People are the primary cybercrime attack vectors, not systems
Kevin Mitnick, who once topped the FBI's list of most wanted hackers before re-inventing himself as a "white hat" IT security adviser, has warned that Australian banks bulking up with anti-cyber attack systems are missing the point.

His theory is that it's always the customers, closely followed by loyal and well-meaning staff, who are the weakest links. Mitnick will be in Australia at the end of August to share his insights on current trends in cyber threats and the role of social engineering.

He spoke to Banking Day while on a private visit to Australia last week. Early in the interview, he was shown comments attributed to Andrew Dell, National Australia Bank's newly appointed chief information security officer, suggesting NAB could remain one step ahead of the cyber criminals.

Mitnick was unimpressed: "I'm very suspicious of people in the IT security industry that say 'we're unhackable'. The best that businesses can do is to analyse their risk and mitigate the vulnerability to an acceptable degree - there is no such thing as 100 per cent security.

"Maybe what Andrew Dell was saying is that they take security seriously and they have all these processes in place to make it difficult to compromise their bank."

However, his view is that having the most unbreakable coding does not address the main game: the greater danger is almost always much more low-key.

Variations of "spear phishing" (when an email appears to come from a person or business you know) and exploitation of web applications are still the most common ways into IT systems.

"By manipulating the people in the system, the primary attack vectors are targeting the humans behind the system, using the systems," he said.

And he has observed one national characteristic he says makes Australians a particularly vulnerable target for cybercrime: "people are very trusting here... That really opens them up to the social [engineering] type of attacks."

"When clients allow us to use social engineering in the scope of a security test, we've never failed. We have a 100 per cent success."

Mitnick recalled a large company in the US where his team tested a "very large financial institution". Mitnick's colleagues were able to get themselves into the bank's computer centre by cloning information on staff access cards.

"We have a way of being able to remotely steal the ID credentials from an employee's building swipe card and be able to reuse those credentials to get physical access to the building and physical access to the computers which we can exploit.

"Once in there, we were able to compromise their entire network by getting their secret encryption key," Mitnick said.