TraceSecurity today released five years of statistics from its social engineering and penetration testing engagements. The statistics show that at 95% of U.S. financial institutions, sensitive data, including bank account records and Social Security numbers, could have been stolen, on average, in 30 minutes or less.
Between 2003 and 2008, TraceSecurity’s engineering team compromised the security of more than 1,000 financial institution branches. As an independent auditor for regulated industries, including the financial services sector, TraceSecurity estimates that tens of millions of consumers’ personal identities could have been stolen had the attempts been real attacks rather than authorized tests.
The statistics were based on a core group of TraceSecurity’s more than 800 U.S. customers, which had asset sizes of up to $2.7 billion, were located in 48 states, and averaged four or more branch locations each.
The tests from which the statistics were drawn focused on three best-practice assessments: penetration testing, remote social engineering and onsite social engineering. Penetration testing consists of hacking attempts against the company’s network over the Internet to find vulnerabilities that may exist. Social engineering tests include phishing, pharming, pretext calling and onsite impersonation of a trusted third party.
As part of their onsite social engineering engagements, TraceSecurity engineers often disguise themselves as a fire marshal or pest inspector. They gain entry 95% of the time into bank areas that often contain sensitive data that can be easily compromised.
Backup tapes storing sensitive data were cited as the easiest target to steal without being detected by bank employees. Other items taken in the test heists included loan applications, miscellaneous hardware such as laptops, cell phones and PDAs, keyboard data and more, containing common information such as Social Security numbers, bank and account numbers, addresses and contact information, mothers’ maiden names, driver’s license numbers and credit card numbers.
While regulators and regulations such as the FFIEC, NCUA, HIPAA, SOX, FCA and others recommend social engineering engagements, they are not mandatory, unlike vulnerability testing and adherence to the Information Security Program.