RESTON, Va.—Frank Abagnale, Jr. seemed almost disappointed as we chatted about the low level of sophistication he’s observed in the system breaches he’s investigated with the Federal Bureau of Investigation.
In reality, the breaches he’s investigated weren’t the result of some brilliant hack; they happened because someone created a vulnerability that a hacker then exploited. “Someone in every breach did something they weren’t supposed to do,” he explained.
If Abagnale’s name seems familiar, it’s because his life was depicted in the Steven Spielberg movie, “Catch Me if You Can.” Abagnale was played by Leonardo DiCaprio. He captivated an audience of several hundred IT security pros with tales about his life as a con man and forger at the Raytheon Cyber Security Summit here on Dec. 2.
However, for the past 38 years, he has worked full time as an unpaid consultant for the federal government and other law enforcement agencies, primarily the FBI. The FBI got him out of prison on the condition that he work for the agency, and he has stayed with it ever since. He makes his living from speaking engagements, the books he has written and some corporate consulting.
These days, Abagnale works with the FBI on cyber-security investigations including the Target breach, and every other breach since then. He also consults with the federal government in the design of secure software and systems.
His job, he said to eWEEK, is to think like a criminal. “The people designing these products don’t know who they’re designing for,” he said. His job is to tell them what they’re up against, and to then help make sure that all of the possible means of getting past the security product are plugged.
The single biggest hole in the security of most organizations is a lack of training, he said. Abagnale said that few organizations really explain to their employees what to expect when someone is looking to find a weak point that they can exploit. As an example, he told about a test he puts companies through when he comes to talk or to consult.
“I always bring a few USB sticks with me,” he said. “Then, instead of parking in the visitor’s lot, I park in the employee parking lot. When I get out of the car, I scatter those USB sticks on the ground.” Abagnale said that before he starts his talk or his meeting, he checks to see how many of those USB sticks have been used. Invariably, he said, all of them have.
“When they look to see what’s on the stick, there’s a message that this was a test, and they failed,” he said with a chuckle. His test serves a purpose, which is to illustrate to the people at the company he’s visiting that there’s a gap in their training.
Reformed Con Man Frank Abagnale Now Works to Plug IT Security Holes
Abagnale said that companies rarely take the time to really run employees through the scenarios they should expect when someone is trying to find a way into their company. He said that employees need to know what to expect when they get typical leading questions from a variety of sources.
Not only should they be aware of phishing emails, for example, but they should also be aware of leading questions on the phone. He cited a conversation his wife had with a sales agent while ordering something online. He noticed, for example, that she gave her age and her place of birth as part of the conversation. “This is part of what you need for identity theft,” he said he pointed out to his wife.
The same thing can happen at any organization in which seemingly innocent conversations can provide a caller with pieces of information which, when combined with other pieces gathered at different times and from different sources, can provide everything needed to take someone’s identity long enough to create a breach.
Unfortunately, cyber-criminals are getting better every year. Abagnale said that one way this is happening is that call center workers are being paid large sums of money to request personal information, such as social security numbers and birth dates, when they take orders over the phone as part of their jobs.
Then, after they place the order with their employer, they pass the information, including the extra personal data they gathered, to cyber-criminals and collect a nice additional paycheck.
The same goes for situations in which a criminal pretends to be a legitimate caller from the IRS, a bank or another source people are comfortable with, and then asks for personal information. The caller isn’t with the bank or the IRS, and the personal information ends up being used for fraud and, in many cases, in a breach of an otherwise secure system.
Abagnale explained that the real problem in many cases isn’t a lack of access to secure technology. It stems from a lack of security-mindedness. Because employees aren’t trained adequately, they don’t know how to spot a potential problem and they don’t know what to do if they find one. He said that employers need to show employees what they should expect, but he added one more thing.
“Employees will work to help prevent breaches once they understand what they can do,” he said. It pays huge dividends if the employees also realize that their job is important and that they play a critical role in helping keep their organization secure. “The majority of people are honest,” he said.