Memento provides next-generation technology and solutions that enable financial institutions to rethink and improve the way they combat fraud and manage compliance. Memento customers realize unmatched business value and rapid ROI.

bank fraud forum

BLOG POSTS

Ramnit, Facebook, and Password Management – Oh My!

posted  February 29, 2012

I was reading an article about the Ramnit worm a few weeks back and a few things struck me about it. First of all, this worm is “old” technology – at least in the cyber war sense – that is evolving. It reminds me of a blog I wrote a while ago on polymorphism and the Zeus Trojan. At that time, I thought a common misconception was that once you find malware and take action against it you’re safe. It wasn’t so then and it isn’t so now.

Interestingly in this case, Trusteer, a provider of cybercrime prevention solutions, was the first to discover Ramnit’s merger with Zeus in August 2011. That tidbit combined with another point in the article about how Ramnit is being used to attack Facebook credentials is bad news. The article provided this quote to point out the danger: “Dave Jevans of the Anti-Phishing Working Group says stealing credentials from social-networking sites is big business. “We have seen...


Flower Shop Fraud

posted  January 11, 2012

Committing bank fraud is easy when you have help on the inside. That’s what the prosecutors in the UK think happened in a $2m fraud scheme involving high net worth accounts. Between July and September 2008, a gang led by Neil Wynne targeted Barclays Bank branches throughout the middle of England. Prosecutors believe that the gang had help from a bank employee as they had an uncanny knack for picking the best accounts to target. They also had no problem overcoming the bank’s security procedures. They just can’t prove that an employee was involved – at least not yet.

Here’s the scheme… With a fake passport in hand, one member of the gang pretended to be the owner of an existing, well-funded Barclays Bank account. A second member of the gang posed as the accountholder’s partner.

Once the new account was opened, the gang proceeded to ...


Raising the Stakes for Internal Fraud

posted  November 16, 2011

Earlier this week, Bank Info Security released an article on the Computershare civil suit against a former employee for stealing company information and shareholder data. The piece discusses the potential impact such a suit might have on the financial services industry, and I was able to contribute my two cents about the matter.

My opinion is that, in the case of data breaches and insider fraud, legal action against employees is historically rare. Most of the time these incidents are handled as internal matters; the exceptions have only been the worst or largest breaches and fraud schemes.

But, we do see a shift in how firms are approaching internal fraud. A handful of high profile internal data breaches and fraud cases (e.g., SocGen, UBS, Madoff ...


Can We Do Better?

posted  November 2, 2011

With the new year here, I figured it was a good time to step back and take stock of our progress – as an industry – in the ongoing battle against fraud. A frank assessment: we could be doing a lot better.

Sure, there are always improvements that can be made to the organizations, processes and technologies that must come together to solve a complex issue like fraud management. But I think the more important barriers our industry faces are more fundamental and structural in nature. Specifically, I see the following:

The Boiling Frog
Our industry’s slow reaction to the growing, morphing fraud problem makes me think of the boiling frog phenomenon. If you haven’t heard of it ...


FFIEC Guidance 2011 – Where Do We Start?

posted  September 28, 2011

The FFIEC recently supplemented its 2005 Guidance in response to what it calls an “increasingly hostile online environment”. Regardless of the size of institution, if it provides banking products online, it is a target. On almost a weekly basis, we hear of a new online fraud case that caught one or more banks unprepared. The Guidance is timely, but it stops short of providing a “step-by-step” approach. Here’s what I believe financial institutions can do in light of the Guidance:

1) Revisit the risk assessment
Not surprisingly, risk assessments are hated by most bankers and viewed as a useless exercise. I have personally spent countless hours locked in a conference room attempting to document all the types of fraud that might happen. Unfortunately, risk assessments are a necessary part of fraud prevention. Moreover, the supplement to the 2005 Guidance stresses the importance of keeping the risk assessment current. Here is a suggestion ...


Data Breaches - Part Two

posted  September 21, 2011

“We all have a part to play, and playing as a team we will be so much more effective than as individuals trying to do our solitary best.” That is a quote from a blog post I wrote back in June on how data breaches are more pervasive and premeditated than many understand. Because of this, fraud prevention specialists need to take extra precautions by having multiple security check points in addition to a robust back-end detection system. This is exactly the concept behind layered security.

At this point, many of us recognize that there are no silver bullets in the ongoing fight against fraud. Fraudsters use a variety of tools and they collaborate. Fraud prevention specialists such as ourselves need to do likewise...


Fraudsters Are Going 'Back to School'

posted  September 7, 2011

In most college towns, this is the time of year when swarms of U-Hauls and overstuffed cars bear down onto college campuses. Students will settle into their dorms and likely kick off their social lives before their classes even begin. The funds that they have for day-to-day expenses will begin to run low, and students will look for ways to supplement their income. This is prime opportunity for fraudsters to seek out and prey upon students.

Given that, we can deduce why college campuses are a ‘hang out’ for fraudsters - because students are easy targets. The sheer volume of students makes it easy to recruit vulnerable, needy, and/or naive students. I find it interesting that the scams have not changed much since I was in college. Scams relating to fraudulent grant letters, credit card applications, work from home, check cashing and the ever so popular ATM card scams are still thriving. It is still common for fraudsters to not only pay students to pass bad checks through their accounts for nominal compensation, but also to ...


Banks 1, Corporate Account Holders 1?

posted  June 22, 2011

For those keeping score in the legal battles between financial institutions and their commercial account holders, a recent decision by Judge Patrick J. Duggan in the Experi-Metal Inc. (EMI) vs. Comerica case evened the score at one apiece for the interested parties…or did it? Two weeks ago the recommendation by the magistrate in the Patco vs. Ocean Bank case favored the bank. The District Court has yet to decide if that recommendation will be accepted, but observers have expressed the opinion it will be. With the Michigan bench opinion out, maybe not. Now we get an opposing view that the bank may be liable for the losses. This could have serious repercussions for the industry, because anyone paying attention knows that commercial accounts are regulated under UCC statutes, not Reg. E. Commercial customers and their banks are subject to the UCC 4A guidelines, specifically § 4A-202(c), which reads, “Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.” I can see in part where ...


Data Breaches, Insiders and Fraud

posted  June 15, 2011

When most people think of data breaches, they think of the big headline grabbers like Hannaford, Heartland, and TJ Maxx (now disappearing into the distant past, but dredged up every time a big one like Heartland occurs). There are many more, but you get the point. The naïve view of breaches is that they are accidental most of the time, but that notion should have been dispelled by the overwhelming evidence that breaches are often the result of a premeditated attack. We have seen that these data breaches do result in fraud, sometimes quickly and sometimes as much as two or more years later.

Why can the fraudsters wait so long? Because there is a ready supply of personal data to be had in the fraud underground, a veritable secondary economy with producers, brokers, and buyers.

This ready supply is fueled not just by the “biggies”, but also by a host of largely unreported breaches of various sizes. More often than we care to imagine, these breaches are ... 


Publicizing of the China Wire Fraud Scheme – Too Little Too Late?

posted  May 25, 2011

Was it too little too late when the FBI publicized a wire fraud scheme involving Chinese shell companies? Knowledge is power, right? Once the specifics of a fraud scheme are made public, aren’t we better prepared to prevent fraud? In the short term, the answer is yes. As banks deploy effective countermeasures, that particular fraud scheme’s success rate will decline over time. However, your bank needs to be equally concerned about the fraud schemes that the FBI is not talking about.

Let’s say your bank read the FBI’s press release ...
