Last week, New Jersey-based branch employees of Commerce Bank, Wachovia Bank, Bank of America and PNC Bank were implicated in a scheme to sell stolen customer data. According to Hackensack police, the alleged ringleader bribed bank employees and a manager at the Department of Labor in order to obtain individuals' personal information. This information was then provided for resale to law firms and collection agencies.
The incident reveals a disturbing vulnerability in the banking system, say security analysts. While the affected institutions already have taken steps to address the problem and contain the damage caused by the breach, its impact reaches far beyond the Delaware River. Now, the leadership at virtually every bank in the country has to wonder whether its employees or outsourcing partners are involved in such a scheme.
What steps should a bank take in order to prevent the misuse of its customers' information? Here are some recommendations:
Restrict access and movement of data.
Ensure that as few people as possible have access to sensitive data. "If the tellers don't need to see your address, they shouldn't see your address," says Mark Rasch, senior vice president and chief security counsel at Solutionary (Omaha, Neb.), a security services company. "Limit access to information to those people who need it for business purposes."
Nevertheless, this is not always possible. "If the employees in question used a higher ranking bank official's user ID to access the accounts, then there are IT security measures that could be implemented to stop and track that fraudulent activity," notes David Confalonieri, director of marketing for access management software provider Secured Services (New York). "However, if the bank employees that sold the information were provisioned for access to that data, there is virtually no way to stop them."
Generate profiles of acceptable use.
The New Jersey breaches involved bank managers, assistant managers, financial specialists and other employees whose job descriptions require periodic, if not daily, access to sensitive information.
Nevertheless, a person in a role that requires looking up 100 to 200 records per day should be prevented from looking up 1,000 to 2,000 records per day, observes Rasch. Similarly, geographic limitations can prevent bank employees at one branch from doing a data dump of customers from another branch. "Look at patterns of normal activity, and that will let you identify patterns of abnormal activity," adds Rasch.
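The two checks Rasch describes, volume far above a role's normal daily rate and bulk pulls of customers who belong to another branch, can be run over an access log. The following is an added example written for this article, not code from any of the banks or vendors quoted; the log format, the per-role baselines, the 5x multiplier and the cross-branch thresholds are all assumptions, and the sample log is constructed:

```python
"""Flag anomalous customer-record lookups in a constructed access log.

Added example, not from the article. Two checks from the text:
  1. volume: a user whose daily lookups exceed their role's baseline
     by a large multiplier (e.g. a 200/day role pulling 1,000+/day)
  2. cross_branch: a user pulling a large share of customers who
     belong to a different branch than the user's own
Role baselines and thresholds below are assumptions, not bank policy.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed per-role upper bound of normal lookups per day.
ROLE_DAILY_BASELINE = {
    "teller": 50,
    "financial_specialist": 200,
    "assistant_manager": 200,
    "manager": 300,
}
VOLUME_MULTIPLIER = 5          # 200/day role hitting >1,000/day is flagged
CROSS_BRANCH_MAX_RATIO = 0.20  # >20% of a day's lookups from other branches...
CROSS_BRANCH_MIN_COUNT = 25    # ...and at least this many, to avoid noise


@dataclass(frozen=True)
class Lookup:
    date: str
    user: str
    role: str
    user_branch: str
    customer_id: str
    customer_branch: str


def parse_log(text):
    """Parse lines of: date,user,role,user_branch,customer_id,customer_branch"""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        records.append(Lookup(*fields))
    return records


def find_anomalies(lookups):
    """Return (user, date, kind, detail) tuples, ordered by user and date."""
    by_user_day = defaultdict(list)
    for lk in lookups:
        by_user_day[(lk.user, lk.date)].append(lk)

    findings = []
    for (user, day), rows in sorted(by_user_day.items()):
        role = rows[0].role
        total = len(rows)
        baseline = ROLE_DAILY_BASELINE.get(role)
        if baseline is None:
            findings.append((user, day, "unknown_role", f"role={role}"))
        elif total > baseline * VOLUME_MULTIPLIER:
            findings.append((user, day, "volume",
                             f"{total} lookups vs baseline {baseline}"))
        # Geographic check: customers of branches other than the user's own.
        foreign = sum(1 for r in rows if r.customer_branch != r.user_branch)
        if foreign >= CROSS_BRANCH_MIN_COUNT and foreign / total > CROSS_BRANCH_MAX_RATIO:
            findings.append((user, day, "cross_branch",
                             f"{foreign}/{total} customers belong to other branches"))
    return findings


def build_sample_log():
    """Constructed sample log (not real bank data)."""
    day = "2005-05-02"
    lines = ["# date,user,role,user_branch,customer_id,customer_branch"]
    # Ordinary teller: 30 lookups, all customers of her own branch.
    lines += [f"{day},asmith,teller,NJ-01,C{i:05d},NJ-01" for i in range(30)]
    # Financial specialist pulling 1,200 records in one day (baseline 200).
    lines += [f"{day},jdoe,financial_specialist,NJ-01,C{i:05d},NJ-01" for i in range(1200)]
    # Manager with normal volume, but 80 of 100 records belong to another branch.
    lines += [f"{day},mlee,manager,NJ-02,C{i:05d},NJ-03" for i in range(80)]
    lines += [f"{day},mlee,manager,NJ-02,C{i:05d},NJ-02" for i in range(80, 100)]
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(*finding, sep=" | ")
```

The baselines here are static; in practice they would be derived from each role's observed history, and a flagged day is a prompt for review rather than proof of misconduct, since a legitimate project can also produce a one-day spike.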
Encrypt data in transit.
Whenever sensitive data leaves a secured server, it should be encrypted to the point where even if it were intercepted in transit, it would be virtually worthless. Given the recent spate of missing-data incidents, this point bears repeating. "If the information does not need to be portable, don't make it portable," says Rasch. "If the information doesn't need to be in plain text, don't make it in plain text."
Review and strengthen background-check policies.
Banks already have policies and procedures in place to prevent known criminals from becoming employees. "They actually fingerprint them and run them through the FBI database," says John Hall, spokesman for the American Bankers Association (Washington, D.C.). "That's for personnel in high-risk areas that have access to cash or wire transfer, investments, securities and sensitive information -- and that would include access to customer records."
The fingerprint program has proven quite effective. "Ten percent of fingerprint cards uncover some kind of criminal record," says Hall. "Those people are seeking out banks for employment."
But even someone who passes a bank's screening procedure could be susceptible to bribery or coercion. "Corrupt or corruptible people can have perfectly clean backgrounds," notes Solutionary's Rasch.
Indeed, the people most likely to commit fraud may also have the cleanest records. "If you have bad credit, you may be the only one in the company that refuses to steal," observes Rasch.
Furthermore, banks can't check everyone in the organization. "You can't do FBI background checks and psychological profiles on every bank teller that you hire," says Dave Mason, an author and technology consultant.
Finally, it's important to make sure that the people conducting the background checks are not misusing the information that comes back about potential or current employees. "You have to have the right controls in place, and you have to be able to audit the work of your employees," says Richard Seldon, president, Sterling Testing Systems (New York), a provider of preemployment screening and background checks. "You have to have reports that can document the work that people are doing."
Guarding against the theft of data requires a different mind-set than locking a vault. "If I go in and steal some diamonds, it's pretty easy to tell that the diamonds have been stolen," observes Mason. "But when you steal data, it's very difficult to tell because the data's still there."
Thus, an audit has to focus on the flow of information rather than currency counts. "You're not looking for missing data -- you're looking for procedural anomalies," says Mason.
Monitoring employees' computer activities can be an important component of an auditing strategy. "Everything that's being done -- all day long -- should be recorded," says Robert Siciliano, security consultant and founder of IDTheftSecurity (Boston). "They should not be able to type in a keystroke without that being monitored."
But comprehensive monitoring comes at a cost. "Capturing the stuff is nothing. Logging it is nothing. Analyzing and reviewing it is extremely expensive," notes Mason.
Establish whistleblower programs.
Some large banks offer "whistle-blower" awards to their employees for uncovering fraud, according to Mason. "Primarily that relates to incoming fraud on the part of customers or transactions from the outside world, but it also covers internal fraud as well," he says. "They get a percentage of the value of the potential fraud."