bank fraud
Banking on security and control?

Steven Hinde, Bupa
UK companies face overhaul of controls

Another month, another corporate governance initiative. Douglas Flint, the finance director of HSBC Bank, is to chair a review of the UK’s Financial Reporting Council best practice guidance for good financial reporting: on how companies structure their internal controls, which are the cornerstone of their risk management practices. The review team will assess the impact of the Sarbanes Oxley Act in the United States and the plans of the UK Financial Services Authority to require auditors to review a company’s annual statement on internal controls. See the July issue of Computer Fraud & Security for details.

Sir Bryan Nicholson, chairman of the Financial Reporting Council, commenting on the current corporate governance code: “The Turnbull guidance continues to provide a good framework for boards to ensure they have a sound system of internal control. There have been developments in the UK and internationally since; it is now an appropriate time to review the guidance and make sure that it remains relevant.” Although reviewed in the wake of the US business scandals at Enron and WorldCom, Turnbull was not significantly changed. The Code, which is significantly less onerous than Sarbanes Oxley, requires that a board should maintain a “sound system of internal control to safeguard shareholders’ investments and the company’s assets” and review the effectiveness of the controls at least once a year.

Failures of internal controls and systems

Preliminary merger talks are taking place in Japan between MTFG, the third biggest bank, and UFJ, the fourth largest lender, that would create the world’s biggest bank with assets of Y190,000 billion. UFJ was disciplined in June by Japan’s banking regulator, the Financial Services Agency, for the lax state of its internal controls and has been involved in a fire sale of its assets to stave off a financial crisis. The Financial Services Agency issued an administrative order obliging the bank to bolster its internal controls and re-draw its business plan.

Figure 1: Reading device in place for “deep throat” ATM scam

According to a seven-page Service Update posted on the Citibank website on 26 May, some UK current account customers of what is currently the world’s largest bank have been suffering from a number of service problems, including: direct debit payments defaulting to £999,999.99; accounts being debited twice; incorrect cheque and reference numbers; mail being sent to old or wrong addresses; the re-setting of retailer and relationship manager names to “Dummy” and “Default”; and Personal Identification Numbers (PINs) for Internet and telephone banking and Automated Teller Machines (ATMs) that did not work. The problems were caused by a large systems upgrade in late March, causing a large increase in customer calls to the bank’s UK call centre, which was transferred last October from Barcelona, Spain to Chennai, India. The small branch network in the UK means UK customers are more reliant on call centres and Internet banking. According to a bank spokesman in July, the remaining systems problems were being fixed as quickly as possible, and the reduction in the number of complaints indicated that the worst was over.

The problems at Citibank raise questions over the quality of its testing and change control. But who among us can hand on heart say that our own procedures and control systems would have produced a better result? Most, if not all, major new systems or major upgrades suffer from “inadequate testing”. Implementation timescale problems; lack of commitment from user management to system testing; the complexity of large integrated systems; and testing only for expected conditions all help to contribute to the inevitable teething problems faced when systems go live. The nature of this system brought with it additional risks.

Figure 2: Removed reading device for “deep throat” scam

As stated above, the bank’s customers are more dependent on Internet and telephone banking than would be customers of the major UK banks. Thus problems experienced have more immediacy than they would for a traditional bank branch customer who only sees a monthly bank statement. Add to this the need to telephone an overseas call centre to sort out problems and you have a multiplier effect for each problem. One final lesson is, as with all “disaster recovery” situations, be they as minor as a late running train or a major incident, the need to keep customers informed as to the problem(s), outcomes and timescale to normality. Citibank did post a seven-page Service Update at the end of May, which may or may not have been timely in informing customers. What it did not do was update this to reflect progress made; or if it did, it did not update the date posted field. Either way, in early July the Service Update was still showing the 26 May date.
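The symptoms the Service Update listed (accounts debited twice, direct debits defaulting to £999,999.99, retailer names reset to “Dummy” or “Default”) are exactly the unexpected conditions a post-upgrade reconciliation run should catch before customers do. The following is an added example, not code from the article or from Citibank: a small Python check over a constructed ledger, in which the record layout, field names, the sentinel amount and the duplicate-debit rule are all assumptions made for illustration.

```python
"""Post-upgrade reconciliation checks (added example, not from the article).

Assumptions: transactions are plain dict records with the fields below; the
sentinel amount, placeholder names and duplicate-debit rule are modelled on the
symptom classes described in the text, not on any real bank's data format.
"""

# Constructed sample ledger reproducing the reported symptom classes.
SAMPLE_LEDGER = [
    {"id": 1, "account": "A1", "date": "2004-04-01", "amount": 45.00, "ref": "GAS-0423", "payee": "Gas Co"},
    {"id": 2, "account": "A1", "date": "2004-04-01", "amount": 45.00, "ref": "GAS-0423", "payee": "Gas Co"},  # debited twice
    {"id": 3, "account": "A2", "date": "2004-04-01", "amount": 999999.99, "ref": "ELEC-0190", "payee": "Power Ltd"},  # defaulted amount
    {"id": 4, "account": "A3", "date": "2004-04-02", "amount": 12.50, "ref": "POS-7781", "payee": "Dummy"},  # reset retailer name
    {"id": 5, "account": "A3", "date": "2004-04-02", "amount": 30.00, "ref": "POS-7782", "payee": "Corner Shop"},
]

SENTINEL_AMOUNT = 999999.99          # assumed "defaulted" value, as reported in the text
PLACEHOLDER_NAMES = {"dummy", "default"}


def find_duplicate_debits(ledger):
    """Return ids of records that repeat an earlier (account, date, amount, ref) key."""
    seen = set()
    dupes = []
    for rec in ledger:
        key = (rec["account"], rec["date"], rec["amount"], rec["ref"])
        if key in seen:
            dupes.append(rec["id"])
        seen.add(key)
    return dupes


def find_sentinel_amounts(ledger, sentinel=SENTINEL_AMOUNT):
    """Return ids whose amount equals the sentinel (tolerant of float rounding)."""
    return [r["id"] for r in ledger if abs(r["amount"] - sentinel) < 0.005]


def find_placeholder_payees(ledger):
    """Return ids whose payee field has been reset to a placeholder name."""
    return [r["id"] for r in ledger if r["payee"].strip().lower() in PLACEHOLDER_NAMES]


def reconcile(ledger):
    """Run all checks; return {check_name: [record ids]} for the checks that fired."""
    findings = {
        "duplicate_debit": find_duplicate_debits(ledger),
        "sentinel_amount": find_sentinel_amounts(ledger),
        "placeholder_payee": find_placeholder_payees(ledger),
    }
    return {name: ids for name, ids in findings.items() if ids}


if __name__ == "__main__":
    for check, ids in reconcile(SAMPLE_LEDGER).items():
        print(f"{check}: records {ids}")
```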
ATM warning

First Direct, the UK Internet bank, wrote to about 11,000 current account holders who often use cash machines/ATMs, warning them that ATM frauds are rising and that regular use of ATMs increases the risk of theft and fraud. Some reports in the media suggested that customers should restrict their usage of ATMs to once a week! Other banks have introduced a warning to their customers on cash machines not to use ATMs if they see anything suspicious. One of the more sophisticated ATM frauds, known as “deep throat”, involves a reading device (skimmer) being placed over the card slot. See Figure 2 for a demonstration. When the card is placed in the slot, the skimmer will transmit the card number, account number and sort code to a receiver elsewhere. A camera hidden in a box of genuine leaflets placed next to the machine photographs your fingers as you tap in your PIN and then transmits the images to the criminals’ receiver. See Figure 3 for reference. The criminals then clone a new card with these details and use it to withdraw money from ATMs or use the account details to buy goods and services.

Phishing attacks continue
One of Switzerland's largest regional banking organizations has been targeted by criminals aiming to defraud customers. Basler Kantonalbank (BKB), headquartered in Basel, has warned customers to be wary of emails claiming to come from the bank, which may result in sensitive banking details being stolen or "phished". In a warning on its website, the bank warns users not to click on links contained in the emails, which direct customers to a bogus version of the BKB website. There, customers are asked to type in their authorization details, giving critical information to fraudsters. Once account numbers, PIN and login password details or credit card numbers have been obtained, the fraudsters can easily steal money from the user's bank account or credit card.

British police arrested a 21-year-old man at the end of April for "phishing" in what is said to be the first case of its kind in the UK. The man, from Lytham St Anne's, Lancashire, was questioned in connection with an incident designed to steal account details from users of the Smile online internet bank. Smile informed the National Hi-Tech Crime Unit of the fraudulent e-mail, directing users to a bogus website, in March. Other "phishing" attempts have included bogus emails claiming to come from a number of banks including Wells Fargo, Nationwide, NatWest, Barclays, Westpac and Halifax.

According to a recent study of 1,700 people by LogicaCMG, a million Internet shoppers have been victims of fraudsters trying to steal their personal or financial details. While many respondents managed to stop money leaving their accounts, 24% never used that particular website again. Forty-three per cent said the experience felt as if they had been robbed in the street. UK online sales last year totalled £17 billion.

Figure 3: Hidden camera in leaflets

Last month saw a new level of sophistication in Internet frauds, moving on from the phishing attacks discussed above. Hackers are now using pop-up adverts with an implanted trojan virus called “pwsteal.refest” to steal bank details. Clicking on the close button to close the advert triggers the virus, which then attempts to install itself on the PC. The virus stays dormant until the user logs onto his/her Internet bank account, then it steals personal details, including passwords, through keystroke recording and transmits the details to the criminal. Some 50 banks world-wide have been targeted in this attack, including Lloyds TSB and Barclays banks in the UK. A spokesperson for the UK National Hi-Tech Crime Unit said: “Since last September we have seen a massive increase in the number of attempts to try to dupe people out of their bank information.”
Figure 4: Example of phishing scam against a bank
Figure 5: Example of phishing scam targeting Valium users
Precautions

We all need to think about our own protection and not assume that someone else, or an organization, has taken all the steps to protect us. If the ATM does not look right, use another. If someone is standing too close, or looking over your shoulder, shield the keypad. Or use the cash back facility that many retail outlets offer. And we can’t assume that someone else has specified, implemented, enforced and monitored internal controls and security.