CEO at Stickley on Security; and Mahalo Banking
By Roy Urrico
Jim Stickley has hacked credit cards, phone lines, and Social Security numbers, and breached banking and government facilities. But he is no criminal. For over 25 years, Stickley has made cybersecurity his business and taught organizations and individuals how to make it theirs.
Stickley continues his focus on helping organizations reduce security risks. As founder and CEO of Stickley on Security (SoS), he provides meaningful education and awareness solutions for employees and customers.
Stickley also serves as the CEO for Mahalo Technologies — a mobile and online banking partner for credit unions. Mahalo provides a platform designed and built on robust and secure feature sets across all delivery platforms for a “true” omnichannel experience.
Hacking Inherently Learned
Stickley, who grew up and still resides in the San Diego, Calif. area, admits that he learned how to break into computer systems at a young age. “I got my first computer when I was 12. That was back in 1982. It was a Texas Instruments TI 99. It just turned out I had a knack for programming.” With a penchant for learning new computer languages, he was able to pick up some development work for corporations as a teenager.
Then while in high school, Stickley learned how to hack phone systems (by accident). “You used to have to pay a toll if you called any other place. Remember this is before the internet, so everything was on a BBS (bulletin board system).” This required one computer calling another computer via a phone line. “You could rack up quite a phone bill for your parents' phone if you did not know any better.”
So Stickley researched phone systems. He would ride his bike around town until he spotted an unattended Pac Bell (Pacific Bell) van. “I would climb in and borrow all their manuals and take them home and study all their phone systems. I learned free codes allowed me to call anywhere in the world. Once I learned what free codes were, it was very easy to write programs to get more free codes. And that was kind of the beginning of hacking for me.”
The Internet Opens Backdoors
In his later teens, Stickley discovered an early form of the internet, although it was only accessible through a dial-up into a college. “This was even before there were web browsers or anything. I was really into going to BBSes where people would post stolen credentials so you could get onto servers at colleges. And then once I would get on them (using stolen accounts), then the accounts would last for a few days and then someone would realize I was in their account, (and) kick me out. So, I started writing backdoors. I would just compromise a server to where they could not keep me out anymore.”
Stickley confessed he would just bounce from server to server. “This is back in the eighties; it is not like there was some sort of criminal intent. It was just a fun pastime. I do not even know if it was technically considered a crime back then.”
By his late teens, Stickley said he started to figure out that what he was doing was probably illegal and that he would not do well in prison. “I started trying to be a little bit smarter about what I was doing and not be quite so risk-taking.”
Stickley Learns Security
Stickley graduated from high school in 1988 and was prepping to further his education. However, “I was still doing computer programming work for corporations. That seemed more lucrative and was just more fun than college. So, I did not go to college.”
Then companies started hiring him to set up their networks and help out with their computer technology. “I got involved with a number of cybersecurity companies through the years and it just kind became my career. Most of my early career was helping companies set up their infrastructure for security,” said Stickley.
Stickley recalled, for example, Symitar had him install its first firewall. “This is obviously a long time ago, but I was helping all those early credit unions get online.” That led to Stickley co-founding TraceSecurity (from 2004-2014), where he also served as chief technology officer (CTO) and vice-president; and founding Stickley on Security in 2012.
Gaining a Reputation
As his knowledge and experience grew, so did his reputation as cybersecurity expert. In the early part of the 21st Century, Stickley recalled discovering a weakness in the Gauntlet firewall that was used by most of the big government agencies, as well as many other companies and organizations.
Said Stickley, “I discovered a vulnerability that gave me remote access to every Gauntlet firewall, which was protecting everybody. I could be at my desk at home and I could take over any firewall including full access to any computer inside of the firewall. I could actually use that to attack every company. It did get a lot of press at the time. It was kind of a big deal.”
Stickley is now known for his long-time involvement in cybersecurity. “In the early years it was always just hacking into everything. People would say, ‘We want you to hack into this, see if you could break in and steal whatever.’ And I would hack in and steal whatever.”
Over time Stickley also got into physically breaking into facilities and stealing. “Once I started physically going and robbing places, then all the television networks started coming to me and they would want to go and tag along and rob a bank with me. And then from there it just kind of blossomed to where now I work for a number of different networks and media outlets.”
Stickley has been involved in thousands of security services for financial institutions, Fortune 100 corporations, healthcare facilities, legal firms, and insurance companies. Through the years Stickley has discovered numerous security vulnerabilities in products such as firewalls, public key infrastructure (PKI) servers, online banking applications, and personal digital assistant (PDA) devices.
A large portion of Stickley on Security’s business centers on the education side, explained Stickley. That includes the latest cybersecurity news and SoS Advisor, which, according to Stickley, is designed to address organizational customer security education and awareness needs. “It goes right into their website, teaches them all about cybersecurity and it continually gives them updates. That gets a lot of love in the financial sector just because it is incredibly important to keep your members aware and educated on what is going on out there in the world.”
Other SoS tools include Powered Cybersecurity Training and Employee EDU, Bad Phish, SoS WorkRemote and Domain Assure, designed to help organizations protect again cybersquatting and spearfishing attacks. “We launched Domain Assure to lock down those domains, monitor what's going on,” said Stickley.
When it comes to Mahalo Banking, which provides credit unions with a mobile and online banking platform, Stickley has served as chairman of the board since 2018 and CEO since 2021. He maintained his investment and involvement in Mahalo was not about creating another digital banking platform. “My goal is to help design a secure solution from the ground up that will actually reduce fraud and protect members from would-be cybercriminals.”
Asked if Mahalo achieved its goal yet, Stickley replied, “That is a lofty goal that will never end, because cybercriminals do not stop. If you are not constantly trying to achieve that exact goal, you are in trouble because everything you have done will be completely dated in just a matter of months.”
However, Stickley noted some successes. “When I came into Mahalo a year and a half ago (as CEO), they were going through growth pains. We faced those growing pains head on. Once you start getting those customers, then the next phase is how do you support them and how do you maintain and keep your customers happy while getting new customers and handle that heavy growth.”
Stickley added, “If you have good personnel and a good product, you can weather the growing pains and you can get through those. And that is exactly what we did with Mahalo. We just launched our new version of our product and just absolutely crushed it.”
The Biggest Threats
Regarding cybersecurity operations for Mahalo, Stickley admitted, “I think I'd do it a disservice just because I wouldn't be able to give it the full attention that it needs.” However, he still keeps close tabs on it. “Whenever we're doing development, looking at any kind of new projects or new designs, cybersecurity always gets a lot of extra love just because I can't help it.”
Overall, Stickley identifies the biggest threat to any company as “supply chain attacks, which is when an organization that provides software to another organization is compromised.” He cited as an example the 2020 cyberattack against SolarWinds Corporation that generated a much larger supply chain incident that affected thousands of organizations, including the U.S. government. The company develops software for businesses to help manage networks, systems and information technology infrastructure
When it comes to the top security cybersecurity dangers to financial institutions, such as credit unions, Stickley responded, “It is just compromise in general. That just comes down to employees at any level making simple mistakes, clicking on links or opening attachments and emails, having their computer compromised and then having a criminal use that to compromise the whole network.”
Stickley pointed out that almost every major ransomware “gang” now has a blog on the dark web built on compromised data. “They literally post a logo, a little blurb about the organization, whatever information they have, and then they will post the date they stole the data and then a link to every bit of data that was stolen. And you could just access it all for free.”
Plus, it is not easy protecting the perimeter. Said Stickley, “If you are the IT department, you have to basically prevent and or detect every possible threat to your organization. And all it takes is one mistake by one employee that is missed and the damage can be pretty catastrophic.”