A short while back, I attended a meeting in the basement of a branch of a major, national bank. The bank didn’t know whether I was a hacker or not, but I was allowed in (kind of invited) anyway.
The meeting was not connected with the bank; the bank was providing the room as a community service. Evidently somebody from the group knew somebody at the bank.
As is my custom, I arrived early, a little earlier than normal, as it was my first meeting with this group. I told a bank staffer behind a desk that I was attending THE meeting. He smiled, led me to a basement door, and unlocked it. “Enjoy,” he said, as he turned and walked away. Amazed, I walked downstairs by myself.
Keep in mind that I did not have to sign in or even provide my first name verbally. I was anonymous. And alone.
The concrete stairs emptied into a big, carpeted room, obviously the meeting room. The room had several doors leading out of it, and they were all open. Through one door, I could see several electrical panels. I looked in.
In addition to the unlocked panels, I could see numerous network cables of various lengths hanging haphazardly as they twisted across the ceiling to somewhere important. No network jacks were visible.
Behind door #2 was the employee lounge: table, chairs, refrigerator, magazines, and a bulletin board where interesting bank information was posted. It looked like a second stairway in that room led up to the main floor.
Behind doors #3 and #4 were storage areas, big ones with broken tables, chairs, and boxes. I’d bet that a network jack was in at least one of those rooms, but I didn’t enter any of them; I just observed.
One hallway led to the bathrooms and a drinking fountain. I took a drink and used the men’s facilities.
I returned to the meeting room and sat down. At least 10 minutes passed before any others arrived. I had plenty of time to think about the following:
1. Does the bank have a policy regarding use of its non-public areas? Does the policy address use by outside groups? By bank employees? If a policy exists, is it enforced? Reviewed at least annually?
2. Why are visitors allowed to enter the bank’s non-public facilities without signing in? And unescorted?
3. Why would the room with the electric panel be unlocked? Are the servers, switches, and network devices supplied by one of those panels? Do they have good backups?
4. How much time would someone need to cut one of the network cables, add two RJ45 plugs, and insert a hub between them, giving them network access?
5. How much quicker could someone find a live network jack in one of the rooms? Could they easily hide a wireless access point in one of the unused rooms? How long would it remain undisturbed?
6. How much of the internal bank network traffic is unencrypted?
7. What was in those boxes next to the broken tables and chairs?
8. How sensitive was the information on the bulletin board?
9. Does a bank staffer check the basement after meetings like mine are over to ensure everyone left? Could someone hide in the restroom?
10. Given what I’d already observed, what vulnerabilities exist upstairs on the banking floor? What about the website and online banking application?
11. Do these same problems exist at other branch locations? At HQ?
12. How often are risk assessments done at the branch offices? Would the assessment have caught these issues?
All this reminded me of Robert Redford’s line in Sneakers, when the banker asks him why he was closing his account:
I just had this weird feeling that my money wasn’t safe here anymore.
Read the real-life sequel to this adventure!