If you’re even slightly concerned about the privacy of your personal information, Jim Stickley is your worst nightmare.
The chief technology officer of TraceSecurity, a risk management firm based in Louisiana, breaks into banks and steals their customers’ most confidential information, such as Social Security numbers and the details of their banking transactions. He could take your cash too, but says you probably have less money in your account than he could get by starting new credit in your name.
Lucky for you, Stickley is honest and doesn’t use your information to apply for credit. Instead, he gives the stolen data back to the banks he’s taken it from with a stern lecture about security procedures. So what makes him such a nightmare?
His company has been hired by more than 1,000 banks to test their security measures, and there wasn’t one that he wasn’t able to break into. He generally doesn’t employ complex measures to do it, either. It can be time-consuming, he says, but easy.
His methods read like a scene out of the movie The Italian Job. He will call the targeted bank office, often posing as a pest control technician, fire inspector or electrician. It might take a few phone calls, but he’ll eventually find an unsuspecting bank employee willing to give him plenty of information about the real provider of the office’s pest control or electrical services. He uses that information to further break down the bank’s defenses.
If he knows who provides pest control services for the bank, for example, he can find out when they last serviced the branch. His next step is to come up with a plausible excuse for coming back—maybe a free review of the company’s past work or a semiannual inspection.
“The hardest part of robbing a bank is getting in,” Stickley says. “If they don’t expect you to come, they’re on their guard. But when you come in with an appointment, wearing a uniform, they’re not.”
Once in, the main goal is to get the bank employees to leave him alone.
“When they go away, I start stealing everything I can,” he says. “If you can get the backup tapes, you throw those into your little gear bag and you have everything you need. If I can’t find that, I can drop a CD-ROM in a computer drive and Trojan their computers. Now we can control that computer from our corporate offices.”
Another gizmo in Stickley’s bag of tricks bypasses the bank’s computer firewall, allowing him to get around all of its Internet security.
On occasion, bank employees do what they’re supposed to and keep an eye on him the entire time he’s in the branch, he says. More often, they leave him to do his “job.”
“If the employee truly escorts us, there is nothing I can do,” Stickley says. “But if I can get access to one location, they’re all networked, so I can get whatever I want.”
Where does that leave you, the bank customer? At risk, Stickley says.
If his firm can break into your bank without breaking a sweat, others can too. And unless you’re ready to turn into another Unabomber and hide all traces of your identity, going without a bank account is impractical.
So what can you do?
Watch your accounts: If you’re an online banking customer, check your account each day and just make sure there’s nothing amiss. If you don’t bank online, make sure you read through every monthly statement. The same holds true for credit cards. If you see a transaction you don’t recognize, call and find out whether it’s something you forgot or if it’s a sign of fraud.
Look for warnings: If you get a big spike in mail offering financial products, such as credit cards, mortgage services or personal loans, that can also be a warning sign, Stickley says. If you haven’t checked your credit lately, a surge in financial offers should tell you that it’s time.
Monitor your credit report: There are companies that do this for you for a fee, but you can do it yourself for free. Federal law requires that each of the three major credit reporting bureaus—Experian, TransUnion and Equifax—provide one copy of your credit report to you for free each year.
You can get this free copy at annualcreditreport.com. If you’re nervous, go to the site every four months and just alternate the company from which you request the report. Signs that somebody’s misusing your personal information include unfamiliar home addresses on that report or credit accounts that you don’t recognize.
Issue a fraud alert: If you see either of those problems, call the credit bureaus and place a fraud alert on your file. This requires credit grantors to call you at whatever phone number you specify before issuing new credit in your name.
Call the cops: If you see signs of fraud, call the police and file a report. That’s the first step that you need to take to have inaccurate items removed from your report and stop crooks from using your identity to charge it.
The price of convenience is eternal vigilance, Stickley says. “You’ve really got to pay attention.” Kathy Kristof’s column is syndicated by Tribune Media Services. She welcomes comments and suggestions but regrets that she cannot respond to each one. E-mail her at firstname.lastname@example.org.