Organized crime infiltrates financial IT

Organized crime infiltrates financial IT
Organized crime infiltrates financial IT 

By Matt Hines
July 23, 2007

In Martin Scorsese's hit movie "The Departed," actor Matt Damon plays 
the part of a mole -- someone who helps his connected mob friends stay a 
step ahead of the cops by becoming one of the very law enforcement 
officials assigned to stop them.

A new report published by anti-fraud software maker Actimize on July 23 
says a similar ruse is being carried out inside the walls of enterprise 
financial businesses, with the same employees and IT workers whose 
responsibility is handling and protecting sensitive information being 
trained and recruited by organized criminals to steal it.

Based on the New York-based company's research, drawn from interviews 
with 40 large financial services companies in the United States and the 
United Kingdom, about 50 percent of those surveyed indicated they 
believe they have employed workers who have either been trained or 
recruited by outsiders to carry out fraud.

Eighty-five percent of the respondents have been affected by employee 
fraud in general, and 65 percent see the threat becoming even more 
serious in the future, the survey found.

More than 50 percent of participating companies admitted their belief 
believe that only half, or less, of all employee fraud occurring within 
their organizations is currently being caught.

And while the test group represents a relatively small cross-section of 
business, it's worth noting that half of the financial services 
companies interviewed by Actimize claim assets of over $30 billion.

Actimize executives said that there was little doubt among those 
surveyed that organized criminals are increasingly working inside firms 
with large volumes of sensitive information to get first-person access 
to valuable data that can be used by others to carry out fraud.

"People are getting caught and it's clear that they are representatives 
of organized crime in some way, we had a lot of people telling us 
unsolicited that they feel that this is actively happening," said Amir 
Orad, executive vice president of marketing and business development of 
Actimize. "It's not a fairytale; it's an established method being used 
by these groups to carry out significant fraud."

Among the factors contributing to the criminal trend are increased 
access to technology by rank-and-file employees, as well as poor hiring 
and screening processes within end user firms, according to the report. 
Data availability and a lack of dedicated resources for fraud detection 
technologies were other issues identified by respondents as fueling 
internal attacks.

More than 75 percent of those companies surveyed said that they expect 
insider fraud schemes to grow even more sophisticated, with 73 percent 
charting the financial services industry's preparation for such attacks 
as only "poor" or "somewhat acceptable."

About half of the companies involved in the research said that they have 
experienced a data theft within the last 12 months, with the cost of the 
largest such incident within each firm coming in at an average of 
roughly $875,000 per incident. The largest such incident cited in the 
Actimize research totaled $6 million in losses.

A lack of automation among the anti-fraud technologies being utilized by 
the companies is a hallmark of their defeat, Orad said.

"All of these companies have been using data mining for years 
externally, but less than ten percent told us that they were using it 
internally to fight fraud, which doesn't make sense," Orad said. "Less 
than 50 percent said they had any form of automation in place to fight 
fraud, which tells us, the majority have been using reactive processes 
or manual reporting to investigate suspected problems, which isn't going 
to prevent incidents from happening and only addresses the issue after 
the fact."

Among the types of scams that Actimize was told about by the respondents 
were instances of self-dealing, skimming, data-theft, embezzlement and 

In the case of one of the most common methods for carrying the schemes 
out, so-called "identity shielding," through which perpetrators gain 
access to data using another worker's credentials, only 28 percent of 
those participating in the survey said they had some manner of stopping 
or detecting the attacks.

While data-handling regulations such as the Sarbanes-Oxley Act and the 
Payment Card Industry (PCI) compliance requirement have been proposed by 
some experts as helping to solve the insider fraud issue, those surveyed 
by Actimize said that isn't necessarily the case.

An overwhelming 70 percent of respondents said that government 
regulation or standards regarding employee access to customer accounts 
and data would actually "hinder" their company's ability to detect or 
prevent employee fraud.

As with many other types of IT projects, the shortfall in more 
comprehensive insider fraud protection can be tied largely to a lack of 
sufficient budgeting for tools such as those his company markets, Orad 

"We see some visionaries who are making the commitment to buy technology 
that will help automate the process, and it's a growing group, but it is 
still a comparatively small minority of all businesses," Orad said. "All 
of these companies know that they want to keep their names out of the 
headlines related to fraud, and most recognize that it is a problem they 
aren't adequately prepared to deal with, but as with a lot of IT issues, 
the biggest obstacle appears to be a lack of budget."

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. 

Site design & layout copyright © 1986-2014 CodeGods