USB Drop Penetration Test Highlights Ongoing Human‑Factor Risk at Credit Unions
What Happened — Dark Reading revisited a 2000‑era penetration test in which a security researcher left rigged thumb drives in a credit‑union parking lot. Curious employees plugged the devices into their workstations, triggering malware that demonstrated how easily a simple USB drive can compromise a network.
Why It Matters for TPRM —
• Physical‑social engineering remains a low‑cost, high‑impact attack vector.
• Third‑party risk assessments must include policies for handling unknown removable media.
• Failure to control USB usage can lead to data exfiltration or ransomware infection across the supply chain.
Who Is Affected — Financial services (credit unions, banks), any organization that permits employee use of removable media, and their third‑party technology providers.
Recommended Actions —
• Enforce strict USB device control (disable autorun, whitelist approved devices).
• Conduct regular employee awareness training on “USB drop” attacks.
• Deploy endpoint detection and response (EDR) solutions that monitor removable‑media activity.
• Include USB‑policy compliance checks in third‑party risk questionnaires.
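One way to put the removable‑media monitoring and device whitelisting above into practice, as an added example that is not from the Dark Reading article: a Python check that reads Linux kernel USB enumeration messages and flags any mass‑storage device whose vendor/product/serial triple is not on an approved list. The log lines and the allowlist below are constructed for illustration.

```python
import re

# Constructed sample syslog lines (kernel USB enumeration), not captured from a real host.
SAMPLE_LOG = """\
Mar 03 09:12:41 ws-17 kernel: usb 1-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Mar 03 09:12:41 ws-17 kernel: usb 1-1: SerialNumber: 0C1A2B3C4D5E
Mar 03 09:12:42 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 03 09:47:03 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
Mar 03 10:05:19 ws-17 kernel: usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar 03 10:05:19 ws-17 kernel: usb 1-3: SerialNumber: 0123456789
Mar 03 10:05:20 ws-17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of issued drives, keyed by (idVendor, idProduct, serial number).
APPROVED = {("0951", "1666", "0C1A2B3C4D5E")}

NEW_DEV = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def find_unapproved_storage(log: str) -> list:
    """Return one alert dict per mass-storage device not on the allowlist.

    Enumeration arrives as several lines per device, so state is kept per
    USB port until the usb-storage driver claims the interface.
    """
    devices = {}  # port -> {"vid", "pid", "serial"}
    alerts = []
    for line in log.splitlines():
        if m := NEW_DEV.search(line):
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "serial": None}
        elif (m := SERIAL.search(line)) and m["port"] in devices:
            devices[m["port"]]["serial"] = m["serial"]
        elif m := STORAGE.search(line):
            dev = devices.get(m["port"])
            if dev is None:
                continue  # storage interface on a device we never saw enumerate
            if (dev["vid"], dev["pid"], dev["serial"]) not in APPROVED:
                alerts.append({"port": m["port"], **dev})
    return alerts
```

Non‑storage devices such as the receiver on port 1‑2 are deliberately ignored; the check is scoped to the thumb‑drive scenario the test describes.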
Technical Notes — Attack vector: physical USB drop (social engineering) leading to malware execution; no specific CVE involved. Potential data types at risk include credential stores, internal documents, and network‑access tokens.
Source: Dark Reading – How the Story of a USB Penetration Test Went Viral