MINNETONKA, Minn. - It’s a typical Tuesday for Ben as he logs into his computer at work and starts to hack into a Fortune 500 company.
“If I take control of this, I take control of the modem at the bank,” said Ben, whose real name we are not using to protect his identity.
It’s dark, except for the blacklight and three LED Christmas light strings spraying dots of vibrant color across the ceiling of the 12-cubicle office.
Ben is a senior information security analyst at Minnetonka-based FRSecure.
You could also call him an ethical hacker or a legal burglar, because essentially, he gets paid by companies to break in and steal their information, then report back how he did it.
“To be an attacker you got to think like the attacker,” he said.
He has stolen health records, trade secrets, social security numbers, you name it. He says he has stopped counting how many businesses he has hacked. He can also speak binary coding language with his fingers (meaning, he knows computer code sign language).
“That's one of the things that sets us apart from the bad guys, we have rules,” said Evan Francen, CEO of FRSecure, who started the company 10 years ago.
In that time, the business of benevolent burglary has boomed, growing from just one employee to 72.
“They might be doing some phishing attacks, they might be doing some penetration tests, they might be doing some reconnaissance on the next test they are going to run,” said Francen while overlooking the hackers at work.
The idea is to find any seam or weakness a company has and patch it before a hacker strikes.
Just last year, there were 1,579 data breaches in the U.S., a record, according to the Identity Theft Resource Center.
According to a report by Shape Security, last year more than 2.3 billion credentials from 51 different organizations were reported compromised.
But protecting businesses from online hacks is only part of FRSecure’s business.
“We have a saying: It's easier to go through your secretary than it is to go through your firewall,” said Francen.
Francen says that businesses are most vulnerable because they have people. A firewall with passwords and two-factor authentication can be quite secure; it is the employee who is always more vulnerable.
In one undercover video, a construction worker escorts Ben through a secure door while saying, “Yeah, I was told a three-piece suit or some bum off the street, don't let them in unless they have clearance, so.”
In another video, Ben has gotten inside a company’s building and is looking to access the data center. In the video, a manager sees Ben’s fraudulent badge not working on the keypad to the server room. The manager then asks if Ben was the person who needed the new laptop. The manager proceeds to unlock the door with a higher-level badge and then types the room’s four-digit passcode in front of the undercover camera, giving Ben access to the business’s most sensitive data room.
“I could grab that, clone the badge, go back and have his code and have complete unescorted access into their most secure facility,” said Ben.
Sometimes, he doesn't even need to show up.
Ben played a taped phone conversation between him and a human resources manager at a Minneapolis business, whom Ben cold-called. He tells her he is a contractor trying to get employees' confidential ID numbers - which is actually the truth, Ben mentions.
At first, the manager asks the right questions.
“OK, what is your name again? Are you downstairs?” she asks. “I haven't heard of this going on so I wanted to make sure I'm not giving out information I'm not supposed to.”
A few questions later, she gives up the information.
I asked Francen if he’s ever been arrested while doing these tests.
“Booked and charged? No. Arrested, yes,” he said.
His team carries a note from the company they're breaking into, with a phone number for the boss, in case security or the police question what they are doing. They say it does have to be used on occasion.
So, why help companies when you have the know-how of any top-level nefarious hacker?
Why go the Superman route instead of the villain route?
“I love people. I love helping people. I hate cheating. I hate when people take advantage of other people. It bothers me. I take it personally,” said Francen.
So he's made his life's work personally breaking in, to keep the real criminals out.
Here are a few more stories from Ben and other "ethical hackers":
Ben shares the story of a CEO who thought his company's security was rock solid. But Ben and his team got right in.
"We tailed some of the IT personnel with badges. Found out that they had a bowling night. We pocketed one of the badges while they were bowling, went back to the office, and with that badge we had full access," said Ben.
When they were done, they simply slipped the badge back to the employee at the bowling alley.
Here's another con Evan Francen, CEO and founder of FRSecure, says works all the time to get into businesses: dressing up like an exterminator. Francen says he "got a clear plastic specimen box, put a scary-looking spider in it."
He then walked up to the front desk saying he was called to exterminate them. “Are there places around here that have high heat like a server room or electrical closet?” Francen said he would ask the receptionist. He said, every time, a person would lead him to the data security room where he would be left alone with a company’s most secure data.
Francen recalls once being questioned by a police officer while digging through a dumpster behind a company he was testing. He told the officer that he was hired as a contractor to test the company’s security. The officer bought it, and soon, Francen says, the officer was helping him in the search for sensitive documents.