computer servers that they simply carried out the front door.

The bottom line is that there is an education and training issue here. I disagree with the following conclusion:

But it illustrates something provocative about the way security has changed with the rise of the Internet, which has shifted so much of the attention and dollars spent on security toward computer networks and threats from hackers. That has in many cases led to less training for employees on how to prevent physical breaches, Stickley said.

False attribution of cause. The change is not directly a result of the Internet; it more likely stems from a shift in American business and banking culture. Tellers used to be far more invested in the welfare of their company and were far more qualified for the job. Banks undervalued the cost of education, which led them to cut corners and hire more temporary, unskilled and contract/outsourced workers. The new model appears to rest on an assumption that no one will exploit frail (not to be confused with inexpensive) defenses, or that if someone does, the cost of transferring liability will still be below the cost of maintaining skilled and security-aware employees.

Stickley said the easiest disguise to pull off was the fire inspector, because with just a uniform and a badge, researchers were often given deep access to a facility even without an appointment beforehand. The other ruses were harder, requiring more advance planning with fake Web domain name registration and phony e-mails alerting employees that an exterminator would be coming by.

What this really shows is a problem much larger than physical security. In the coming years regulators will pay far more scrutiny to the trust model that financial institutions have set up for partners, vendors, and other service providers. Outsourcing might have solved a financial riddle, but that was before the cost of security and compliance was factored in properly.
