Gartner®: Avoid Mobile Application Security Pitfalls

GET REPORT

Hacker breaks down how they hack into banks - with Jason Haddix

Jason Haddix is a legendary penetration tester and hacker. In this clip he shares how he managed to hack into several different banks, the methodology his teams would use, and some stories from real-life scenarios.

Video Transcript

Maybe a little bit out of left field: I've heard that you've hacked into a bank with some teams.

Yeah.

How do you start?

I mean, I've actually targeted a ton of banks in my history, through full-scope red teaming, through bug bounty, through just application pen tests and stuff like that. So a bank is no different than any other enterprise, and in fact in some ways is worse or better than some other enterprises.

My first job was where I had the most exposure to hacking banks, and our basic methodology was to profile all of the employees at the bank and target them for phishing, right? If it's a big bank there's a lot of opportunity there to profile the technology they use for email, what type of filters might be in place, and what type of protections might be in place, so we could try to get around that, and then send out phishing campaigns to try to get from external to internal and pivot and install, like, a back door, C2 malware or something like that.

Eventually, when that wouldn't work, we would do physical reconnaissance on the bank to understand what their physical security controls were: hours of operation, when employees left, when people were doing the deposit drop-offs, where they held their shred bins, where their trash was, all that kind of stuff. As part of Redspin we would do the external and try to phish, and then also look for any application vulnerabilities, right? We found many banks who had web application flaws where we were able to get into things we weren't supposed to.

But some of the more fun stories I have are actually the physical things. I remember on one of the credit union engagements we were part of, we literally just waited for somebody to come to the back alley of this bank to open the door. We walked up in a shred-man uniform of the company that managed the shred bins. We had found a shirt at a thrift store that looked like the same color, it was a button-up, and we made our own patch for it. We walked in, said we were here to pick up the shred bin, they hadn't locked it physically to the premises, and we just walked out, put the shred bin in our truck and took off. Inside the shred bin nothing had been shredded, and it had a bunch of passwords on sticky notes and all this kind of stuff. So immediately we got more access than pretty much we had gotten through the phishing campaign and the external and stuff like that.

That's the kind of stuff that can happen. Always wear a hat so that the overhead cameras can't identify you, dress the part, have the confidence to social your way in there. As part of those, I've also dumpster dived in the rain, where I'm in the trash and it's nasty and I'm digging through trash bags to find credentials and stuff. When you're doing those kinds of physical assessments, it's not always glamorous. Sometimes you're falling through things, sometimes you get caught. But some of the better stories are ones like that, where we pulled off some other stuff.

I write up some of my hacking exploits. I obviously nuke the names of the customers, but I talk about them and how I did them. One of the stories that I wrote about, some are as easy as this: I disassembled a mobile app and found a hard-coded credential in a mobile app for a major bank, and wrote that password down. Then I was doing recon on their whole web footprint, which was massive, found a couple of sites where that credential worked, logged into those, pivoted from there, found an S3 bucket I had access to, managed to grab a whole bunch of pictures of checks, managed to pivot to the internal network of the bank, and then it was off to the races from there.

So really every test is different, but one of the things I tell testers is: always write down credentials that you find, because if they don't work where you are, they will work somewhere else eventually. So don't just discard them.

Thank you.