Banking Security

June 09, 2010 By: erik Category: Geeky, Musings 118 views


Today I went to my bank to pay my Spanish taxes, which, after avoiding double taxation, came to a whopping 4.87€. I had done the taxes on my computer with the downloadable Java app and had generated a PDF for myself and one for my wife. However, when I printed them, they came out strangely formatted. I couldn’t understand why, so I loaded the PDFs onto a USB pen drive and took them to the bank along with the poorly printed versions. They said that my printed versions weren’t good enough and agreed to print the ones I had on my pen drive. So I watched as my local banker inserted the pen drive I gave him into his Windows machine and opened and printed the PDFs.

This strikes me as a huge security faux pas. He has seen me come into the bank over the past five years, granted, but still. He took a pen drive from a customer and double clicked on an icon on it that had an Adobe Acrobat icon. If I was a little smarter and a little more evil, I could now have access to his entire workstation, on the internal banking network.

My intentions were completely honest, and the guy helped me out…but talk about the future of bank robberies! Who needs a gun and a getaway driver when you can use a pen drive and show a little cleavage? My shirt was fully buttoned, but were one to take this to the professional level, I have little doubt that plan would be more successful with the role of in-bank operative played by an attractive woman.

From my experience with American banks, I can’t really imagine them opening files on a diskette solid state storage device that a customer brought in, but it might be possible.

Has anyone seen any crime novels, movies, or television episodes with this modus operandi?

  • I got an excellent comment via Google Buzz (which I didn’t even know was a way for people to comment on my posts) pointing me to this example of how this trick has been used.

    After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

  • Yeah, we talk about this kind of breach all the time at my work, but every time convenience wins out over security. But there’s another aspect, one that probably keeps my local bank safe… the people in the bank don’t actually have rights to anything sensitive.

    When we refinanced, they could print forms, make appointments, and a few other things, but when it came down to actually dealing with money (e.g. paying something) we had to leave the branch and do it from the website. That especially surprised me since we use a small town local bank and I’m darn sure a hefty portion of their customers don’t have internet access. I guess they just don’t get some features of the bank.