How a man used social engineering to trick a FTSE-listed financial firm


Holding the door for someone can get you hacked


A security consultant managed to talk his way into a FTSE-listed financial services firm and access company data in a social engineering exercise.

Colin Greenless, a security consultant at Siemens Enterprise Communications, targeted a client company for a week in a special investigation to see what information he could obtain using social engineering tactics.

Without the use of any special equipment, Greenless was able to enter the company's office without being challenged by security staff. Greenless then based himself in a third floor meeting room, where he worked for several days.

The consultant also freely accessed different floors, store rooms, filing cabinets and confidential data left on desks, and entered the company's data room, IT and telecoms network.

Posing as an IT worker, Greenless used the internal telephone system to call staff and request information. During the exercise, 17 out of 20 users gave away their usernames and passwords, giving Greenless easy access to electronic data.

"The scary thing is, it's all simple stuff. It's just confidence, looking the part and basic trickery such as 'tailgating' people through swipe card operated doors or, if you're really going for it, carrying two cups of coffee and waiting for people to hold doors open for you," said Greenless.

During his week at the financial firm, Greenless befriended a number of employees and was even on first name terms with the foyer security guard.

Greenless even brought a second Siemens consultant into the building, who was able to perform further analysis of the company's IT network.

Social engineering, or confidence tricks, is the art of manipulating people into divulging information or performing actions that would give the fraudster access to data.

"Hi-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated," said Greenless.

A Siemens Enterprise Communications White Paper, written by Greenless, details the findings of the exercise, and also provides recommendations for executives.
