So that’s how I pwned a bank.

His identity is hidden by shadowy lighting. An anonymous hacker brags on-camera about how easily he broke into a bank, both literally and figuratively.

In this two-minute video, the hacker recounts how he hovered by the bank’s entrance just after closing time. He opens the front door by aiming a can of air at the lock’s infrared sensor, which responds to changes in temperature. Inside, he plugs a wireless ‘bug’ into an outlet. The next day, he uses the bug to hack into the bank’s IT system from his car in the parking lot.

“By the time I was done, I could make my own accounts. I could do all sorts of things,” he says. “So that’s how I pwned a bank.”

Although the hacker’s identity is obscured in the video, the bank (its identity also hidden, for obvious reasons) actually paid him to break in. The financial institution hired his company, Boston-based Rapid7, specifically to find blind spots in its cybersecurity. As proven by the Rapid7 video, the mission had been accomplished.

An old Irish proverb from the 1530s says, “The devil you know is better than the one you don’t.” Almost 500 years later, companies are similarly putting their own IT systems to the test, hoping to spot and fix infosec vulnerabilities before real hackers can do irreparable damage.

White hat hacking

What Rapid7 did at the bank is known as ethical or ‘white hat’ hacking. It’s more formally known as penetration testing, or ‘pen testing’ for short.

As explained on TechTarget, pen testing “is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit.”

“The process involves gathering information about the target before the test, identifying possible entry points, attempting to break in – either virtually or for real – and reporting back the findings,” Margaret Rouse writes. “In a pen test, the good guys are attempting to break in.”

The irony is that ‘white hats’ use the same hacking techniques as ‘black hats,’ the bad guys who hack for the purposes of theft, fraud, vandalism, bragging rights or just twisted thrills.

Sometimes, as in the bank’s case, hackers do this with the full knowledge and permission of the targeted organization. On other occasions, so-called gray hat hackers find IT vulnerabilities on their own (sometimes accidentally), and report the bugs to the appropriate developers or site owners.

The irony is that ‘white hats’ use the same hacking techniques as ‘black hats,’ the bad guys who hack for the purposes of theft, fraud, vandalism, bragging rights or just twisted thrills. Like Luke Skywalker, however, white hats use their powers for good instead of evil.

Hackers for hire

Hiring white hat hackers is a common strategy for testing security measures. Rapid7 performs more than 1,000 pen tests on clients’ IT systems every year, though not all are as dramatic as the bank cyberheist.

Ethical hacking has become a lucrative industry. Rapid7 is just one of many firms offering such services. Another, RedTeam Security, was hired in 2016 to test cybersecurity at an undisclosed utility company in the U.S. midwest. When RedTeam successfully hacked into the facility, it raised concerns about the cybersecurity of public power grids.

Santiago Lopez poses with the new car he was able to buy with the $1 million bounty.

Even individual white hats can make big money. In 2018 Santiago Lopez, a 19-year-old from Argentina, became the first hacker to collect more than $1 million in bounties from HackerOne. The cybersecurity platform pays money to ethical hackers who find security flaws for clients such as Google, Twitter, General Motors and the U.S. Department of Defense. Over 330,000 ethical hackers and 1,200 clients use HackerOne, which paid out $19 million in bounties last year to white hats who discovered 250 security holes.

An inside job

Companies don’t always have to put pen testing in the hands of outsiders. There are many DIY tools and solutions available, including automated programs to scan for malicious code, vulnerable applications and weak encryption, usernames or passwords. Companies can even test and educate their staff with fake phishing emails.

Phishing was named the top internal cybersecurity risk to companies in CA Technologies’ 2018 Insider Threat Report. Insider threats originate from trusted actors within an organization, like employees, partners, suppliers and customers. While insider threats can be malicious (i.e., instigated by a disgruntled employee), most are accidental (like that phishing email you clicked on that one time at work).

Whether a company hires a white hat hacker or does its own pen testing, it should consider both external and insider threats. It should also look for threats that aren’t just digital, including physical vulnerabilities (like that can of air that opened the bank’s front door). Another non-digital threat is social engineering, which exploits human nature to trick people into doing things that compromise cybersecurity.

Want to see social engineering in action? In this video, an infosec pro fools a client’s employee into divulging his staff security badge number over the phone. Don’t worry if you’re short on time; the video, like the hack itself, is shockingly quick.