http://news.ft.com/servlet/ContentServer?pagename=FT.com/StoryFT/FullStory&c=StoryFT&cid=1045511507743

By Thomas Catán in London
Published: March 10 2003

A crime ring was able to infiltrate Citigroup four years ago and pull off a dramatic $37m heist, highlighting the vulnerability of even large and relatively well-defended banks to organised crime.

The incident contradicts statements made to the Financial Times by Citigroup last month in which it said it had not been infiltrated by criminals in the past nor had it suffered any significant losses as a result.

According to sources familiar with the matter, the criminals were able to gain access to the funds-transfer operations of Citigroup, the world's largest financial services company, and make two multi-million dollar transfers in the summer of 1999.

The first, for $22m, was returned by the beneficiary bank after it became suspicious about the unusual account activity. However, a second transfer of nearly $15m to a Turkish bank was withdrawn by the criminals a few weeks later.

Asked later about the specific incident, Citigroup said it was "co-operating with authorities and taking necessary actions to recover any losses". While it could not comment on individual cases, Citigroup said: "We safeguard our customers' assets with vigilance and our methods are effective."

The incident illustrates how even a large banking group such as Citigroup, viewed by security experts as having some of the more sophisticated controls in the industry, can fall prey to organised criminals working inside their institutions.

In most cases, such infiltrators will try to work undetected for long periods of time, moving small amounts of money on a regular basis to avoid attracting attention. In Citigroup's instance, however, the criminals abandoned their usual policy of "little and often", making massive wire transfers with no attempt to conceal the theft.

Although such fraudulent funds transfers are some of the most eye-catching examples of what can happen when criminals infiltrate banks, police and bank investigators said they remained comparatively rare. More commonly, infiltrators will use access to sensitive customer information to perpetrate frauds on unwitting customers, taking out loans in their name or draining their accounts.

ISMG, a London-based corporate security firm, last year investigated several such fraud attempts for a prominent City client, whose identity they cannot disclose. Two separate attempts to move a total of £86,000 ($137,600) were foiled only after a vigilant personal banker became suspicious of the forged requests.

The UK bank targeted in this instance admitted it had suffered more than 90 such incidents, said John Wick, managing director of ISMG. In this case, the private probe traced the fraud attempts back to west African organised crime and the private banking client did not ultimately lose any funds.

The average bank client, however, does not enjoy similar protections, said investigators. "The average person doesn't have an individual personal manager running their account," said Mr Wick. "Without that sort of vigilance, it is highly likely that organised crime will be successful."

Following publication of a story on the growing problem of criminal infiltration of high street banks last week, a number of people contacted the FT to say that they had lost money from their accounts in mysterious circumstances.

Eamonn Wallace, a computer security expert based in Ireland, said his account at Ulster Bank, a subsidiary of the Royal Bank of Scotland, was emptied of about £5,000 between October and November 2001. He said the bank told him only he could have withdrawn the funds and has begun proceedings against him to recover the resulting overdraft.

Ulster Bank and RBS declined to comment on Mr Wallace's individual case, saying only that they "are fully satisfied that our systems are secure". However, Mr Wallace, who has extensive experience in the field, said he had identified a range of ways that criminals could uncover clients' PINs.

As part of a trial involving alleged "phantom withdrawals" suffered by a South African businessman, two Cambridge University computer researchers recently testified they had found a way hackers working inside banks could discover PIN numbers. The researchers, Ross Anderson and Mike Bond, have been prohibited by a High Court judge from discussing their findings.

"Banks are a leaky bucket," said Mr Wallace. "Who knows what sort of people are getting in there and what kind of damage they're doing?"