Schneier on Security
A blog covering security and security technology.
« Class Break of TiVoToGo DRM |
| Gift Card Hack »
December 8, 2006
Insider Identity Theft
Banks are spending millions preventing outsiders from stealing their customers' identities, but there is a growing insider threat:
Widespread outsourcing of data management and other services has exposed some weaknesses and made it harder to prevent identity theft by insiders.
"There are lots of weak links," said Oveissi Field. "Back-up tapes are being sent to offsite storage sites or being mailed and getting into the wrong hands or are lost through carelessness."
In what many regard as the biggest wake-up call in recent memory for financial institutions, thieves disguised as cleaning staff last year nearly stole the equivalent of more than $400 million from the London branch of Sumitomo Mitsui.
Posted on December 8, 2006 at 8:39 AM
• 13 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Insiders have always a lot more chances to attack a system then outsiders. I think the numbers are still to small to convince the banks from creating a good structure. As I look to the acceptation of loss in credit card systems - or the leaking Internet banking systems – I think it make no sense to them. The rules don’t force the banks to solve the problems. As long as the loss is cheaper to take as the security measures how prevent this, it will be going on.
"In what many regard as the biggest wake-up call in recent memory for financial institutions, thieves disguised as cleaning staff last year nearly stole the equivalent of more than $400 million from the London branch of Sumitomo Mitsui."
I have seen it many times. To get a job with a company you have to go through weeks of checking and background checks. To get into the building all you need to do is show up at the day labor place and get in the van.
ever since banks were invented, it's always been easier to steal money from them from the teller's side of the counter, not the customer's side.
Isn't this exactly the point of risk management - deciding when something is worth mitigating?
DO banks realy care who steals from them?
They insure against theaft, they will only realy do something about it when they find the cost of not doing it hits the bottom line....
Tip the balance on the ROI or Public Confidence and they will go a long way to do something about it otherwise not
Most large organization pay insurance rates based on estimates generated by their own past claims experience. If they can reduce the incidence of theft, they will see the effect in their insurance rates over the long run.
OK, so my personal info is stolen from a bank. How, precisely, does this hit the bank's bottom line, again?
Clearly, unauthorized withdrawal, etc is a concern. But if "all" they get is my name, DOB, and SSN, I may be at increased risk but I haven't suffered any damages that a US court will recognize, so from the bank's POV this is all "reputational risk". Exactly how X amt of personal info being "lost" translates into a reputational hit, which translates into lost investor confidence isn't exactly a cut+dried matter. Give me a cause of action against a bank that loses my info, and it will "clarify matters" substantially. I'm not holding my breath :^)
Everyone has a price and everyone is for sale as long as there is someone interested in buying.
It doesn’t care the bank that your information is stolen. Most of the loss is for you, not for the banks. You are right that it is exactly the point of risk management – if you look only to the banks. The big picture is only a little bit different in my opinion. As costumer you ask the bank – a proxy for you – to take care about your money. But they have a different agenda as you, they don’t want to spend money on security for you, only for them self’s. As costumer you must take that disadvantage or not use the bank. I think the last is not a realistic option…
I think Clive Robinson got it right. But I would add that the ROI is the public confidence. Banks around the world have spend the last 6 years shutting down the branches in favour of online transactions making huge profits. Now they will need to spend some of the money to make it safe. Or old will become new, with the return of branches on every corner. Its already happening in Australia with BOQ's franchise model.
In terms of bank security ramifications...
Banks do have a very high sense of Brand Equity. If people feel that their data is not safe at one bank, they will simply switch to another bank (banks typically have very low switching costs though bill-pay is a fairly stick feature).
In terms of the London back hack...
Although the news reports do not detail the specific circumstances of the crime, it is probably worth assuming that it could have bene prevented through a better security training program. As the bank was infiltrated via a keylogger, the keylogger must have at some point been installed on a computer with the "right" access. Company employees should have been more dililgent about finding USB devices, utilizing anti-virus / anti-logging software, not falling for phishing attacks etc. The hacker probably got in via one of these methods which are fairly easily prevented.
Curious readers can find here :
more informations about how to "address the Online Identity Theft issue using home made tools."
@Clive: "DO banks realy care who steals from them?
They insure against theaft, they will only realy do something about it when they find the cost of not doing it hits the bottom line...."
Actually banks tend to self-insure when it comes to most fraud exposures, which means that they will hit the balance sheet directly.
The main insurance decision for the bank is whether it will provision for potential losses in the next year, which is a call made by the risk teams. Of course if the risk is seen as high enough then it will be cheaper for the bank to spend more on security measures.
In general I would think that banks spend far more on insider threats than external ones; insider attacks have always been part of banking.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.