
Dumpster Diving Can Uncover Valuable Client Data

7/21/2011

Believe it or not, a wealth of information can be found in the dumpsters behind financial institutions. Dumpster diving has uncovered information such as account numbers, loan files, GL entries and much more. Banks are required to have a social engineering assessment performed every 12 months, but to be thorough, they should consider including a test of outside garbage receptacles in the assessment. Garbage receptacles may contain a wealth of information that crackers ("crackers", not "hackers", is the proper term for the "bad guys") can use to their advantage. Banks will try to secure their containers behind a lock and key. Banks will shred all paper and magnetic material prior to disposal to ensure that the items going curb-side are properly destroyed. Or do they?

One tactic we use to unlock a secured garbage receptacle is quite simple. We wait for the garbage truck to arrive, then as they unlock the security chains, we simply approach them and explain that we work for the bank, and a customer lost a wallet. Would they mind if we grab a few bags out of the dumpster to search for the wallet?

As we rummage through the bags, we are looking for a number of items that would appear to be harmless and thus not worthy of shredding. Customers' return addresses on envelopes, for example. A cracker now knows that these people send payments to the bank. Those customers could then in turn be phished for information, as a cracker would pose as a loan officer and use readily available technology to make a call appear as if it is coming from a bank phone number.

Carbon copies are often not shredded. Finding an unshredded carbon copy can yield customer names, account numbers and signatures.

There are times when documents put through a shredder are not fully destroyed. Some shredding machines require that material be fed into the machine at a 45 degree angle, with a maximum of 10 pages per pass. Sometimes we will find reams of sensitive banking statements forced through the shredder. This lump of paper will pass through the shredder; however, because the bank employee attempts to be more efficient, the end result is paper containing sensitive information that is not destroyed.

Birthday lists and internal phone number lists, even outdated ones, are very useful to crackers. Sticky notes, desktop calendars and desktop blotters with passwords written on the back, scratch paper and old notebooks all contain information that crackers can use against the bank or its customers, and they are often improperly disposed of. People assume that notebooks with metal spiral binders cannot be shredded, so they are simply thrown away.

Disgruntled employees may clean out their desks and dump information directly into the trash can. Has your bank considered adding an accounting of the employee's written data and notebooks to the employee exit process?

Taken alone, these tidbits of information may not mean much, but to an experienced cracker they can be pieced together to cause serious damage. Technical controls, compliance, policy and procedures are quantifiable. However, people remain the greatest threat to banking. Does your bank sample trash at its various locations from time to time?

During your next IT exam, insist that these controls are included in the scope of the assessment.