Schneier on Security
A blog covering security and security technology.
October 12, 2005
$5M Bank Con
Great crime story:
An ingenious fraudster is believed to be sunning himself on a beach after persuading leading banks to pay him more than €5 million (£3.5 million) in the belief that he was a secret service agent engaged in the fight against terrorist money-laundering.
The man, described by detectives as the greatest conman they had encountered, convinced one bank manager to leave him €358,000 in the lavatories of a Parisian bar. "This man is going to become a hero if he isn’t caught quickly," an officer said. "The case is exceptional, perfectly unbelievable and surreal."
Moral: Security is a people problem, not a technology problem.
Posted on October 12, 2005 at 7:15 AM
• 23 Comments
...but technology can help the people be more secure by providing them with information verification tools and workflow tools.
Only if they know, or understand, that technology to any degree. Too many have no comprehension of what that technology entails, and believe "someone else" is making sure everything is safe and tidy.
It's not important to the story, but the title is wrong - at current rates a 5M Euro con is a $6M con.
Ah, no patch yet for the id10T vulnerability.
Technology is irrelevant if the bank manager is stupid enough to give away that amount of cash in a toilet after a phone conversation with someone who CLAIMED to be a chief exec. Even if the bank had no procedure for this kind of thing, you would expect good old common sense to play a part somewhere, i.e. contacting the Chief Exec after the call, through official channels, so you could authenticate the phone call was real.
In related news, the Bush administration has begun lobbying the French government to install currency-detection scanners outside all Parisian lavatories.
I think this story doesn't wash. It's very easy to chalk things like this up to "idiocy", but I feel like this whole "secret agent" thing is a cover story for the bank employee.
Sounds just like all the podunk towns in the US getting night vision goggles and stun guns with anti-terrorism grant money -- everyone wants to play movie spy.
This theft is morally and ethically wrong. Why didn't I think of it? On the surface it seems to be a new idea in theft, but it's still basically impersonation. Whether I pose as a cop, anti-terrorist agent, or MR NUKUMA from NIGERIA, I'm still impersonating. The banks were just simply wrong.
It's also worth noting that he used "anti-terrorism" as his cover story. This is noteworthy because it granted his requests a certain need for urgency and secrecy that he would not have had posing as "standard" law enforcement.
By training people to unquestioningly comply with all terrorism-related requests from nameless, faceless bureaucrats, we are also training them to be suckers for this sort of scheme (and this is arguably the whole point).
Heck, I don't even trust names and addresses of referrals in proposals. I go out and do at least some minimal research to try and verify that the organization, name, and phone number I am about to trust are legitimate.
For that much money, I would do that -- and then call the initial contactee back based on information I felt I could trust!
These organizations also need to have better policy controls on this sort of action. Bank managers should expect NOT to be the first contact in a funding sting.
Unfortunately this sort of thing is a lot more common than you would think.
In the UK a man was recently found guilty and imprisoned; what he had done was to pretend to be a M15/M16/SIS operative, and con people out of their savings. In more than one case he effectively imprisoned a person by convincing them they were a terrorist target.
We all scoff when we hear about these cases, but being a con man is obviously still a profitable way of living...
I just wonder how many Con-Men are going to take advantage of the "Climate of Fear" that our politicians are pushing, to con more people.
"Security is a people problem, not a technology problem"
Agreed. Computers don't make mistakes, people do...
From another perspective criminals love opportunity, and technology creates the kind of change/transformation that increases opportunities for fraud unless properly reviewed and controlled.
One would think the banks would have some kind of control in place to check or even double-check requests to hand over large sums of cash to someone.
The story reminds me of Kevin Kline in the movie French Kiss. Sadly, I don't think his character was based on just one or two incidents, but a whole phenomenon of smooth-talking romance language scam artists.
Great point, ac. Is the compliance of the one mark really any more ridiculous than the idea of so many Americans rushing out to buy rolls of plastic and duct tape as a defense against chemical and biological weapons? We are all so whipped into a patriotic fervor that we will blindly follow just about any directive if the person sounds like a government official. (And how difficult can that be, considering who we elect?)
"This theft is morally and ethically wrong."
Please let me know which thefts are morally and ethically RIGHT. Those are the ones that interest me!
"Ah, no patch yet for the id10T vulnerability."
I tried to read that the same way one would read i18n and l10n (internationalization and localization) ...
I got as far as id-ten-t and thought you meant Identity vulnerability then realised my mistake.
That branch manager should be the one put behind bars, as well as whatever jackass hired her.
"One would think the banks would have some kind of control in place to check or even double-check requests to hand over large sums of cash to someone."
If I remember correctly, if the FBI hands a library a summons for the lending habits of their customers they (the librarians) are expressly forbidden from even contacting a lawyer to verify the warrant.
These kinds of rules create the mindset of unquestioning obedience necessary for this kind of fraud.
My favourite part about the whole story is that the police have arrested his wife AND mother-in-law, whilst he seems to have got away with the cash. Now that is what I call a RESULT!!!
Who's writing the screenplay?
Yeah, when someone commits a crime arrest his wife and mother-in-law.. Good thinking!
In French news, they say it's not a one man job.. They talk about a gang of 3 women and 2 men (Gilbert and his brother)
Something pretty annoying is these conmen knew the existence of the real transactions..
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.