[ISN] Bank security falls victim to moles

From: InfoSec News (isnat_private)
Date: Tue Mar 11 2003 - 22:57:19 PST

  • Next message: InfoSec News: "Re: [ISN] Deloder worm targets weak passwords"

    By Thomas Catán in London 
    Published: March 10 2003 
    A crime ring was able to infiltrate Citigroup four years ago and pull
    off a dramatic $37m heist, highlighting the vulnerability of even
    large and relatively well- defended banks to organised crime.
    The incident contradicts statements made to the Financial Times by
    Citigroup last month in which it said it had not been infiltrated by
    criminals in the past nor had it suffered any significant losses as a
    According to sources familiar with the matter, the criminals were able
    to gain access to the funds-transfer operations of Citigroup, the
    world's largest financial services company, and make two multi-million
    dollar transfers in the summer of 1999. The first, for $22m, was
    returned by the beneficiary bank after it became suspicious about the
    unusual account activity. However, a second transfer of nearly $15m to
    a Turkish bank was withdrawn by the criminals a few weeks later.
    Asked later about the specific incident, Citigroup said it was
    "co-operating with authorities and taking necessary actions to recover
    any losses". While it could not comment on individual cases, Citigroup
    said: "We safeguard our customers' assets with vigilance and our
    methods are effective."
    The incident illustrates how even a large banking group such as
    Citigroup, viewed by security experts as having some of the more
    sophisticated controls in the industry, can fall prey to organised
    criminals working inside their institutions.
    In most cases, such infiltrators will try to work undetected for long
    periods of time, moving small amounts of money on a regular basis to
    avoid attracting attention. In Citigroup's instance, however, the
    criminals abandoned their usual policy of "little and often", making
    massive wire transfers with no attempt to conceal the theft.
    Although such fraudulent funds transfers are some of the most
    eye-catching examples of what can happen when criminals infiltrate
    banks, police and bank investigators said they remained comparatively
    More commonly, infiltrators will use access to sensitive customer
    information to perpetrate frauds on unwitting customers, taking out
    loans in their name or draining their accounts.
    ISMG, a London-based corporate security firm, last year investigated
    several such fraud attempts for a prominent City client, whose
    identity they cannot disclose. Two separate attempts to move a total
    of £86,000 ($137,600) were foiled only after a vigilant personal
    banker became suspicious of the forged requests.
    The UK bank targetted in this instance admitted it had suffered more
    than 90 such incidents, said John Wick, managing director of ISMG.
    In this case, the private probe traced the fraud attempts back to west
    African organised crime and the private banking client did not
    ultimately lose any funds. The average bank client, however, does not
    enjoy similar protections, said investigators.
    "The average person doesn't have an individual personal manager
    running their account," said Mr Wick. "Without that sort of vigilance,
    it is highly likely that organised crime will be successful."
    Following publication of a story on the growing problem of criminal
    infiltration of high street banks last week, a number of people
    contacted the FT to say that they had lost money from their accounts
    in mysterious circumstances.
    Eamonn Wallace, a computer security expert based in Ireland, said his
    account at Ulster Bank, a subsidiary of the Royal Bank of Scotland,
    was emptied of about £5,000 between October and November 2001. He said
    the bank told him only he could have withdrawn the funds and has begun
    proceedings against him to recover the resulting overdraft.
    Ulster Bank and RBS declined to comment on Mr Wallace's individual
    case, saying only that they "are fully satisfied that our systems are
    However, Mr Wallace, who has extensive experience in the field, said
    he had identified a range of ways that criminals could uncover
    clients' PINs.
    As part of a trial involving alleged "phantom withdrawals" suffered by
    a South African businessman, two Cambridge University computer
    researchers recently testified they had found a way hackers working
    inside banks could discover PIN numbers. The researchers, Ross
    Anderson and Mike Bond, have been prohibited by a High Court judge
    from discussing their findings.
    "Banks are a leaky bucket," said Mr Wallace. "Who knows what sort of
    people are getting in there and what kind of damage they're doing?"
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Mar 12 2003 - 01:28:57 PST