
The First Time I Robbed A Bank
By Jim Stickley

The first time I robbed a bank, I was 27 years old. On numerous occasions throughout my youth I had thought about different ways I could pull it off, never actually thinking there would come a time when I would do it, of course. However, in life circumstances do change, and suddenly the opportunity presented itself.

When most people think of robbing a bank they picture the guy in the ski mask wielding a gun and demanding that money be put into a canvas bag. For me that always seemed far too dangerous, and really I doubted the payoff would be worth the risk. Personally, I always favored the idea of sneaking in, in the middle of the night, bypassing the alarm system and somehow breaking into the safe. Of course, as technology changed, so did my ideas. And so it came to be that in the summer of 1997, I ended up with access to millions of dollars without so much as triggering a single alarm. Nor did I raise so much as a suspicion that I had even been in the bank.

I guess I should clarify that I do not have a criminal record, and though I have broken into hundreds of secured sites, from financial institutions to government facilities, in reality I have never actually broken the law. While there is no doubt that I do perform criminal acts, I have what I like to refer to as a “get out of jail free card.” You see, I am a hired thief. Organizations that hold confidential information, such as banks and credit unions, need to be certain the security they have implemented actually works in real situations. Of course, finding out there is a flaw in the security after a major breach has taken place could be detrimental not only to the organization, but to the thousands of customers who have come to trust them.

That’s where I come in. Organizations hire our company to find their security flaws and exploit them. Sure, not every job requires me to physically break in, and there are many cases where we have been able to gain access to the targeted information without ever having to set foot on site. But at the end of the day, I will do whatever it takes, stopping just short of showing up with a gun, in an effort to obtain the targeted objective.

Strategy for Larceny
So, getting back to the summer of 1997. For this particular engagement, I had been assigned to obtain access to the data center of a large bank. Because the data center was not a publicly accessible site, there was already a major obstacle. Obviously I would not be able to just walk into the facility, as it was secured and visitors were required to be buzzed in. Then approval was required before you could get past the front reception area.

At that time I had drawn up numerous scenarios that could potentially get me past the reception area, including everything from a flower delivery guy to a scheduled sales meeting. With each scenario, I was not satisfied that it would give me the proper access to all areas of the facility. The problem was that if, for example, I posed as a flower delivery guy, I could get in and potentially talk my way into personally delivering the flowers, but then what? There was no guarantee that I would be able to roam free throughout the rest of the facility, not to mention that more than likely the truly secured areas, such as the main server room, would have additional door locks that I would not be able to bypass.

Ultimately I settled on pest control. At first you might think to yourself that pest control could not possibly gain the kind of access needed. And even if it could, how would you guarantee that the organization would be willing to hire you to do the job? These same questions ran through my head, but one by one each problem was addressed and resolved.

The first thing I was required to do was find out who was responsible for dealing with pest control issues. This took nothing more than a phone call to the corporate office. I explained that I was from my fictional pest control company and that I was interested in gaining their business. They told me who I would need to talk to and then promptly transferred me to that extension. Rather than talking to him, I just hung up. I didn’t really expect that they would hire my fictional company anyway.

I also needed to get a few other names before I would be able to get the ball rolling. Next, I had a different person call on a separate day to find out who the manager was at the data center. This was done under the guise that the person wanted to submit a resume and hoped to be able to put the proper contact names down. They first tried to give their hiring manager’s information, which we also took, but we still insisted on getting the data center manager’s name so we could make the resume look official. This conversation took place in a very friendly, “aw shucks” kind of manner to keep suspicion low and make the employee on the line feel like she was helping out some poor soul looking to make a good first impression. Ultimately, we got the data center manager’s name.

For this breach to be a success, we would also need to get the email addresses for these people. Fortunately, most organizations make this extremely easy. Simply create a Hotmail account and then send out a fake spam message to one of the people. Since you don’t know their email address, you guess at a number of different addresses, all at their domain. For example, if their name was John Doe, you would send an email to jdoe@theirdomain.com, john.doe@theirdomain.com, johnd@theirdomain.com, johndoe@theirdomain.com, etc. Most organizations follow a naming convention that remains the same for all employees. When you send all of those emails, simply watch your Hotmail account and see which addresses bounce back. In most cases, all will bounce back as return to sender / unknown email address except for one. The one that doesn’t bounce back is the correct email address, and in this way you can find the email accounts you are looking to contact. In this case, we quickly had the email address of the manager responsible for hiring pest control and the email address of the manager of the data center.

Next we registered a domain that was similar to that of the organization we were breaking into. In this case, the organization’s domain name had an “O” in the name. This was very helpful to us, as we could simply register the domain name using a zero in place of the O. When you type capital letters, a zero looks just like an “O,” which most people will not pick up on when reading their email. In other words, if the domain was notabank.com, we would register n0tabank.com. In capital letters, it looks like N0TABANK.COM. As you can see, it is difficult to distinguish the zero from an “O.” I next modified a mail server on our network to begin hosting email for the similar domain and set up a mail client on my computer that would be used to send and receive email as needed using this new domain.
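One defensive check that follows directly from the zero-for-“O” trick, as an added example that is not part of Stickley’s article: a small Python filter that normalises visually confusable characters and flags sender domains that collapse onto, or sit one edit away from, the organisation’s real domain. The domains and sample addresses are constructed for illustration; notabank.com is the article’s own hypothetical name.

```python
# Added example (not from the article): flag inbound sender domains that
# look like the organisation's own domain, e.g. notabank.com vs n0tabank.com.
# All domains and addresses below are constructed for illustration.

# Single characters that read alike in many fonts, especially in capitals.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
# Character pairs that visually merge into one letter ("rn" reads as "m").
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings collapse together."""
    s = domain.lower().strip().translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted_domains: list[str]) -> str:
    """Return 'trusted', 'lookalike' or 'external' for one email address."""
    if "@" not in address:
        raise ValueError(f"not an email address: {address!r}")
    domain = address.rsplit("@", 1)[1].lower()
    trusted = {d.lower() for d in trusted_domains}
    if domain in trusted:
        return "trusted"
    sk = skeleton(domain)
    for t in trusted:
        # Same skeleton: differs only by confusables (n0tabank.com, notabank.corn).
        # Distance 1 from the skeleton: a one-character typo-squat (notabanks.com).
        if sk == skeleton(t) or levenshtein(sk, skeleton(t)) <= 1:
            return "lookalike"
    return "external"


def flag_messages(from_headers: list[str], trusted_domains: list[str]) -> list[str]:
    """Return the From addresses whose domain impersonates a trusted one."""
    return [a for a in from_headers if classify_sender(a, trusted_domains) == "lookalike"]
```

Run it over a mail gateway’s From headers with the real corporate domain as the trusted list; anything returned by flag_messages deserves a banner or quarantine rather than delivery as if it were internal mail.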

The last thing required to remove any suspicion from the minds of the employees was the addition of an 800 phone number. People always feel more comfortable if they have a phone number they can call to reach a live person. I imagine the idea is that if you can call them, then they must be legitimate. To that I can only remind people that an 800 number can be picked up on the internet for a few bucks a month and can be forwarded to any number you like, including pay phones and cell phones.

Setting the Plan in Motion
The day I launched the attack, I have to admit I was extremely nervous. I went through everything over and over making sure I had not left anything to chance. Of course, when you’re planning to walk into a secured facility during regular business hours and gain access to accounts where there are millions of dollars, there is always going to be something left to chance.

I started the process by sending an email. The email was sent as though it came from the manager at the bank who was responsible for contracting with pest control. The email was sent to the operation center manager. As mentioned earlier, this information was not difficult to obtain. The email was sent using the domain I had registered that looked identical to their real domain. The message in the email was very simple and to the point. “Hello John, I just wanted to let you know that we have contracted with Exterminx pest control to spray for bugs at our branches. Apparently several of our managers have been getting complaints about roaches and other bugs. Someone from Exterminx should call you within the next week to schedule a time to come on site…”

As you can see, this email was designed not to set off any red flags, not to require the manager to have a verbal conversation about it, and still to open the door for me to walk into their facility. A couple of hours after the email was sent, I received a reply. In it, the person acknowledged receipt and asked if there would be any risk to the computer equipment from the chemicals. I responded that we were told there would be no risk, but to double check when Exterminx contacted him. I received one more reply that he would do that, and the conversation ended.

A few days later I had a lady from our office call the data center manager (women are trusted more than I am on the phone). She introduced herself as being with Exterminx and explained that she was calling to set up a time for us to spray the facility. She put his mind at ease, explaining that it should take about an hour and that the company’s computers were not at any risk. The conversation was kept light and a date was set. Before hanging up, she gave her 800 number in case he had any additional questions.

And so it came to be that, a little over a week later, I was dressed in overalls walking around a secured facility, carrying a toolbox and a pressure bottle filled with water. Once I was inside, it took very little time to become comfortable with the employees. Because it was a secured facility, I found it was actually quite easy to get around. The employees understood that no one could get in unless they were given access, so obviously I was allowed to be there. Since my job required me to go into every room in the facility, I had more access than many of the employees.

My main objective was to gain access to the organization’s backup tapes which contained the names, addresses, account numbers, loan information, and every other piece of confidential information that people give to banks. But beyond that, I was told to gain access to anything and everything.

When I was given this challenge, I am pretty certain they never imagined I would actually be walking through their facility unescorted. I spent the majority of my time loading Trojans onto servers that were left logged in. This was simple, since I could just drop a CD into the computer and within a few seconds the software would be loaded. In addition, I placed a wireless access device on their network. Because this was a large facility, it was simple for me to tuck the device between two cubicles and plug it into a live network patch. Though I will not focus on it in this article, the wireless device turned out to be a great avenue back into their network as I was able to sit in the parking lot all evening hacking from one computer to the next, bypassing their firewall and external IDS server.

When I entered one area of the facility I came upon the digital surveillance equipment. What amused me most was that this server was left logged in with administrative access. I assume this was so they could view the numerous video streams that were coming in. Rather than disabling the device and deleting the contents, I simply placed a sticker on the keyboard. There was no need for me to actually disable their surveillance, but I wanted to be certain they understood the situation they had been in. Before leaving the facility, I did find the backup tapes that I had originally been hired to obtain. They were neatly labeled on a large rack that covered a portion of a server room wall. I placed the tapes into my empty toolbox and quickly left the facility.

For my first bank robbery, it was a complete success. I gained access to the facility, placed Trojans on servers to allow me future access, inserted a wireless device to allow me onto their network from the parking lot, gained access to their surveillance system, and ultimately gained access to their complete customer database. Had I been a real bank robber, I would have gained access to millions of dollars’ worth of account information, not to mention it would have really ruined someone’s day.

You would think that times would have changed by now and that, with the identity theft awareness that seems to be out there, the heists I performed would be far more difficult. In truth, not much has really changed. People are always going to be the weakest link in an organization, and it only takes one person making a mistake to allow complete and total compromise of confidential information. If I were to give only one piece of advice that would greatly reduce my level of success, it would be to never leave visitors unescorted at any time. It doesn’t matter who they are or what they do; they do not belong in your facility and therefore should be under constant supervision.

About the Author
Jim Stickley is the CTO of TraceSecurity, Inc. (www.traceSecurity.com), a provider of enterprise-class vulnerability management solutions and security assessments. He can be reached at jstickley@tracesecurity.com.

© IMPIRE Communications, LLC All Rights Reserved.  Website designed & managed by Oculus Networks