Last Updated on December 16, 2019
So the other day I managed to sneak into a bank’s ATM service room. I was left alone in there, looking wide-eyed at the back of the ATM machine. I could’ve downloaded some malware, installed surveillance cameras to capture credentials … I don’t think I was being monitored in any way. I have never felt more like Robert Redford in my life.
Fortunately for the bank that hired us for this physical security/social engineering test, I just took a blurry phone photo for documentation purposes and left as quickly as I came.
The whole point of this kind of engagement is to mimic the behavior of a malicious actor and see how far they could get. It’s a great way to test the effectiveness of a company’s security awareness program, for example.
Social engineering testing is inherently unique to the specific situation. In fact, there can be a lot of ad-libbing on the part of the tester.
In this case, the plan was basically to “show up and see if you can get in.” Gaining unintended access is typically not easy. Usually I’m quickly shooed away because I don’t have a proper ID and I don’t have an appointment. But in this case, when I presented myself to a branch employee and said I was there to “see about your ATM machine,” she signed me in and put me in the ATM service room with no questions asked, no ID check and no inquiry as to whether I was expected.
Having taken my photo, I waited a few minutes and then breezily left, telling the employee something about the machine not supporting the new button they wanted and that my company would be in touch about next steps. Thanks and have a nice day!
Banks and other organizations have physical security protocols for a reason. If employees aren’t aware of them or otherwise don’t follow them, the results can be very bad, indeed.
For expert help with testing your physical, network, application and/or database security perimeter(s), contact Pivot Point Security. We are a leader in penetration testing and vulnerability assessment and have been providing security testing services since 2001.