Insider Attack Against Citibank

Insiders are the biggest threat:

The Pune police have unearthed a major siphoning racket involving former and serving call-centre employees.

They allegedly transferred a total of [15 million rupees (US $350,000)] from a multinational bank into their own accounts, opened under fictitious names. The money was used to splurge on luxuries like cars and mobile phones.

The call center was in India. The victim was Citibank.

Posted on April 11, 2005 at 9:14 AM • 9 Comments

Comments

Israel Torres • April 11, 2005 10:47 AM

Wow, it sure would be nice to have a set of checks and balances to make sure this type of activity isn't allowed. Sounds like something someone should have thought up ages ago.

Israel Torres

Shyam Mani • April 11, 2005 10:50 AM

I do agree with the fact that insiders are a threat, but do banks tell customers that it is okay to give out passwords over the phone even to support staff? I guess the users have to be blamed as well, for divulging passwords, and if the bank does have such a policy, then they need to rethink the whole thing.

Chirayu • April 11, 2005 11:37 AM

Even if the bank tells that to customers, how many will really follow?
It's the same with passwords and post-its!!

Richard Braakman • April 11, 2005 6:06 PM

It's not enough to refrain from telling them that it's okay. If you're serious about it, you have to give it to your customers as a promise ("We will NEVER ask you for your password"), and plaster it all over the relevant documentation. Otherwise they will quite reasonably assume that a representative from the bank who asks them for a password is following correct procedure.

Thomas Sprinkmeier • April 11, 2005 7:29 PM

My bank asks for my PIN when I do phone banking.

I asked the operator why I should tell her, given that the bank's documentation warned me never to disclose my PIN.

She replied that, as an officer of the bank, she could be trusted.

Eric • April 11, 2005 9:37 PM

In the July 15, 2004 Crypto-Gram Newsletter, Bruce Schneier wrote:

"It's a big deal to have confidential information leave an organization's building, and it's been a big deal since long before computers. In the end, you have to trust your employees. If they want to steal information, or if they make mistakes, they'll do it regardless of your precautions. You can change the mechanisms of those actions, but don't confuse changing mechanisms with making things safer."

Now, to be fair, the comment above was made in the context of certain employers banning employees from bringing USB thumb drives into work. Nonetheless, protecting your own information and the information about your customers is paramount. This example and many others (e.g., the AOL employee who sold email addresses, Wen Ho Lee and the tapes he made of U.S. nuclear design and testing information) show the dangers of blanket trust, and speak of a striking naiveté.

Marc • April 12, 2005 5:38 AM

In the Netherlands we have known for quite a few years that approximately 50% of all theft is committed by bank employees.

This figure was even in the Media News highlights.

But the Dutch bank (and I think every bank in the world) sees this as a calculated risk not to be avoided.

They understand that in the end,
"we're only human".

Greetings,
Marc

Clive Robinson • April 12, 2005 5:53 AM

@Eric

Your comment,

"show the dangers of blanket trust"

ignores a fundamental problem of trust, or the limitation of it: there is no point at which trust cannot be abused.

The first area is that people have to be able to perform their jobs; implicit in this is that they have to be trusted with confidential information to do so (i.e. a receptionist needs the company telephone directory to connect calls, but should not give the information out to callers, etc.).

The follow-on from this is that at some point in the organisation somebody has to be trusted sufficiently to be able to see all information (even though they may not be aware of its existence until they need to see it). Even in the most secret of organisations this is true.

However, the cost of trying to limit access to more information than is actually required is usually prohibitively high, so only certain types of organisation do this (and usually not very well).

These costs are not just in the systems put into place to limit trust but also in the form of lost opportunities, where trust has prevented the linking of information to provide critical information to the organisation.

So you end up with a trade-off: the cost of trust vs. the cost of secrecy. That is your first problem; however, there are other problems, as the US government amongst others has realised: there are two basic types of secret that have to be protected,

1. Those that are known to people in positions of trust.

2. Those that can be deduced by those who are not trusted, from "publicly available" information.

The "aggregation of information" is a very, very difficult problem (see Ross J. Anderson's book ( http://www.cl.cam.ac.uk/~rja14/book.html ) or his home page ( http://www.cl.cam.ac.uk/users/rja14/ ) for more information on this problem).

In the UK there have been a number of cases where the "aggregation of information" has given rise to attempts at prosecution under the Official Secrets Act. In one case a journalist was accused of releasing secret information (the address of GCHQ) and, much to the prosecution's embarrassment, he simply produced a copy of an internationally circulated magazine (Wireless World) that had a full-page job advert for GCHQ with the address prominently displayed (it was shortly after this that the case collapsed).

Then there are problems with releasing data to people who need it in an anonymous way (such as medical records to drug researchers). Invariably it is not possible to stop inadvertent leaks of information, especially when you only control or have access to part of the available data set.

There are a whole load more problems to do with "trust"; it is an extremely difficult subject, and has been the subject of much research over the years, in the case of computer security well over 40 years in the public domain.

Basically, there is no level of trust that cannot in some way be abused, either accidentally or deliberately; most organisations are aware of this, and have to accept the fact that every so often there is going to be a "bad apple in the barrel".

Quadro • April 13, 2005 6:38 PM

Surprisingly, it seems that many if not most US banks give their employees too much access. As I've said before, a friend of mine who works as a bank teller has access to the entire database, including SSNs. I probably should cease to be a customer at that bank...
