Social-Engineering Bank Robbery

Two of them:

On Wednesday, a man dressed as an armored truck employee with the company AT Systems walked into a BB&T bank in Wheaton about 11 a.m., was handed more than $500,000 in cash and walked out, a source familiar with the case said.

It wasn't until the actual AT Systems employees arrived at the bank, at 11501 Georgia Ave., the next day that bank officials realized they'd been had.

[...]

And on Thursday, about 9:30 a.m., a man dressed as an employee of the security company Brink's walked into a Wachovia branch in downtown Washington and walked out with more than $350,000.

The man had a badge and a gun holster on his belt, said Debbie Weierman, a spokeswoman for the FBI's Washington field office. He told officials at the bank, at 801 Pennsylvania Ave. NW, that he was filling in for the regular courier.

About 4 p.m., when the real guard showed up, a bank official told him that someone had picked up the cash, D.C. police said. The guard returned to his office and told a supervisor that he did not make the pickup at the bank. The supervisor called a Wachovia manager, who in turn notified authorities. Police were called nearly 11 hours after the heist.

Social engineering at its finest.

EDITED TO ADD (1/16): Seems to be an inside job.

Posted on January 16, 2008 at 6:36 AM • 39 Comments

Comments

Paeniteo • January 16, 2008 7:16 AM

I am amazed that the stuff we all have seen "Faceman" doing in "A-Team" actually (still) works.

From relatives working in retail stores I know that they have lists with the "allowed" couriers, including pictures. You're not on the list, the money stays in the safe (and the courier firm gets nasty calls for not keeping the list up-to-date).
And the amounts of money they handle there are much much smaller than what was stolen here.

SteveJ • January 16, 2008 7:22 AM

Banks are probably better-insured than retail stores, so they can better afford to give away cases of cash to criminals...

Anonymous • January 16, 2008 7:47 AM

At face value, something had to be out of place or missing from the courier's uniform or appearance.

Joe • January 16, 2008 7:53 AM

"My experience has been that we all keep a very close eye on uniforms and company IDs," [Kyle Patterson, chairman of the board of the Independent Armored Car Operators Association] said.

Good idea. Because no one could possibly fake a uniform or company ID.

Anonymous • January 16, 2008 8:05 AM

Georgia Ave in Wheaton and Silver Spring, MD is lined with banks. I think there are more than 8 banks in two blocks as you get closer to DC. I'm surprised they only hit one.

sooth_sayer • January 16, 2008 8:14 AM

"Georgia Ave in Wheaton and Silver Spring, MD is lined with banks. I think there are more than 8 banks in two blocks as you get closer to DC. I'm surprised they only hit one."

Hey .. there is so much money gushing out DC they hardly can give it away .. go get some, you might have to dress up as a congressman; and they won't even report it missing.

Andrew • January 16, 2008 8:23 AM

My daughter is a teller at a downtown bank, and they know the armored car crew by name and face and voice, as well as time of pickup. No one can just show up and say they are "filling in" and get a dime until the branch manager has called headquarters (note: NOT the other way around) and verified all sorts of things. Even if the real crew shows up at the wrong time, or the wrong crew member comes in for pickup, the call is made.

bob • January 16, 2008 8:29 AM

Never liked the idea of ID cards, since (in most cases) the person doing the authentication has no idea what a real one should look like. Like if someone comes to my house and says they are a sheriff's deputy and shows me a badge/card. Unless it says "mattel" on it I got no idea if it's real or not. (does mattel still make toys?)

David • January 16, 2008 8:30 AM

Kudos to Andrew:

This is exactly right. Behind the counters at most banks are the photo IDs of all the valid money couriers. Unless it's an inside job this can't happen. If it is an inside job they know who did it.

FNORD • January 16, 2008 8:34 AM

@Anonymous:
"Georgia Ave in Wheaton and Silver Spring, MD is lined with banks. I think there are more than 8 banks in two blocks as you get closer to DC. I'm surprised they only hit one."

Maybe only one bank was stupid enough to fall for it, where the rest employed security procedures like those described by other commenters. Or, they had a confederate at just that bank to be "fooled" by their trick.

Harry • January 16, 2008 8:47 AM

@bob: if an apparent law enforcement officer showed up at my house, I know I could face the dilemma of either letting in someone based on ID I could not verify on sight, or annoying a LEO by getting his badge & district # and checking on his bona fides.

I hope I would choose the latter, and sometimes practice the scenario in my head. But it would take strength of will to make it happen.

Anonymous Coward • January 16, 2008 8:56 AM

Funny, but I can't get over the fact that in the second heist, the cops weren't called until 11 hours later...

Brinks guy: Hi, I'm here for the money.

Bank guy: Oh, some other dude picked it up already.

Brinks guy: Oh, okay... Take it easy then.

Bank guy: Same to you.

(later, at Brinks HQ...)

Brinks guy: Hi boss, how's it goin'?

Brinks boss: Pretty good, thanks. How'd that pick up go?

Brinks guy: Oh, some other guy had already picked up the cash...

Brinks boss: You're kidding right?

Brinks guy: Uh...

All I have to say is thank goodness for the FDIC.

The Other Andrew • January 16, 2008 9:29 AM

SteveJ >> Banks are probably better-insured than retail stores, so they can better afford to give away cases of cash to criminals...

Anonymous Coward >> All I have to say is thank goodness for the FDIC.

Yup. Poor security generally ends up being taxpayer funded, once one traces it back. Most of the risk for this transaction is paid for by you and me.

I can neither confirm nor deny that a signature and picture list is used for this type of transaction. Doesn't anyone else think it's odd that their bank uses better security to give them $500 than the same bank's managers use to give a courier service $50K?

As for couriers, the real test is "Did they bring a truck?" These are very hard for even authorized personnel to get their hands on, let alone bad guys. For a plethora of excellent reasons.

The Other Andrew • January 16, 2008 9:42 AM

@Harry

Except in an emergency, no peace officer will object if you call his agency to verify his employment. Uniforms are cheap (galls.com) and patches can be obtained on ebay, patch collectors and/or forged from photographs. Undercover / plainclothes officers know that IDs are easily forged and badges are freely available, so they will not object if you call the police and ask for a marked unit to come out.

Even in an emergency, a real peace officer has no objection to you calling 911 from inside your house or locked car. (On the street you shouldn't be handling weaponlike objects and in most cases wouldn't reach a dispatcher on your cell phone in a useful time frame anyway.)

Now if you're pulled over by a clearly marked unit with a full light array, driven by a sharply dressed officer carrying a working radio, the odds are that it's a legit stop and that you're going to traffic school.

Trust your intuition. If as a layperson you think it's odd, that is something you can explain to the officers if it turns out you were wrong. The other way around is a much less fixable mistake.

Anonymous • January 16, 2008 9:45 AM

@Jon

Inside jobs can also be social engineering, although this gang was spectacularly inept.

"Other employees said they saw no 'AT' patch on the man's clothing, just an all-black outfit, with a black hat, gun belt and semiautomatic handgun. They also didn't see a badge, Pak wrote. Bank video corroborated their accounts, according to the charging documents."

Heh.

Rich • January 16, 2008 9:56 AM

@ the Other Andrew
"Now if you're pulled over by a clearly marked unit with a full light array, driven by a sharply dressed officer carrying a working radio, the odds are that it's a legit stop and that you're going to traffic school."

Correct, the odds are it is legit. However, exceptions exist. About ten years ago in my locale someone made at least two stops with full uniform and full light array (at night which allows some imprecision). All he did was give a warning. He was never caught. It was really weird.

Harry • January 16, 2008 10:07 AM

@ The Other Andrew - you should be right. But given the variability of human nature and the possibility of someone simply having a bad day, I have to accept the possibility that being careful would piss the cops off.

If I'm an innocent witness or they're canvassing the neighborhood, they're less likely to be annoyed. If I'm a suspect, they're going to be anti-Harry to start with, and this isn't going to help.

Sometimes things seem odd only in retrospect. Such as when I was pulled over at night for having a nonworking headlight in a borrowed car, the cop asked me to sit in his car while he filled out the ticket. Only later did it occur to me that I should have said no.

Kevin • January 16, 2008 10:40 AM

The robber still left some trace: his face on the camera - unless he can get some insider's help to wipe out the video.

How this simple attack worked makes it look like an insider job.

Mike • January 16, 2008 10:54 AM

In the state that I am from, we had a situation where there was a guy that was dressed up as a police officer. He had the uniform, a badge, and a car. He would stop people and rob them. In a specific instance, he raped a woman.

This instance just shows that it is possible to get convincing uniforms and badges. It got so bad that the police suggested that citizens *not* pull over in any place that was secluded. They encouraged citizens to pull over in gas stations and whatnot. The guy was finally caught. However, for the 6 months that he was on the loose, every police car was regarded with skepticism.

wheaton resident • January 16, 2008 10:55 AM

sooth_sayer: "Hey .. there is so much money gushing out DC they hardly can give it away .. go get some, you might have to dress up as a congressman; and they won't even report it missing."

Uh, no. Wheaton is not an affluent area. Suburban, pleasant enough if a tad homely, but definitely not affluent, and situated well outside DC. I oughta know--I live there (here).

So kindly pull your head out of your butt.

Keith • January 16, 2008 11:09 AM

This was done on a BBC TV show called "The Real Hustle", but on a series of retail outlets rather than banks. They watched the trends of the cash pickups, worked out the earliest and latest times the van would arrive, dressed up as the guards and arrived at exactly the earliest time allowed. The staff, of course, handed over the cash drawer contents and they walked away. It was two hours later when the real security guys arrived that the fraud was noticed.

Keith • January 16, 2008 11:13 AM

@Kevin:
"The robber still left some trace: his face on the camera - unless he can get some insider's help to wipe out the video."

If he was wearing the regulation (in Europe, where these guards aren't usually armed) anti-attack helmet, his face won't be properly visible.

Worthless Cameras • January 16, 2008 11:34 AM

@Kevin and Keith:
"The robber still left some trace: his face on the camera - unless he can get some insider's help to wipe out the video."

"If he was wearing the regulation (in Europe, where these guards aren't usually armed) anti-attack helmet, his face won't be properly visible."

Security cameras are worthless in preventing crime anyway. We all know that. That's why the banks have them.

uhoh • January 16, 2008 11:37 AM

If the US Government can't afford to pay Social Security or Medicare will it be able to cover FDIC?

andyinsdca • January 16, 2008 11:59 AM

I used to work for an armored car company as a driver/courier/guard, so I'm getting a kick out of these replies.

Durable Alloy • January 16, 2008 12:16 PM

@AC,mpeg31337:

The FDIC doesn't cover losses due to theft or fraud (according to Wikipedia).

Money From Thin Air • January 16, 2008 12:25 PM

@mpg31337

"The FDIC isn't tax-payer funded. Banks pay for the insurance."

Right. Just like the banks paid for insurance from the Federal Savings and Loan Insurance Corporation (FSLIC).

That didn't cost taxpayers 150 billion. Oh, wait.

uhoh • January 16, 2008 1:44 PM

Read the website a bit closer.

When the US government is unable to meet its financial obligations (because of medicare, social security, and runaway government spending) and there is a run on the banks, what will happen? The FDIC's $49 Billion of insurance money is kept in US Treasury securities, which will be worthless if the US Government can't pay them off. They're currently insuring $3 Trillion worth of deposits (which is more than the $49 billion they have set aside). If the FDIC can cash their securities, will it be first come, first serve in paying out the claims? How long do you think it will take for the US government to pay this out during a national panic (think about the Katrina response for a few minutes before answering)?

./er • January 17, 2008 1:19 AM

Inside job or not, this still seems stupid. One teller is allowed to pick up 500K? Can anyone say time lock?

Anonymous • January 17, 2008 3:48 AM

> If he was wearing the regulation anti-attack helmet

What's that? I am from Europe and have never seen one.

> (in Europe, where these guards aren't usually armed)

Says who? Many of them are armed. Depending on the country they might be armed with full-auto assault rifles!
Don't over-generalize! Europe is a damn big place.

C Kruger • February 18, 2008 6:01 AM

In the UK they are not generally armed and have very dorky looking helmets that look like they are designed to protect the wearer from head injuries. Often, I was surprised to notice - they look pretty scruffy.

In Germany, Austria and France I've seen them pretty heavily armed and well uniformed.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.