MEREDITH VIEIRA, co-host: And we are back at 7:45. You know, time was when bank robbers went on a heist they carted away bags of money. But these days, thieves are after something much more valuable: your identity, stealing your Social Security number, your passwords, even your name from databases that should be secure. It costs billions. We tagged along with one company hired to act like bad guys in order to keep the worst from happening to you.

In 2005, CardSystems Solutions had 40 million credit card numbers exposed to hackers during a security breach. Bank of America lost 1.2 million federal employee records, and it's exposing a new trend in crime, one that doesn't go after the money in your bank account, but the account itself.

Mr. JIM STICKLEY (TraceSecurity): Let's say you have a million dollars in the bank. Once that million bucks is gone, it's gone. With identities, you can use those for life, and you can keep ripping off the same person over and over and over. It's exponential. I mean, it just goes on and on.

VIEIRA: Jim Stickley is the new-age bank robber, but don't expect him to end up in handcuffs. He is hired to do it. His company, TraceSecurity, works with more than 400 global institutions to test the vulnerabilities in their security systems to ensure your account doesn't end up in the wrong hands.

Security specialist Bill Stanton went to TraceSecurity's headquarters in Baton Rouge to find out how it's being done.

Mr. BILL STANTON (Security Specialist): So, walk me through this. You go in as the phone repair man, the pest control man.

Mr. STICKLEY: The pest control, fire inspector. Any position at all that'll get us into the facility is what we'll do.

I mean, you could put in $100,000 technical system that has, you know, firewalls and all of the greatest stuff to keep your network perfectly secure, and then have one employee let me walk in and steal your backup tapes.

VIEIRA: Backup tapes contain Social Security numbers, account information, even passwords.

Mr. STANTON: Most people think the most valuable asset in a bank is the cash in the vault. Well, that's not necessarily true. Today, these guys, hired by the bank, are going to infiltrate a branch and see if they can get the most valuable information: account numbers, Social Security numbers, names.

VIEIRA: First, the ruse is set up. TraceSecurity calls a branch their client asked them to test to schedule an appointment. Suited up in hidden cameras, Jim and his accomplice Dale prepare for a job, claiming to be pest control inspectors. Bill played a customer and caught it all on tape.

Mr. STICKLEY: I'm Jim. So we're here to look for bugs.

VIEIRA: Within five minutes, the employee walks away and Jim and Dale are left alone to do their work, and they do. Moving quickly from room to room, gaining access to offices, computers, and finally the jackpot: the main server, walking out with everything they needed and no one on their trail.

Mr. STICKLEY: She escorted us for the first minute or so, and then just said, 'OK, do whatever it is you need to do,' and from that point on we just had full run of the building.

This is a hub that links down to the main network for the whole branch. In this case, as you'll see, I plugged a wireless device in which gives me full access to their entire corporate network from the parking lot.

VIEIRA: The next bank wasn't much different.

Mr. STICKLEY: We're here to do pest inspections.

Offscreen Voice #1: The kitchen is that way and the bathrooms are this way.

VIEIRA: Within minutes they are in the document room and with no one supervising them, they take what they came for, again walking away with account numbers, passwords and Social Security numbers: the keys to the castle.

Mr. STICKLEY: We got all sorts of documentation. No, this information you can sell, you can use it yourself, you can become any one of these people. If you have somebody's Social Security number, basically tomorrow, you can become that person.

VIEIRA: Jim says these results aren't uncommon.

Mr. STICKLEY: This is the norm. I mean, the first time we go in, they're generally going to fall victim. It's just--it's how it is. It's rare that they'll catch up.

VIEIRA: But the third bank we visited brought comfort that with the right policies in place, the bad guy won't get in.

Mr. STICKLEY: We're scheduled to do pest control today.

Offscreen Voice #2: Do you have any of your business cards?

Mr. STICKLEY: Oh, yeah, sure.

Voice #2: (On phone) I have someone wanting to do a pest inspection. I just need to know that it is legit, that we have scheduled it, thanks.

I'm sorry.

Mr. STICKLEY: No, hey, you got to do your thing. And trust me, it just means less work for us.

Voice #2: I can't verify.

Mr. STICKLEY: It's not a problem at all--not a problem at all.

Voice #2: I will keep this and give it to him to reschedule with you.

Mr. STICKLEY: All right. No problem, no problem at all. I completely understand.

And they asked for identification, they asked for us to, you know, show who we were. Went through all of that. They could never reach anybody that could verify that we were supposed to be there. She couldn't have done anything more perfect than she did.

VIEIRA: Companies that hire TraceSecurity are looking to ensure every branch follows protocol.

Mr. STICKLEY: The best thing is that banks are hiring us to protect themselves. They are out there actively trying to do--to make sure that if they do have risks, they are preventing them before they could happen for real.

VIEIRA: And Bill Stanton is TODAY's security specialist.

Bill, good morning to you.

Mr. STANTON: Good morning.

VIEIRA: I think what's most disturbing about that is, except for that last bank, how easy it is for these people to get in there and steal your identity.

Mr. STANTON: Getting high-tech information in a low-tech way.

VIEIRA: And what about other scams? I mean, this is one example of a security scam. But there are others that we need to worry about.

Mr. STANTON: Well, this is why it should concern you, the average citizen. They could send it over a physical mail where they duplicate the letterhead, e-mailing scams and Internet scams, all claiming they're the good guy, when in actuality, they're the bad guy. Do your diligence, just like the bank should.

VIEIRA: And once your identity is stolen, how hard is it really to get it back?

Mr. STANTON: You virtually never get it back. It's out there. It's stolen, You have to work real hard to protect it.

VIEIRA: So always be vigilant.

Mr. STANTON: Yes, ma'am.

VIEIRA: Bill Stanton, thanks so much...

Mr. STANTON: Thank you.