FFIEC News
TraceSecurity Reports 95% of Financial Institutions Tested Still Vulnerable to Both Physical and Virtual Data Theft
(Sept 10, 2008) -- TraceSecurity, provider of comprehensive IT risk assessment and security compliance solutions, today revealed its five-year statistics on Social Engineering and Penetration Testing. The statistics show that at 95% of the U.S. financial institutions tested, sensitive data including bank account records and social security numbers could have been stolen, on average, in 30 minutes or less.
Between 2003 and 2008, TraceSecurity's engineering team, headed by co-founder and CTO Jim Stickley, compromised the security of more than 1,000 financial institution branches. As an independent auditor for regulated industries including the financial services sector, TraceSecurity estimates that the personal identities of tens of millions of consumers could have been stolen had the attempts been real attacks rather than authorized tests.
Statistics were based on a core group of TraceSecurity's more than 800 U.S. customers, which had asset sizes of up to $2.7 billion, were located in 48 states, and averaged four or more branch locations each.
"Personally, I've been able to bypass security policies, procedures and technology of any bank or credit union where I've performed social engineering engagements 100% of the time," said Stickley, co-founder and CTO of TraceSecurity and author of the newly released book The Truth about Identity Theft. "My job is to help companies understand and improve their security, and that's exactly what happens with the tests we performed on financial services firms."
The tests from which the statistics were drawn focused on three Best Practice solutions: Penetration Testing, Remote Social Engineering and Onsite Social Engineering. Penetration Testing uses hacking attempts against the company's network over the Internet to check for vulnerabilities that may exist, whereas Social Engineering tests include phishing, pharming, pretext calling and onsite impersonation of a trusted third party.
TraceSecurity engineers often disguise themselves as a fire marshal or pest inspector as part of their onsite Social Engineering engagements. They are able to gain entry 95% of the time into bank areas that often contain sensitive data which can be easily compromised.
Backup tapes storing sensitive data were cited as the easiest target to steal while remaining undetected by bank employees. Other items stolen in the test heists included loan applications; miscellaneous hardware such as laptops, cell phones and PDAs; keyboard data; and more, containing common information such as social security numbers, banking/account numbers, addresses/contact information, mother's maiden names, driver license numbers and credit card numbers.
"When in disguise, TraceSecurity engineers were only questioned on a couple of occasions," said Stickley, referencing the five-year statistics. "One example included a situation where the engineer posing as a fire marshal was questioned by a bank employee married to a fire marshal; another example was an engineer who was busted when he showed up dressed as a pest inspector in a uniform similar to the one I was wearing on the front cover of a recent industry magazine."
While government regulations such as FFIEC, NCUA, HIPAA, SOX, FCA and others recommend employing social engineering engagements, doing so is not mandatory, unlike testing for vulnerabilities and adherence to the Information Security Program.
"Financial institutions are often under attack via physical breaches or the Internet," said Stickley. "That's why it's important to take a proactive approach like more companies are doing today, and hire experts who understand the nuances of cyber crime and data heists. It takes only one branch location for all customers' sensitive data to be at risk, and recent data breaches have shown these losses can amount to billions of dollars -- a huge cost for what's usually a small, avoidable error."
For more information, please visit www.tracesecurity.com.