
Intruder 'steals' financial firm's data in social engineering exercise

07 May 2009  |  7923 views  |  3 comments

An intruder has gained access to the offices of a FTSE-listed financial services firm and duped staff into handing over sensitive information, including staff usernames and passwords, during a social engineering exercise.

Siemens Enterprise Communications, which conducted the exercise, says organisations now spend fortunes to protect confidential information from cybercriminals who try to hack into their IT systems.

Yet they are still at risk through simple social engineering techniques where staff are manipulated into handing over information.

At the financial firm the intruder, a Siemens consultant, managed to enter the office without being challenged by security staff before basing himself in a third-floor meeting room, where he worked for several days.

The intruder gained access to the company's data room and its IT and telecoms networks. He then used the internal telephone system to call employees, claiming to be from the IT department, with the internal caller ID lending credibility to the claim, and requested information.

Of twenty users targeted, seventeen supplied their usernames and passwords, giving the intruder easy access to confidential electronic data.

During the week-long exercise at the firm, Siemens says the consultant befriended a number of employees and was even on first-name terms with the foyer security guard.

On two separate occasions, the consultant managed to escort a second Siemens staffer into the building who was able to perform further analysis of the company's IT network.

Colin Greenlees, security and counter fraud consultant, Siemens Enterprise Communications, says: "Social engineering is principally concerned with manipulating people into performing actions or divulging confidential information in order to access electronic or physical data. Hi-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated."

Comments: (3)

Keith Appleyard
Keith Appleyard - available for hire - Bromley | 07 May, 2009, 17:42

It is so easy to do if you just feel confident about yourself - I recall visiting a Client on the outskirts of Paris, and finding myself at 11am in an unattended Office suite, looking at the Laptop of the Financial Director of a large Pharmaceutical Company, reading his Q1 Cash Flow Forecast, with no ScreenSaver having kicked in - and no-one ever challenged me.

Another time I was visiting a Financial Services Company in Leeds, and was impressed by their due care within the office to ensure that confidential waste paper was deposited in secure containers. But the next morning I saw the local Security firm park their pickup truck unsecured & unattended in the car park, so to prove I could do it I climbed into the back of the truck (ostensibly as if to steal the confidential waste already in there) and no-one challenged me. The truck was covered by CCTV, but I could see that the on-site Security Guard had left his command post to go and unlock the room where the confidential waste had been stored overnight.

In both instances my colleagues who were with me were paranoid we were going to be arrested, but nobody batted an eyelid.

A Finextra member
A Finextra member | 08 May, 2009, 10:31

A great post and one that reminds us where the real danger lies.

Just a quick note to the Brighton guy - I'm uneasy about what you did.

You may have been well intentioned, but it could have seen you prosecuted. I understand why you say you did it, but how could you prove you hadn't got malicious intent?

Would you take a stranger's purse just because you saw she had an open handbag, or move a car because someone left the keys in it?

 

Keith Appleyard
Keith Appleyard - available for hire - Bromley | 15 May, 2009, 12:59

To respond to the latter comments:

If I saw a car with the keys in the ignition and I knew the owner, I would take the keys to stop it being stolen.

If I saw a handbag belonging to a co-worker lying unattended on the desk, I would move it and put it out of sight in a desk drawer.

If I saw a PC still switched on after 6pm when the owner has gone home, I would switch it off, and if it's unsecured I would remove it and lock it away.

It's called looking after your friends, neighbours & colleagues.
