In my column of March 12 I warned you about the dangers banks are facing from cybercriminals stealing money and sensitive data from banks.
Shortly after I wrote that column in which I exposed how increasingly vulnerable banks are to cyber bank robberies, news broke about the Bangladesh central bank becoming a victim of an $81 million bank robbery. This cybercrime started, as do so many, with some social engineering.
Specifically: With "spear phishing," which lured bank employees into unwittingly downloading malware used by the hackers to infiltrate the bank’s computers and obtain passwords and cryptographic keys used for electronic fund transfers.
Armed with this information the cyberciminals sent dozens of account transfer requests from the Bangladesh central bank to the Federal Reserve Bank of New York, where the Bangladesh central bank has accounts containing billions of dollars. Four account transfer requests processed by the New York bank electronically sent about $81 million to accounts in the Philippines. There the funds were transferred multiple times, including transfers to Philippine casinos, in an effort to launder the money.
A fifth transfer request to a supposed Sri Lankan non-profit organization aroused suspicion with Deutsche Bank, a routing bank in the transaction, due to the misspelling of “foundation” as “fandation.” That prompted a closer investigation of the transfer request. At the same time, the Federal Reserve also became suspicious at the large number of transfer requests being made to private entities instead of banks and halted the remaining approximately thirty requests that, if they had been processed, would have resulted in losses of a billion dollars.
This kind of bank robbery is the stuff of movies like Ocean’s Eleven. However, an even greater threat to the security of our bank accounts is posed not by sophisticated cybercriminals half a world away, but by rogue bank insiders working with outside criminals taking advantage of more basic flaws in bank security.
Last December, two bankers at a Brooklyn branch of JPMorgan Chase were indicted on charges of participating in a scam by which they allegedly searched bank records for accounts with high balances that were not used except for receiving direct deposits of Social Security checks. Once they identified fifteen accounts that fit these criteria, they issued phony ATM cards to two co-conspirators who then used the accounts to make 355 ATM withdrawals totaling approximately $300,000.
The holders of such accounts may often not pay much attention to the activity in their account. And to make things even more outrageous, eight of the fifteen accounts still receiving monthly Social Security checks belonged to dead people.
Wealthy and elderly customers are often the targets of this manner of bank account theft using phony ATM cards. In addition, the criminals sometimes also sell to other criminals the personal information they gain about their victims, which is then used for purposes of further identity theft.
Often the criminals will keep individual withdrawals under $10,000 in order to avoid the additional required scrutiny that comes from cash withdrawals of amounts meeting that threshold.
Last June, New York Attorney Eric Schneiderman sent a letter to major banks including JP Morgan Chase, Bank of America and Wells Fargo voicing his concern about these types of crimes. In his letter, he indicated that his office had been investigating this type of crime for years in an operation they called, “Operation Pen & Teller” a play on words on the names of magicians Penn & Teller.
According to Schneiderman, his office found “common security weaknesses in the banking industry that allowed these schemes to go largely undetected. These vulnerabilities allowed tellers at local branches to easily obtain the personal identification information of account holders across multiple states while making it difficult for bank supervisors to identify this fraud.”
Making the problem worse, Schneiderman determined that many times, when banks investigated such crimes, they permitted the criminal bank employees to merely resign and ended their investigations. According to Schneiderman, “These corrupt tellers then simply gained employment at another financial institution and resumed committing fraud.”
Schneiderman had a number of suggestions to banks on how to improve security, including:
1. Many large national banks permit tellers to have unlimited access to all customer data, including sensitive personal information, at branches anywhere in the country. Schneiderman suggested access to such information should be limited unless there was a legitimate business purpose and that access to information about customers in other parts of the country should be particularly limited.
2. Schneiderman also found that branch supervisors typically did not have an audit trail for account information accessed by particular employees. He suggested regular monitoring to identify employees who access account information without a corresponding financial transaction or who access account information for customers from another geographic region.
3. Customer call centers have also been a source of criminals gathering information that they use to advance their crimes. Better security systems such as being able to recognize when calls are made inquiring about multiple unrelated accounts from a single telephone number would help reduce fraud.
As for we as customers, Thomas Jefferson said that “eternal vigilance is the price of liberty.” Today, he could have been talking about financial security for indeed it is incumbent upon us all to monitor all of our financial accounts regularly. Despite how careful you may be in regard to protecting your personal information and accounts, you are only as secure as the places with the weakest security that have your information and money
Steve Weisman is a lawyer, a professor at Bentley University and one of the country's leading experts in scams and identity theft. He writes the blog scamicide.com, where he provides daily update information about the latest scams. His new book is Identity Theft Alert.
