November 22, 2006
Banks are pouring money into building formidable defenses against
computer hackers, but are only just waking up to what may be a bigger
threat--the physical theft of client information by people in the
"You can have a fortress-like security system, but if you are not
terribly discriminating with consultants and temporary employees, that
is a terrible vulnerability," said Carmen Oveissi Field, a New
York-based consultant on computer crime.
"If people can get physical access (to a bank's systems), the game is
over," said Oveissi Field, managing director of Daylight Forensic &
Advisory, a security consultancy.
Banks, especially in Europe and the United States, are investing vast
sums to make computer systems impregnable and have been warning
customers of the dangers of being duped into giving away confidential
information about their accounts.
Under one of the most widely used methods, known as "phishing," a spoof
e-mail is sent out, leading recipients to a bogus bank Web site where
they may be fooled into keying in account usernames and passwords.
The information can then be used by criminals to ransack bank accounts
over the Internet.
Many banks have placed written warnings about phishing on their
electronic banking Web sites and are encouraging clients to forward
suspicious e-mail to them so they can then identify the phony Web sites
and have them closed down.
"It's like hosing down spray paint from vandalized walls," said Ken
Allan, an information technology expert based in Ernst and Young's
Glasgow, Scotland, office.
If phishing attacks go unchecked, they could undermine public confidence
in Internet banking, which is far less costly than branch banking, and
drive customers back to their local branches for even the simplest
"Surveys show customer concerns about security are one of the biggest
obstacles to increased Internet use by the general public," said Chris
Potter, a partner at PWC in London who advises financial institutions on
Banks should be far more active in informing their customers of the
dangers of Internet crime, said Oveissi Field.
Warnings on bank Web sites are "the moral equivalent of sending your
grandmother down a dark alley with instructions on how not to get
mugged," she said.
While banks are confident they can deal with phishing attacks by
constantly warning customers of the dangers, they are now getting
increasingly concerned about the physical theft of confidential client
data by insiders or impostors.
"Identity theft can happen through hacking into a bank system or
internally with someone walking out of the door, and that worries me
more than phishing," said a security officer at a major European bank
who asked not to be identified.
Outsourcing has exposed weaknesses
Widespread outsourcing of data management and other services has exposed
some weaknesses and made it harder to prevent identity theft by
"There are lots of weak links," said Oveissi Field. "Back-up tapes are
being sent to offsite storage sites or being mailed and getting into the
wrong hands or are lost through carelessness."
In what many regard as the biggest wake-up call in recent memory for
financial institutions, thieves disguised as cleaning staff last year
nearly stole the equivalent of more than $400 million from the London
branch of Sumitomo Mitsui.
They installed programs to record keystrokes on computers that were used
to handle international wire transfers of money.
After analyzing user identifications and passwords recorded by the
keystroke-logging programs, they used the information to make a huge
money transfer to an Israeli bank, but were foiled at the last minute
when police were tipped off.
"What banks worry about is that they may have a combination of
weaknesses such as staff vetting and physical security, which when put
together can let a sophisticated attacker get at their real crown
jewels," said Potter.
Banks are starting to respond to the threat by combining teams working
on physical and information technology security, which traditionally
have been separate functions, said Potter.
Story Copyright 2006 Reuters Limited. All rights reserved.