In the News

Donny Deutsch Show “The Big Idea” featuring Jim Stickley, TraceSecurity, CTO

The Big Idea CNBC, 04/23/2007

DONNY DEUTSCH, host: Welcome back to THE BIG IDEA. OK, tonight the American dream is coming to you straight out of left field. I've got the most bizarre, crazy, wacky jobs in the world tonight. Jobs you didn't know existed. But they do, and they pay pretty damn well, also. Tonight you might start taking your own ideas a little more seriously.

And my next guest is Jim Stickley. He's a master of disguises. He carries a ladder as the perfect decoy. And he frequently embarrasses security departments. What's he do? He actually gets paid to rob banks, financial institutions, or any other company for that matter, and he's paid by the company.

He's Jim Stickley, co-founder of Trace Security. Welcome to bizarre job night on THE BIG IDEA.

Mr. JIM STICKLEY (Trace Security): Thanks.

DEUTSCH: Now this is basically--as I understand it, you get paid by companies, banks, or what-not to test, basically, their own security systems, but not in the way we would think, which is obviously--'OK, can you break into my computer systems?' We all know identity theft. Yours is from a different angle.

Mr. STICKLEY: Yeah, they tell us, you know, 'OK, we've tested our network, and we're pretty comfortable with that, but what about our employees? What are they doing to stop us--and stop us from getting hacked?' And so we actually physically break in to these facilities.

DEUTSCH: For instance you got the idea of this business as you were working with institutions where you were kind of hacking away and you'd see guys delivering water coolers--all this access of random people walking around all this obviously this privileged information.

Mr. STICKLEY: Yeah, it was absurd. I mean they'd have us in there and be like, 'ooh, we're so worried about our network.' And I'd be like testing and I'd be like looking around and there's the water cooler guy over there and there's the delivery guy over there and these people are just wandering aimlessly around through the facility, and I'm like, 'what about those guys?'

DEUTSCH: Yeah.

Mr. STICKLEY: You need to be worried about them too.

DEUTSCH: So basically, what you do, is come up with heists. You've come up with a thousand of them.

Mr. STICKLEY: Yeah.

DEUTSCH: Give me a for-instance of the kind of disguise and what you do and how you would get this information.

Mr. STICKLEY: There's a zillion. I mean every day we come up with a new one. My favorite is to play fire inspector. And that's where you dress up in full uniform and you go in and you show them your badge, and you have a badge like that.

DEUTSCH: OK.

Mr. STICKLEY: And you walk in and you say, 'hi, I'm here to do a fire inspection.' And you're in your uniform and people just look at you and they go, 'oh, OK, sure.'

DEUTSCH: So, basically, the person--if you just walk into any bank--I'm not going to name a bank--the bank on the corner. The person you would show this to at the bank is who?

Mr. STICKLEY: Generally the first person I see.

DEUTSCH: The first person you see. It could be a security guy at the front gate, a teller--

Mr. STICKLEY: Exactly. Most of the time it's going to be a teller.

DEUTSCH: So basically your access, this is what they want to test, so you go into a teller...

Mr. STICKLEY: Uh-huh.

DEUTSCH: ...and now you're wandering around the place.

Mr. STICKLEY: Sure. And if they're smart--and what they're supposed to do is, they're supposed to stay with you. You know you're not going to stop a fire inspector from coming in. They've got a legitimate job to do, but they shouldn't be allowed to just wander aimlessly throughout the whole facility.

They need to have an employee that stays with you. So if I'm going into the server room, or if I'm going where all this data is being stored, they have somebody in there with me, so I can't just start loading my bag up with this stuff.

DEUTSCH: So theoretically though, if they don't have somebody with you, what can you actually do now? Once you're inside the bank that's worth millions of dollars?

Mr. STICKLEY: Oh, I'll rob them blind.

DEUTSCH: Meaning what?

Mr. STICKLEY: I'll take their back-up tapes, first thing. Back-up tapes control, day-to-day, everything. You go to a bank and you give them your social security number. If you have a loan with them, you've given them all of your basic information.

DEUTSCH: Basically now, with a fire inspector's uniform you can get into a bank and get every one of their customers' personal information.

Mr. STICKLEY: Everything.

DEUTSCH: Give me another instance of how you would break into a bank.

Mr. STICKLEY: I like doing repairman. Pest control--pest control works really well. When we do that one, a lot of times we'll do that one as a team. We'll do some back history on it, and find out who they've used in the past, find out who is responsible for doing the hiring. So then we can send out an email on behalf of whoever does their hiring at one location to all the other locations.

And say 'hey, we're going to have a pest inspection coming out next week.' It's an email. It's benign. Why not? So then we schedule it up, and say the pest inspector is going to come on such-and-such date.

We go down there. We bring in ladders. A ladder is your best friend when you go in. So what we'll do is, like, we'll go into their server room and if they are with us we'll say, 'oh, can you get us a cup of coffee?' Or 'we're going to need this,' or 'I need to know about that.'

The minute they walk out, we put the ladder in front of the door and one of us climbs on the ladder. Well, now they can't open the door to get back into the server room. So we're on it, the other person's robbing.

DEUTSCH: OK, now obviously you--you report back, to the dismay of the CEO, or the head of security, of the various-backed financial institutions.

You can never protect against this stuff. How--what's the end result? Basically, is the one lesson, 'OK now, nobody can ever be left alone?' What's the learning effect?

Mr. STICKLEY: That's it.

DEUTSCH: Other than that, well, you can't--you know--

Mr. STICKLEY: That's exactly what it is. It's teaching their employees. People don't want to offend other people. So, if I say, 'hey, you know, I need you to go do this.' They go, 'well, do I do it or do I stay with this person?' And so most of the time--and if you're friendly and I'm an easy-going guy, very non-assuming...

DEUTSCH: Yeah, you know.

Mr. STICKLEY: ...and they go, 'oh, OK.' And they go away. Once we've done this, management can say a hundred times, 'don't leave people alone, stick with them no matter what you do.' And they go, 'yeah, yeah, yeah.'

And they do this. After this happens to them, they'll never do it again. Because then they're just like, 'I can't believe I fell for it.'

Some of the other stuff. We always have props. Props are everything. As long as you can make the uniform look good, you must be that real person. I mean, I have no clue how to use this thing. (Visual of repair tool) But it hooks onto a belt and it looks really cool.

So, you know, I'm there to do some sort of phone repair or you know, cable. Or if they're having Internet problems, anything like that. This one's great when we are fire inspectors. I don't know if you'll be able to hear this or not, but let me see.

(Soundbite of pre-recorded audio dispatch)

This is actually recordings, so when we walk in and our walkie-talkies are on, this is playing through our walkie-talkies. So, we look very official when we walk in and there is no reason for them to doubt us whatsoever.

DEUTSCH: So you--have you ever been rebuked?

Mr. STICKLEY: No, I've--

DEUTSCH: Rebuffed. Rebuked. Whatever that word is--

Mr. STICKLEY: A member of our staff had been caught over time, but I've got a very good track record and I have not been caught.

DEUTSCH: Never been busted?

Mr. STICKLEY: No, never been busted.

DEUTSCH: What would you charge, for--to back a--to go through a bunch of their things? What's a good--

Mr. STICKLEY: I try to stay out of the press. I'm more on the engineering side, but I would imagine it would generally start at about a five to seven grand. That's for a very small job, and it can get extremely--

DEUTSCH: Big money.

Mr. STICKLEY: Yeah, it can go up there.

DEUTSCH: Basically, the only qualification you need is to be kind of a clever imposter.

Mr. STICKLEY: You got to be able to just carry a good tune.

DEUTSCH: Carry a good tune, and then basically know how to download stuff. Which anybody can do.

Mr. STICKLEY: Yeah, you got to hack a little. You've got to know some other things on the other side.

DEUTSCH: But the point is, obviously these companies spend hundreds of millions of dollars, even billions I'm sure, to fight the hackers. The real kind of vulnerability, is just in the humans.

Mr. STICKLEY: That's it--that one employee.

DEUTSCH: Yes, it's all kept in the computers but basically--

Mr. STICKLEY: Yeah.

DEUTSCH: When you get inside the doors, it's frightening stuff.

Mr. STICKLEY: Yeah.

DEUTSCH: Any--any kind of lessons out there for any bank presidents watching right now, that want to keep their finances a little more secure?

Mr. STICKLEY: Yeah, just look around. Walk into one of your locations, and just see who's got access, where. And what's laying on desks.

DEUTSCH: It's very funny. I would always, when I was running the ad agency, I would always--and frankly we were very good at this--of course a lot of times, computers had been stolen or a woman's purse in a desk.

Nobody was ever walking around the ad agency by themselves unescorted, who wasn't--you know, there was somebody, a media rep. You can't just let people wander around your office. And that's how it happens. It's amazing what happens when people just let people wander around their offices.

Mr. STICKLEY: Yeah, it is.

DEUTSCH: Jim Stickley, co-founder of Trace Security, and a guy who will come and break into your company if you need him to. He'll charge you a lot. It's one of the most bizarre jobs in the world, because tonight it's bizarre jobs making un-bizarre bucks tonight, on THE BIG IDEA.