Jim Stickley and his accomplice, Dayle Alsbury, adjust their fake fire-inspector uniforms, then saunter into a brown brick credit-union building. Their walkie-talkies are blaring with a recorded dispatcher's voice, downloaded from the Internet and transmitted from their getaway car. After they flash their homemade badges, the two men are waved behind the tellers' counters and into the inner sanctum of the credit union. Within just half an hour, they have gained access to the entire computer network, security system and customer data--unbeknownst to any employee on the premises.
Thankfully, they're not genuine bad guys. Their fake uniforms and IDs are supplied by TraceSecurity, a Louisiana-based outfit co-founded by Stickley that is hired by companies to test their security systems. And it's not much of a test. In four years, Stickley and his colleagues have never failed to crack those systems, mostly because people are too trusting, too unaware or simply too lazy to take the necessary steps that would deter thieves.
These criminals don't tote sawed-off shotguns and ski masks. Smart thieves steal data, not banknotes, because a financial institution's confidential customer information is often more valuable than what's in its vaults. Banks and credit unions know this and have policies to protect themselves from high-tech heists.
Still, Stickley has successfully breached health-care organizations, lotteries, retail companies and government offices. TraceSecurity offers traditional risk, compliance and IT assessments, but the part that Stickley loves best is what he calls a "social-engineering engagement." That's a polite term for a break-in. TraceSecurity engineers infiltrate a target organization posing as pest controllers, fire officials, OSHA inspectors and even foreign diplomats; once in, they trick employees into allowing them access to sensitive data. A one-off engagement costs anywhere from $5,000 to $25,000. There are dozens of outfits around the country engaged in some form of social-engineering work, from Atlanta-based Vigilar to Mitnick Security Consulting (principal Kevin Mitnick is an ex-hacker and author of The Art of Deception: Controlling the Human Element of Security). Many, however, offer testing only over the telephone.
TIME accompanied TraceSecurity on a recent string of in-person "heists" on the West Coast. At one credit-union branch, Stickley flirted with female staff members in the break room while Alsbury, who played the straight man to Stickley's goofy charmer, had four minutes alone in the credit union's communications hub--plenty of time to install a wireless "sniffer" that could later broadcast information going in and out of the bank. He could also have shut down the security cameras, alarm and telephone systems. The pair got access to the back side of the ATM and a room with boxes of backup customer data. Alsbury was able to drop a disc into an unattended, logged-on computer: a Trojan Horse virus could then download itself and allow him to hack the credit union's system. "There was nothing more we could have done," says Stickley, laughing, when the pair returns triumphant to the parking lot. "We owned that place."