Wednesday, December 30, 2009

Largest credit card theft in US history: man pleads guilty

A 28-year-old Florida man has pleaded guilty to hacking into corporate computer networks and carrying out what US officials have described as the largest credit card theft in US history.
Albert Gonzalez, of Miami, pleaded guilty in the US District Court in Boston on Tuesday to two counts of conspiracy to gain unauthorised access to payment card networks, the Justice Department said in a statement.

Gonzalez and two unidentified Russian co-conspirators were accused of stealing more than 130 million credit and debit card numbers from firms supporting major retail and financial organisations.

More than 250 financial institutions were affected including Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain.
Gonzalez was accused of leasing servers to other hackers who used the platforms to store malicious software known as 'malware' and launch attacks against corporate victims.
Gonzalez is facing between 17 and 25 years in prison. Sentencing was scheduled for March 19.
"The Department of Justice will not allow computer hackers to rob consumers of their privacy and erode the public's confidence in the security of the marketplace," assistant US attorney general Lanny Breuer said.

"Criminals like Albert Gonzalez who operate in the shadows will be caught, exposed and held to account," Breuer said.

Gonzalez pleaded guilty in September to charges in two other cases related to hacking of major US retailers including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes and Noble, Sports Authority and the Dave and Buster's restaurant chain.

Source: The Sydney Morning Herald

Monday, December 28, 2009

Show Us the E-Mail

We end this extraordinary financial year with news that the Treasury is in discussions with American International Group about selling the taxpayers’ 80 percent ownership stake in that company. The government recently permitted several banks to break free of its potential oversight by repaying loans made during the rescue. But with respect to A.I.G., the Treasury should not move so fast. There is one job left to do.

A.I.G. was at the center of the web of bad business judgments, opaque financial derivatives, failed economics and questionable political relationships that set off the economic cataclysm of the past two years. When A.I.G.’s financial products division collapsed — ultimately requiring a federal bailout of $180 billion — those who had been prospering from A.I.G.’s schemes scurried for taxpayer cover. Yet, more than a year after the rescue began, crucial questions remain unanswered. Who knew what, and when? Who benefited, and by exactly how much? Would A.I.G.’s counterparties have failed without taxpayer support?

The three of us, as experienced investigators and prosecutors of financial fraud, cannot answer these questions now. But we know where the answers are. They are in the trove of e-mail messages still backed up on A.I.G. servers, as well as in the key internal accounting documents and financial models generated by A.I.G. during the past decade. Before releasing its regulatory clutches, the government should insist that the company immediately make these materials public. By putting the evidence online, the government could establish a new form of “open source” investigation.

Once the documents are available for everyone to inspect, a thousand journalistic flowers can bloom, as reporters, victims and angry citizens have a chance to piece together the story. In past cases of financial fraud — from the complex swaps that Bankers Trust sold to Procter & Gamble in the early 1990s to the I.P.O. kickback schemes of the late 1990s to the fall of Enron — e-mail messages and internal documents became the central exhibits in our collective understanding of what happened, and why.

So far, prosecutors and regulators have been unable to build such evidence into anything resembling a persuasive case against any financial institution. Most recently, a jury acquitted Bear Stearns employees of fraud related to the collapse of the subprime mortgage market, in part because available e-mail messages suggested the employees had done nothing wrong.

Perhaps A.I.G.’s employees would also be judged not guilty. But we would like to see the record to find out. As fraud investigators, we would like to examine the trading patterns of A.I.G.’s financial products division, and its communications with Goldman Sachs and other bank counterparties who benefited from the bailout. We would like to understand whether the leaders of A.I.G. understood that they were approaching a financial Armageddon, and whether they alerted their counterparties, regulators and shareholders to the impending calamity.

We would like to see how A.I.G. was able to pay huge bonuses to its officers based on the short-term income they received from counterparties for selling guarantees that, lacking adequate loss reserves, the companies would never be able to honor. We would also like to know what regulators knew, and what they did with the information they had obtained.

Congress wants answers, too. This month, during hearings on Ben Bernanke’s nomination to a second term as chairman of the Federal Reserve, several senators fumed about being denied access to his A.I.G.-related documents.

No doubt, some of the e-mail messages contain privileged conversations among lawyers. Others probably include private information that is irrelevant to A.I.G.’s role in the crisis. But the vast majority of these documents could be made public without legal concern. So why haven’t the Treasury and the Federal Reserve already made sure the public could see this information? Do they want to protect A.I.G., or do they worry about shining too much sunlight on their own performance leading up to and during the crisis?

A.I.G.’s board of directors, a distinguished group of senior business executives, holds the power to decide whether to publish the e-mail messages and other documents. But those directors serve at the behest of A.I.G.’s shareholders. And while small shareholders of public corporations generally do not have the right to force publication of internal documents, in this case one shareholder — the taxpayer — holds an 80 percent stake. Anyone with such substantial ownership has effective control over corporate decisions, even if the corporation is a large public one.

Our stake is held by something called the A.I.G. Credit Facility Trust, whose three trustees are Jill M. Considine, a former chairman of the Depository Trust Company and a former director of the Federal Reserve Bank of New York; Chester B. Feldberg, a former New York Fed official who was chairman of Barclays Americas from 2000 to 2008; and Douglas L. Foshee, chief executive of the El Paso Corporation and chairman of the Houston branch of the Federal Reserve Bank of Dallas.

Ultimately, these three trustees wield all the power at A.I.G., and have the right to vote out the 11 directors if the directors are unwilling to publish the e-mail messages. In other words, if these three people ask A.I.G.’s board to post the messages and other documents, the board will have no choice but to comply. Ms. Considine, Mr. Feldberg and Mr. Foshee have the opportunity to be among the most effective and influential investor advocates in history. Before A.I.G. escapes, they should demand the evidence.

The longer it remains hidden, the less likely we will be to answer many questions about the A.I.G. collapse and the larger economic crisis — including the most important one: how do we prevent a repeat? Time is the enemy of effective investigation; records disappear, memories fade. The documents should be released — without excuses, or delay.

Source: The New York Times, by Eliot Spitzer, Frank Partnoy and William Black

China businesswoman gets death sentence for fraud

BEIJING — A Chinese businesswoman was sentenced to death Friday for cheating investors out of $56 million — the latest case in the country's struggle against widespread corruption.

The 28-year-old Wu Ying started out a decade ago with a single beauty salon but eventually built up a holding group, Bense Holdings, that was known around the country, the state-run Xinhua News Agency reported.

The report said Wu collected the $56 million from investors over two years and was arrested in 2007.

Video posted online of her sentencing had the petite, ponytailed Wu showing little emotion as she was led into the courtroom.

In China, the death penalty is used even for nonviolent crimes such as corruption or tax evasion. The country's highest court, which reviews all death sentences, this year called for it to be used less often and for only the most serious criminal cases.

The Intermediate People's Court in Jinhua city, eastern Zhejiang province, said Wu used the money for personal use and operating costs and to pay off loans.

The Xinhua report said Wu confessed but then retracted her confession in April.

Rights group Amnesty International has said China put at least 1,718 people to death in 2008.

Source: The Associated Press Report

Friday, December 25, 2009

Career Trends Survey Results: 2010 Promises New Roles, New Skills

1st Annual Survey Taps Risk Management, Cybersecurity, Fraud/Forensics as Growth Areas Across Industries

What will be the hot information security jobs in 2010?

How will professionals grow their skills - and will their employers foot the bill?

What are the minimum academic and professional requirements for information security professionals and leaders today?

These are among the key questions answered in the first annual Information Security Today Career Trends survey. The goal of the research: to create the benchmark for information security careers - where the jobs are and what's required to fill them.

The challenge: to create this benchmark at a time when the economy is recovering, the threat landscape is shifting and organizations are re-setting their information security priorities.
But then this survey also takes advantage of a unique opportunity: Led by President Obama, the U.S. has embraced cybersecurity as a national priority, and as such the nation's businesses, academic institutions and government agencies are focused as never before on information security and assurance. There is no better time to benchmark information security careers. And, frankly, there might not be a better time to start - or re-start - one.

Key Findings
There are three key findings from this inaugural study:
Risk Management, Cybersecurity, Fraud/Forensics are Top Priorities
No matter how you ask the question - "What skills are required?" "What training will you seek?" "What are the top 3 concerns for CISOs?" - the answer consistently comes back to risk management, cybersecurity and fraud/forensics investigations. These topics emerge among the top choices of skills, studies and job opportunities in 2010.

Information Security Professionals Want New Skills - and Organizations Will Foot the Bill
Conventional wisdom is that when economic times get tough, training budgets take the biggest hit. But survey results tell a different story: 42% of respondents will seek academic training in 2010; 62% will seek new certifications; and a whopping 79% of their organizations continue to fund that training at least partially.

Schools, Professional Groups Stand to Benefit in 2010
Committed to growing their professional competencies, information security professionals will invest their time and resources in certification bodies, professional organizations and academic institutions in 2010. Asked what kind of training they intend to pursue, 62% choose certification bodies, while 54% say professional groups and 43% select schools. No surprise: people work crazy hours these days, and so 53% of respondents say they prefer a mix of online and face-to-face training.
Some other interesting takeaways from each of our major survey categories:

Education - 23% of respondents say a graduate degree is now the minimum requirement for entering the information security profession;

Background Checks - At a time when we're continually told that we're at greatest risk of insider crimes, only 26% of respondents say they have undergone a background check in the past five years.

Leadership - Asked where senior security leaders are recruited, only 34% of respondents say "promoted from within." 46% say their leaders are recruited externally.

About This Survey
This study was conducted electronically by Information Security Media Group (ISMG) in September 2009.

In all, there were 255 respondents: 47% of them from financial institutions, 12% from government, 9% from consulting and 9% from technology.

When you look at the breakdown of respondents by role and responsibility, you see:

34% are compliance or technology professionals; 14% are in senior management; and 37% have been in their current role 1-3 years.

The main objective of the survey was to benchmark 2010 trends in information security careers across industries.

The survey was constructed specifically to assess:

Background - The academic, security and business background of today's information security professionals;

Duties and Critical Skills - The roles these professionals are filling today - and will be asked to fill tomorrow;

Training Strategies - What they need - advanced degrees, industry certifications, business experience - and where they turn to get ahead;

Source: BankInfoSecurity, by Tom Field, Editorial Director

Wednesday, December 23, 2009

Top 8 Security Threats of 2010

Financial Institutions Face Risks from Organized Crime, SQL Injection and Other Major Attacks

It's a never-ending battle -- the list of naughty and downright evil security threats that challenge financial institutions and security professionals. From organized crime to SQL injection, here are the experts' choices of eight major security threats to watch in 2010.

1. Organized Crime Targeting Financial Institutions
Over the past several years, law enforcement investigations into cyber crime have uncovered global networks of organized crime groups, including overseas criminal organizations (many based in Eastern Europe) that hire and direct hackers.
Rob Lee, senior forensics investigator at Mandiant, a risk assessment firm, says the battle between "us and them" increasingly pits the financial services industry against organized crime organizations. "The days of the Maginot line of information security are long gone," Lee says, referring to the defensive World War I battle line created by Allied troops to keep German troops from invading France. The battle lines reach far wider than just an institution's firewalls, he adds.
Anton Chuvakin, an information security expert and author, predicts that 2010 will see a frightening rise in incidents attributable to organized crime. "Rampant, professional cybercrime, from the Russian Business Network (RBN) to its descendants, from individual criminal 'entrepreneurs' to emerging criminal enterprises -- all signs point to dramatic rise of cybercrime," he says. "This is simply the logical consequence of today's situation with the use of information systems: Insecure computers plus lots of money plus no punishment equals 'go do it!'"
In other words, there has not been a better time to go into a cybercrime business, Chuvakin says. "The strategy is pretty much the 'blue ocean' one, with a lot of unexplored opportunity and a low barrier to entry."

2. Assault on Authentication
The banking regulatory bodies have long called for mandatory two-factor authentication for all online banking sites. Now industry security experts warn that those traditional customer authentication methods are being challenged and defeated. Avivah Litan, a Gartner analyst, says the threats include man-in-the-browser attacks that defeat one-time-password authentication from a dedicated token (such as the popular RSA SecurID), and call-forwarding that tops phone-based authentication, as well as transaction verification using SMS or voice calls. "This is bad news for banks that use these authentication techniques to protect high-value accounts and transactions, such as those from business and private banking accounts," Litan says.
Uri Rivner, Head of New Technologies, RSA's Identity Protection and Verification division, is also seeing an increase in high-grade man-in-the-browser trojan attacks. "In 2009, the emergence of highly customizable, stealthy, MITB-capable trojan kits reached a new height with the introduction of Zeus 2.0," Rivner says. MITB trojans send money in real time, he explains, rather than just stealing credentials for sale in the underground. Rivner expects additional "Fraud-as-a-Service" models to make these kits available to more and more fraudsters. Solutions include anti-trojan detection and countermeasure services, desktop hardening, out-of-band authentication and transaction monitoring, he says.
Commercial banking has already seen early signs of man-in-the-browser attacks targeting two-factor authentication used to protect U.S. commercial online banking customers. "In 2010, we project this trend to greatly intensify, requiring commercial banks to deploy additional lines of defense such as adaptive authentication, out-of-band authentication, desktop hardening and anti-trojan countermeasure services," Rivner says.

3. More Malware
It seemed that almost every week in 2009 there was another announcement by a security researcher of a newly discovered malware variant. RSA's Rivner says malware spread like wildfire. "The rate of the malware infection of personal computers was 10 times higher during 2009 compared to 2008," he notes. Leading the infection methods are drive-by-download (taking over legitimate websites; routing visitors to an infection server) and social network infections (spamming a victim's entire social network "friend list" with links to infection servers).
Increasingly sophisticated, distributed malware is being seen in forensic investigations of cyber crimes, says Dave Shackleford, an information security expert and SANS instructor. Criminals are also adding a flavor of social engineering to get the malware onto a user's machine. "Large scale botnets are growing, and the quality of the code is improving, as these kinds of malware are increasingly funded by criminal organizations," he warns.

4. Return to Telephone-Based Fraud
If there is one thing criminals attacking financial institutions and their customers are, it is persistent, as seen by the number of attacks hitting US banks and credit unions in 2009. When one avenue of entry is closed, the criminals look for other ways to get what they're after, says RSA's Rivner. As institutions beef up their online security, many fraudsters have turned to more traditional telephony fraud.
"Armed with data stolen via trojans and phishing attacks - including 'vishing' (voice phishing), 'smishing' (SMS phishing or text phishing) and variants of spear phishing, fraudsters around the world call customer service departments at banks, credit unions and credit card companies in order to perform fraud called account takeover," Rivner says. These fraudsters often outsource the actual phone call to multilingual third-party service providers operating 24/7 out of Russia, he adds. "Caller ID spoofing is also prevalent," he observes.

5. Increased Insider Threat
The trusted insider is the most dangerous foe for any institution -- and the most feared, as seen by the amounts of money and data taken by insiders. The prevalence of insider crime can be blamed on several factors, but the insider threat at financial institutions is increasing, notes Shackleford. "I see there will be an increase in internally-driven fraud, caused in part by the bad economy and also the ease of access to data," he predicts.
Tom Wills, Security and Fraud senior analyst at Javelin Strategy and Research, agrees and adds the insider threat -- with the insider defined as anyone with access to the extended enterprise, not only employees and contractors, but partners and suppliers too -- may have financial problems that push them toward the crime. "Additionally, you have to consider individuals with significant IT knowledge who may not be fully employed and may have incentive to perform activities that they would not have previously," he notes.
Nathan Johns, a Crowe Horwath consultant, says disgruntled employees may also turn to crime. "These are people who are not receiving raises, bonuses, or potentially being laid off, who have the opportunity to do activities that they would not have done in better times," he observes.
Johns also warns that unauthorized access by former employees can lead to problems. "There has been an increase in people being released by organizations, but often times the removal of their access rights is lagging their departure from the organization," he says.
The employees who become insider threats may do so without even knowing they're involved, warns RSA's Rivner. "Already thousands of Fortune 500, government and bank employees are infected with financial trojans that targeted them as consumers. As a side-effect, there are also thousands of infected corporate laptops or PCs used at home for remote access via a VPN," he warns.
Rivner expects 2010 will see fraudsters developing ways to monetize these infected resources, which can lead them straight into the affected organizations' networks. "Bank employees will be a primary focus for these cybercriminals," Rivner predicts.

6. Mobile Banking Attacks
The move to mobile banking by financial institutions that want to offer customers instantaneous access to their accounts is catching fire around the country, with hundreds of institutions now offering customers the ability to look up their account data and balances on cell phones. But security experts see trouble ahead when institutions begin allowing more than just account balance checks to happen. The chance for fraud via the mobile phone is already here, says Ed Skoudis, lead forensic investigator for InGuardians, a security forensic firm. "Exploits against the ever-growing base of smart phones [are on the rise], leading to the possible building of a botnet based on iPhone or Android phones," Skoudis observes.
RSA's Rivner concurs with the propensity for fraud in the mobile banking sector, saying, "Mobile banking fraud is coming. More customers are enrolling in mobile banking, and more services are offered via mobile channels. Banks in Asia and Europe are already experiencing mobile trojans and SMS redirection attacks." He expects the U.S. to experience the first wave of attacks toward the middle of 2010. "Banks will start funding the extension of their online banking protection to the mobile channel," he predicts.
Part of the problem is that customers don't always pay attention to what they're receiving on their mobile devices, says Johns of Crowe Horwath. "People rely more and more on their BlackBerrys and smart phones, and don't pay attention to the information that they are getting on them, and they push back to security being installed on the devices," he adds.
Javelin's Wills sees mobile fraud happening if banks start to enable full service banking on mobile devices. "This means money movement instead of just checking balances and finding ATM locations," he says.
The mobile target will continue to grow, says Shackleford, and as smart phones become more sophisticated, the number of attacks will grow too. "In many cases, these devices contain a huge amount of sensitive data, as well, and could even be a vital component of newer two-factor authentication used by banks," he says.

7. Web 2.0 and Social Media Attacks
At the same time institutions are flocking to Facebook and tweeting on Twitter, the cyber criminals are lining up their arsenals for attack via Web 2.0 and social media sites. InGuardians' Skoudis says attacks via social networking sites are the new way for criminals to get into bank accounts. "These sites are being used by the bad guys for reconnaissance to learn more about their targets," says Skoudis adding, "At the same time, they're delivering malicious content to unsuspecting users."
Institutions should also be on the lookout for further client-side spear phishing attacks, which will expand into new means of targeting users through social networks, says Lee of Mandiant.

8. SQL Attacks -- More To Come
The biggest data breach on record -- Heartland Payment Systems -- was done using a "Sequel Injection," or SQL injection, attack. SQL attacks are a popular way to infect and take over websites, as seen by the recent findings by security researchers at Verizon Business. SQL injection attacks were one of the most common methods of breaching systems in the Verizon report's cases. They were used in 19 percent of the cases and accounted for 79 percent of the breached records.
There's more to watch for, says Javelin's Wills, including attacks on web applications -- especially drive-by downloads of keylogging trojans and man-in-the-middle attacks. The browser will become the favored attack vector, and zero day attacks on client-side software are also on the horizon.
"Fewer operating system holes are being found, but more and more in Adobe, instant messaging, MS Office and other applications," says InGuardians' Skoudis. "The scenario would be: A victim views content from a bad guy, and the attacker then takes over the victim's browser," he explains. This technique is used to create botnets as well as skim credit card and account information from the client machine.
He also sees infrastructure attacks launched via an infected browser happening. "Here, the bad guy uses a compromised browser to access an enterprise infrastructure controlled by that browser, including the enterprise's firewalls, anti-malware solution and possibly HVAC and related systems," Skoudis says.
Within institutions, Shackleford sees VoIP and other converged networking issues coming up. "From simple denial-of-service problems to new malware that affects voice systems, this will be a growing area that affects financial institutions," he predicts.

Source: BankInfoSecurity, by Linda McGlasson, Managing Editor

Tuesday, December 15, 2009

10 Faces of Fraud for 2010

"The more things change, the more things stay the same." This old saying holds true when it comes to the different types of fraud hitting financial institutions.
In 2009, institutions were hit from every angle with fraud schemes -- some were old, and some were new variations. Here is a roundup of the 10 predominant types of fraud that institutions and their customers can expect to see in 2010, according to industry experts.
1. ACH and Wire Transfer Fraud
The attacks against small and medium businesses in the ACH channel in 2009 were a wake-up call to institutions for the New Year. Businesses and institutions alike suffer when fraudsters penetrate and pilfer accounts via hacking into electronic transactions.
"It started in earnest in 2009 and will only get worse in 2010 until banks put effective controls and fraud detection in place," says Gartner analyst Avivah Litan. "It is hard to tune fraud detection systems to detect this fraud in a timely manner -- especially wire fraud, since the data in a wire transfer instruction is not structured," she says. But good fraud detection systems can catch most of this activity.
2. Attacks on Institution Networks
The level of protection provided to transaction processing networks is often overlooked by institutions when it comes to servers outside of the "protected networks," says Mike Urban, Fraud Director at Fair Isaac, the provider of FICO credit scoring.
"I've seen this particularly with vendor-managed servers where their security standards may not be at the level practiced by the institution where they are deployed, including password management and patch management," Urban says. Identifying and managing all devices on corporate networks and protected transactional networks are critical to reducing the attack surface and eliminating weak links, he stresses.
3. ATM Skimming
There have been multiple stories this year in the U.S. about ATM skimming crimes. Experts say this particular form of fraud will continue to grow, as criminals are targeting U.S. financial institutions with technologies shared from Eastern Europe. "We should also expect that other ATM frauds such as card or cash trapping and lower quality skimming devices will continue to be a problem," notes Fair Isaac's Urban. Criminals will also keep pressure on older point of sale (POS) terminals that are not PCI compliant, he adds.
4. Credit Account 'Bust-Outs'
The bad economy has given rise to many types of fraud in the past couple of years, but credit "bust-outs" have been around for some time. This fraud type made the list earlier this year, but Debra Geister, Director, Fraud Prevention & Compliance Solutions at Lexis-Nexis, says the trend is still very much active in any bank she's talking with now. "By definition, credit bust-out schemes are a combination of a credit and fraud problem, although many organizations are not always sure where the losses sit -- or who might be the party responsible," Geister says.
Fair Isaac's Urban sees this as "first-party fraud," where criminals create accounts and build credibility as a customer with a financial institution, and then "bust out" the accounts once they are fully leveraged. And it may spill over to financially pressured consumers, "who may get caught up in this type of fraud with high unemployment and benefits starting to run out," Urban says.
5. Variations on Phishing Schemes
There have been many phishing attacks against financial institutions in 2009, so many that the Anti Phishing Working Group cites a 600 percent increase in overall phishing attacks over 2008. But there are more insidious types of attacks hitting institutions and their customers now, say experts.
Fair Isaac's Urban says businesses will be targeted with spear phishing and hacking efforts to compromise online banking credentials. They are targeting businesses, he says, because "Criminals can then target those accounts and initiate money transfers via wires or ACH to steal large sums of money at once or over time." Business checks will also be targeted in counterfeit check scams, he adds.
There is an increased level of sophistication being seen in the phishing attacks, says Ori Eisen, former worldwide fraud director for American Express, now head of 41st Parameter, a fraud solution company. Eisen sees increased sophistication in phishing and use of SMShing attacks, similar to the text phishing attacks that have been circulating around the country, hitting banks and credit unions.
"Fraudsters are using more realistic emails and other points of contact to try to entice credentials from victims," Eisen notes, including the SMS approach. SMS was considered to be a solution to unauthorized account access, Eisen says, "Since it was assumed sending a one-time use password to a cell phone would cause a challenge for fraudsters trying to gain access to accounts." Instead, it has begun to offer them a new way to scrape credentials. "This happens because customers don't expect to be targeted in this way and have accepted the practice as safe when they see a message that appears to be from their bank," Eisen says.
6. Check Fraud on RiseIt seems that everyone is using debit and check cards these days, and although paper check volumes are continuing to fall, Urban says the dollar losses to check fraud continue to rise. "Online banking account compromises contribute to check fraud when criminals can see cleared check images and identify sequence numbers," he says. One reason for the continued proliferation of this fraud is that there is easier access to check paper stock and cheaper printers and scanners to create fakes.
Eisen says one area institutions should look to lock down is customers' ability to view check images online. "It's a one-stop shop for data harvesting. Online checks offer an unauthorized viewer visibility of the account number and personal information, including the social security number (on checks in 19 states)."
7. Insider Crimes
This year has witnessed several widely publicized insider fraud crimes uncovered at institutions, and next year doesn't look any better. Tom Wills, Security and Fraud senior analyst at Javelin Research, sees that the definition of "insider" has expanded as a wider variety of parties interact with institutions via their computer networks. "RSA calls this the 'hyperextended enterprise,'" Wills notes. An insider can be thought of as anyone with authorized access to the bank's network resources, Wills stresses, "Not only employees and contractors of the institution, but those of suppliers and partners as well."
Internal fraud will continue at institutions and their partners, adds Fair Isaac's Urban, "where key information is compromised and used for personal use or sold to criminals who will perpetrate fraud on the institution or its customers." Many of these schemes will fall apart in a similar manner to the investment schemes of the last year, when financially pressured consumers are more diligent in monitoring their accounts or come in looking to withdraw the money from those accounts.
8. Mobile Phones
With nearly every bank and credit union throwing its hat into the mobile banking ring, the threat of mobile phone fraud is cause for concern. This crime is still in its infancy, but experts expect the risk will increase as malware applications are designed and spread onto mobile devices. Urban sees the most likely way fraudsters will target mobile phones is through Trojans. "These Trojans will compromise information on the phones which may include online banking account information as well as other data stored on the phone. These compromises will be similar to the attacks on computers," Urban says. The major difference will be the sheer number of mobile devices and operating systems in the market today, as compared to a dominant computer operating system, such as Microsoft Windows. Another reason to fear mobile phone fraud is that anti-virus and anti-malware applications are not as mature on mobile devices as they are on computers.
9. Online Applications
The ease of customer applications over the web comes with another set of headaches: application fraud, which experts see as a growing area for criminals. Lexis-Nexis' Geister says that alternative channel application crimes, including the Internet, kiosk and point of sale channels, "are continuing to drive nearly 50 percent of application frauds since criminals are finding ways to skirt around even the most sophisticated controls."
The ease of online account opening makes the creation of "cash repositories" easy and convenient for criminals, adds Eisen. Many times they will use multiple accounts to keep balances from becoming suspicious, he adds. Criminals are also using online applications to create "valid" identities for future activity.
10. Prepaid Cards
The gift card market has always been a target for criminals, and prepaid cards will continue to be purchased fraudulently with compromised credit cards, says Fair Isaac's Urban. "The absence of an indicator in the transaction message means a prepaid card purchase cannot be identified during authorization," he notes. The purchase of prepaid cards with stolen credit cards is an optimal way for criminals to get their hands on what they really want - cash.
In another, more recent scam, criminals steal prepaid cards from the j-hooks at retail stores, chemically wash off the printed card number, emboss the card with information from a compromised card, and then erase the mag stripe. "They then will use the card and have the cashier key the transaction after the terminal swipe fails," Urban says.

Source:- CU InfoSecurity, By Linda McGlasson, Managing Editor

Saturday, November 28, 2009

Are hotel key cards safe? Well.....


Many hotels and resorts use electronic key cards. These cards with a magnetic strip are programmed in such a manner that once the duration of the stay is over, the person does not get access to the room.

The key cards make it impossible for someone to pick up a card and break into a room. Electronic door locking systems were introduced across the globe because they help enhance hotel security, but what information do the cards contain?

Are electronic key cards safe? Well, they could be a threat, depending on the details stored on them.

"All hotels mention the customer's name, address, room number and duration of stay in the key card. The key card of the hotel has vital information. Some of the hotels and resorts do store personal details -- including credit card number and its expiry date," says Shah Amber, consultant (information security management services), Mahindra Special Services Group.

Pramoud Rao, managing director of Zicom Electronic Security Systems, agrees that there are many ways credit cards can be misused in a hotel, and that key cards could lead to data theft.

Some of the five-star hotels declined to reveal details of the key card citing security reasons.

"The key card has the code to access a particular room. It does not store any other details, not even the name of the guests," Kanan Udeshi, manager communications, The Oberoi Group, said.

The key card has the name of the guest and the period of stay. Credit card details are recorded separately by the front desk to validate payment. There is also a provision in the system to make the credit card function as an e-key, according to an industry official.

If the electronic key card contains information like the credit card details it can be easily manipulated.

"There has been no data theft reported so far in India, but there are chances as the information remains on the card till it is handed over to another guest. If the credit card number is stored in the key card, when a guest uses other services in the hotel, he can swipe the card, which in turn is aligned to the front desk for billing," says Shah.

"We cannot reveal any details about the key card. We do not disclose any information that could be a threat to our guests," Nikhila Palat, Taj Hotel spokesperson, Mumbai, said.

The key card is not allowed to be taken by the guest and it remains with the hotel when the guest leaves the hotel.

"The details from the card can be accessed by swiping the card in a normal scanning device. There have been cases abroad where the key card details were used to make mock credit cards. Most of the time the customers are not aware of the fact that the key card holds their credit card number," Shah points out.

If some of the employees connive with miscreants they can access all the information by just swiping the card in any scanning device, Shah adds.

However, the All India Credit Card Users Association has not received any complaints. "There has been no case of fraud reported from a key card data theft. The possibility of hotels giving credit card numbers on key cards seems remote," says Vinod Kumar Chand, general secretary, AICCUA.

Meanwhile, Trend Micro, a leading antivirus and Internet content security software and services company, says on its website that this is a hoax and calls it an 'urban legend'.

The firm says that there is a 'rumour circulating via email which alarms the public that hotel key cards contain personal information about the guest that can be put to ill use by malicious hotel personnel who have easy access to it. This hoax erroneously claims that the guest's home address and credit card number are recorded on key cards dispatched by hotels, thus exposing their customers to unauthorised purchases and cash withdrawals made using the sensitive information'.

The company says that although the origin of the email is based on a real investigation effort of a Southern Californian police district, US authorities have ruled out any security risks this controversy may pose. Moreover, hotel owners have clarified that only minimal information about their guests -- like their names, room numbers and arrival/departure data -- is encrypted in the cards they use.

Data theft

Shah Amber explains how data theft can be prevented.

"Internal threat is a big risk factor for companies. Companies must see to it that any data that can be misused should be completely secure. There are all kinds of technologies to secure IT systems," Shah says.

"Companies have hiked IT security budget and have made no compromise on this. Many have changed application security procedures as well. They have learnt how to recoup from the crisis," he adds.

"As for individuals, they must be very careful about data theft with proper anti-virus systems installed in their computers. It should be updated. They must make sure their Wi-Fi is not misused. They must not disclose e-mail id to any unknown site. They must also make sure children do not surf sites and accidentally pass on information," says Shah.

"There are many fake sites which can lure you and many end up giving their passwords as well. So there is a big threat so one must be very careful. To avoid hacking they can secure ports."

The Internet has become an open medium, so it is exploited by terrorists. But it is not possible to shut down all those sites. One must be very cautious while surfing and sharing information.

Source: Rediff.com, By Manu AB


Thursday, November 26, 2009

PEEP SHOW - Fake it & you may lose your dream job

ECONOMIC RECOVERY HAS BROUGHT EMPLOYERS BACK TO THE HIRING ZONE, BUT IT’S NOT EMPLOYEES’ MARKET YET Cos Step Up Background Checks Of Prospective Employees’ Educational & Personal Information

Our Bureaus NEW DELHI | KOLKATA

As the economy rebounds and hiring begins to pick up pace, companies are going to unprecedented lengths with sweeping background checks of prospective employees. The scope of pre-employment screening, which has traditionally been limited mainly to senior executives and involved basic searches to verify the accuracy of the resume, the educational background and biographical data, is now being vastly expanded. All job applicants, not just those at senior levels, are being scrutinised with a fine-tooth comb. And almost no area is off limits.

While false claims about education and employment are among the main triggers for rejection, some job applicants have been tripped up by their personal lives. One such was denied a job after an agency specialising in background verification discovered that the individual was having an extra-marital affair. The agency asked the prospective employer, a multinational company, to put the application on hold by filing a ‘pink’ report and the employer obliged. “In our lingo, green means a goahead, pink is doubtful and red signifies rejection,” said SK Sharma, group director-HR at Premier Shield, a security solutions company that carries out background checks on behalf of corporates. A red flag can be activated by a number of other factors: criminal history, substance abuse, a poor credit track record or even dodgy equity trading. While former colleagues, classmates and those living in the applicant’s neighborhood are tapped for information, some agencies go even further.

Premier Shield admits to setting up sting operations to test for ethics, and some companies infiltrate staff into the organization where the applicant is working to gather information about the prospective employee’s conduct with colleagues, especially women.

Arun Bhagat, vice-president, HR, with infrastructure group GMR, said he visits colleges and universities and at least two past employers to do reference checks of candidates. GMR recently sacked an employee just days after he joined, after it was discovered that he had falsified some documents. “For key roles in finance and at executive levels, we make discreet enquiries on the reliability of the professional, his reputation in and outside the organization and even carry out a search on the internet,” he said. Mr Bhagat insists that the checks are carried out with the consent of the prospective employee. Software and back-office service providers were among the first to make background checks mandatory for all potential hires. Many IT companies and HR consultants like Ma Foi engage firms such as First Advantage, PP Verify, PremierShield, Onicra and Authbridge for pre-employment screening, which can cost between Rs 1,000 and Rs 5,000 per employee.

Pinkerton Consulting & Investigations India, a detective agency which undertakes screening for several multinational firms, found in a recent survey for IT and IT-enabled Services providers that about 4,000 companies, universities and institutes of dubious background were providing fake documents. Pradeep Bahirwani, vice-president (talent acquisition) at Wipro, said that in the IT industry the average percentage of fake resumes is 20-30%. “Based on preventive and corrective actions less than 1% of the total active applications we receive would be fake,” he added.

Among other sectors, the financial services industry, which hires an estimated 75,000 employees every year, is now actively adopting the practice started by IT companies. Battling a marked rise in the incidence of fraud by employees — a recent study by risk consultancy Kroll showed that fraud is increasing twice as fast in the financial services sector than in others — companies are snooping on potential hires more than ever before.

“This is part of the new belt-tightening system in all high-profile recruitments in the financial sector,” said veteran headhunter, Ajit Isaac, MD & CEO of Ikya Human Capital Solution.

While nearly all leading banks carry out verification with the police for criminal history, some private banks like Axis Bank have also started checking the credit history of recruits. “Since credit history is closely associated with one’s reputation, reviewing it is becoming a norm before recruitment,” a senior Axis Bank official said. The country’s largest private sector insurer ICICI Prudential Life concedes that nearly 7% of the candidates it reviewed for hiring had a fraudulent past. The company has now partnered with reputed risk management agencies to undertake background screening.

“As one of the leading players in the insurance space, we are deeply concerned about the incidence of fraud and are working with the industry to explore ways to mitigate the risk of fraudulent activities,” said ICICI Prudential Life HR head Judhajit Das. The insurance sector is now even thinking of creating a common central database that will include the names of all employees fired for fraud. The proposal, put forward by Bajaj Allianz General Insurance, is now being discussed by all leading players.

The Life Insurance Council, the grouping of life insurers, is also keen on the idea. “However, someone has to manage such a database of delinquent employees — it may either be us or the regulator IRDA,” said chairman SB Mathur. With curious employers prying deeper into the backgrounds of potential employees, there are concerns that they could intrude into individuals’ privacy. E Balaji, CEO of HR firm Ma Foi, observes that in Europe, there are stringent privacy laws and strict regulations and guidelines about how much an employer can check the background of an employee. “In comparison, awareness about privacy laws is much lower (in India). Companies just take a broad declaration from the individual about such background checks,” he said.

Reporting by Monica Behura & Mahima Puri in New Delhi and
Writankar Mukherjee, Debjoy Sengupta & Atmadip Ray in Kolkata

Thursday, November 12, 2009

Good times for fraud

Fraud is a growing problem for corporate Australia, but there are tools that can detect suspicious activities.
Litigation is often cited as the main beneficiary of any business downturn, but there is another oblique area of financial services which proliferates during a financial crisis. Accountants are now reporting an unprecedented boom for their forensics departments, because in a downturn, fraud is rife.
Deloitte Australia claims that it has undertaken as much as five times its normal work in this area over the past 12 to 18 months and there is no sign of it slacking off. KPMG has also reported a considerable increase in its forensics business, and the need to take on new personnel to cope with the “boom”.
Unlike litigation, fraud is far less heralded – it is the corporate stain which dare not speak its name. Often accountants are brought in with both a covert and an overt role – overtly as auditors to check accounts and covertly to dig deep inside company data to check for both forced and unforced errors.
Frank O’Toole, Deloitte’s national financial crimes services leader, says the uncovering of fraud tends to occur when companies are compelled to examine their spending. “Sometimes it comes up during a normal cost-cutting exercise,” he notes.
While the media tends to hype up the proliferation of external, web-based fraud, internal fraud is by far the bigger problem for corporate Australia, costing the economy around $3.5 billion a year, according to the Australian Institute of Criminology. KPMG says around 65 per cent of frauds perpetrated on companies are internal. O’Toole says that often it is the employee who would be least expected to commit fraud who is tempted. “Normally those who would choose to do the right things are faced with certain pressures – they’re not getting a pay rise and they’re struggling with mortgage repayments and school fees – faced with the opportunity to misappropriate $20,000 or even $50,000, they succumb.”
KPMG’s head of forensic, Gary Gill, says it will continue for some time to come: “They’re saying the worst is over and things are looking good – well the bottom line is people are still doing it tougher now than 12 months ago,” Gill says.
Simple tricks
What kinds of frauds are being discovered? Gill says much of the fraud is very simple – on the accounts payable side KPMG is seeing a lot of false invoicing – the setting up of bogus vendors and then the processing of false invoices.
Gill also sees a lot of simple online payments fraud, much of which is barely disguised. “Sometimes they just transfer money straight out of the company account into their personal accounts,” says Gill.
O’Toole mentions slightly more canny pretences – the collusion with suppliers, whereby invoices are inflated for the benefit of both parties. Expenses fraud is also escalating, says O’Toole. “They tend to be around the $10,000 or $15,000 mark but we have seen expenses fiddles of up to $1million occurring.”
Forensic departments never tire of saying that companies which fail to segregate authorization and custodial duties will always be more susceptible; they also point to the need to regularly test internal controls for weaknesses.
Last but not least, a whistleblower process – which may incorporate a number of lines of access to report suspicions anonymously, is deemed essential.
Deloitte Forensic research found that around 70 per cent of frauds are usually identified by someone else in the organization, and over 80 per cent of staff who will not report fraud cite a fear of retribution as the reason.
Insurers even say that without good lines of reporting suspicions, a company will not be considered for fidelity insurance, which covers Corporates for internal fraud. See Fire, flood or … fraud?
Technology sniffs out fraud
Both Gill and O’Toole say one of the most exciting developments has been the growth of data analytics technology to monitor suspicious electronic transactions among thousands of pieces of information.
Document management systems are also becoming critical to support complex legal cases stemming from the misdeed.
Deloitte has its own proprietary system, as does KPMG. Both are constructed to analyze the millions of pieces of data in everyday business systems, for example by comparing vendor master files to employee records. They can uncover real frauds as well as operational mistakes.
What kinds of things can they flag? Gill says you can run a comparison between accounts of employees on the payroll system against your vendor bank account numbers. “If an employee has the same number, you know there’s a problem.”
“You can look for duplicate payments – one legitimate, one false. Also round sum payments – very few invoices are for round sums. It’s a good idea to have them checked as well as any payments processed outside of normal business hours,” Gill says.
Deloitte cites a number of “red flags” the technology is most likely to throw up, which also includes things such as short-term changes to employee or supplier accounts.
Another give-away that fraud may be occurring is the repeated structuring of transactions just under the delegated authority limit. “Of course, five payments of $9999 authorized by a staff member with the authority to approve costs up to $10,000 would certainly be subject to close investigation in any organization … if detected,” says O’Toole.
Transactions conducted directly through the electronic funds transfer system rather than the accounting system are also subject to scrutiny. “Typically, instances of EFT fraud appear to be linked to issues around access to computer log-ons and inappropriate use of passwords,” says O’Toole.
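The red flags Gill and O’Toole list above (vendor accounts matching employee accounts, duplicate payments, round sums, out-of-hours payments, structuring just under a delegated limit, and EFT payments that bypass the accounting system) can be expressed as simple checks over accounts-payable records. The following is an added example written for this page, not Deloitte’s or KPMG’s system; the payment records, employee accounts, approver limits and all thresholds are constructed assumptions.

```python
"""Accounts-payable red-flag checks (added illustration with constructed data).

Not the proprietary analytics of Deloitte or KPMG; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for the example.
BUSINESS_HOURS = (8, 18)            # 08:00-17:59, Monday to Friday
ROUND_SUM_UNIT = 100                # exact multiples of this amount count as "round sums"
STRUCTURING_FRACTION = 0.9          # "just under" a limit means >= 90% of it and below it
STRUCTURING_MIN_COUNT = 3           # ... with at least this many such payments
STRUCTURING_WINDOW = timedelta(days=30)

# Constructed records: fictitious employees, vendors and account numbers.
EMPLOYEES = [
    {"employee_id": "E100", "bank_account": "062-000-11111111"},
    {"employee_id": "E101", "bank_account": "062-000-22222222"},
]
APPROVER_LIMITS = {"E100": 10_000.0, "E101": 50_000.0}   # delegated authority limits


def _pay(pid, vendor, account, invoice, amount, approver, when, source="accounting"):
    return {"id": pid, "vendor": vendor, "vendor_account": account, "invoice": invoice,
            "amount": amount, "approver": approver, "when": when, "source": source}


PAYMENTS = [
    _pay("P1", "V-ACME", "033-100-99999999", "INV-501", 1234.56, "E101", datetime(2009, 11, 3, 10, 15)),
    _pay("P2", "V-ACME", "033-100-99999999", "INV-501", 1234.56, "E101", datetime(2009, 11, 4, 11, 0)),   # repeat of P1
    _pay("P3", "V-NEWCO", "062-000-11111111", "INV-7", 5000.00, "E100",
         datetime(2009, 11, 5, 23, 40), "eft_direct"),                                                  # vendor account is E100's own
    _pay("P4", "V-SUPPLY", "033-200-55555555", "S-1", 9999.00, "E100", datetime(2009, 11, 6, 9, 0)),
    _pay("P5", "V-SUPPLY", "033-200-55555555", "S-2", 9999.00, "E100", datetime(2009, 11, 9, 9, 0)),
    _pay("P6", "V-SUPPLY", "033-200-55555555", "S-3", 9999.00, "E100", datetime(2009, 11, 12, 9, 0)),
    _pay("P7", "V-OK", "033-300-77777777", "OK-9", 842.17, "E101", datetime(2009, 11, 10, 14, 30)),      # unremarkable
]


def employee_account_matches(payments, employees):
    """Vendor master file compared to payroll: a vendor paid into a staff bank account."""
    staff_accounts = {e["bank_account"] for e in employees}
    return {p["id"] for p in payments if p["vendor_account"] in staff_accounts}


def duplicate_payments(payments):
    """Same vendor, invoice reference and amount paid more than once."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p["vendor"], p["invoice"], round(p["amount"], 2))].append(p["id"])
    return {pid for ids in seen.values() if len(ids) > 1 for pid in ids}


def round_sum_payments(payments):
    """Genuine invoices rarely come to an exact round sum; compare in cents to avoid float error."""
    unit_cents = ROUND_SUM_UNIT * 100
    return {p["id"] for p in payments if round(p["amount"] * 100) % unit_cents == 0}


def outside_business_hours(payments):
    """Payments processed at night or on a weekend."""
    start, end = BUSINESS_HOURS
    return {p["id"] for p in payments
            if p["when"].weekday() >= 5 or not (start <= p["when"].hour < end)}


def structured_under_limit(payments, limits):
    """Repeated payments by one approver, each just under that approver's authority limit."""
    flagged, by_approver = set(), defaultdict(list)
    for p in payments:
        limit = limits.get(p["approver"])
        if limit and STRUCTURING_FRACTION * limit <= p["amount"] < limit:
            by_approver[p["approver"]].append(p)
    for group in by_approver.values():
        group.sort(key=lambda p: p["when"])
        for i, first in enumerate(group):
            window = [q for q in group[i:] if q["when"] - first["when"] <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT:
                flagged.update(q["id"] for q in window)
    return flagged


def bypassed_accounting_system(payments):
    """EFT sent directly from the banking portal instead of through the accounting system."""
    return {p["id"] for p in payments if p["source"] != "accounting"}


def flag_payments(payments, employees, limits):
    """Return {payment id: [flag names]} for every payment that trips at least one check."""
    checks = {
        "vendor_account_matches_employee": employee_account_matches(payments, employees),
        "duplicate_payment": duplicate_payments(payments),
        "round_sum": round_sum_payments(payments),
        "outside_business_hours": outside_business_hours(payments),
        "structured_under_limit": structured_under_limit(payments, limits),
        "bypassed_accounting_system": bypassed_accounting_system(payments),
    }
    report = defaultdict(list)
    for name, ids in checks.items():
        for pid in ids:
            report[pid].append(name)
    return dict(report)


if __name__ == "__main__":
    for pid, flags in sorted(flag_payments(PAYMENTS, EMPLOYEES, APPROVER_LIMITS).items()):
        print(pid, ", ".join(flags))
```

A flag is a prompt for investigation, not proof of fraud: P3 trips four checks at once, which is the kind of concentration an analyst would look at first, while P7 trips none.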
Is the cost of using this technology worth it? A company can spend millions trying to get to the bottom of its problems, but huge frauds have been discovered quickly – and at a relatively low cost.
Source:- The Sydney Morning Herald; By Adam Courtenay

Monday, November 2, 2009

Banks pushing chip-and-PIN place elderly at high risk of fraud

Customers kept in the dark as banks are reluctant to be upfront about alternative to chip-and-PIN cards
Thousands of elderly people are being left vulnerable to fraud because of the banking industry’s failure to explain to customers that there is an alternative to chip-and-PIN technology.
Under the Banking Code, all banks must offer a “chip-and-signature” account for those who may find it difficult to remember their PIN, or cannot use a chip-and-PIN terminal. However, Times Money has discovered that some banks are reluctant to tell customers of this alternative method.
Vulnerable people who are forced to use chip-and-PIN are likely to write down the number or tell it to someone else, which means that it is highly unlikely that they will be reimbursed if they become a victim of fraud. Jane Vass, of Age Concern and Help the Aged, says: “Many older people are driven towards payment methods that they are not comfortable with, putting their financial security at risk.”
John Walter, a pensioner from Devizes, Wiltshire, was recently sold a fee-based NatWest current account that came with a chip-and-PIN card. The card was stolen and thieves drained his account of £7,000 by withdrawing money at cash machines over 14 days. Mr Walter, who is 73 and described by friends as vulnerable and forgetful, admitted to NatWest that he had written his PIN in his diary. Although the diary was not stolen, NatWest still refused to reimburse his losses.
Elizabeth Merritt is a friend of Mr Walter and has taken up his case with NatWest. She says: “John has been with NatWest for 50 years and trusted the bank implicitly. He does all transactions inside his branch and had never even used his card. Despite this, NatWest still persuaded him to pay £13 a month for a chip-and-PIN account with features that he would never need. He was never told about chip-and-signature.”
NatWest told Mr Walter that somebody with access to his home must have seen the PIN and stolen his card, and that this constituted a breach of his terms and conditions. He was also told by NatWest that none of the cash machines used in the fraudulent transactions had CCTV cameras, and “this may be something the fraudster had considered before using the card”.
When Times Money approached NatWest, the bank maintained that Mr Walter had been negligent. However, it agreed to refund the £7,000 as a gesture of goodwill. Mr Walter has now been given a basic bank account and will request chip-and-signature.
Another pensioner, Rosa Farrell, of Hereford, recently had £3,500 fraudulently withdrawn from her bank account by her eldest son, who had a gambling problem. Mrs Farrell, 65, wrote down the PIN and kept it well hidden in her house, away from her card, but on a visit her son managed to find the card and the number. He was convicted for the theft.
Mrs Farrell’s bank, The Co-operative Bank, said that because she had written down the number she had been negligent and would not be reimbursed. She had to take her case to the Financial Ombudsman before she recovered her money. “I don’t know why the bank did not stop the suspicious transactions, which were totally out of character,” she says. “In the end, the ombudsman ruled that I was entitled to believe that my bank details were safe in my own home.”
The Financial Ombudsman Service, which resolves disputes between consumers and banks, deals with about 150 complaints about chip-and-PIN fraud every month — usually when someone’s bank has refused to compensate them for losses.
Fewer than 500,000 people have a chip-and-signature account, according to the UK Payments Association, despite the banks agreeing to offer vulnerable people an alternative to chip-and-PIN when it was introduced in 2004. However, there are 700,000 people with dementia in the UK, according to the Alzheimer’s Society, while the Royal National Institute for the Blind says that 1.8 million people are blind or partially sighted. Many of these people should have chip-and-signature accounts.
Sandra Quinn, of the UK Payments Association, says: “It would be very disappointing if banks were not giving chip-and-signature to customers who need it. Some people may find in the future that chip-and-PIN is not suitable. They have every right to ask for an account with chip-and-signature.”
Pensioners are also encouraged to use chip-and-PIN to receive their state pension and other benefits via the Post Office card account, which was introduced in 2003 to replace pension books. Neil Duncan-Jordan, of the National Pensioners Convention, says: “Some pensioners still queue up to receive their pension holding a piece of paper with their PIN on it. Anyone who is uncomfortable with PINs can request to have benefits sent by cheque in the post.
“Chip-and-PIN is simply not suited to many elderly people, and banks and the Government should do more to promote alternatives.”
Ross Anderson, a security expert at the University of Cambridge, says that it is in banks’ interests to push chip-and-PIN. He says: “Quite simply, if you use a PIN, disputed transactions are your fault. However, a forged signature makes a transaction null and void, which means that the banks cannot hold customers liable. Banks are exploiting the old and vulnerable because they want to take away their consumer protection. It’s a disgrace.”
The Banking Code, to which all banks must adhere, states: “We will tell you about alternatives to chip-and-PIN, which are available if you are unable to use a PIN because of a disability or medical condition.”
Several high street banks confirmed to Times Money that they offered chip-and-signature, but emphasised that it was only for specific types of customer. A spokeswoman for Barclays says: “Chip-and-signature is for customers who have a disability that makes using a PIN difficult or impossible, either because of dexterity problems, visual impairment or difficulty remembering the number. All other customers are issued with a PIN.”
A spokesman for Santander, which owns Abbey, Bradford & Bingley and Alliance & Leicester, adds: “Chip-and-PIN is an important tool in fighting card fraud, and PINs should not be divulged to other people or written down. Customers can change their PIN to a more memorable number.”
New rules relieve customers of burden of proof
The Banking Code will be abolished next month and replaced with a complex set of rules, the Payment Services Regulations (PSR).
Experts fear that consumers will no longer have a user-friendly set of guidelines that clearly explain banks’ responsibilities. Instead, they will have to wade through a 152-page document for details of their rights.
The Financial Services Authority, the City watchdog, will enforce the new regulations. It says that victims of fraud will actually have more protection, with the onus on the bank to act quickly to prove that a transaction was the customer’s. Unless the bank can show a good reason why it needs to investigate the claim, it will have to refund the amount immediately.
Page 38 of the PSR states that if a person notices a suspicious transaction on an account, it is for the bank to prove that the transaction was “authenticated, accurately recorded and not subject to technical breakdown or other problem”.
Currently the onus is on customers to prove that suspicious transactions were not their own. The Banking Code states: “We will need you to give us confirmation or evidence that you have not authorised a transaction.”
Source:- Times Online, UK ; By Lauren Thompson

Saturday, October 24, 2009

Lawyers, CAs more prone to loan fraud

Intermediaries such as lawyers, valuers, chartered accountants, statutory auditors, real estate developers and motor vehicle and agricultural equipment dealers have largely been found by the Reserve Bank of India to be involved in frauds in retail loans.

The central bank, in its report on trend and progress of banking in India for 2008-09, said there has been a steady rise in frauds reported in the retail loan segment, with the increase in the retail loan portfolios of banks in recent years.

Banks have been asked to provide to the Indian Banks’ Association the names of unscrupulous intermediaries who aid the perpetration of frauds, jeopardising the interests of banks.

Banks are required to forward names of tainted intermediaries, including professionals involved in frauds, to IBA after satisfying themselves of the involvement of the third parties concerned and after providing them with an opportunity of being heard.

The RBI is also in the process of introducing a monitoring mechanism for identification of outlier banks, where there is a high concentration of frauds. The level of risk residing in a bank would be determined after taking into account recoveries made, punitive action taken against staff involved and other steps taken by the bank with regard to the fraud.

The Reserve Bank of India is also in the process of framing guidelines to ensure that the incidence of frauds is factored in while carrying out the supervisory review and evaluation process in the banks, for the purpose of assessing fraud risk in specific and operational risk in general.

RBI has decided to cover fraud risk from now on during its quarterly discussions with banks. The RBI is also carrying out modifications in parameters for the systems and controls component of the Camels (capital, asset, management, earnings, liquidity and systems) rating framework, which would reflect the status of a bank as an outlier or not based on the incidence of frauds and the strengths/weaknesses of banks’ associated systems and controls.

Based on the parameters, banks would be categorised as outlier banks, RBI said. Once they are categorised as outliers, the relevant information with regard to those banks would be taken up for any regulatory response.

Source:- www.mydigitalfc.com ; By Rajendra Magan Palande

Credit cards or misery cards?

In keeping with the spread of sophisticated lifestyles in the west, the credit card phenomenon has invaded India and most people have gotten so used to it that they cannot live without it. However, unlike in the west, the dice here in India are totally loaded against the user, as the Reserve Bank of India is able to do very little to secure the user, says SS Kumar.

The following are the ways in which card issuing banks try to fleece the card holder:

Late fee

This is charged randomly because of a funny rule claimed by the banks: the deadline, as interpreted by them, is the date by which they are able to realize the funds in their account. So against a deadline of, say, the 27th of a month, even if you drop the cheque into their collection box by the 23rd, you could still be penalized if the bank is unable to encash this cheque before the quoted deadline. The question one might ask is: if you have dropped a cheque payment 3-4 days in advance, what control do you have over the subsequent events or delays?

One of the reputed banks was regularly playing this game with me till I caught them. I dropped two cheques with the same payment deadline into the same collection box on the same day, and at the same time, for two separate banks. The second one, a bit more professionally run, acknowledged receipt of my cheque payment in time, with thanks, through SMS, whereas the other one, based in Chennai and wanting to make a fast buck, came back claiming a late fee, as usual. They sheepishly reversed the charges when I escalated the matter to RBI.

RBI must immediately issue a directive that when a payment deadline is mentioned as the 27th of a month, the deadline should apply to the physical act of dropping your cheque into the collection box and not to the date the bank realizes the payment, because no one controls the declaration of public holidays in the intervening period.

The quantum of the late fee itself is questionable. A few years back it was just around Rs 200 or 250; today, most banks quote around Rs 650. As an extension of their greediness, they let you buy consumer durables under a specially created EMI scheme. They use this neat opportunity to claim a late fee not only for a particular card, VISA or MC, but separately, once more, for these so-called special schemes under these cards. So you can be charged a late fee more than once on the same card, because of sub-sections under it.

Disputed claims

Many of the banks issuing card related monthly statements assume that the card holder does not go through the statements minutely and feel they can get away with several erroneous billings.

Here the banks have another funny rule. Even if you feel some entries in the statement have nothing to do with you, they insist that you pay the full amount first and then wait for the next two months for reversals to take place.

If the discrepancy is of the order of Rs 100 or 200, it does not pinch, but often the erroneous charge is in the order of Rs 6000 - 8000 or even more. The card holder is simply forced to watch his funds in the hands of the bank, that too earning zero interest, whereas in the reverse situation, the bank immediately gleefully charges you around 4 per cent interest per month.

Everywhere outside India, say in the US or Canada, the user is not required to pay the disputed amounts and can pay after deducting the amounts that look questionable. RBI is blissfully unaware of this rule, and this ignorance on RBI's part encourages banks in India to ride roughshod over or fleece the hapless customer still further.

Biggest fraud through sale of policies on phone

The biggest frauds perpetrated by card issuing banks are through the so-called sale of insurance and medical cover policies over the phone. There have been countless victims of this well-rehearsed fraud that takes place with absolute regularity. It operates like this.

A lady comes on the line, uninvited, and starts blabbering on about the unique benefits of some insurance or medical cover policy that they are marketing. You express your indignation over this sudden invasion of your precious time. To get them off your back, you tell them to send all the details through the post and, once you are convinced, you will get back to them. You do this because you want to get a full grasp of the details, including what is really in the fine print. If you thought you had put a lid on the matter firmly, you are sadly mistaken.

Then comes your next month's statement and, surprise of surprises, she has already billed you for this medical cover even before receiving your approval. You confront her, trying to control your rage at this sacrilege, and she tells you coolly, "when we spoke on the phone, you never emphatically said no to my scheme; so we presumed you said yes and accordingly proceeded ahead by billing you."

Now, nothing can be done; you will have to pay the entire first year's premium! "Oh, we have a recording of our entire discussion and we can play it back for you if you like", is the last punch line. This fraud is being played on people day in, day out, and the pity is that the RBI is fully aware of this large-scale fraud and has not done a thing about it till date. If it comes to a real showdown in a court of law, where is the guarantee that the bank would not have doctored the recorded conversation to edit out your objections during the same telecon?

Selling policies on the phone is an accepted practice in the west, but there the underlying theme is utmost honesty because the buyer can sue them in case of malpractice. Here the banks indulge in their daylight robbery along the above lines because the local laws are so weak. It is high time either the RBI or the Finance Ministry or the Supreme Court woke up to the large-scale fraud. There have been several hapless victims of this fraud. The government should ban this altogether and disallow the banks from charging card holders until they have a written approval from the customer.

Cross check your monthly statements

Many people assume that since the monthly card statement comes neatly printed in a ready format each month, the entries must be correct. For god's sake and your sake, please double check them. I did precisely that and found that this reputed bank was trying to fob me off with an excess charge of Rs 75,000, not Rs 75 or 750, exactly Rs 75,000! When I reported this to RBI, overnight, this bank revised downward the total outstanding against my name by this whopping amount. Remind yourself that such social parasites exist everywhere; they have no particular dress code and more often than not, they are white-collared workers in such banks. When confronted by me with the facts, this bank promised to look into the matter. The bottom line: I would have easily allowed myself to be fleeced if I had not been seriously reviewing their statements, and would have become poorer by Rs 75,000 overnight had I not decided to confront them with equal aggression and crudeness.

Why do the banks charge exorbitant interest rates in India?

Thanks to some recent initiatives of RBI, when you apply for a personal loan, the banks have seemingly removed all the extra loadings on the sanctioned loan in terms of processing fee, one time fee etc. and they no longer talk of penalty on loans that are pre-closed.

The general interest rates in India have nosedived from a high of 15-20 per cent earlier down to around 10 per cent now. In spite of this, MNC banks charge over 40 per cent for credit card spends, despite RBI's rumoured directive to them to charge no more than 3.1 per cent a month. There is absolutely no uniformity in these charges and some banks, like Deutsche Bank, charge over 42 per cent per annum. In the US and Canada and other western countries, the rates hardly exceed 15 or 16 per cent per annum.

Why should RBI permit such a large difference in interest rates? After all, the source of funds (seed capital) of these MNC banks is the west when they start their operations in India, and this is obtained at much lower, almost insignificant, rates of interest, say 2 or 3 per cent per annum, which is the going bank rate for personal loans there. It is high time RBI seriously looked at these vast interest differentials.

Life time membership fee fraud

Initially, when these banks brought their cards into India, the standard practice was to charge a membership fee every year. Since new entrant banks were desperate to make a breakthrough, some of them waived this annual fee for using the card. To get even, the established banks played a new trick. They came up with a scheme of a one-time life membership charge for, say, VISA or MasterCard. If you heaved a sigh of relief after having paid this one-time lifetime fee, you were again in for a major surprise.

Six months later, the same bank introduces a new version of the VISA or MasterCard and again debits you with a new lifetime membership fee.

The simple logic one understands is something similar to the lifetime tax you pay for your car. Once you have paid the lifetime tax for your car, you are not required to pay for it again just because you put a new coat of paint on it or change the worn-out tyres.

So, why should this be any different in the case of lifetime membership of credit cards?

I raised this issue with RBI a long time back and a response is still forthcoming.

Bottom line

It is very obvious that RBI has been totally unequal to the dubious machinations of the MNC banks in India so far and has a lot more homework to do to bring in some discipline in the working of these banks.

Unless there is a quick induction of checks and balances these banks will continue to merrily fleece the average Indian card holder. Perhaps, the finance ministry under a veteran like Pranab Mukherjee can take the quick initiative and push these reforms through RBI.

SS Kumar is CMD of ASTRAL Systems (India).

7 myths about Swiss bank accounts busted
You are watching a movie, and in it a well-dressed gentleman arrives in an expensive car and alights in front of a building whose doors are flanked with mercenary-looking guards. The gentleman walks inside and is met by a distinguished-looking elderly gentleman, to whom a series of numbers is rattled off. The man is then ushered into a vault-like facility. Welcome to the stereotypical depiction of a Swiss bank.

When you think about Swiss bank accounts, words like mysterious, secret, guarded, rich and out-of-league come to mind. What many don't know is that Swiss banks are just like any other bank in the world. Here are some myths about Swiss banks and bank accounts which need to be shattered.

Swiss banks only service the filthy rich

Nothing is further from the truth. The majority of a Swiss bank's clients are not major manufacturers, movie stars or heirs of businesses, but everyday people like you and me. You can open a Swiss bank account with a deposit of only 5,000 Swiss francs. Swiss banks even offer accounts with no minimum balance.

No interest on money invested

Absolutely wrong! Just like any other bank, Swiss banks also have a variety of investment options such as mutual funds, stocks, bonds, commodity and derivatives investments etc. Swiss bankers are among the best finance managers in the world, so it comes as no surprise that they manage over 35 per cent of offshore holdings. Moreover, owing to very consistent financial stability in Switzerland, your money is much better handled here.

Swiss banks are financial havens for criminals

Nothing can beat this rumour. However, for people who are unaware, Swiss banks have very stringent policies on who invests money in the bank. The vast majority of Swiss bank account holders are honest people who want to keep their savings in a country renowned for its stability. Swiss banks are extremely cautious regarding politicians who wish to open an account and they systematically refuse to accept any money that is of dubious origin.

Numbered accounts guarantee anonymity

There is nothing like anonymity in Swiss banking terminology. On the other hand, there are very strict rules on client-banker confidentiality which ensure that the number of fraudulent transactions that can happen with your account is negligible. However, the identity details of numbered accounts are accessible, albeit only to the bank manager and a few select people.

Swiss bank accounts can only be opened in person

Just like at any other international bank, Swiss bank accounts can be opened through correspondence as long as you comply with the opening procedures and provide the bank with the necessary documents. Moreover, all other banking facilities such as telephone banking, Internet banking, bank transfers and credit cards are available in the kitty of a Swiss bank's services.

Swiss bank accounts are very expensive to maintain

This is not true. Most of the Swiss bank accounts don't charge a cent in annual fees. Even if you would like additional services such as retained correspondence or numbered banking relations, the annual fees are very reasonable.

But why would anyone want to open a Swiss bank account if it is like any other?

Source: BankBazaar.com

Monday, October 19, 2009

Arrest of Hedge Fund Chief Unsettles the Industry

Raj Rajaratnam
For years, whenever anyone asked Raj Rajaratnam about the success of his hedge fund, the Galleon Group, he chalked it up to being hungrier than everyone else.
“It is pride, and I want to win,” Mr. Rajaratnam said in “The New Investment Superstars,” a book by Lois Peltz published in 2001. “After a while, money is not the motivation. I want to win every time. Taking calculated risks gets my adrenaline pumping.”

Now prosecutors are claiming that Mr. Rajaratnam, 52, crossed the line into criminal activity.

At dawn on Friday, Mr. Rajaratnam was arrested at his expensive Manhattan home, charged with running the biggest insider trading scheme involving a hedge fund. He and five others are accused by the Justice Department and the Securities and Exchange Commission of relying on a vast network of company insiders and consultants to make more than $20 million in profit from 2006 to 2009.

Mr. Rajaratnam’s lawyer has said his client is innocent. He is free on $100 million bail and is expected to be in the office Monday to address Galleon employees.

In 2007, Mr. Rajaratnam’s name arose in connection with an inquiry into fund-raising for the Tamil Tigers, the Sri Lankan rebel group that was defeated in May after a quarter-century of violence.

News of Mr. Rajaratnam’s arrest has also shaken the secretive hedge fund world, in which intelligence on companies is often shared among Wall Street analysts, traders and other investors.

“The defendants operated in a cozy world of ‘you scratch my back, I’ll scratch your back,’ ” Preet Bharara, the United States attorney for the Southern District of New York, said on Friday. He added that the case should be a “wake-up call” for hedge fund managers who even think about insider trading.

Hedge funds often use lobbyists, investigators and other connected people to dig for information about a company or industry.

Most of the information is obtained legally. But the government’s use of wiretapping and confidential witnesses in the Galleon case raises questions about when investors can act on nonpublic information. The case also signals a new zeal by authorities to clamp down on Wall Street crime after failing to detect the $68 billion Ponzi scheme by Bernard L. Madoff.

At the center of this purported insider trading ring is Mr. Rajaratnam, who rose from a technology analyst to become a hedge fund billionaire.

Mr. Rajaratnam always remained close to his homeland, Sri Lanka, which was riven by fighting between its government and the Tamil Tigers, formally known as the Liberation Tigers of Tamil Eelam. The hedge fund manager often reached into his wallet for causes related to the country. When the island was struck by a tsunami in 2004 — he had been there at the time, but was inland — he organized a charity to raise money to rebuild homes.

In 2004, he also helped raise $120,000 to buy dogs to detect land mines littered throughout Sri Lanka.

Yet his giving was not without controversy. In 2005 and 2006, the charity he created, Tsunami Relief, gave $1.5 million to the Tamil Rehabilitation Organization, a group officially dedicated to helping victims of the fighting. But prosecutors have since charged the Tamil charity with aiding the rebel group, and its nonprofit status has been suspended.

A criminal complaint filed in Brooklyn federal court in 2007 described an “Individual B” who donated $2 million to the terrorist group in 2000 and 2004. People briefed on the matter confirmed a report by The Wall Street Journal that Individual B was Mr. Rajaratnam, who was never charged. Several defendants in that case have pleaded guilty to raising money for the Tigers.

A lawyer for Mr. Rajaratnam, James Walden of Gibson, Dunn & Crutcher, said in a statement that his client was not a Tiger supporter and that the money had been spent on “rebuilding thousands of homes for Tamils, Sinhalese and Muslims without discrimination.”

Within the hedge fund industry, Mr. Rajaratnam was long known for his expansive contacts within the technology sector.

People close to the company describe the pressure within Galleon as intense, with Mr. Rajaratnam demanding long hours and highly detailed research reports.

By the time he was arrested, Mr. Rajaratnam had cemented his position as a member of New York’s financial elite. Forbes estimated his net worth this year at $1.3 billion, earning him a spot on its list of richest people in the world. He donated more than $30,000 to Barack Obama, Hillary Rodham Clinton and the Democratic Party in 2008.

And he sat on multiple charity boards, including those of the Harlem Children’s Zone and the American India Foundation.

Mr. Rajaratnam built his fortune from the ground up: born in Sri Lanka, he was sent away for schooling, including at the Wharton School at the University of Pennsylvania. He became a technology analyst at the investment bank Needham & Company, rising through the ranks to become president. In 1992, he began a hedge fund for Needham clients, many of whom were technology executives themselves.

Mr. Rajaratnam left the firm in 1997, but took the fund and called it Galleon, after the Spanish empire’s ships used to ferry gold and spices from the New World.

Several of Galleon’s employees had an engineering background, like him. Many outside analysts envied the extensive research reports their counterparts at Galleon produced, culled from regulatory filings, checkups on supply chains and sources within the companies they covered. At its peak, the firm managed $7 billion in assets, but that figure has since fallen to about $3.7 billion.

The firm made no secret that its investors included technology executives. Among them was Anil Kumar, a McKinsey director who did consulting work for Advanced Micro Devices and was charged in the scheme. Another defendant, Rajiv Goel, is an Intel executive who is accused of leaking information about the chip maker’s earnings and an investment in Clearwire.

Prosecutors also say that a Galleon executive on the board of PeopleSupport, an outsourcing company, regularly tipped off Mr. Rajaratnam about merger negotiations with a subsidiary of Essar Group of India. Regulatory filings by PeopleSupport last year identified the director as Krish Panu, a former technology executive. He was not charged on Friday.

Galleon has previously been accused of wrongdoing by regulators. In 2005, it paid more than $2 million to settle an S.E.C. lawsuit claiming it had conducted an illegal form of short-selling.