Do Banks Really Not Know The Biggest Threat Comes From Insiders?

from the you-have-to-be-kidding dept

Wed, Nov 22nd 2006 12:05pm — Mike Masnick

We've been hearing this story for ages, but it's beginning to ring hollow (or, perhaps, is just an attempt by security consultants to get their name in the news). Reuters is quoting just such a security consultant claiming that banks are too focused on external threats and haven't paid enough attention to insiders who could just walk out the door with customer info and money. The article itself reads a little strange -- as if the author was looking for some sort of "banking problem" story, but couldn't come up with anything new. Instead, it just quotes a bunch of people all saying the same things that have been said before about bank security. Unfortunately, that leaves open the question: are banks just waking up to this threat now? Or is a case where a reporter needed a story about banking security and reran the same story from the last five years? It's true that there have been so many reports of data leaks via lost laptops recently to suggest that perhaps companies aren't careful enough with what information walks out the door with employees -- but it's hardly a new problem, and hopefully one that they're not just waking up to.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

11 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

CRAWIL, 22 Nov 2006 @ 1:11pm

Say what?
A story that's not sure if there's a story about a story that's about a non-story. That's compelling journalism!
[ link to this | view in chronology ]
Ryan, 22 Nov 2006 @ 1:21pm

it's better
it's better than the typical re-packaged press release that so many newspapers run with now.
[ link to this | view in chronology ]
- Anonymous Coward, 22 Nov 2006 @ 1:39pm
  
  Re: it's better
  really? how so? re-packaged press releases are what they are. What makes one better than another?
  
  Please enlighten me as I'm certain that if you're right I have missed something in this article that I probably care about.
  [ link to this | view in chronology ]
Sanguine Dream, 22 Nov 2006 @ 1:21pm

The only real way...
to 100% eliminate data theft is to take humans out of the equation (and since machines can be reprgrammed even that isn't foolproof). Every bank has an IT section and at best even the people in that department are working around sensitive info. Someone getting pissed off or a genuine accident could lead to a leak.
[ link to this | view in chronology ]
ThoughtCancer, 22 Nov 2006 @ 1:38pm

Speaking as an Auditor of Bank Information Systems
This guy is right on the money (no pun intended). I perform security audits of banking and hospital information systems, and it really is pulling teeth to get Management to understand that their biggest threats are internal.
[ link to this | view in chronology ]
Nobody Special, 22 Nov 2006 @ 8:26pm

bullshit
This story is pure bullshit. Banks understood the internal threat back in the 70s. And so did the government agencies auditing the banks.

But what I want to know is: how are the banks supposed to operate? For that matter, how is anyone supposed to operate? The simple fact is that the "experts" that are often quoted would lock up everything so tight nobody can do their job.
[ link to this | view in chronology ]
- annoyed, 23 Nov 2006 @ 11:01am
  
  Not just since the 1970s
  Banks have had hundreds of years to learn how to protect against insider threats. A lot of security ideas like separation of duties come from the traditions of the banking world. If banks didn't understand that employees can steal money, there would be no banks.
  [ link to this | view in chronology ]
Donald Duck, 24 Nov 2006 @ 11:39pm

Keyboard Logging
The story said that a cleaning crew place keyboard logging programs on their computers. Nifty how ‘Homer’ figured that one out huh. His real name was probably Joe ‘The Bagger’ Constanstein. They nearly lifted $400 million mazumas in a few days that is not freaking part-time earnings! All they had to do just hit a few buttons with their fat clorox stained fingers and wire the money to a bank in Israel *priceless*.

So the banks obviously wasn't watching who they ‘hired’ to 'clean them out' during the night time while they was installing new safes. If that was my bank and $400 million mazumas the computers administer would be a good suspect and definitely would be on the unemployment line.

Why didn’t they install computer programs that can detect keyboard logging? So the reporter is bringing up employee back ground checks even if it‘s just a dude cleaning the banks shit holes.

The thief could have just use a USB thumb drive, scan disk or a keyboard logging memory spot for information storage. ‘Memory Spots’ could be embedded inside a business cards self-adhesive dots with a fake shell-companies name on it.

Smaller then a grain of rice the little built-in antenna with chip could be programmed to capture keyboard logs or more via wireless LAN signals from inside the bank. The private information from the banks biggest clientele being diligently recorded by the surreptitiously placed memory spots in the ink on the business card.

I janitor could walk in a few day's later with a music cell phone taps a button and at 15 megabits per-second faster then Bluetooth wireless technology the stolen illicit data that was needed was uploaded in mere moments from the card placed a few day‘s prior and he just simply throws away the evidence and retires some where in Hawaii.

Besides that from what I've read banks probably well use memory spots to help protect their clienteles money in the future. So possibly things banks look into with employees they don't share to the public.
[ link to this | view in chronology ]
bank employee, 27 Nov 2006 @ 11:01am

view from within
believe me there is a TON of scrutiny on this subject and the most obvious solution is to not let employees have any access to customer data. Makes life miserable for us doing testing and resolving production problems but that is the cost of security.
[ link to this | view in chronology ]
Jerm, 27 Nov 2006 @ 12:16pm

How True.
I work at a bank, and I will be the first to share how easy it would be to steal quite a load of cash. Not only am I trusted with close to a million in cash daily, I am also able to make cashiers checks at will. The main thing banks can do to protect themselves is an extensive background check before hiring new employees. I recently researched the possible uses of biometrics at my bank, and I am convinced that this science offers a viable solution to many internal problems. Internal bank security will alwasy be a problem, preperation is the banks main defence.
[ link to this | view in chronology ]
James, 11 Aug 2007 @ 5:38pm

Banks!
Hi, all banks is here ! - http://grahambeswicke918.tripod.com/bank.html
[ link to this | view in chronology ]