Bank security falls victim to moles

[InfoSec News <isn () c4i org>]

http://news.ft.com/servlet/ContentServer?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1045511507743

By Thomas Catán in London 
Published: March 10 2003 

A crime ring was able to infiltrate Citigroup four years ago and pull
off a dramatic $37m heist, highlighting the vulnerability of even
large and relatively well- defended banks to organised crime.
 
The incident contradicts statements made to the Financial Times by
Citigroup last month in which it said it had not been infiltrated by
criminals in the past nor had it suffered any significant losses as a
result.

According to sources familiar with the matter, the criminals were able
to gain access to the funds-transfer operations of Citigroup, the
world's largest financial services company, and make two multi-million
dollar transfers in the summer of 1999. The first, for $22m, was
returned by the beneficiary bank after it became suspicious about the
unusual account activity. However, a second transfer of nearly $15m to
a Turkish bank was withdrawn by the criminals a few weeks later.

Asked later about the specific incident, Citigroup said it was
"co-operating with authorities and taking necessary actions to recover
any losses". While it could not comment on individual cases, Citigroup
said: "We safeguard our customers' assets with vigilance and our
methods are effective."

The incident illustrates how even a large banking group such as
Citigroup, viewed by security experts as having some of the more
sophisticated controls in the industry, can fall prey to organised
criminals working inside their institutions.

In most cases, such infiltrators will try to work undetected for long
periods of time, moving small amounts of money on a regular basis to
avoid attracting attention. In Citigroup's instance, however, the
criminals abandoned their usual policy of "little and often", making
massive wire transfers with no attempt to conceal the theft.

Although such fraudulent funds transfers are some of the most
eye-catching examples of what can happen when criminals infiltrate
banks, police and bank investigators said they remained comparatively
rare.

More commonly, infiltrators will use access to sensitive customer
information to perpetrate frauds on unwitting customers, taking out
loans in their name or draining their accounts.

ISMG, a London-based corporate security firm, last year investigated
several such fraud attempts for a prominent City client, whose
identity they cannot disclose. Two separate attempts to move a total
of £86,000 ($137,600) were foiled only after a vigilant personal
banker became suspicious of the forged requests.

The UK bank targetted in this instance admitted it had suffered more
than 90 such incidents, said John Wick, managing director of ISMG.

In this case, the private probe traced the fraud attempts back to west
African organised crime and the private banking client did not
ultimately lose any funds. The average bank client, however, does not
enjoy similar protections, said investigators.

"The average person doesn't have an individual personal manager
running their account," said Mr Wick. "Without that sort of vigilance,
it is highly likely that organised crime will be successful."

Following publication of a story on the growing problem of criminal
infiltration of high street banks last week, a number of people
contacted the FT to say that they had lost money from their accounts
in mysterious circumstances.

Eamonn Wallace, a computer security expert based in Ireland, said his
account at Ulster Bank, a subsidiary of the Royal Bank of Scotland,
was emptied of about £5,000 between October and November 2001. He said
the bank told him only he could have withdrawn the funds and has begun
proceedings against him to recover the resulting overdraft.

Ulster Bank and RBS declined to comment on Mr Wallace's individual
case, saying only that they "are fully satisfied that our systems are
secure".

However, Mr Wallace, who has extensive experience in the field, said
he had identified a range of ways that criminals could uncover
clients' PINs.

As part of a trial involving alleged "phantom withdrawals" suffered by
a South African businessman, two Cambridge University computer
researchers recently testified they had found a way hackers working
inside banks could discover PIN numbers. The researchers, Ross
Anderson and Mike Bond, have been prohibited by a High Court judge
from discussing their findings.

"Banks are a leaky bucket," said Mr Wallace. "Who knows what sort of
people are getting in there and what kind of damage they're doing?"



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.