BSA, AML and bank security seminars, manuals, videos and pamphlets
National Association for Bank Security

Security Through Education



What a Week! -- by T_Duxbury on Thursday, August 1 2013

What a week it was! The Boston Marathon massacre…the ricin letter scare at Mississippi mail facilities…a huge explosion in a fertilizer plant in Texas. Fatalities. Gruesome injuries. What a horrific week!

We members of the banking community can learn something from all this. Deadly danger and violence seem to be no more than a second away, and their location remains, for the most part, unpredictable. The fertilizer explosion was a calamitous accident. We do not know whether it was at all foreseeable. It is still being investigated. The ricin threat – use of a very serious poison – was intentional, and aimed at political figures – highly visible targets. The third incident, another egregious national tragedy, also had a highly visible target. The Boston Marathon is a storied event held in a storied city on a storied day. The race goes back many decades, has tens of thousands of participants and hundreds of thousands of spectators, and may be as significant a sporting event as the Olympic Marathon. What is more, Boston is considered the birthplace of liberty in the United States. The shot heard ‘round the world was fired in or around Boston, not in Philadelphia or Washington. And the day, Patriot’s Day, is a very significant day of observance and celebration to Bostonians and fellow residents of Massachusetts. Remember, the football team was originally called the Boston Patriots.

Thus, what was done on April 15, 2013, by two exceptionally misguided individuals, one 26 and the other, a younger brother, 19, had profound symbolic significance, in addition to being, as we said, an egregious tragedy. This must not be lost on any banker anywhere. Banks are highly visible and, for many, are highly symbolic representations of capitalism. From a global perspective, banks are also highly controversial entities for many, to understate the issue. For some, they’re hated representations of the concept of, and actual word, “capitalism.” Sadly, the image of the so-called “Ugly American” from the sixties never went away. It’s just that the passion has grown or shifted to more parts of the world. Again, this concept must not be lost on bankers. It has the potential for bringing tragedy to our doorstep. A graphic reminder of just what could happen can be found in two developments over the past year or so. Last September a cybercriminal group claiming to be acting in response to a film that allegedly made a mockery of Islam and the prophet Muhammad began directing distributed denial of service (DDoS) attacks against large banks. The interruptions in online banking services were nominal for the large institutions, but they were persistent, and have continued into April of this year, the most recent being an attack that shut down the website and mobile applications of the Charles Schwab Brokerage for two hours. The alleged perpetrators of all of these attacks claim they could cause more interruption than they already have, and what is interesting to note is that some cyber security consultants, including the esteemed Avivah Litan of Symantec, agree. This is disconcerting, especially in the context of the frightening national headlines we have had recently. Adding to this concern have been the Occupy Movements involving banks over the past two years.
The original Occupy Movement was aimed at Wall Street, perceived by some as the cause of the nation’s economic ills over the past five years. Then the animosity spread to include large banks, with demonstrations that included interruptions of meetings, damage from graffiti, interruption of foot traffic in the front of banks, and physical contact to remove obstructive demonstrators by law enforcement authorities.

The Occupy Movement seems to have run its course, whereas the DDoS attacks, while hardly crippling, persist. They should be taken seriously in so far as they might act as barometers of discontent and harbingers of things of a more serious nature like the unpredictable, inexplicable events that happened recently in Boston.

We have been confronted with many reasons in recent years to remind one another to be vigilant, to, as Secretary of Homeland Security Janet Napolitano has repeatedly entreated, say something if you see something. If you see odd behavior like someone dropping a package and calmly walking away – or running away, or a suspicious-looking container on the floor in an airport, bus station, or train station – it is time to react quickly and with conviction.

Skimming: The Little Crime with Big Payoffs -- by T_Duxbury on Thursday, August 1 2013

Financial institutions appear to be taking an increasing, albeit slowly formed, interest in ATM scams in which card readers and pinhole cameras are the weapons of choice. The negative aspect of this statement is justifiably evidenced by the existence of a very apparent dearth of inspections of bank ATMs for the clandestine little devices on the part of financial institutions. Criminals who install these devices on bank ATMs sit back and collect the personal information of bank customers for a weekend or so (sometimes even a week or two!), then attack their bank accounts and move on to other fertile territory. They are making a great deal of money plying this criminal trade around the country, and banks are losing a great deal reimbursing customers.

Lest we think that this innovative crime, skimming, only hurts banks when it is pulled at their own ATMs, let’s look at what actually occurs at other machines. Skimmers are being used by waiters, waitresses, and bartenders at restaurants (even fast food establishments) and drinking establishments to great effect. They hold the small devices of theft in their pockets and aprons. The information they acquire is then either used by these people to obtain money or sold to others who manufacture payment cards and steal funds with them.

Skimmers are also used surreptitiously at cash registers of retailers, especially gas stations, or even more commonly in the gas pumps outside. Customer information is also used from these sources to ultimately counterfeit and use payment cards illicitly. In all of these cases beyond the realm of bank ATMs, the plastic payment cards from which information is gleaned may very well be from your bank, and, if so, your bank is more intimately linked to this criminal MO than it may fully realize. If we in the banking community, as well as those in the law enforcement and judicial communities, do not take a more active interest and role in putting an end to these crimes (frequent inspections of ATM machinery by bankers and retailers; bankers and banking associations lobbying for increased penalties, etc.) then people who skim for a living will continue to have a field day, especially where ATMs and gas pumps are the facilitators, as exemplified by the following representative case of gas pump skimming (we’ve profiled enough cases of bank ATM skimming in recent years to fill a book).

The county court called it a major identity theft scheme, and the jury went on to convict the two accomplices in this skimming crime of “identity theft involving eight or more victims,” the threshold for a felony (here’s one problem with “the system”). A remarkable 450 people were accounted for in the area who had confidential information stolen by the felonious pair who used skimmers in numerous gas pumps to accomplish their crimes. The suspects were also convicted of a single count of identity theft involving possession of a re-encoder and a single count of financial transaction fraud. On the surface, this crime appears to be yet another example whereby criminals are convicted of only a very small percentage of crimes actually committed, done for the sake of judicial expedience.

When the pair was later questioned during a traffic stop for speeding, a police dog detected the possible presence of illegal drugs. A search of the female party’s purse revealed a handwritten list of nearly 100 gas stations in the Minneapolis-St. Paul area. Also found in the vehicle were 12 credit cards re-encoded with a stolen account number, devices for making bogus credit cards, a flash drive containing hundreds of names and credit card numbers, and five keys for opening gas pumps. Every time a customer inserted a credit card into the pump’s reader, the skimmer read and recorded the information for creating the fake credit cards.

Success One Step at a Time -- by T_Duxbury on Thursday, August 1 2013

The United States government estimates that from twenty to twenty-five billion dollars in cash is smuggled south across the Mexican border to pay cartels for the drugs they send north into the United States. The Drug Enforcement Administration (DEA) estimates that the interdiction efforts to stem the flow of the cash being smuggled south across the 2000-mile Mexican-U.S. border, much of which is brought all the way to Colombia, only manage to stop about 2 percent of the money. This is discouraging, to say the least. What is certainly also discouraging is the realization that this ocean of cash is paying for a profusion of dangerous, illegal drugs in our cities and hamlets.

What is encouraging, however, although in a limited sense, is that the government speculates that a big part of the reason for the huge amount of smuggled cash sent south each year is the pressure banks have brought to bear with large-cash-transaction reporting on money launderers who attempt to disguise the existence and sources of the great quantities of funds drug cartels deal in. Also encouraging are stories of law enforcement successes with arrests of drug money launderers – those who would make our financial institutions unwitting accomplices and facilitators of the crime of international money laundering, which undermines the stability of our financial infrastructure, in fact, our entire culture. The law enforcement community in New York has provided us with a recent case in point.

According to indictments unsealed on March 14 in federal court in Brooklyn, 19 people were charged with conspiring to launder what was termed “tens of millions of dollars in narcotics proceeds being moved* from the United States to Colombia.” Twelve of the defendants were arrested in Colombia. They allegedly assisted drug trafficking organizations in Colombia by laundering drug proceeds in the United States. The remainder were arrested in Queens, Long Island, New Jersey, and Connecticut. They allegedly received the proceeds from drug distributors in the United States and delivered the money to other members of the organization.

*So lucrative is the international illegal drug trade, and so many paper bills are moved south, that illegal drug organizations are willing to go to remarkable trouble and expense to hide cash, even stashing it in spare tires and cutting vehicles apart to stash money, then soldering them back up and giving them new paint jobs.

‘Underweb’: the Electronic Vanity Fair -- by T_Duxbury on Wednesday, July 31 2013

Recently, cyber criminals published Social Security numbers and other sensitive data on certain high-profile Americans, among them FBI Director Robert Mueller, First Lady Michelle Obama, and that famous, if not notorious, member of the highly-notable Hilton family, Paris Hilton. When someone as elevated and revered by so many as Paris Hilton proves vulnerable this way, we must ask, Is no one safe from cyber criminals?

What is the source of the confidential information appropriated by cyber thieves? You guessed it. Once again we are reminded, some of us painfully, just how easy it is to obtain confidential personal information from Internet underworld store fronts, or, as it is becoming popularly referred to, the “Underweb.” And you can’t beat the prices: according to a Bloomberg report, as little as 50 cents for random records that are called “fulls” – they include first, middle, and last names, plus the subject’s address, phone number, SSN and DOB. That’s really all you need to wreak financial havoc.

However, if not acquired randomly, but according to date of birth, the cost of the records shoots all the way up to $1.00. If searched by ZIP code, the price is $1.50. If you want more, the price continues to rise, but availability remains abundant. Driver’s license records go for $4.00, $12.00 gets you background reports, and the coup de grace, credit reports, can be had for $15.00 each. Limited information easily acquired by cyber criminals can ultimately be used to easily acquire full credit reports!

These claims were put to the test recently by a cyber security consultant. After submitting an SSN, date of birth, and an address, within 15 minutes the “criminal site” returned a full credit report produced by Trans Union! As long as there are such weak security efforts in our culture as these, and sensitive information can be so easily obtained, good faith efforts by bankers to protect the information of bank customers (CIP programs) and discourage its illicit use will be like the proverbial shoveling of sand against the tide.

From China, with Love -- by T_Duxbury on Wednesday, July 31 2013

Occasionally, we all must actually see in order to believe. This tendency seems to be evident in the criminal area of credit and debit card fraud, especially where small gangs procure numerous blank cards and illegally turn them into working credit and debit cards, then use them to eventually obtain cash. Many seem to be incredulous that this can actually be done.

Three common ways credit/debit card fraud artists ply their trade once they have transferred stolen customer information (from a criminal art like skimming) onto blank cards are a) purchasing items from large stores like Walmart, Home Depot, and Target, then selling the items on eBay or at flea markets; b) making purchases and returning them for refunds at those retailers where they can get away with this; and c) selling the cards on the black market. In one recent case of a highly prosperous small gang of three, the thieves imported thousands of blank credit cards from China that bore the logos of large financial institutions and activated the counterfeit cards using stolen credit card numbers. From here, they used the cards in a variety of ways, including those discussed above.

These were skilled con men who operated this credit card fraud ring, but not as skilled at eluding the law as they needed to be to sustain their operation. First federal agents acting on a tip raided a storage facility rented by the gang, resulting in the confiscation of more than 80,000 phony cash cards with magnetic strips and several credit card skimmers used to obtain customer information. Earlier, they had been able to intercept packages from China containing 12,000 blank cards with magnetic strips acting on the same tip.

Many credit card fraud gangs act on a smaller scale and are involved with many fewer falsified cards, but show great personal industry nonetheless. One such gang operated in the Modesto, California, area. Police became aware of the criminal operation because one fraudulent card was used in numerous businesses. Officers went to all of the businesses in the Modesto and Sonora areas where the fraudulent card was used and obtained video surveillance of the suspects and a list of the property they purchased with the fraudulent card. Through further investigation, the officers were able to identify the two suspects and determined they were residents of Modesto. They had been practicing criminal behavior, felony after felony, in their own back yard.

When officers searched the residence of the pair, they found more than $10,000 in illegally-purchased property, some still in original packaging, more than $100,000 in credit card receipts, a credit card embosser, 500 blank credit cards with magnetic strips, a card skimmer, a card graphic printer, a program to import credit card information on cards, numerous credit cards in others’ names, and a list of names, dates of birth, and Social Security numbers – all the things one would need to run a business like this.

Many Banks Experienced DDoS Attacks in 2012 -- by T_Duxbury on Wednesday, July 31 2013

You’ll probably recall our brief coverage of the distributed denial of service attacks (DDoS) against mainly large American banks that made headlines this past fall and winter. Few of us realized just how common these types of attacks against bank computer systems were. According to a survey (1/23/13) by the Ponemon Institute (conducts research on privacy, data protection, and emerging data security technologies), nearly 70 percent of all depository financial institutions in the United States experienced at least one DDoS attack (e.g., intentional electronic overload, such as flooding with emails, so that the system becomes virtually [but temporarily] unusable) during the past 12 months. The survey also showed the following results:

• Seven percent of surveyed banks reported they experienced more than 10 DDoS attacks.
• Only 37 percent of respondents termed their employing financial institutions’ ability to prevent DDoS attacks as effective; 30 percent said it was somewhat effective; 23 percent said not effective; 10 percent said they were unsure of the effectiveness.
• Fewer than half of the respondents said their banks’ efforts to detect DDoS attacks were effective.
• What were the biggest obstacles to effectiveness in these areas of security? – insufficient personnel; insufficient in-house expertise; inadequate or insufficient technologies; budget constraints, in that order.
• Almost 80 percent of respondents said they expect the DDoS attack level in 2013 to match or exceed 2012’s level.

Stats Show Dramatic Shift -- by T_Duxbury on Wednesday, July 31 2013

Reflecting an adjustment in tasking away from bank robbery investigation and the recording and publication of statistics to fighting terrorism and terrorist financing, the FBI has chosen not to publish bank robbery statistics for any quarter of 2012 as of mid-February 2013. But it has released some statistics to the news media in dribs and drabs, among which are several that should be of interest to us. They show a conspicuous shift.

Doug Johnson, vice president of risk management at the American Bankers Association, hints at the nature of the shift: “Clearly, as more and more transactions become electronic, more bank crimes become electronic.” This statement was in response to the suggestion among some security experts that there has been, and is ongoing, a major shift in bank crimes from the violent category to the pushbutton category. Does this sound like too simplistic and facile an explanation for the decline in bank robberies in recent years?

It is a welcome fact that the nationwide crime rate is dropping, but it is at least an equally welcome fact that the nationwide bank robbery rate has been dropping at a much greater rate, according to FBI data. Many experts attribute the marked drop in bank robberies over the past 15 or 20 years (from 8,000 and 9,000 levels to the 5,000 level) to three primary factors, among other factors:

• Improved (quality) and increased (amount of) security; technology is a big factor here, especially with use of bandit barriers, mantraps, and tracking devices, and increased use of dye packs;
• Tougher sentencing, especially for serial robbers (deters some potential serial robbers and gets some others off the streets for longer periods);
• More sophisticated criminals seem to be recognizing bank robbery as a high-risk, low-reward proposition and are causing a slow migration to online and ATM “robbery,” tending to parallel the increases in online and ATM transactions; witness the significant increase in crimes like online account intrusion and commandeering (from places as far away as Russia, Romania, Latvia, and Ukraine, no less!) and ubiquitous ATM skimming. According to FBI data, since 2001, complaints of Internet crime have risen fivefold, whereas in the last 15 years the per-crime take of U.S. bank robbers has dropped by about 40 percent.

Let’s hope the FBI doesn’t retire from the statistics game. Crime statistics tend to show us our strengths and weaknesses, e.g., bank robbery security: getting stronger and stronger; online and ATM security: needs work.
