AOH :: ISN-3311.HTM

Banks face growing threat of identity theft from insiders

Banks face growing threat of identity theft from insiders
Banks face growing threat of identity theft from insiders 

By Reuters
November 22, 2006

Banks are pouring money into building formidable defenses against 
computer hackers, but are only just waking up to what may be a bigger 
threat--the physical theft of client information by people in the 

"You can have a fortress-like security system, but if you are not 
terribly discriminating with consultants and temporary employees, that 
is a terrible vulnerability," said Carmen Oveissi Field, a New 
York-based consultant on computer crime.

"If people can get physical access (to a bank's systems), the game is 
over," said Oveissi Field, managing director of Daylight Forensic & 
Advisory, a security consultancy.

Banks, especially in Europe and the United States, are investing vast 
sums to make computer systems impregnable and have been warning 
customers of the dangers of being duped into giving away confidential 
information about their accounts.

Under one of the most widely used methods known as "phishing," a spoof 
e-mail is sent out, leading recipients to a bogus bank Web site where 
they may be fooled into keying in account usernames and passwords.

The information can then be used by criminals to ransack bank accounts 
over the Internet.

Many banks have placed written warnings about phishing on their 
electronic banking Web sites and are encouraging clients to forward 
suspicious e-mail to them so they can then identify the phony Web sites 
and have them closed down.

"It's like hosing down spray paint from vandalized walls," said Ken 
Allan, an information technology expert based in Ernst and Young's 
Glasgow, Scotland, office.

If phishing attacks go unchecked, they could undermine public confidence 
in Internet banking, which is far less costly than branch banking, and 
drive customers back to their local branches for even the simplest 
banking operations.

"Surveys show customer concerns about security are one of the biggest 
obstacles to increased Internet use by the general public," said Chris 
Potter, a partner at PWC in London who advises financial institutions on 
technical risks.

Banks should be far more active in informing their customers against the 
dangers of Internet crime, said Oveissi Field.

Warnings on bank Web sites are "the moral equivalent of sending your 
grandmother down a dark alley with instructions on how not to get 
mugged," she said.

While banks are confident they can deal with phishing attacks by 
constantly warning customers of the dangers, they are now getting 
increasingly concerned about the physical theft of confidential client 
data by insiders or impostors.

"Identity theft can happen through hacking into a bank system or 
internally with someone walking out of the door, and that worries me 
more than phishing," said a security officer at a major European bank 
who asked not to be identified.

Outsourcing has exposed weaknesses
Widespread outsourcing of data management and other services has exposed 
some weaknesses and made it harder to prevent identity theft by 

"There are lots of weak links," said Oveissi Field. "Back-up tapes are 
being sent to offsite storage sites or being mailed and getting into the 
wrong hands or are lost through carelessness."

In what many regard as the biggest wake-up call in recent memory for 
financial institutions, thieves disguised as cleaning staff last year 
nearly stole the equivalent of more than $400 million from the London 
branch of Sumitomo Mitsui. 

They installed programs to record keystrokes on computers that were used 
to handle international wire transfers of money.

After analyzing user identifications and passwords recorded by the 
keystroke-logging programs, they used the information to make a huge 
money transfer to an Israeli bank, but were foiled at the last minute 
when police were tipped off.

"What banks worry about is that they may have a combination of 
weaknesses such as staff vetting and physical security, which when put 
together can let a sophisticated attacker get at their real crown 
jewels," said Potter.

Banks are starting to respond to the threat by combining teams working 
on physical and information technology security, which traditionally 
have been separate functions, said Potter.

Story Copyright 2006 Reuters Limited. All rights reserved. 

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods