How to Social Engineer Your Local Bank

by Rob

Warning: Do not try this unless you work for a financial institution and are conducting a penetration test.

Banks.  We love them, right?

Some people look at banks and think, "They must have their act together, big building, hundreds of branches, thousands of employees..."  Others think, "What a bunch of morons."

As an insider, I can tell you that I tend to agree with the second train of thought.  Let me tell you why...

Banks come in all shapes and sizes; however, we will be focusing on medium-sized banks with 50 or more branches.

In any business with 50 locations, there is no way for everyone to know each other.  So if my customer comes to your location and you have a question for me, how do I know it's you calling me on the phone?

Sure, I can look at the Caller ID, but what about mortgage lenders who work on the road from their cell phones?  Or relationship bankers who are at people's houses?  Caller ID is out of the picture.

So how do we authenticate who we are talking to?

Most banks use a password system that changes on a daily or weekly basis.  Some call it the "daily authentication code," some call it the "password of the day."  There are many names, but they are all basically the same thing.

This "daily auth code" is our first step into social engineering a bank.

But how would an outsider get this code?  Easy.

By pretending to be working for the bank's internal audit department.  Banks hate auditors, but they are a necessary evil.  The auditor can make your life a living hell if you don't cooperate with them.  So let's see how we can exploit this relationship.

Let's say we call the bank and have a conversation something like the following:

Banker:  "Hello, this is Marcy, thank you for calling XYZ bank.  How may I direct your call?"

You:  "Hey Marcy, this is Oswald Cobblepot.  I'm working with internal audit to do some security assessments and I'm supposed to talk to (insert common name here) on the teller line."

One of three things happens here:

1.)  Banker:  "We don't have (name) here."

No problem.  You just say, "Geez, they gave me this big list to work off of and it seems to be wrong more than right.  I just need to talk to someone on the teller line to get your branch done so they don't keep bugging you guys.  Can I talk to whoever is free next?"

2.)  She's busy.

You say, "I just need to talk to someone on the teller line to get your branch done so they don't keep bugging you guys.  Can I just talk to whoever is free next?"

3.)  Banker:  "Hold on."

At this point, you should be on the line with a teller.  Why did we ask for a teller?  Tellers are busy and are generally younger and less experienced, and this makes them distracted and better targets.

So we are on the line with a teller...

Teller:  "This is (name)."

You:  "Hey (name).  (insert small talk) I was just talking to Marcy (make sure to drop the name of the first person you talked to in order to build credibility) about some security assessments we are doing in internal audit.  Basically, I just need to ask you a few quick questions so we can assess your branch."

  1. Who are you allowed to share your logon password with?  (They should say nobody.)
  2. Once you log into your PC, who is allowed to use it besides you?  (Nobody again.)
  3. If someone calls from another branch asking for information, how do you verify who they are?  (They should answer by saying they use the daily authentication code that we talked about earlier.)
  4. How do you find the daily authentication code?  (It's usually on an intranet site or mailed out daily.)
  5. Do you check and verify it with all callers requesting information?
  6. What is today's code?  (Believe it or not, this works.  I have done this a few hundred times and only one person did not give it to me.)

Finish up the call with some small talk and hang up.

You now have the daily authentication code for access to a bank.  But how do you use it?  Here is one scenario, but I'm sure you can come up with others...

Call a local branch and say, "Hey, this is Bill from IT.  I have a contractor going on site to look at your (printer problem, slow PC, alarm system, whatever).  He should be there in an hour or so.  Make sure you have him sign in and verify the daily auth code.  kthxbye"

You can now walk into a branch: they are expecting you, and you have the right code to get in and access files, folders, records, whatever.

We had fun doing this, but the key here is that once you are done with your pen-test, you follow up with everyone involved and let them know why it worked and what they need to change to make sure it doesn't happen again.  Then you need to wait a few months and test them again to make sure the changes are actually being implemented.

Oh, and if you haven't already, you should switch to a small community bank or credit union.

Those big banks are just way too insecure... at least that's what I hear...
