Small Business: Hackers For Hire
(2 of 2)
Consumers know by now they are at risk of identity theft, of "phishing" e-mail attacks and of other scams designed to get them to cough up their account information (and then, too often, the contents of that account). Fake heists show that customers aren't the only weak link in the chain. "We have hacked into every single online banking application that we've tested, except one," says Stickley. So even if you follow all the rules--never respond to an e-mail purporting to be from a bank, shred every piece of paper containing personal information, only return a phone call to a financial institution using the number on the back of your card--you could still have an account cleaned out because of sloppy security at your financial institution. "Bringing in Trace gave us a sense of security, a sense of awareness, and it definitely brought in some new internal training and controls," says Kelley Ferguson, director of network-and-security services at Numerica Credit Union, where TraceSecurity conducted social engineering last spring.
So how does a company that boasts the ability to crack any system convince clients that it's safe to hire that firm? Stickley says the company's 50 employees have extensive background checks, supplied to clients if requested. Typically, employees are drawn from lines of work such as corporate security and computer engineering. But hackers need not apply. "We don't hire anyone who we believe was a former hacker," Stickley says. "Someone who can program and do network administration, you can teach them to hack. It's just too dangerous to put a hacker in a bank." Says Ferguson: "I think we were more nervous about having someone not do this than having someone do it."
So how do you keep Stickley or, more important, the real criminals out of the customer data? If your company handles any sensitive information whatsoever--including something as simple as an e-mail address or a phone number--TraceSecurity recommends the following:
IF IT'S PAPER, SHRED IT Stickley regularly dives into his clients' Dumpsters; he says even a Post-it note with a customer's name and phone number gives him enough to begin a scam. Employee names, positions and work schedules are invaluable to con artists.
ALWAYS ESCORT STRANGERS Never let pairs split up, and never, ever leave them alone--no matter what the reason. Stickley has stooped to faking illness, and then spending as long as it takes in a bathroom until the most vigilant escort gives up.
VERIFY IDS Take the time to ensure that a stranger is who he claims to be, even at the risk of giving insult. Check the name on a badge against a driver's license, then call the purported employer--fire department, pest control--to make sure the person is legit.
DOUBLE-CHECK E-MAIL REQUESTS Stickley sets up a fake e-mail address and credit-union website, then sends out e-mails claiming to be from the credit union's IT manager, asking employees to "test" the new website by entering their own account and password information. They often give Stickley all he needs to empty out those accounts.