I used to do audits for private companies with a team. Most of them where black box audits and we were allowed to physically manipulate certain machines in and around the building, as long as we could get to them unnoticed.

Usually when doing such jobs, you get a contract signed by the CEO or the head of security stating that if you're caught, and your actions were within the scope of the audit, no legal action will be taken against you.

There was this one time a company hired us to test their badge system, and our main objective was to scrape the data on the smartcards with a skimmer on the scanner at the front of the building.

It's easy to get to as it's outside and almost everyone has to scan their card there in order to enter the building. They used ISO 7816 cards so we didn't even really need specified tools or hardware.

Now, we get assigned this task. Seems easy enough. We receive the "Stay-out-of-jail"-contract signed by the CEO for Company xyz. We head to the address stated on the contract, place the skimmer etc etc all good.

One of our team gets caught fetching the data from the skimmer a week later (it had to be physically removed). Turns out: wrong Building, wrong company. This was a kind of "building park" (don't really know how to say it in English) where all the buildings looked very similar. The only difference between them was the streetnumber, painted on them in big. They gave us the wrong address.

I still have nightmares about this from time to time. In the end, because the collected data was never used and we could somewhat justify our actions because we had that contract and we had the calls and mails with the CEO of xyz. It never came to a lawsuit. We were, and still are pretty sure though that the CEO of xyz himself was very interesed in the data of that other company and sent us out to the wrong building on purpose.
I don't really know what his plan after that would have been though. We don't just give the data to anyone. We show them how they can protect it better and then we erase everything. They don't actually get to see the data.

I quit doing audits some time ago. It's very stressful and I felt like I either had no spare time at all (when having an active assignment) or had nothing but spare time (when not on an assignment). The pay also wasn't that great.

But some people just really are polished turds.

  • 3
    This rant gave me anxiety.
    So I have a question, can you guys not file a case against that CEO of XYZ if he knowingly gave you the wrong address?
  • 3
    @notSoCoolGuy We could, but it is almost never Worth suing a company bigger than yourself. They would also have a strong case if they stated we were not competent enough to figure out that that address was in fact not correct. If an audit ends in an unexpected way, it's almost never something that ends in court/with the Police. Most of the time some sort of agreement is made. In this case we upgraded the badge system for the "victim" company for free and we agreed to not ever do audits for company xyz and their associates ever again.

    I've done quite a few audits but this is the only one where I was actually scared for my career.

    Having a crime in your file is very bad when you work in security.
  • 0
    @LameCode20 I feel you, I also used to work with security(larms) even a small offense can give you big grief
  • 3
    @LameCode20 How the hell were you at fault and responsible for damages when you did everything you were asked? XYZ provided the wrong address; XYZ is at fault.

    If in your country they can make a case for your incompetence, you could make thrice the case for their own incompetence. How did XYZ not even know their own bloody address?

    They should be responsible for the other company’s intrusion and paying you for the audit.
Add Comment