RESTON, Va.—Frank Abagnale, Jr. seemed almost disappointed as we chatted about the low level of sophistication he's observed in the system breaches he's investigated with the Federal Bureau of Investigation.
In reality, the breaches he's investigated weren't the result of some brilliant hack. Rather, someone created a vulnerability that a hacker then exploited. "Someone in every breach did something they weren't supposed to do," he explained.
If Abagnale’s name seems familiar, it's because his life was depicted in the Steven Spielberg movie, "Catch Me if You Can." Abagnale was played by Leonardo DiCaprio. He captivated an audience of several hundred IT security pros with tales about his life as a con man and forger at the Raytheon Cyber Security Summit here on Dec. 2.
However, for the past 38 years he has worked full time as an unpaid consultant for the federal government and other law enforcement agencies, primarily the FBI. The FBI secured his release from prison on the condition that he work for the agency, and he has stayed with it ever since. He makes his living from speaking engagements, the books he has written and some corporate consulting.
These days, Abagnale works with the FBI on cyber-security investigations including the Target breach, and every other breach since then. He also consults with the federal government in the design of secure software and systems.
His job, he told eWEEK, is to think like a criminal. "The people designing these products don't know who they're designing for," he said. His role is to tell them what they're up against, and then to help make sure that every possible means of getting past the security product is plugged.
The single biggest hole in the security of most organizations is a lack of training, he said. Few organizations, according to Abagnale, really explain to their employees what to expect when someone is looking for a weak point to exploit. As an example, he described a test he puts companies through when he visits to speak or to consult.
"I always bring a few USB sticks with me," he said. "Then, instead of parking in the visitors' lot, I park in the employee parking lot. When I get out of the car, I scatter those USB sticks on the ground." Before he starts his talk or his meeting, Abagnale said, he checks to see how many of those USB sticks have been used. Invariably, he said, all of them have.
"When they look to see what's on the stick, there's a message that this was a test, and they failed," he said with a chuckle. The test serves a purpose: it shows the people at the company he's visiting that there is a gap in their training.