Information Security News: Organized crime infiltrates financial IT

From: InfoSec News <alerts_at_infosecnews.org>
Date: Tue, 24 Jul 2007 00:09:28 -0500 (CDT)

http://www.infoworld.com/article/07/07/23/Organized-crime-infiltrates-financial-IT_1.html

By Matt Hines
July 23, 2007

In Martin Scorsese's hit movie "The Departed," actor Matt Damon plays
the part of a mole -- someone who helps his connected mob friends stay a
step ahead of the cops by becoming one of the very law enforcement
officials assigned to stop them.

A new report published by anti-fraud software maker Actimize on July 23
says a similar ruse is being carried out inside the walls of enterprise
financial businesses, with the same employees and IT workers whose
responsibility is handling and protecting sensitive information being
trained and recruited by organized criminals to steal it.

Based on the New York-based company's research, drawn from interviews
with 40 large financial services companies in the United States and the
United Kingdom, about 50 percent of those surveyed indicated they
believe they have employed workers who have either been trained or
recruited by outsiders to carry out fraud.

Eighty-five percent of the respondents have been affected by employee
fraud in general, and 65 percent see the threat becoming even more
serious in the future, the survey found.

More than 50 percent of participating companies admitted their belief
that only half, or less, of all employee fraud occurring within
their organizations is currently being caught.

And while the test group represents a relatively small cross-section of
business, it's worth noting that half of the financial services
companies interviewed by Actimize claim assets of over $30 billion.

Actimize executives said that there was little doubt among those
surveyed that organized criminals are increasingly working inside firms
with large volumes of sensitive information to get first-person access
to valuable data that can be used by others to carry out fraud.

"People are getting caught and it's clear that they are representatives
of organized crime in some way, we had a lot of people telling us
unsolicited that they feel that this is actively happening," said Amir
Orad, executive vice president of marketing and business development of
Actimize. "It's not a fairytale; it's an established method being used
by these groups to carry out significant fraud."

Among the factors contributing to the criminal trend are increased
access to technology by rank-and-file employees, as well as poor hiring
and screening processes within end user firms, according to the report.
Data availability and a lack of dedicated resources for fraud detection
technologies were other issues identified by respondents as fueling
internal attacks.

More than 75 percent of those companies surveyed said that they expect
insider fraud schemes to grow even more sophisticated, with 73 percent
charting the financial services industry's preparation for such attacks
as only "poor" or "somewhat acceptable."

About half of the companies involved in the research said that they have
experienced a data theft within the last 12 months, with the cost of the
largest such incident within each firm coming in at an average of
roughly $875,000 per incident. The largest such incident cited in the
Actimize research totaled $6 million in losses.

A lack of automation among the anti-fraud technologies being utilized by
the companies is a hallmark of their defeat, Orad said.

"All of these companies have been using data mining for years
externally, but less than ten percent told us that they were using it
internally to fight fraud, which doesn't make sense," Orad said. "Less
than 50 percent said they had any form of automation in place to fight
fraud, which tells us, the majority have been using reactive processes
or manual reporting to investigate suspected problems, which isn't going
to prevent incidents from happening and only addresses the issue after
the fact."

Among the types of scams that Actimize was told about by the respondents
were instances of self-dealing, skimming, data-theft, embezzlement and
collusion.

In the case of one of the most common methods for carrying the schemes
out, so-called "identity shielding," through which perpetrators gain
access to data using another worker's credentials, only 28 percent of
those participating in the survey said they had some manner of stopping
or detecting the attacks.

While data-handling regulations such as the Sarbanes-Oxley Act and the
Payment Card Industry (PCI) compliance requirement have been proposed by
some experts as helping to solve the insider fraud issue, those surveyed
by Actimize said that isn't necessarily the case.

An overwhelming 70 percent of respondents said that government
regulation or standards regarding employee access to customer accounts
and data would actually "hinder" their company's ability to detect or
prevent employee fraud.

As with many other types of IT projects, the shortfall in more
comprehensive insider fraud protection can be tied largely to a lack of
sufficient budgeting for tools such as those his company markets, Orad
said.

"We see some visionaries who are making the commitment to buy technology
that will help automate the process, and it's a growing group, but it is
still a comparatively small minority of all businesses," Orad said. "All
of these companies know that they want to keep their names out of the
headlines related to fraud, and most recognize that it is a problem they
aren't adequately prepared to deal with, but as with a lot of IT issues,
the biggest obstacle appears to be a lack of budget."

Received on Jul 23 2007
