Thursday, May 28, 2009
New Types of Credit Fraud
Investigators are finding that credit fraud is happening in some new ways. In Sacramento, CA, one man was found to have "created" unused Social Security numbers. He would sell one of these numbers to people who had poor credit, and associates at a furniture dealer would create credit histories for them so they could obtain new loans.
In related news, people who are victims of identity theft are finding that their chances of a loss are increasing. In 2007 only 15 percent of the victims saw unauthorized charges on their debit or credit cards. In 2008, 39 percent saw fraudulent charges.
The Identity Theft Resource Center monitors the effects of identity theft and recently published a report on this.
The most common use of an identity theft victim's name is to open new credit accounts. This happens in approximately two-thirds of the cases. Consumers trying to repair the damage of identity theft pay on average from $739 for photocopies, police reports, travel and similar expenses to $951 when they have an existing account with fraudulent transactions. The hours taken to handle all of this range from 58 in cases involving the victim's current accounts to 165 when new credit was opened in the victim's name.
The majority of victims discover their identity has been stolen when they receive a billing statement and see the charges, or when a discrepancy is discovered on a credit report. About one-third find out they are a victim when a collection agency calls them or they are denied credit.
More information and the report are available on the Identity Theft Resource Center website.
Wednesday, May 13, 2009
Social Engineering Provides High-level Access
While this happened in the UK, the question we need to ask ourselves is, "could this happen in my bank?"
A security consultant at Siemens Enterprise Communications, Colin Greenless, used his social skills not only to enter a financial services firm that is listed on the Financial Times and Stock Exchange, but to set up an office there. Since the firm is traded on an exchange, you know this wasn't a small company.
A man walking into a bank may be questioned. But a man carrying a clipboard may be able to just walk on through. He obviously has a purpose for being there. Greenless used his social skills to establish a temporary office in a meeting room on the third floor for several days. He had access to many more areas and floors of the building. He had access to store rooms, filing cabinets, confidential data left on desks, and he entered the company's data room, IT and telecoms network.
Greenless posed as an IT staffer. He noted that of 20 employees he called, 17 gave him their usernames and passwords, which provided access to the closed network. How do you get in a locked door? You follow another employee while you have a coffee cup in each hand. Your "fellow employees" hold the doors open for you. By the time he was done, Greenless was even on a first-name basis with one of the guards. At one point, Greenless even brought in another consultant who was able to do more analysis on the company's network.
You have to ask, what access does a person get to your facilities, and how? What verification procedures are in place to ensure that a person really belongs there? This should be a wake-up call to some and a training scenario for others.
Tuesday, May 12, 2009
Clear the Building before Security Leaves
In Missouri City, Texas, a robbery attempt was made at a Compass Bank branch on Tuesday, April 14. The robber concealed himself in the Men's room until 6:15, well after closing time. Only two female employees were left in the branch.
While the teller drawers hadn't yet been secured, the thief demanded they open the safe. They said they could not as another person was needed for that access. The thief then used a Taser device on one of the women eight times in an attempt to get the safe open. The teller was essentially tortured with eight Taser discharges.
It is important that banks have effective opening and closing procedures. If a security guard was present when the bank closed, the building should have had a thorough walk-through to ensure there were no persons hidden like this. Security should remain as long as employees are present, whenever possible. If clearing the building was the responsibility of the two remaining women, perhaps the walk-through should be conducted earlier when defenses would be better. This man could have easily remained hidden until the morning as well. That is why clearing the building first thing each morning is equally important. Employees need to be reminded and tested on any "all clear" and duress codes used by the branch.
Dual Controls
Xu Chaofan was sentenced to 25 years in prison. Xu Guojun was sentenced to 22 years. They were convicted of racketeering, money laundering and visa fraud. Their wives were charged with passport fraud and with helping their husbands launder money. Their wives were sentenced to eight-year prison terms.
It started as far back as 1991. Xu Chaofan became vice president of a branch of the Bank of China. These bank managers were allowed to approve loans and asset transfers with a single signature. There was no requirement for dual control. In all, the bank lost $482 million as the men went to Las Vegas and Macau where they bet millions at the baccarat tables and spent as much as $4,000 a night on meals.
In 2001 auditors detected an accounting problem. As the theft began to unravel, the men went to Plan B. They had false identification papers, married Americans and began naturalization proceedings to stay in the U.S. The two men have been in the North Las Vegas detention facility for five years already, as the international case required extensive diplomatic coordination and translations in Mandarin and Cantonese, as well as the cooperation of investigators in Hong Kong, China and the U.S. Lanny A. Breuer, chief of the Justice Department's criminal division, said, "We will not allow foreign nationals to abuse their countries' financial systems and then sneak into the United States to live richly off their ill-gotten gains."
Much of this prosecution was made possible because a third perpetrator who was also a bank manager, Yu Zhendong, agreed to plead guilty and assist in the investigation. He was living in Los Angeles but has since been returned to China. He is serving a prison sentence there.
This case exemplifies why dual controls are necessary and that when a problem is hidden and allowed to continue, it only grows in size.
