Intruder 'steals' financial firm's data in social engineering exercise

An intruder has gained access to the offices of a FTSE-listed financial services firm and duped staff into handing over sensitive information, including staff usernames and passwords, during a social engineering exercise.

Siemens Enterprise Communications, which conducted the exercise, says organisations now spend fortunes to protect confidential information from cybercriminals who try to hack into their IT systems.

Yet they are still at risk through simple social engineering techniques where staff are manipulated into handing over information.

At the financial firm the intruder, a Siemens consultant, managed to enter the office without being challenged by security staff before basing himself in a third floor meeting room, where he worked for several days.

The intruder gained access to the company's data room, IT, and telecoms network. He then used the internal telephone system to call employees, claiming to be from the IT department, backed up by the caller ID, and requested information.

Of twenty users targeted, seventeen supplied their usernames and passwords, giving the intruder easy access to confidential electronic data.

During the week-long exercise at the firm, Siemens says the consultant befriended a number of employees and was even on first-name terms with the foyer security guard.

On two separate occasions, the consultant managed to escort a second Siemens staffer into the building who was able to perform further analysis of the company's IT network.

Colin Greenlees, security and counter-fraud consultant, Siemens Enterprise Communications, says: "Social engineering is principally concerned with manipulating people into performing actions or divulging confidential information in order to access electronic or physical data. Hi-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated."

Comments (3)

Keith Appleyard - available for hire - Bromley, 07 May, 2009, 17:42

It is so easy to do if you just feel confident about yourself - I recall visiting a Client on the outskirts of Paris, and finding myself at 11am in an unattended Office suite, looking at the Laptop of the Financial Director of a large Pharmaceutical Company, reading his Q1 Cash Flow Forecast, with no ScreenSaver having kicked in - and no-one ever challenged me.

Another time I was visiting a Financial Services Company in Leeds, and was impressed by their due care within the office to ensure that confidential waste paper was deposited in secure containers. But the next morning I saw the local Security firm park their pickup truck unsecured & unattended in the car park, so to prove I could do it I climbed into the back of the truck (ostensibly as if to steal the confidential waste already in there) and no-one challenged me. The truck was covered by CCTV, but I could see that the on-site Security Guard had left his command post to go and unlock the room where the confidential waste had been stored overnight.

In both instances my colleagues who were with me were paranoid we were going to be arrested, but nobody batted an eyelid.

A Finextra member, 08 May, 2009, 10:31

A great post and one that reminds us where the real danger lies.

Just a quick note to the Brighton guy - I'm uneasy about what you did.

You may have been well intentioned, but it could have seen you prosecuted. I understood why you say you did it, but how could you prove you hadn't got malicious intent?

Would you take a stranger's purse just because you saw she had an open handbag, or move a car because someone left the keys in it?

Keith Appleyard - available for hire - Bromley, 15 May, 2009, 12:59

To respond to the latter comments:

If I see a car with the keys in the ignition and I know the owner, I would take the keys to stop it being stolen.

If I saw a handbag belonging to a co-worker lying unattended on the desk, I would move it and put it out of sight in a desk drawer.

If I saw a PC still switched on after 6pm when the owner has gone home, I will switch it off, and if it's unsecured I will remove it and lock it away.

It's called looking after your friends, neighbours & colleagues.