IE 11 is not supported. For an optimal experience visit our site on another browser.

Companies hire ‘thieves’ to test security

The Federal Trade Commission reports that nine-to-ten million Americans will be victimized by identity theft annually.  But there is help for companies that want to test the effectiveness of their own safeguards against ID theft. NBC's Tom Costello reports.
By Tom Costello

Jim Stickley is a paid thief. The tools of his trade are the tools of a con man: fake uniforms, fake IDs, a pile of fake fire inspector badges bought on the Internet. He also has the gadgets of a computer hacker.

“People are gullible,” Stickley says. “People will do pretty much anything under the right circumstances."

But Stickley is no criminal. He's part owner of Trace Security and is hired by companies to test how well their employees guard supposedly secure computer databases that hold millions of customer identities.

For many companies, servers represent their entire infrastructure. They hold account information, financial data, Web hosting — the crown jewels for many companies.

That data can be so sensitive, GMFS Mortgage in Baton Rouge, La., hired Stickley's company to test its employees. They passed.

“We've got to be proactive,” says Terrell Brown Jr. of GMFS Mortgage. “This is people's financial information that we're dealing with. So we have to stay ahead of the people who are going to try to get this information.”

On one day, Stickley and a partner posed as fire inspectors to test the staff at a chain of West Coast banks. After smooth-talking their way in, they had plenty of time to attach wireless transmitters to computers and snap photos of customer files.

“They never doubted us for a second,” Stickley says.

No one in the bank ever questioned their fire inspector credentials. They were escorted around the server room but had free access everywhere else. Stickley says he’d give that bank a grade of seven, out of 10. 

“They did great on the server room,” he says. “They failed on protecting the documents in the file room.”

Stickley found open files, open teller computers and open data. 

“Confidential information,” Stickley says, “Social Security numbers, credit card numbers, names, addresses, all the stuff you don't want people to have.”

In a week, the bank and its employees will get a full report on the breach — and how they can prevent a real thief from getting in, by which time Stickley will be running the test somewhere else.

Tom Costello