By Paul Nowell
July 1, 2005
CHARLOTTE, N.C. . When two of the nation's largest banks were forced
to notify thousands of customers that their financial records may have
been stolen, there wasn't a hacker, a missing laptop or a lost box of
backup computer tapes to blame.
This time, police believe, customers of Wachovia Corp. and Bank of
America Corp. were the victims of bank employees, workers whose jobs
at the Charlotte-based banks granted them access to information
valuable enough to sell for $10 an account.
Security experts believe it's that battle against insiders . the theft
of Social Security numbers and other sensitive data by those with the
authority to access it . that will consume banks and other financial
institutions as they fight a recent run of security breaches that
doesn't appear to be waning.
"We've got a nasty problem and it keeps getting worse over the past
couple of months," said Peter G. Neumann, a security expert with SRI
International in Menlo Park, Calif. "Insiders have always been a
concern, it's just that (institutions) are finally admitting it."
Security experts like Neumann believe inside jobs have the potential
to be far more damaging to consumers than accidental losses of data,
or attacks by hackers similar to one disclosed June 17 at
Atlanta-based CardSystems Solutions Inc., which exposed 40 million
credit and debit card accounts.
And the protections banks use to thwart hackers . firewalls and
encryption, for example . have no ability to stop ill-intentioned
employees who have authorized access to secure information.
The insider case at Bank of America, Wachovia and two other banks.
involving a far smaller number of accounts than the hackers' assault
on CardSystems Solutions . could prove to be far worse for consumers,
said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc.,
an information technology research firm.
"It may not be bigger, but that stuff is a lot more dangerous,"
Litan said. "These are people who have access to a lot more personal
information, so it's very serious."
Wachovia and Bank of America were forced to alert more than 100,000
customers in May after police in New Jersey charged nine people,
including seven bank workers, in a plot to steal financial records of
thousands of bank customers.
"About 70 to 80 percent of the risk is from insiders, although not all
of them are as malicious as the case in New Jersey," said Steve Roop,
vice president of marketing at San Francisco-based Vontu, a firm
specializing in data loss prevention. "Sometimes it is well meaning
but poorly informed workers."
As might be expected when the subject is security, neither Wachovia
nor Bank of America are willing to explain in detail efforts they take
to protect sensitive data from employees who want to illegally sell
private account information.
"All of our associates must adhere to a code of ethics and to company
policy," said Tara Burke, a spokeswoman for Bank of America. "And our
bank associates only have access to the information they need to
provide service to our customers."
The bank does perform criminal background checks on all new employees,
using fingerprinting and other screening methods. Contract labor
suppliers must perform criminal checks on temporary employees they
supply to the bank, she said.
But the problem with background checks is that they don't work, said
Jim Stickley, chief technology officer at TraceSecurity, a Baton
Rouge, La.-based security company.
"Sure, (it works) if you are looking at a murderer or someone with a
criminal record. But there are a million idiots out there who are
lucky so they don't have a record," he said. "No matter what you do,
all it takes is one person who is down on his luck or realizes he can
make a lot of money doing this. Then you have your biggest nightmare."
In all, Burke said, Bank of America spends about $250 million annually
on various security measures and protections, and has hundreds of
associates whose sole function is to protect information.
Wachovia spokeswoman Christy Phillips said the bank employs similar
protections, including offering programs and training to educate
employees how to safeguard information. Background screening is a
longtime policy at Wachovia and there are tools and procedures that
limit access to information to employees whose jobs require such
"We routinely review our processes and make changes as appropriate,"
Among the other difficulties the banks face when working with
employees, Roop said, is a high level of turnover.
"These banks hire hundreds of new people every month," Roop said.
Among the steps banks can take to fight insider ID theft is to
individually limit each employee's access to customer information,
Litan said. Such a system specifies exactly what customer information
each employee can see, touch and update.
But that also requires managers to constantly monitor the clearance
levels of thousands of individual employees.
Another way to police insider theft is "the intimidation factor,"
Stickley said. While some workers might complain that their rights are
being infringed by aggressive monitoring of their work activities,
Stickley said they need to understand "they are dealing with extremely
confidential information that can wreck a lot of peoples' lives."
And at the office, Litan said, bank employees working with sensitive
information know that aggressive security comes with the job.
"Their phone conversation are recorded all the time," she said.
"They know there are no rights when it comes to private business."
But in the end, even the experts said protecting sensitive information
from insiders comes down to basic human honesty.
"If someone wants to do it, they are going to do it," Stickley said.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.