Excerpt from the SAR Activity Review
Computer Intrusion - National Trends and Analyses
This section of the SAR Activity Review outlines examples and patterns of suspicious
activity reported in the national database. The value of this information is
that financial institutions have reported these suspicious activities and other
financial institutions should be alert to similar suspicious activities occurring in
their institutions. Some of the information has been published previously, but is
included here for ease of reference.
1. Highlighted Trend
The Highlighted Trend for this issue of the SAR Activity Review, Computer
Intrusion, was suggested as a topic for discussion by the financial industry
since it was added as a new characterization of suspicious activity on the revised
SAR form dated June 2000. Law enforcement identified the need for this category
as a result of reports from financial institutions regarding possible attempts
to intrude into their computer systems.
Computer Intrusion is defined as gaining access to a computer system of a financial
institution to:
- remove, steal, procure or otherwise affect funds of the institution or the
institution's customers;
- remove, steal, procure or otherwise affect critical information of the
institution including customer account information; or
- damage, disable or otherwise affect critical systems of the institution.
For purposes of this reporting requirement, computer intrusion does not mean
attempted intrusions of websites or other non-critical information systems of the
institution that provide no access to institution or customer financial data or other
critical information.
During the first year that computer intrusion was added to the SAR form (June 1,
2000 to May 31, 2001), 147 SARs were filed by financial institutions in 34 states
and Puerto Rico identifying computer intrusion as a violation. All of the SARs
were filed by depository institutions with those in New York, California and
Illinois accounting for nearly 30 percent. In addition to the computer intrusion
violation, almost 10 percent of the SAR narratives described instances of identity
fraud as a vehicle for establishing new accounts via the Internet. The reporting
financial institutions referred 55 of those suspicious activities to law enforcement;
32 of them were referred to the FBI.
Of the 147 SARs that identified computer intrusion as a violation in Part III,
block 35, of the SAR, 64 SAR narratives described computer-related activity that
did not meet the criteria for computer intrusion. For example, many SAR narratives
described instances of individuals hacking into computer systems and
changing the content on web pages, but not accessing sensitive bank or customer
information systems. These activities should not be reported as computer intrusion
for purposes of SAR reporting. See Section 5 under Special SAR Form
Completion Guidance Related to Computer Intrusion for guidance.
Of the 147 SARs filed, 83 narratives described activity that met the definition of
computer intrusion for SAR reporting purposes. Of those 83 SARs, more than 60 percent
described activity in which the computer intrusion involved a bank employee. In
these instances, the bank employee utilized his/her position and breakdowns in
internal controls to embezzle or defraud the bank.
Two SAR narratives described attempted intrusions through a worm or virus,
while other SAR narratives described unsuccessful attempts to intrude into the
system and then send bulk email/spam in order to overwhelm and disable the
system. Two SAR narratives described failed attempts to intrude into the bank's
critical information systems. In those instances, intrusion detection systems
running on the banks' servers foiled the intrusion attempts.
One SAR narrative described an instance where an unknown entity registered a
new domain name and created a website that was similar to one being utilized by
a credit union. This phony website deceived credit union members, resulting in
the victims entering their home banking security information, thus allowing the
perpetrator unauthorized access to their accounts via the Internet.
Another SAR narrative described a similar situation, where the suspect overrode
web protocols and created a near-duplicate but sham bank website. Customers of
the legitimate bank were unaware that information entered on the sham web page
never made it to the bank. The legitimate bank that caught and reported the scam
on a SAR did not know if any financial information was captured by the sham
bank's website and used to conduct illicit activity.
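The two narratives above describe the same lookalike-website scheme: a domain that resembles the institution's own, serving a copy of its login page. One control an institution's security team can run on its own side is to compare newly registered domain names against the legitimate domain. The following is an added example, not code from the SAR Activity Review or from any institution it describes. It flags homoglyph substitutions, one-keystroke typosquats, the same name under a different top-level domain, the institution's name embedded in a longer label, and the institution's domain used as a subdomain. The institution's domain, the feed of new registrations and the homoglyph table are constructed and hypothetical, and the second-level-label logic assumes single-label TLDs such as .com and .net.

```python
"""Lookalike-domain scanner.

Added example for this page; not code from the SAR Activity Review or from any
institution it describes. The institution's domain and the feed of newly
registered domains below are constructed and hypothetical.
"""
from typing import Dict, List, Optional

# Illustrative subset of character substitutions used to imitate a domain.
# Each entry maps the imitation to the character it is meant to resemble.
HOMOGLYPHS: Dict[str, str] = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "vv": "w", "rn": "m", "cl": "d",
}


def normalize(label: str) -> str:
    """Fold case, drop hyphens and undo common homoglyph substitutions."""
    label = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1. Catches one-keystroke typosquats."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain. Assumes a single-label TLD (.com, .net);
    multi-part public suffixes such as .co.uk would need a suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(legit: str, candidate: str, max_distance: int = 1) -> Optional[str]:
    """Return why `candidate` resembles `legit`, or None if it does not."""
    legit = legit.lower().strip(".")
    candidate = candidate.lower().strip(".")
    if candidate == legit or candidate.endswith("." + legit):
        return None  # the institution's own domain or one of its subdomains
    legit_label = registrable_label(legit)
    cand_label = registrable_label(candidate)
    if cand_label == legit_label:
        return "same-label-different-tld"
    if normalize(cand_label) == normalize(legit_label):
        return "homoglyph"
    if osa_distance(normalize(cand_label), normalize(legit_label)) <= max_distance:
        return "typosquat"
    if legit_label in candidate.split(".")[:-2]:
        return "legit-label-as-subdomain"
    if legit_label in cand_label:
        return "label-embedded"
    return None


def scan(legit: str, new_domains: List[str]) -> Dict[str, str]:
    """Map each flagged domain to the reason it was flagged."""
    flagged: Dict[str, str] = {}
    for domain in new_domains:
        reason = classify(legit, domain)
        if reason:
            flagged[domain] = reason
    return flagged


# Constructed data: a hypothetical credit union and a hypothetical day of
# new registrations. None of these names refers to a real organization.
LEGIT_DOMAIN = "examplecu.com"
NEW_REGISTRATIONS = [
    "examplecu.com",                    # own domain: not flagged
    "www.examplecu.com",                # own subdomain: not flagged
    "examplecu.net",                    # same name, different TLD
    "examp1ecu.com",                    # digit 1 in place of letter l
    "exarnplecu.com",                   # "rn" in place of "m"
    "exampelcu.com",                    # transposed letters
    "examplecu-login.com",              # institution name embedded
    "examplecu.com.secure-verify.net",  # institution domain as a subdomain
    "unrelatedbank.com",                # not flagged
]

if __name__ == "__main__":
    for domain, reason in scan(LEGIT_DOMAIN, NEW_REGISTRATIONS).items():
        print(f"{domain:36} {reason}")
```

A hit from this scanner is only a lead: the next step is to fetch the page, compare it with the institution's real login page, and, if it is a copy, start takedown and customer notification. The cases the narratives describe, a registered lookalike that captured home-banking credentials, would show up here as the "homoglyph", "typosquat" or "same-label-different-tld" categories.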
While not an instance of computer intrusion, one particular scheme is worth
noting. In late April and early May 2001, a Russian individual attempted to hack
into at least four banks. He then contacted the banks to notify them that he had
succeeded in intruding into their systems and had identified several
vulnerabilities that gave access to all logs, files, and passwords. At that
point, he attempted to extort the bank officials by claiming that he would assist
them in correcting the vulnerabilities in their computer systems.
Four SARs described a bill paying service whose customer information appeared
to be compromised by someone within the organization. The intruder obtained
valid ID and PIN numbers of customers and then initiated unauthorized automated
clearinghouse debits from various accounts.
During the review of these SARs, it became apparent that some financial institutions
were uncertain about when a SAR should be filed. When suspicious activity is
detected, an institution should file a SAR within 30 days if a suspect has been
identified, or within 60 days if the individual(s) cannot be identified. Some of the narratives
stated that the filing institution was waiting until a particular monetary threshold
was met prior to filing the SAR. Although banks are required to file a SAR when
the suspicious activity amounts to $5,000 or more, banks are permitted to file at a
lower dollar threshold.
Of the 147 SARs filed on computer intrusion, 17 (almost 12%) did not complete
Part V (the narrative). In a few instances, the narrative indicated that documents
were attached to the form. As the SAR form instructions indicate, "this section of
the report is critical." Supporting documentation such as spreadsheets, photocopies
of canceled checks or other documents, surveillance photos, etc., must be
retained at the financial institution. Indicate in Part V what documentation is
being retained.
Excerpted from SAR Activity Review Issue 3 , page 15