Schneier on Security
A blog covering security and security technology.
« Paris Hilton Cellphone Hack |
| Touch-Screen Voting »
May 24, 2005
Massive Data Theft
During a time when large thefts of personal data are dime-a-dozen, this one stands out.
What is thought to be the largest U.S. banking security breach in history has gotten even bigger.
The number of bank accounts accessed illegally by a New Jersey cybercrime ring has grown to 676,000, according to police investigators. That's up from the initial estimate of 500,000 accounts police said last month had been breached.
Hackensack, N.J., police Det. Capt. Frank Lomia said today that an additional 176,000 accounts were found by investigators who have been probing the ring for several months. All 676,000 consumer accounts involve New Jersey residents who were clients at four different banks, he said.
Even before the latest account tally was made public, the U.S. Department of the Treasury labeled the incident the largest breach of banking security in the U.S. to date.
The case has already led to criminal charges against nine people, including seven former employees of the four banks. The crime ring apparently accessed the data illegally through the former bank workers. None of those employees were IT workers, police said.
One amazing thing about the story is how manual the process was.
The suspects pulled up the account data while working inside their banks, then printed out screen captures of the information or wrote it out by hand, Lomia said. The data was then provided to a company called DRL Associates Inc., which had been set up as a front for the operation. DRL advertised itself as a deadbeat-locator service and as a collection agency, but was not properly licensed for those activities by the state, police said.
And I'm not really sure out what the data was stolen for:
The information was then allegedly sold to more than 40 collection agencies and law firms, police said.
Is collections that really big an industry?
Edited to add: Here is some good commentary by Adam Fields.
Posted on May 24, 2005 at 8:49 AM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This isn't intended as a troll, but why is it that we never hear about this sort of problem in Europe? Is it because we simply don't hear about overseas breaches, or do the European consumer and personal privacy laws seem to be working? How radical a rethink of American buisness practices would be required if we _really_ did own our personal data....
>Is collections that really big an industry?
Yes. Many collection agencies receive 1/2 of the money obtained. Smaller companies might get a smaller cut of the debt, bigger ones can demand more. One employer I used to work at, used to be a bank, but the collections business was so profitable, that they left the deposit/loan part of the banking industry and concentrated on collecting on delinquent accounts. It may be rather hard for you to imagine a "bank" that doesn't accept deposits, but that is the sort of kludge our financial system has encouraged.
I think if you look into it, you'll find more and more of the larger financial institutions have their own "in house" collection agency operating as a separate profit center, and doing it that way for tax reasons.
>"Is collections that really big an industry?"
America is a representation of its citizens, which both live with debt.
You got that right. The government and financial institutions love you to be in debt. And stupid Americans fall for it, thinking they need two or three cars and SUVs, a 3,000-sq-foot home, and every adult toy imaginable. Too bad they truly own none of it.
But anyway, these news stories scare me every time. I'm just waiting to be one of the next victims.
My father-in-law is VP at a local bank in a small rural US town of about 12,000 people, and he once told me that their bank averages about $20,000 *per month* in bad check fees. This was a surprising revelation to me, but explains quite a bit... so yes, I can imagine collections being a huge industry in the U.S.
Also, there is a whole cottage industry of people who buy distressed debt and then try to collect it themselves.
A database of Name-SS#-Bank Info is incredibly valuable in that business. Although given the manual information acquisition, my guess would be the attacker isn't constructing a database, but rather providing a service, acting as a broker between collection agencies and corrupt bank officials who will conduct searches based on name/SSI in the bank computer.
w/ the bankruptcy bill that was recently passed, wouldn't that have made collections a very important growing industry?
Regarding the first comment by anonymous above: you should see a recent Wall Street Journal article about some of the steps European banks take to secure customers' data: "How European Banks Keep A Tighter Lid on Online Data" (WSJ, April 20, 2005; Page B1). Click my name to see where we blogged it.
Apparently U.S. laws and regulations are silly when it comes to data protection and that's probably what generally encourages things like this to happen.
95714 Screen Prints per Bank Employee seems like a stretch. We are missing something here.
Collections is a huge industry! Just take a look at how much debt is charged off each year by the credit card companies. The company my father works for (nearing a quarter billion in yearly revenue) is now a major player now in debt buying, but is still a small fish in a large pond.
The mastermind of this scheme was a skip tracer who had contracts with a lot of attorneys and collection agencies to find people, and concomitantly, their assets. He sent the lists provided by the attorneys to his contacts in the bank (usually branch managers), who in turn gave them to the rank & file workers to do the search. For every hit, he paid the manager $10, who in turn, gave $3 to $6 to the worker bees. The ringleader, Orazio Lembo, was paid $70 to $100 for each hit he got; the attorneys then were able to file suit against the debtor and/or garnish wages, because they had received the exact list of the debtor's assets.
This guy's crimes, while not identity theft as currently understood by the general public, were just as nefarious. Even though this is considered "white collar" time, I see a lot of hard time here, to Lembo, and to a lesser degree, the accomplices in the banks.
On another note, I am not surprised by the apparent amount of "manual labor" involved. Taking a screen print or copying an address and bank account number get around most kinds of auditing. As someone who regularly reviews IT security at financial institutions such as Credit Unions and Banks, I've yet to see anyone auditing printing at that level. In fact, at some places, they use software that allows them to print screen caps easier! That's probably the easiest means of getting the data to the (illegal) end user.
One final piece in the puzzle...did the attorneys or collection agencies have any knowledge of how this guy got the data?
This is over a considerable period of time (think years), so yes that is reasonable.
>"Is collections that really big an industry?"
Yes, and growing larger recently due to medical clients - doctors and hospitals.
"Is collections that really big an industry?"
Yes. Years ago I worked for a marketing and promotions company, that handled all kinds of consumer feedback, rebate, and lottery type deals.
I ran the computers in that company, and from time to time, I was offered various deals to hand over the names and addresses we possesed.
This was nearly 20 years ago, and I imagine the business of accumulating names and addresses, from any source, has only grown since then.
What I find fascinating in this is how you're supposed to safe-guards against these types of manual data-thefts.
You could of course monitor what every employee does, but I guess the average bank-teller accesses several hundred accounts every day.
I honestly don't think that we can secure against manual theft of data and I would think that it will not happen very often, at least not on this scale. Isn't this an isolated issue?
"This isn't intended as a troll, but why is it that we never hear about this sort of problem in Europe? Is it because we simply don't hear about overseas breaches, or do the European consumer and personal privacy laws seem to be working? How radical a rethink of American buisness practices would be required if we _really_ did own our personal data...."
Personal data is 1) not collected as widely, and 2) much less valuable as a tool to commit fraud. The second reason is far more important.
@Martin Nilsson: It has a lot to do with the integrity of your employees. I firmly believe that everyone can be bought (though not necessarily with money) so it's a matter of trusting your employees - but for the correct reasons. Regular background checks might help there. OTOH, as Bruce mentions, a different approach to collecting and using personal data (especially that which can easily be abused) might help much better.
"This isn't intended as a troll, but why is it that we never hear about this sort of problem in Europe?"
Perhaps they have bigger problems to worry about? The growth forecast in the Eurozone has just been revised down to 1.2% for this year. Unemployment in Germany is around 10%. Italy has just slid into recession.
European business practices clearly don't work very well.
"Unemployment in Germany is around 10%"
Would you rather have them hired for gathering and selling your personal information? You see, that's where EU and US differ. Here in EU money isn't always priority number one. You see, usually those unemployed in EU get unemployment fee (or equivalent) until they get a new job and can get along just fine without having to do stupid things just to get some money.
Regarding Richard R. Blake's account of how the collection agenices and law firms allegedly provided Lembo with the lists of deadbeats whose bank records they were seeking...is this accurate? There have as yet been no official accounts of this arrangement. Where does this information come from?
Anonymous, I don't think that European banks are more secure. I think the answer lies partially with California's SB1386 (requiring disclosure of some breaches to Californians) and the massive backlash suffered by Choicepoint when they chose to disclose a breach only to Californians.
There's a completely new standard in the US. The Europeans have no such requirements, and thus, don't disclose their problems.
@Axel (Posted by Axel at May 25, 2005 07:12 AM)
"European business practices clearly don't work very well."
Right. So they should use practices like Enron and Worldcom. US Corporations, showing the world how it is done.
I'm not sure why you claim that fraud is a distinctly US process.
@Adam Shostack (Posted by: Adam Shostack at May 25, 2005 05:55 PM)
"I'm not sure why you claim that fraud is a distinctly US process."
Because they do it bigger and better. No, seriously, my comment was tongue-in-cheek. It was in response to an earlier comment claiming European business practices "clearly don't work very well" based on unemployment rates. My reply matched the rationality of the earlier comment. I'm from Australia, hence neither the US nor Europe (although at times you can't tell from our government's policies :-)). I see plenty of merits and faults in both places, I just react to stupid logic.
Peter Goldman: This information comes from watching the case develop, and from an insider's knowledge (my father's actually) of aspects of the collection industry.
Here's an example from MSNBC's article:
"In some cases, the bank employees printed out entire customer computer screens and turned them over to Lembo," says Hackensack, N.J. chief of police Charles Zisa. "That information was then sold to his clients, which included more than 40 law firms and collection agencies."
Investigators say Orazio Lembo operated his company, DRL & Associates, out of his home, paying his accomplices tens of thousands of dollars over a four-year period, then allegedly re-selling that information for a profit of several million dollars to debt collectors and law firms."
As for my own question on the attorneys and collectors who bought the information:
It appears investigators may go after those who PAID for the information, as well.
"You see, usually those unemployed in EU get unemployment fee (or equivalent) until they get a new job and can get along just fine without having to do stupid things just to get some money."
Unless you're in Germany, in which case the state will cut your welfare benefits if you turn down a job offer, even if it comes from a brothel.
At the heart of all this is a simple business equation: if we look at the cost of data collection and the benefit accrued from that collection, organisations, criminal or otherwise, will continue to collect data until the marginal cost of collection increases to the point where it equals the marginal benefit of collection. The problem, however, is that almost all the trends seem to be in the wrong direction:
- computing power is getting cheaper rapidly
- data storage is getting cheaper rapidly
- use of SSNs as identifiers (read unique keys) has been increasing for years
- outsourcing is leading to reduced labor costs
- outsourcing is leading to data going to countries in which, for whatever reasons, physical appearance, cultural, developmental etc. our enemies have an easier time blending in
- government not only fails to punish unnecessary data collection, but often encourages and even mandates it
- etc. etc. etc.
The only way to stop this is to rebalance the equation and the way to do that is, as far as possible, attach liability to the collectors of data and to persons who observe sloppy or illegal processes but do nothing about it. As things are, with ever more data being collected, how long will it be before Osama and friends go data mining? What happens when they decide to re-enact the actions of the Washington sniper, only with a fat, reliable (thanks, government ID!) database to help them select their victims? When that happens, will you be more secure or less secure with all your data out there? What do you think of Choicepoint et al now?
It is becoming increasingly clear: If the data is collected, it will be abused. All it takes is one strategically placed insider. There is only one solution.
Data security should be there for that.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.