Login | sign up  | help
19 June 2013
» View all news Next story »

Intruder 'steals' financial firm's data in social engineering exercise

07 May 2009  |  6656 views  |  3 happy city gent

An intruder has gained access to the offices of a FTSE-listed financial services firm and duped staff into handing over sensitive information, including staff usernames and passwords, during a social engineering exercise.

Siemens Enterprise Communications, which conducted the exercise, says organisations now spend fortunes to protect confidential information from cybercriminals who try to hack into their IT systems.

Yet they are still at risk through simple social engineering techniques where staff are manipulated into handing over information.

At the financial firm the intruder, a Siemens consultant, managed to enter the office without being challenged by security staff before basing himself in a third floor meeting room, where he worked for several days.

The intruder gained access to the company's data room, IT, and telecoms network. He then used the internal telephone system to call employees, claiming to be from the IT department, backed up by the caller ID, and requested information.

Of twenty users targeted, seventeen supplied their usernames and passwords giving the intruder easy access to confidential electronic data.

During the week-long exercise at the firm, Siemans says the consultant befriended a number of employees and was even on first name terms with the foyer security guard.

On two separate occasions, the consultant managed to escort a second Siemens staffer into the building who was able to perform further analysis of the company's IT network.

Colin Greenlees, security and counter fraud consultant, Siemens Enterprise Communication, says: "Social engineering is principally concerned with manipulating people into performing actions or divulging confidential information in order to access electronic or physical data. Hi-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated."

Comments: (3)

Comment on this story (membership required)
Keith Appleyard - available for hire - Bromley | 07 May, 2009, 17:42

It is so easy to do if you just feel confident about yourself - I recall visiting a Client on the outskirts of Paris, and finding myself at 11am in an unattended Office suite, looking at the Laptop of the Financial Director of a large Pharmaceutical Company, reading his Q1 Cash Flow Forecast, with no ScreenSaver having kicked in - and no-one ever challenged me.

Another time I was visiting a Financial Services Company in Leeds, and was impressed by their due care within the office to ensure that confidential waste paper was deposited in secure containers. But the next morning I saw the local Security firm park their pickup truck unsecured & unattended in the car park, so to prove I could do it I climbed into the back of the truck (ostensibly as if to steal the confidential waste already in there) and no-one challenged me. The truck was covered by CCTV, but I could see that the on-site Security Guard had left his command post to go and unlock the room where the confidential waste had been stored overnight.  

In both instances my colleagues who with me were paranoid we were going to be arrested, but nobody batted an eyelid.

0 thumbs up! (Log in to thumb up)
Report
A Finextra member | 08 May, 2009, 10:31

A great post and one that reminds us where the real danger lies.

Just a quick note to he Brighton guy - I'm uneasy about what you did.

You may have been well intentioned, but it could have seen you prosecuted. I understood why you say you did it, but how could you prove you hadn't got maliscious intent?

Would you take a stranger's purse just because you saw she had an open handbag, or move a car because someone left the keys in it?

 

0 thumbs up! (Log in to thumb up)
Report
Keith Appleyard - available for hire - Bromley | 15 May, 2009, 12:59

To respond to the latter comments :

if I see a car with the keys in the ignition and I knew the owner I would take the keys to stop it being stolen

if I saw a handbag belonging to a co-worker lying unattended on the desk I would move it and put it out of sight in a desk drawer

if I saw a PC still switched on after 6pm when the owner has gone home I will switch it off, and if its unsecured I will remove it and lock it away.

Its called looking after your friends, neighbours & colleagues.

0 thumbs up! (Log in to thumb up)
Report
Log in to receive notifications when someone posts a comment

Related blogs

Create a blog about this story (membership required)

Related stories

Fed bank IT worker charged with ID theft and fraud
27 April, 2009
Hackers steal 285m electronic records in 2008 - Verizon
15 April, 2009
Two found guilty in £229 million Sumitomo spyware fraud case
04 March, 2009
Trojan steals 500,000+ bank and card details
31 October, 2008
Branch security failings exposed by fake heists
10 September, 2008
More news »
Find out more

Featured job

Resourcing Manager

Excellent salary with uncapped commission
Milton Keynes

Find your next job

All jobs »

Finextra Logo Small
© Finextra Research 2013

 
About Finextra
Community Rules
Terms of use
Privacy policy
Contact us
Editorial
Sales and Membership
Follow us
LinkedIn
Twitter
RSS Feeds
Daily newsletter
Apps and platform versions
Android
iPhone
Kindle