Entries Tagged "banking"


Ordinary People Being Labeled as Terrorists

By law, every business has to check their customers against a list of “specially designated nationals,” and not do business with anyone on that list.

Of course, the list is riddled with bad names and many innocents get caught up in the net. And many businesses decide that it’s easier to turn away potential customers whose name is on the list, creating—well—a shunned class:

Tom Kubbany is neither a terrorist nor a drug trafficker, has average credit and has owned homes in the past, so the Northern California mental-health worker was baffled when his mortgage broker said lenders were not interested in him. Reviewing his loan file, he discovered something shocking. At the top of his credit report was an OFAC alert provided by credit bureau TransUnion that showed that his middle name, Hassan, is an alias for Ali Saddam Hussein, purportedly a “son of Saddam Hussein.”

The record is not clear on whether Ali Saddam Hussein was a Hussein offspring, but the OFAC list stated he was born in 1980 or 1983. Kubbany was born in Detroit in 1949.

Under OFAC guidance, the date discrepancy signals a false match. Still, Kubbany said, the broker decided not to proceed. “She just talked with a bunch of lenders over the phone and they said, ‘No,’ ” he said. “So we said, ‘The heck with it. We’ll just go somewhere else.’ ”

Kubbany and his wife are applying for another loan, though he worries that the stigma lingers. “There’s a dark cloud over us,” he said. “We will never know if we had qualified for the mortgage last summer, then we might have been in a house now.”

Saad Ali Muhammad is an African American who was born in Chicago and converted to Islam in 1980. When he tried to buy a used car from a Chevrolet dealership three years ago, a salesman ran his credit report and at the top saw a reference to “OFAC search,” followed by the names of terrorists including Osama bin Laden. The only apparent connection was the name Muhammad. The credit report, also by TransUnion, did not explain what OFAC was or what the credit report user should do with the information. Muhammad wrote to TransUnion and filed a complaint with a state human rights agency, but the alert remains on his report, Sinnar said.

Colleen Tunney-Ryan, a TransUnion spokeswoman, said in an e-mail that clients using the firm’s credit reports are solely responsible for any action required by federal law as a result of a potential match and that they must agree they will not take any adverse action against a consumer based solely on the report.

The lawyers’ committee documented other cases, including that of a couple in Phoenix who were about to close on their first home, only to be told the sale could not proceed because the husband’s first and last names—common Hispanic names—matched an entry on the OFAC list. The entry did not include a date or place of birth, which could have helped distinguish the individuals.

In another case, a Roseville, Calif., couple wanted to buy a treadmill from a home fitness store on a financing plan. A bank representative told the salesperson that because the husband’s first name was Hussein, the couple would have to wait 72 hours while they were investigated. Though the couple eventually received the treadmill, they were so embarrassed by the incident they did not want their names in the report, Sinnar said.

This is the same problem as the no-fly list, only in a larger context. And it’s no way to combat terrorism. Thankfully, many businesses don’t know to check this list and people whose names are similar to suspected terrorists’ can still lead mostly normal lives. But the trend here is not good.
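As an added illustration (not code from the post, from TransUnion or from any real screening product), here is a constructed name-screening check that does what the OFAC guidance quoted above says should happen: a hit on a single name token is downgraded to a false match when the list's date of birth rules the customer out, and flagged for human review when the list entry carries no date of birth at all. The list entries, the placeholder second name and the severity ordering are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class ListEntry:
    """A constructed watch-list record (not real OFAC data)."""
    name: str
    aliases: Tuple[str, ...] = ()
    birth_years: Tuple[int, ...] = ()   # empty when the list gives no date of birth

@dataclass(frozen=True)
class Customer:
    """Applicant data as supplied on a loan or credit application."""
    names: Tuple[str, ...]             # first, middle, last
    birth_year: int

def name_tokens(entry: ListEntry) -> set:
    """Every word of the listed name and its aliases, lower-cased.
    Matching on single tokens is what produced the alerts in the story."""
    tokens = set()
    for full in (entry.name, *entry.aliases):
        tokens.update(part.lower() for part in full.split())
    return tokens

# Higher number wins when a customer hits more than one entry.
SEVERITY = {"clear": 0, "false_match": 1, "needs_review": 2, "match": 3}

def screen(customer: Customer, entries) -> Tuple[str, Optional[ListEntry]]:
    """Return (status, entry): 'clear' (no shared token), 'false_match' (name hit
    but the list's date of birth excludes the customer), 'needs_review' (name hit
    and the list has no date of birth), or 'match' (name hit and the year agrees)."""
    best: Tuple[str, Optional[ListEntry]] = ("clear", None)
    tokens = {n.lower() for n in customer.names}
    for entry in entries:
        if not tokens & name_tokens(entry):
            continue
        if not entry.birth_years:
            status = "needs_review"
        elif customer.birth_year in entry.birth_years:
            status = "match"
        else:
            status = "false_match"
        if SEVERITY[status] > SEVERITY[best[0]]:
            best = (status, entry)
    return best

# Constructed sample list: the first entry mirrors the alias and birth years quoted
# in the story; the second is a placeholder with no date of birth, like the Phoenix case.
WATCH_LIST = [
    ListEntry("Ali Saddam Hussein", aliases=("Hassan",), birth_years=(1980, 1983)),
    ListEntry("Jose Martinez"),      # placeholder name, constructed for this example
]
```

Run against the story's facts, a 1949-born applicant with the middle name Hassan comes back as a false match rather than an alert, while a hit on the undated entry still needs a person to look at it.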

Posted on April 10, 2007 at 6:23 AM

Story of a Credit Card Fraudster

A two-part story from The Guardian: an excerpt from Other People’s Money: The Rise And Fall Of Britain’s Most Audacious Credit Card Fraudster.

The first time I did the WTS, it was on a man from London who was staying in a £400 hotel room in Glasgow. I used my hotel phone trick to get his card and personal information—fortunately, he was a trusting individual. I then called his card company and explained that I was the gentleman concerned, in Glasgow on business, and had suffered the theft of my wallet and passport. I was understandably distraught, lying on my bed in Battlefield and speaking quietly so my parents couldn’t hear, and wondered what the company suggested I do. The sympathetic woman at the other end proposed I take a cash advance set against my account, which they could have ready for collection within a couple of hours at a wire transfer operator.

Posted on April 4, 2007 at 6:25 AM

Social Engineering Diamond Theft

Nice story:

In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp’s diamond quarter, stealing gems weighing 120,000 carats. Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.

[…]

Mr Claes said of the thief: “He used no violence. He used one weapon—and that is his charm—to gain confidence. He bought chocolates for the personnel, he was a nice guy, he charmed them, got the original of keys to make copies and got information on where the diamonds were.

“You can have all the safety and security you want, but if someone uses their charm to mislead people it won’t help.”

People are the weakest security link, almost always.

Posted on March 19, 2007 at 3:42 PM

Money Laundering Inside the U.S.

With all the attention on foreign money laundering, we’re ignoring the problem in our own country.

How widespread is the problem? No one really knows for sure because the states “have no idea who is behind the companies they have incorporated,” says Senator Carl Levin (D-Mich.), who is trying to force the states to insist on greater transparency. “The United States should never be the situs of choice for international crime, but that is exactly what the lax regulatory regimes in some of our states are inviting.” The Financial Crimes Enforcement Network, the U.S. Treasury bureau investigating money laundering, says roughly $14 billion worth of suspicious transactions involving private U.S. shells and overseas bank accounts came in from banks from 2004 to 2005, the latest Treasury data available. That’s up from $4 billion for the long stretch between April 1996 and January 2004. Now, estimates the FBI, anonymously held U.S. shell companies have laundered $36 billion to date just from the former Soviet Union.

State governments provide plenty of cover for bad guys. Every year they incorporate 1.9 million or so private companies, but no state verifies or records the identities of owners, much less screens ownership information against criminal watch lists, according to a study by the Government Accountability Office. “You have to supply more information to get a driver’s license than you do to form one of these nonpublicly traded corporations,” says Senator Levin.

Posted on February 28, 2007 at 7:59 AM

SWIFT Violates Legal Privacy Protections

This is a good summary of the SWIFT privacy case:

This week, the Article 29 group—a panel of European Commissioners for Freedom, Security, and Justice—ruled that the interbank money transfer service SWIFT (Society for Worldwide Interbank Financial Telecommunication) has failed to respect the provisions of the EU Data Protection directive by transferring personal financial data to the US in a manner the press release describes as “hidden, systematic, massive, and long-term.”

Posted on February 13, 2007 at 7:49 AM

Huge Online Bank Heist

Wow:

Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona—up to £580,000—in what security company McAfee is describing as the “biggest ever” online bank heist.

Over the last 15 months, Nordea customers have been targeted by emails containing a tailor-made Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved.

This is my favorite line:

Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea security procedures.

Um…hello? Are you an idiot, or what?

Posted on January 23, 2007 at 12:54 PM

When Computer-Based Profiling Goes Bad

Scary story of someone who was told by his bank that he’s no longer welcome as a customer, because the bank’s computer noticed a deposit that wasn’t “normal.”

After two written complaints and a phone call to customer services, a member of the “Team” finally contacted me. She enquired about a single international deposit into my account, which I then explained to be my study grant for the coming year. Upon this explanation I was told that the bank would not close my account, and I was given a vague explanation of them not expecting students to get large deposits. I found this strange, since it had not been a problem in previous years, and even stranger since my deposit had cleared into my account two days after the letter was sent. In terms of recent “suspicious” transactions, this left only two recent international deposits: one from my parents overseas and one from my savings, neither of which could be classified as large. I’m not an expert on complex behavioural analysis networks and fraud detection within banking systems, but would expect that study grants and family support are not unexpected for students? Moreover, rather than this being an isolated incident, it would seem that HSBC’s “account review” affected a number of people within our student community, some of whom might choose not to question the decision and may be left without bank accounts. This should raise questions about the effectiveness of their fraud detection system, or possibly a flawed behaviour model for a specific demographic.

Expect more of this kind of thing as computers continue to decide who is normal and who is not.

Posted on December 18, 2006 at 6:37 AM

Insider Identity Theft

Banks are spending millions preventing outsiders from stealing their customers’ identities, but there is a growing insider threat:

Widespread outsourcing of data management and other services has exposed some weaknesses and made it harder to prevent identity theft by insiders.

“There are lots of weak links,” said Oveissi Field. “Back-up tapes are being sent to offsite storage sites or being mailed and getting into the wrong hands or are lost through carelessness.”

In what many regard as the biggest wake-up call in recent memory for financial institutions, thieves disguised as cleaning staff last year nearly stole the equivalent of more than $400 million from the London branch of Sumitomo Mitsui.

Posted on December 8, 2006 at 8:39 AM

Erasable Ink Scam

Someone goes door-to-door, soliciting contributions to a charity. He prefers a check—it’s safer for you, after all. But he offers his pen for you to sign your check, and the pen is filled with erasable ink. Later, he changes both the payee and the amount, and cashes the check.

This surely isn’t a new scam, but it’s happening in the UK right now. I’ve already written about attackers using different solvents to wash ink off checks, but this one is even more basic—the attacker gives the victim a bad pen to start with.

I thought checks were printed with ink that also erased, voiding the check. Why does this sort of attack still work?

Posted on November 28, 2006 at 12:30 PM

Fighting Fraudulent Transactions

Last March I wrote that two-factor authentication isn’t going to reduce financial fraud or identity theft, that all it will do is force the criminals to change their tactics:

Unfortunately, the nature of attacks has changed over those two decades. Back then, the threats were all passive: eavesdropping and offline password guessing. Today, the threats are more active: phishing and Trojan horses.

Here are two new active attacks we’re starting to see:

  • Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank’s real website. Done right, the user will never realize that he isn’t at the bank’s website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user’s banking transactions while making his own transactions at the same time.
  • Trojan attack. Attacker gets Trojan installed on user’s computer. When user logs into his bank’s website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.

See how two-factor authentication doesn’t solve anything? In the first case, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in the second case, the attacker is relying on the user to log in.

The solution is not to better authenticate the person, but to authenticate the transaction. (Think credit cards. No one checks your signature. They really don’t care if you’re you. They maintain security by authenticating the transactions.)

Of course, no one listens to me. U.S. regulators required banks to implement two-factor authentication by the end of this year. But customers are rebelling, and banks are scrambling to figure out something—anything—else. And, amazingly enough and purely by accident it seems, they’ve stumbled on security solutions that actually work:

Instead, to comply with new banking regulations and stem phishing losses, banks and the vendors who serve them are hurriedly putting together multipronged strategies that they say amount to “strong” authentication. The emerging approach generally consists of somehow recognizing a customer’s computer, asking additional challenge questions for risky behavior and putting in place back-end fraud detection.

[…]

Despite the FFIEC guidance about authentication, the emerging technologies that actually seem to hold the most promise for protecting the funds in consumer banking accounts aren’t authentication systems at all. They’re back-end systems that monitor for suspicious behavior.

Some of these tools are rule-based: If a customer from Nebraska signs on from, say, Romania, the bank can determine that the log-on always be considered suspect. Others are based on a risk score: That log-on from Romania would add points to a risk score, and when the score reaches a certain threshold, the bank takes action.

Flagged transactions can get bumped to second-factor authentication—usually, a call on the telephone, something the user has. This has long been done manually in the credit card world. Just think about the last phone call you got from your credit card company’s fraud department when you (or someone else) tried to make a large purchase with your credit card in Europe. Some banks, including Washington Mutual, are in the process of automating out-of-band phone calls for risky online transactions.

Exactly. That’s how you do it.
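As an added example (not code from the post or from any bank named in it), here are the two back-end styles the quoted article contrasts, side by side: a hard rule that treats every out-of-country log-on as suspect, and an additive risk score that escalates to out-of-band confirmation only once enough weak signals stack up. Field names, weights and the threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Session:
    """Context of one online-banking log-on (constructed fields)."""
    home_state: str
    login_country: str
    device_recognized: bool    # the "recognizing a customer's computer" signal

@dataclass(frozen=True)
class Transfer:
    amount: float
    payee_is_new: bool

def rule_based_suspect(session: Session) -> bool:
    """Rule style: a customer signing on from another country is always suspect."""
    return session.login_country != "US"

def risk_score(session: Session, transfer: Transfer,
               typical_amount: float) -> Tuple[int, List[str]]:
    """Score style: each signal adds points; weights are illustrative, not a bank's."""
    score = 0
    reasons: List[str] = []
    if session.login_country != "US":
        score += 40
        reasons.append("log-on from outside the customer's country")
    if not session.device_recognized:
        score += 25
        reasons.append("unrecognized computer")
    if transfer.payee_is_new:
        score += 20
        reasons.append("first payment to this payee")
    if transfer.amount > 3 * typical_amount:
        score += 30
        reasons.append("amount far above the customer's norm")
    return score, reasons

STEP_UP_THRESHOLD = 50   # assumed cut-off

def decide(session: Session, transfer: Transfer, typical_amount: float) -> str:
    """'allow', or 'step_up' for out-of-band confirmation (the automated phone
    call the article describes) before the transaction is executed."""
    score, _ = risk_score(session, transfer, typical_amount)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"
```

The difference shows on the article's own case: a Nebraska customer paying a known payee a routine amount from Romania trips the rule outright, but scores 40 and passes under the threshold model until a second signal, such as a new payee, pushes it to a step-up.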

EDITED TO ADD (12/6): Another example.

Posted on November 27, 2006 at 6:07 AM
