FraudFocus

PE-Promoter Ties Go Into a Tailspin In India - Alliances break down because of mistrust and lack of transparency

2011-12-10T17:33:00.002+11:00

Four years ago one of the world’s biggest private equity (PE) funds paid over $600 million to get a foot into the door of one of India’s most respected financial services conglomerates. After the two heads duly paid tributes to the eminence of the other’s institution at the time of signing up, the partnership was expected to blossom. Perhaps it did – until some six months ago when the financial services house abruptly stopped inviting the PE firm’s representative to its board meetings.

The problem: the head of the financial institution and the PE firm executive could just not hit it off. That’s just one reason — a distinct lack of chemistry — for relationships between PE firms and their investee companies going awry. Other reasons include differences over objectives and how to attain them; and breakdown of trust between the two sides.

PE industry circles are abuzz with stories of PE fund managers and promoters who have stopped talking to each other; of PE heads getting irked because the funds they provided are being used for purposes that weren’t mentioned at the time of signing the deal; and of investors discovering enough holes in the books of investee companies to sink an armada.

A few months ago, three representatives of as many PE investors stepped down from the board of KS Oils, a maker of edible oils, after the management failed to appoint a new auditor to examine the company’s books.

More recently, two PE investors in Lilliput Kids wear accused the company of accounting fraud – not dissimilar to what ICICI Ventures did with retailer Subhiksha a year ago.

FINANCIAL FRAUD Investors discover that promoters are cooking up the books

INABILITY TO ADD VALUE
Promoters get frustrated with PE fund’s inability to add value

SLOW PACE OF PROMOTERS: Promoters go slow on projects after promising a faster pace of execution when signing up

RACE FOR VALUATIONS
With an exit in mind, PEs make haste to prepare for a bumper IPO

None of the Parties Willing to Accept There are Differences Between Investors and Promoters

Almost none of the parties involved are willing to accept that there are differences between investors and promoters.

In the case of KS Oils, the resignations of the PE representatives leave the company with little to hide. But the management's story is different from that of the investors.

Ramesh Chandra Garg, chairman & managing director, says an income tax raid on the company triggered the resignations.

But Jacob Kurian, partner of New Silk Route, one of the three PE investors in the company, says: “We believe KS Oils has fudged its accounts. So we had no option but to step down from its board.” Citigroup Venture Capital and Baring Private Equity Asia are other two PE investors in the company.

According to a senior executive at a PE fund, varying goals of investors and promoters can trigger tensions. Typically, a PE investor has a three to five year horizon to maximize profits – and valuations. In that frenzied rush, the fund might suggest a strategy that is at odds with the promoter’s original game plan.

In the case of Lilliput, the executive adds, it is quite possible that the investors started losing faith in the business model.
When Bain and TPG came on board Lilliput, the two along with company owner Sanjeev Narula changed the strategy from opening 1,000 sq ft stores to larger formats between 6,000 and 8,000 sq ft. The idea may not have been bad – but that they opened several such stores in quick time sent the company’s fixed costs spiraling.

As Lilliput told the Company Law Board – which it had approached a week ago to restrain the PE investors – it had agreed to pay Rs 33 lakh per month as rent for a property in South Extension. “The two sides may blame each other for such a decision but the fact is the company took it. With this kind of rent, it is impossible to break even, forget making profits,'' says a retail sector analyst on the condition of anonymity.

Investors are often in a hurry to push growth as they are keen to build a valuation that will enable a timely exit. That may have been the case with Lilliput; it expanded furiously opening a store a day, began advertising on the business channels and also held discussions with Aishwarya Rai's agent to rope her as a brand ambassador—all this was done to build up to an IPO.

“A PE investor’s investment horizon often differs from that of the promoters,” says Rahul Bhasin, managing partner, Baring Private Equity Partners India. If there are PE funds that are making haste to exit at handsome valuations, there are an equal number of promoters either not keen or unable to maintain time lines decided at the time of investing. Kurian of New Silk Route attributes conflicts to poor governance, dishonesty and lack of integrity on the part of the promoters. He feels a rift is inevitable if a PE sees his investee company getting involved in fraudulent practices.

“Conflicts are guaranteed when a promoter enjoys economic interest disproportionately more than his equity interest. Many Indian promoters don’t adhere to regulation, which does not go down well with global PE funds,” adds Bhasin. The flip side is that promoters lose faith in the fund’s ability to bring that extra to the table. According to the former head of a large fund who is now setting up his own venture, one big reason for conflict lies in the PE investor’s inability to add substantial value to the investee companies. Rather, there are PE funds that introduce a heap of systems and processes that are more likely to curb growth than add value. If the relationship becomes irreparable, PE investors who think investee companies have flouted the agreement can take recourse to legal remedies, including arbitration.

“If an entrepreneur does not honour the contract, the PE investor can go to arbitration and it can also take legal steps. Generally, most PE players do the arbitration outside India, mostly in Singapore and London,” says Akhil Gupta, chairman of Blackstone India. The best way to avoid such a scenario is of course to start well – by choosing the ‘right’ partner. That may be easier said than done but it isn't difficult to spot the initial tell-tale signs of trouble on the horizon.

Sanjay Nayar, CEO, KKR India Advisors, says his company takes at least seven months to seal a deal. “We take our time to understand the promoters,” he explains. Nayar says that with so many PE funds in the fray, there is often “an auction like situation when a deal is up for grabs.” This could well prove to be a recipe for looming disaster, adds New Silk Route’s Kurian, as a PE investor may well promise more than it can deliver to seal the transaction.
In some sectors, like retail for instance, a review of the business can be a tricky affair. Anil Khatri, director at the Delhi-based Coralbay Advisory, which is advising Koutons Retail on a debt restructuring package, says all PE investors do a reality check but the review is generally time bound and limited; so due diligence at times does not bring out all the exact details – and devils – in businesses.

Source: Economic Times

Tax evasion: The farce continues

2011-07-06T03:10:00.002+10:00

Who says the government wants to go after black money stashed abroad?

The fact that at least 18 Indians have nearly Rs44 crore stashed in Liechtenstein, a tiny European tax haven, was known and reported by the media way back in early 2008. Their names were among the 1,400 that a bank official sold to tax authorities in Germany and other countries. While countries like the US, the UK, Australia, Germany and Italy immediately initiated action, India has been moving at a snail’s pace.

In the three intervening years, mounting pressure from activists and opposition parties to bring back tax-evaded money to India forced the government to sign agreements with dozens of countries to share information on tax evasion.

Finally, on 9th June, a daily published the 18 names with exact details of cash held in Liechtenstein banks and the tax penalty that has been computed by tax officials.

Does it mean that this paltry tax-evaded money would now boost our tax coffers?

It is unclear. One media report says that the CBDT (Central Board of Direct Taxes) has submitted an affidavit in the Supreme Court saying: “18 Indians had deposited Rs24.26 crore as tax on Rs43.83 crore held in the bank accounts.” Another says that the process of recovering money with penalty has been initiated in 17 of the 18 cases. But this, too, may not be accurate.

Vishwabandhu Gupta, a retired income-tax commissioner based in Delhi, tells us that the tax authorities are still reluctant to take any action. He says that the very fact of stashing money in a tax haven is proof of an intention to ‘wilfully evade taxes in India’. This does not require a long-drawn litigation, if the authorities are determined to collect tax.

Under Section 276 (C) of the Income-Tax Act, a person who ‘wilfully attempts’ to evade tax, penalty or interest chargeable, then ‘without prejudice to any penalty’ that may be imposed under the Act, is punishable with rigorous imprisonment of not less than six months, extending to seven years. This harsh penalty is applicable even when tax evaded exceeds just Rs1 lakh.

The Income-Tax Department has no qualms arm-twisting honest taxpayers, even on TDS (tax deduction at source) issues arising out of its own confused drafting. Yet, it drags its feet over return of black money from tax havens and collection of interest and penalty.

The government simply does not want money coming back from tax havens.

Source: Moneylife, By Sucheta Dalal

Gupta secretly defied McKinsey before tipster charges surfaced

2011-05-18T16:46:00.002+10:00

Govt records show that Gupta called Rajaratnam nine times in 2008 and 2009, providing him information for trading

Source:- Livemint, By John Helyar, Carol Hymowitz, Mehul Srivastava

------------------------------------------------------------------------------------

Atlanta/New Delhi:

On a sunny Friday afternoon in June 2003, Rajat Gupta was greeted at his waterfront home in Westport, Connecticut, by scores of his McKinsey and Co. partners. They had come from London, Frankfurt, New Delhi and other cities around the world—and brought along an elephant, which they tethered on the front lawn.

Gupta was stepping down after nine years as managing director of the global consulting firm, and his colleagues were gathered to celebrate his tenure and wish him the best in the next phase of his career.

They offered champagne toasts and took photos of Gupta, standing next to the elephant, which was draped in a brightly coloured shawl.

Today, some of those same people say they’re stunned by what they’ve since learnt about Gupta. In March, the US Securities and Exchange Commission (SEC) filed an administrative order against Gupta saying that he had passed confidential information to hedge fund billionaire Raj Rajaratnam, the central figure in the biggest crackdown on insider trading in US history.

Rajaratnam was convicted on 14 counts of conspiracy and securities fraud on 11 May and could face 19 years in prison, pending his 29 July sentencing in federal court.

Government wiretaps and phone records show that Gupta called Rajaratnam nine times in 2008 and 2009, giving the hedge fund manager information to make trades for his New York-based Galleon Group Llc.

Gupta, 62, who divides his time among his Connecticut home, a Manhattan apartment and a Florida getaway, has lived a double life. For 34 years until 2007, he worked for McKinsey, including nine years as the top executive of one of the world’s most trusted and prestigious consulting firms.

He was the confidant of chief executive officers such as Goldman Sachs’ Lloyd Blankfein and Procter and Gamble Co.’s (P&G) former head A.G. Lafley. Gupta sat on the boards of both of those companies—and he was a director at four other publicly traded corporations.

As a philanthropist, Gupta raised millions of dollars for education and healthcare, especially in India where he was born and to which he wanted to give back. He’s done charitable work with Microsoft Corp.co-founder Bill Gates, former US president Bill Clintonand Indian Prime Minister Manmohan Singh. Friends describe him as brilliant and humble.

At McKinsey, a firm known for keeping secrets, Gupta harboured a few of his own. As the managing director and then as senior partner of McKinsey for four more years before he retired, he ran his own consulting business on the side—a violation of McKinsey rules.

He and Anil Kumar, a former McKinsey partner who last year pleaded guilty to passing confidential information to Rajaratnam, set up their own consulting company. Gupta also independently advised Gurgaon-based GenpactLtd, which manages business processes for other companies. That work, too, broke McKinsey’s rules.

“It has always been a clear violation of our values and professional standards for any firm member to provide consulting or advisory services outside of McKinsey for personal monetary gain,” says Michael Stewart, a McKinsey partner and director of communications.

McKinsey conducted an internal investigation of Gupta and Kumar, and has cooperated with prosecutors and SEC.

During the past decade, Gupta, who was already a millionaire, began to veer off track. He spent more time with Wall Street money managers. He told colleagues that he wanted to be a deal maker, not just a consultant. Gupta declined to comment on what he told his colleagues or on anything else reported in this story.

While Gupta was devoted to his philanthropy in India, his quest to amass great wealth led him to lapses in judgement, says Bala Balachandran, dean of the Great Lakes Institute of Management in Chennai, and a friend for almost three decades.

“He wanted a billionaire’s life and the question for him was how could he become a billionaire in a short time,” Balachandran says.

Gupta, a man to whom corporate chieftains turned for advice and counsel, chose poorly when it came to investment partners.

In December 2006, two years before he reached McKinsey’s mandatory retirement age of 60, Gupta co-founded private equity firm New Silk Route Partners Llc(NSR Partners) with investors, three of whom had previously paid fines to settle SEC actions against them.

Among the three was Rajaratnam, whose Galleon Group paid $2 million (around Rs. 9 crore today) in a fine and forfeited profits to the government in May 2005 to settle an SEC complaint it had made improper trades. He neither admitted nor denied wrongdoing.

Two other investors in New Silk Route, Parag Saxenaand Victor Menezes, like Gupta, had connections in the US and India.

Saxena, a former money manager, paid a $250,000 fine in 1994 to settle civil claims that he had received pre-initial public offering stock in companies at big discounts and then recommended the shares to his clients at Chancellor Capital Management Inc., after the companies went public.

In January 2006, Menezes, a former CitigroupInc.senior vice-chairman, paid $2.7 million in a fine and forfeited trading profits to the US to settle SEC charges that he sold Citigroup holdings ahead of an announcement of losses from a subsidiary in Argentina. Both men neither admitted nor denied wrongdoing.

Balachandran says he warned Gupta of his choice of business partners.

“You’re an eagle, so why do you want to be with these chickens who can’t fly?” Balachandran says he told Gupta. “You’ll get the chicken flu.”

Gupta hasn’t been charged with a crime in the Galleon insider trading scandal. The SEC administrative action against him is a civil complaint—and the most that could happen to him is a fine and a consent decree that could bar him from serving on public company boards in the US.

Gupta and Rajaratnam have known each other since the 1990s, and their relationship is both personal and professional. Gupta invested $10 million of his own money with Rajaratnam, according to Gupta’s lawyer, Gary Naftalis. Gupta gave Rajaratnam more than money; he passed along information on Goldman Sachsand P&G, prosecutors said during Rajaratnam’s trial in Manhattan.

Justice department prosecutors called Gupta an unindicted co-conspirator. They presented wiretap evidence to the Rajaratnam jury showing that Gupta had told the hedge fund manager that in 2008, Goldman Sachs’ board was discussing possible acquisitions of American International Group Inc.or Wachovia Corp.

He also gave Rajaratnam early word on earnings at Goldman Sachs and P&G, SEC says in its action.

Gupta sent an email in late February to fellow directors of the Indian School of Business (ISB), Hyderabad, declaring his innocence. “I have done nothing wrong,” he wrote to the board of the school, which he co-founded in 2001. “The SEC’s allegations are totally baseless.”

For the 85-year-old McKinsey, the Kumar conviction and the SEC action against Gupta have been a blow to its elite image. The firm counts among its clients hundreds of the world’s leading corporations and governments.

Consultants never talk about their clients in public, and the firm won’t even disclose customers’ identities. Leaders of major companies have started their careers at McKinsey, including Boeing Co.chief executive officer (CEO) Jim McNerney, former American Express Co.head Harvey Goluband one-time International Business Machines Corp.CEO Lou Gerstner.

For decades, until the 1970s, the firm was the ultimate old boys’ club, where consultants were required to wear hats and long, dark-coloured socks, with white, button-down cotton shirts and conservative suits. Gupta was the first non-white and non-US-born elected managing director of the firm.

McKinsey veterans have been deeply troubled by Gupta’s run-in with SEC.

“I was shocked, totally and completely shocked, at the news of the allegations,” says Ian Davis, who succeeded Gupta as McKinsey’s managing director from 2003 until 2009 and is now a director of BP Plc and Johnson and Johnson Services Inc.

Gupta got caught up in envy and emulation of the super rich, says Terry Connelly, dean of the Ageno School of Business at Golden Gate University in San Francisco.

“You can never underestimate the seductive power of three or more zeroes added to net-worth numbers,” says Connelly, a former managing director at Salomon Brothers Inc. “You can be successful, but if you’re in hedge fund managers’ circles and you’re not rich like them, you can start asking, ‘Why can’t I get that? I’m every bit as smart.’”

Smart is a word people often use when describing Gupta. His ascent from lower-middle-class roots in Kolkata to the top of McKinsey is a triumph of brain power and drive.

He was born in December 1948, 14 months after India became independent of British rule. His father, a journalist who worked for two newspapers, fought for India’s independence and was jailed several times for his political activism. His mother was a teacher in a Montessori school.

The family moved to New Delhi when Gupta was five. He, his two sisters and younger brother attended Modern School, one of India’s few English-language, Western-style high schools at the time—located off what was then New Delhi’s most exclusive shopping district, Connaught Place.

Gupta was orphaned at the age of 18 after both his parents died of natural causes within two years of each other. He persuaded an unmarried aunt to live with him and his siblings, according to a 1994 interview Gupta gave to Business Today magazine.

He said he was shattered by his father’s death and became very studious, careful never to make a mistake that could cost him his high school scholarship.

Gupta ranked in the top 20 applicants among hundreds of thousands of Indian youth who took the entrance examination in 1966 for a spot at the elite Indian Institutes of Technology, according to an interview he gave to The Economic Times when he became head of McKinsey.

He chose the Delhi campus, which kept him close to home and, in 1971, he earned a bachelor’s degree in mechanical engineering. His main leisure activity was acting in plays in the school’s drama club, where he met his future wife, Anita Mattoo, an electrical engineering student.

In the socialist India of the 1970s, white-collar positions outside the civil service were scarce. Gupta got his first job offer from ITC Ltd. He turned it down when he was admitted to Harvard Business School on scholarship.

The academic workload was unrelenting for most, but not for Gupta, says John Carberry, who lived in the same Boston dormitory and was Gupta’s friend.

“Sometimes we’d still be doing cases at 2am, but he’d be done by 11pm and lying on his bed, watching Johnny Carson,” says Carberry, who’s now president of Wellesley, Massachusetts-based FL Putnam Investment Management Co. “But if you had problems with your school work, he’d always help.”

At a time when students at Harvard Business School were overwhelmingly white, Gupta stood out culturally and intellectually, Carberry says.

“Gupta was unassuming and humble,” he says. “When he spoke in class, though, everyone put their pencils down and listened. He was the smartest guy in my section, just brilliant.”

Gupta became a Baker Scholar, a distinction earned by the top 5% of students in his graduating class in 1973. With his Master of Business Administration degree, he applied for a spot with McKinsey.

Even with his stellar academic record, the firm turned him down. Walter Salmon, one of Gupta’s professors who had McKinsey connections, wrote Gupta a recommendation, and the consulting firm decided to hire him in New York.

Gupta advanced steadily, becoming a McKinsey partner in 1980 and moving to Copenhagen the following year. In 1984, Gupta began overseeing all of the firm’s business in Scandinavia. He moved to McKinsey’s Chicago office in 1987 and became head there in 1989. The office served many of the region’s manufacturing and consumer products companies.

James Kilts, a former CEO of Nabisco Group Holdings Corp. and GilletteCo., says he was impressed when he first met Gupta in Chicago in the late 1980s. Kilts was then an executive at Kraft FoodsInc., and Gupta advised him about strategy for cheese products.

“He was very thoughtful and self-deprecating,” Kilts says. “He could take a complicated subject and simplify it.” Kilts kept in touch with Gupta as both men advanced. “You could always learn something from him,” he says.

Gupta’s big career leap came in 1994, when McKinsey held elections for a new leader, something that happens every three years. The firm’s 427 partners nominated seven of their peers in the order they preferred. After several rounds of ballots, Gupta, who was 45 at the time, was elected. He became McKinsey’s youngest managing director.

McKinsey grew rapidly under his leadership. He won re-election twice, and during his three terms, the maximum the firm allows, revenue increased to $3.4 billion from $1.2 billion. The number of partners rose to 891, according to Kennedy Information Llc, a research firm that tracks the consulting industry.

McKinsey opened 26 new offices in 30 countries under Gupta, who pursued global expansion in India, China and other emerging markets where the firm’s biggest clients increasingly were doing business.

As the tech boom took hold in the 1990s, Gupta pushed McKinsey to take on Internet start-ups as clients, even when they could pay only in stock. That broke from the firm’s tradition of serving mostly blue-chip clients who paid fees. The equity, which McKinsey accepted from about 150 fledgling firms, went into a profit pool for partners, according to former partners.

Client demand for McKinsey services declined following the bursting of the Internet bubble in 2000. Global Crossing Ltd, Kmart Corp., Swiss International Air Lines AG and other companies McKinsey had advised filed for bankruptcy. The biggest public embarrassment was Enron Corp.’s collapse.

The Houston-based energy trader, which had been the seventh largest company by assets in the Standard and Poor’s 500 Index, lost almost all of its value when regulators found the company had used accounting gimmicks to create a massive fraud.

Enron had McKinsey in its bloodlines. Jeffrey Skilling, the firm’s CEO, had once been a McKinsey partner, and the consulting firm had advised the company for 18 years as it transformed itself from an oil pipeline operator to a derivatives trader. Skilling was convicted of fraud in 2006 and sentenced to 24 years in federal prison.

As McKinsey’s spate of woes swelled, so did Gupta’s outside interests. He raised personal donations from India’s top business executives, including Infosys Technologies Ltd chairman N.R. Narayana Murthy, to start ISB.

He also tapped McKinsey consultants based in India, including Kumar, who would later get caught up in the Galleon scandal. ISB, which has become the most prominent one-year business school in India, opened in July 2001.

When an earthquake struck Gujarat in April 2001, Gupta co-founded the American India Foundation (AIF) to raise funds for victims. The foundation has since raised millions of dollars from Hollywood stars, executives and money managers to aid India’s poor.

Rajaratnam and his wife donated $1.5 million to the foundation in 2006 for an HIV-AIDS programme, and made more donations later.

Gupta’s McKinsey partners supported his philanthropic efforts. They didn’t, however, know about the for-profit work he did while still at the firm, according to Stewart, McKinsey’s director of communications.

In 2001, Gupta and Kumar set up their own consulting company, Mindspirit Llc, in the names of their wives, Anita Gupta and Malvika Kumar, according to a filing with SEC by Omaha-based InfoGroup Inc. The two men, working for Mindspirit, gave advice to the company’s CEO, according to the SEC filing.

InfoGroup, a database company, compensated Mindspirit with 200,000 stock options, which the consulting company exercised for an undisclosed amount, the filing said.

Bill Clinton, honorary chairman of AIF and another InfoGroup consultant, according to the filing, was granted 100,000 stock options he never exercised.

The same filing disclosed the settlement of a shareholder suit against InfoGroup’s CEO Vinod Guptafor his use of company funds for personal pleasures. He had 20 cars, a yacht with an all-female crew and a private jet he used to fly his family and friends to Africa, Cancun and Italy.

Vinod Gupta, who’s not related to Rajat Gupta, had collaborated with the latter in building AIF. He resigned as CEO in August 2008 and repaid InfoGroup $9 million, according to the filing.

Another company that Gupta independently advised was Genpact, spun off from General Electric Co.(GE). Genpact’s sole client initially was GE, to which it provided back-office support.

Gupta was an advisory director from 2005 to 2007, for which he was granted 81,405 stock options, valued at 93 cents each then, according to Genpact’s 2008 proxy statement. He hasn’t exercised the options which expire in 2015, according to company filings. Genpact shares traded at $16.88 on 16 May.

Gupta became enamoured of private equity as he saw others on Wall Street earning far more than he could make at McKinsey.

In 2006, he co-founded NSR Partners, which eventually raised $1.3 billion to invest in India and other emerging economies, company filings show. Rajaratnam dropped out as a partner before NSR Partners opened. He invested $50 million in the firm. He withdrew his stake last year, according to Kathleen Lacey, an outside spokesperson for NSR Partners.

After retiring from McKinsey in 2007, Gupta globe-trotted constantly. He travelled to India to look for investments for NSR Partners and to cities throughout the US and overseas for meetings at the five public companies and many non-profit boards on which he was a director.

When Gupta was in New York, he spent time with Rajaratnam. According to testimony at Rajaratnam’s trial, Gupta and his NSR Partners co-founders initially worked in cubicles at Galleon’s headquarters. NSR Partners later leased an office on Madison Avenue that was less than a block-and-a-half from Galleon’s. Gupta, in 2007, joined Rajaratnam and a third partner to form GB Voyager Multi-Strategy Fund, an investment fund, contributing $10 million of his own money. The $50 million fund invested in Galleon hedge funds, including those that traded on Gupta’s allegedly illegal tips, SEC says.

Gupta passed confidential information to Rajaratnam in 2008 and 2009, SEC says. He disclosed information on two calls to Rajaratnam in September 2008 about the $5 billion investment in Goldman Sachs from Warren Buffett’s Berkshire Hathaway Inc., the regulator says.

Rajaratnam’s Galleon technology funds, which held no Goldman Sachs investments before those calls, bought 120,000 Goldman Sachs shares after Gupta talked to Rajaratnam, SEC says. On a phone conference call at 3.15pm on 23 September, the Goldman board approved Berkshire’s $5 billion investment.

“Gupta participated in the board meeting telephonically, staying connected to the call until approximately 3.53pm,” SEC wrote. “Immediately after disconnecting from the board call, Gupta called Rajaratnam from the same line.

“Within a minute after this telephone conversation, at 3.56pm and 3.57pm, and just minutes before the close of the markets, Rajaratnam caused the Galleon technology funds to purchase more than 175,000 additional Goldman shares,” the regulator wrote.

Galleon made more than $900,000 on the Goldman stock bought in advance of the announcement of Berkshire’s stake, according to SEC.

A month later, Gupta called Rajaratnam 23 seconds after a Goldman Sachs board call during which senior executives informed directors of poor results by the bank, SEC says.

Gupta also knew that Kumar, who was still employed at McKinsey, was being paid by Rajaratnam from offshore accounts, according to phone calls tape-recorded by federal investigators.

“You know, Rajat, I’m paying him a million a year for doing literally nothing,” Rajaratnam told Gupta in a July 2008 call recorded by federal investigators.

“I think you’re being very generous,” Gupta replied. “He should sometimes thank you for that, you know?”

Kumar, in pleading guilty, said Rajaratnam paid him $1.75 million to $2 million.

For himself, Gupta wanted at least a 10% stake in the Galleon International Fund, one of Rajaratnam’s hedge funds, in exchange for attracting investors. In a May 2008 wiretapped call, Rajaratnam told Kumar that he was ready to offer this to Gupta.

“He’s not giving me the luxury of saying, ‘Why don’t you come up with a package?’” Rajaratnam said. “He’s telling me, ‘I want so much’.”

Gupta never got that stake, according to testimony at Rajaratnam’s trial. The $10 million he invested in the Voyager Fund with Rajaratnam was wiped out in the 2008 global financial meltdown.

Gupta’s NSR Partners private equity fund hasn’t turned a profit with exits on any of its investments to date, according to Venture Intelligence, a Chennai-based research firm that tracks private equity in India.

Rajaratnam was arrested in October 2009. Gupta left the Goldman Sachs board in 2010, remaining a director at AMR Corp., Genpact, Harmon International Industries Inc., P&G and OAO Sber bank of Russia.

In January 2011, SEC notified Gupta that it had tied him to Rajaratnam and would file an administrative action against Gupta. He gave no hint of his legal perils when, on 27 February, he joined friends and business colleagues in a corporate box at Bangalore’s Chinnaswamy Stadium.

India was facing England in a group stage match of the cricket World Cup.

“He was chatty and looked dapper and cheerful,” says Shoba Narayan, an Indian author and acquaintance of his.

Gupta had already informed fellow directors at ISB that an SEC action was imminent.

“Just to be clear: There are no tapes or any other direct evidence of me tipping Mr Rajaratnam,” he wrote in the email he sent directors. “I have spent my entire professional career zealously guarding the confidences of my clients. There is no reason for me to suddenly deviate from a lifetime of probity and honour.”

Gupta flew back to New York after the match, which ended in a draw. Two days later, on 1 March, SEC filed its administrative action against him.

Gupta’s civil case is scheduled to be heard by an SEC administrative judge in July. He has filed a suit to get the SEC civil case transferred to a federal court where it would be heard by a jury. Naftalis, Gupta’s lawyer, declined to say why his client wanted a jury trial and declined to comment on any aspect of the SEC action.

Meanwhile, McKinsey has tightened its rules, barring consultants and support staff, as well as their spouses and children, from investing in any company McKinsey has served in the past five years or is cultivating.

Employees are also required to take a test about this policy and won’t receive their bonus unless they achieve a 100% score.

Gupta’s former Harvard dorm mate Carberry says he’s dumb founded as to what went wrong with his friend.

“If the SEC charges are true, something happened to Rajat,” he says. “The Rajat I knew at business school was of the highest integrity. The Rajat I’ve heard on wiretapped conversations isn’t the person I knew.”

Backdoor Amnesty: A New Window for Swiss Bank Account Holders

2011-05-18T03:03:00.001+10:00

(What Supreme Court described as wrong doings, Government found way to legitimize illegal wealth and allow them to keep it too…Way to Go!!!)

Bring back the money, legitimize it by paying 15% tax, & park it in any account with an Indian bank

SUGATA GHOSH

There’s some delightful news for those with Swiss bank accounts. Indians, who opted for such numbered account service, have a way to mislead anyone trying to hunt them down. For them, a new window in the tax law has flung open just when some of the doors are about to shut. The law of the land has made it possible for them to bring back the money, legitimize it by paying 15% tax, and park it in any account with a bank in India. No questions will be asked.

The taxman won’t harass them because it’s money on which tax has been paid. Officials at the enforcement directorate can’t slap a summon because it’s authorised transfer of funds from an overseas firm to a company in India through official banking channels. There are certain expenses involved as lawyers and accountants have to be hired to make the money transfer look genuine. You can’t really ask your Swiss banker to send the money straightaway to your savings account with the State Bank’s Santacruz branch. The man may think you have finally lost it.

There are other foolproof ways of going about with such business. A new company has to be set up in one of the tax havens, money has to be moved out from the secret numbered account to the account of the newly-formed company with another bank and then pay the amount as dividend to an Indian company. Ask your chartered accountant; he knows all about it, and even if he doesn’t, he will give you the telephone number of a professional who does. Such a professional will guide you through the maze of foreign exchange and tax rules to help you bring back the money that is rightfully or wrongfully yours.

Take one step at a time:

Step 1: Set up a company in Dubai. It’s easier than setting up one in India: Apply for a name with Dubai authorities and submit a simple memorandum. It will cost a few lakhs and will be done in a week. You will get an address, bank account and directors pooled in from an army of ‘service providers’ floating around in Dubai. (In a recent seminar, one of the Dubai state officials promised all assistance to Indian companies setting up arms in UAE). An Indian firm controlled by the Swiss bank account holder floats the Dubai subsidiary. This new subsidiary has a single purpose: to hold the money that will move out of Switzerland to Dubai, before it travels to India.

Step 2: Now, the money lying with the Alpine bank has to be transferred to a Dubai Bank, where the newly set-up company has an account. Let’s call this firm Fei Qian — the Chinese term for flying money. Since it’s unlikely that any company in Dubai will carry such a name, authorities in UAE will take little time in giving the permission. Hours after the Swiss bank receives instruction, money flows out of the numbered account to Fei Qian’s account in Dubai. Fei Qian poses as a global consultant with clients across Europe, and the money that has just flown into its Dubai account are fees from these clients. Swiss banks will never say why and where they transfer funds, while Dubai survives by instructing their banks not to ask such silly questions.
Step 2 is over. What follows is the last leg of the money flow — the passage to India.

Step 3: The Indian parent of Fei Qian receives the money as dividend income from its subsidiary in Dubai. The money may travel in tranches with decent intervals to avoid needless suspicion.
Indians with Swiss bank accounts couldn’t have asked for a better deal from New Delhi. Pay a 15% one-time tax and everything is forgotten and forgiven. Dubai has no tax. So, Fei Qian pays no tax — neither when it ‘earns’ the money nor when it distributes dividends to the Indian parent. The only tax that’s paid is 15% of the money after it comes to India. It’s a tax rate that’s 2-3% lower than Singapore’s, and half of what firms and individuals in India pay.

More and more individuals are beginning to spot the beauty of the 15% tax rule. It’s nothing but a backdoor amnesty scheme. A full-blown amnesty scheme, particularly calling it ‘amnesty’, would have stirred a hornet’s nest: bad press, hue and cry from the Opposition, public interest litigations filed by righteous individuals and embarrassing questions from Supreme Court judges. Why turn things ugly? Lower the tax on certain inflows from abroad and let smart guys figure out the rest.
What’s more, once the Dubai subsidiary is up and running, the Swiss bank account holders do not have to snap their ties with the banks that have guarded their secrets for years.

All they have to do is close the numbered account and let the Dubai Company open a new account with the Swiss bank. The money that’s not sent to India as dividend can come back to the new account in Switzerland. If the Indian government fishes for details on certain individuals after January 1 when the now-famous Indo-Swiss treaty comes into force, Swiss banks are not bound to talk on accounts that have already been closed. Numbered accounts will be history while new accounts opened by some Dubai firms will pass off as normal corporate business. Like Dubai, Switzerland too needs our money.

Source: Times of India, By Sugata Ghosh.

Fraud-Fighting Over The Next 5 Years: The Future Of Claims Investigations

2011-05-08T02:45:00.003+10:00

Over the next five years, we should expect dramatic changes in claims handling and fraud detection—mirroring emerging trends already evident in society today. What will this brave new world look like? What are the key trends, and what will be their impact on the claims-handling and fraud-fighting workflow between now and 2016?
Here are some predictions:

• The Explosion of Social Networking
Whether communicating via Facebook, Twitter, Tumblr, You Tube or other social networking sites, consumers are opening up their lives—and possibly revealing details that could be helpful to claims adjusters and fraud investigators. The trend has already begun, for example, with workers’-compensation fraudsters posting pictures and messages online, revealing that their health is much better than they had led claims administrators to believe.

• The Rise of Information Everywhere
Where is news, entertainment and e-mail accessed? Today, the answer includes TVs, desktop computers, laptops, iPads, smart phones and even gaming systems. While many of today’s information technologies are entertainment-oriented, in the not-too-distant future the entire claims process could well be carried out on these devices. The old model of sitting at a desk to do work is changing, as work moves with people to their cars and even to their pockets.
The impact for claims adjusters is significant. The current claims-analysis systems tied into desktop and mainframe systems will be available as mobile applications that will allow on-site claims information gathering as well as instantaneous claims-data analysis. We already see evidence of such trends in mobile access to estimating data for auto and property.

• Telematics
Today it’s possible to locate people by triangulating their position via their cellphone GPS. That technology is a useful tool in crime investigations. The next-wave technology in a similar vein is telematics. When telematics devices are installed in vehicles and transmit data, insurers know not just where but how drivers are operating their vehicles. The data provided by telematics devices can inform underwriting decisions and reduce misrepresentation of fact in auto accidents.

• New Uses for Satellite Photography
Today, satellite photography is used primarily for assessment of weather conditions and to assist scientists in measuring global change. Image resolution is getting sharper, however, and the range of available images is getting larger all the time. The impact for property-claims evaluation will be significant. In the future, checking the validity of property claims may be as easy as accessing high-resolution photographs of the property before and after a loss event, all done virtually—from anywhere in the world.

• Expanded Uses for Weather Data
Weather data has greatly improved meteorologists’ ability to predict storm systems. And the accuracy with which weather events can be measured has also significantly increased. Today, technology allows the detection of lightning strikes within a two-mile radius. In the future, data will be even more precise, affecting property claims in which unscrupulous property owners try to fake structural damages to receive payments. Weather forensics—such as detecting if or when there were lightning strikes or wind damage in the vicinity—will become easier in the future, helping investigators catch property owners and unscrupulous contractors who wish to take advantage of local weather events.

• Data-Driven Investigations
In today’s claims investigation world, claims adjusters collect information, and if something seems irregular, they alert the SIU staff. The investigator then makes phone calls, hits the street and knocks on doors to discover the facts of the case: a time-consuming and laborious process.
In five years, this model will be turned on its head. As soon as claims data is input, the system will begin searching through multiple channels of information to seek out suspicious data and behaviors. The explosion of information currently being generated—through social networking, news outlets, weather data, telematics devices, satellite photography and other data-gathering systems—will be accessed instantly, with each aspect of the claim being checked for possible fraud.

Predictive and network modeling will look at data to identify which claims require special handling or investigation. The data will tell investigators whom to pursue: the clinic that always bills just up to the threshold that won’t trigger an investigation; the claimant who uses four Social Security numbers; or the auto-repair shop that bills the insurance company for new parts but installs used ones.
In 2016, the speed of investigations will seem lightning fast in comparison with current methods. Once a suspicious individual or business is discovered, the investigator will be able to drill down with just a few clicks to put the case together. The old days of hitting the streets will be replaced with hitting the device. And in 2016, investigations will be as mobile as the personal communications routines of today.

• Point-Of-Sale Perimeter Defense
A decade ago, insurance applicants came into the office to apply for a policy, and the agent could actually get to know the applicant. Today, the personal interaction is being replaced by an online application—and what’s frequently lost is the ability to evaluate the applicant in a personal way. In five years, applicants will still be applying online, but the decisions of agents and underwriters will be supported by rigorous prescreening technology.
From the moment applicants begin to research an insurance product online, the screening system will begin to analyze their identities and their insurance and loss histories. The system will also look at other available records, such as whether there is a criminal or insurance-related fraud background. By the time the application is submitted, the system will already have gathered and scored information to know much about individual applicants and the risk of fraud. Insurers will be able to stop would-be fraudsters well before they become actual policyholders.

• Implications
In the next five years, developments in communications, information acquisition and analytic techniques will allow underwriting and claims staffs to collect better data perform better analytics and make better business decisions. The implications for insurance-claims handling and fraud fighting will be both exciting and challenging. Companies that move forward with technology but still maintain a collaborative relationship among the underwriting, claims and investigations staffs will have a leg up on the competition.

Source: Thomas Mulvey

Sebi favours self regulation for wealth managers

2011-05-02T01:59:00.000+10:00

In its new set of rules for an estimated $1 trillion wealth management industry, Sebi is planning to set up an intermediary regulatory body with representation from among the wealth managers themselves.

In the proposed self-regulatory model, the market watchdog will put the onus entirely on wealth managers for compliance to the regulations and the new entity to be created under Sebi's guidance would work as the first-stage regulator as also market development authority, a senior official said.

The decision to set up a self-regulatory organisation for wealth managers has been taken with a twin objective of regulating them without hampering the growth prospects of this burgeoning segment of financial services sector, he added.

The SRO model, where the wealth managers or investment advisors would be asked to develop a stringent code of conduct in consultation with Sebi, would be complemented with stern penalty measures for erring entities.

Sebi would provide an initial funding of Rs 10 crore for setting up of this SRO for wealth managers, after which the industry would have to pool in their own resources.

The proposed move is in line with similar measures earlier taken for mutual funds and merchant bankers, whose industry bodies AMFI (Association of Mutual Funds in India) and Ambi (Association of Merchant Bankers in India) serve as first-stage regulators.

The new body would also serve as a medium for Sebi to implement its various initiatives for the wealth managers.

The new rules would cover entities offering wealth management or investment advisory services across various asset classes irrespective of the different financial markets.

These would include stocks, commodities, fixed deposits, derivatives, insurance, mutual funds, private equity, pension funds as also alternative investment products such as funds investing in art works, antiques, coins and stamps.

For past few months, Sebi has been in consultation with the government, RBI and other financial regulators for framing a new set of rules for the wealth managers.

Given the size of the industry, and therefore a higher risk of large-scale frauds or manipulations, the new rules would also allow Sebi and RBI to impose strict penalties.

Although there are no official figures for it, the size of wealth management industry is pegged at about USD 1 trillion -- nearly double the size a couple of years ago.

While RBI and Sebi would be primarily responsible for compliance of the rules, help would be sought from other regulators, namely commodity regulator FMC, insurance watchdog Irda and pension fund regulator PFRDA, whenever needed.

The proposed rules are also being discussed by the Financial Stability and Development Council (FSDC), a high-level regulatory body chaired by Finance Minister.

The need for new norms was felt after an estimated Rs 400-crore fraud allegedly perpetuated by a relationship manager at Citibank and initial probe into the matter pointing towards various loopholes in existing regulations.

Subsequently, the government roped in all the financial sector regulators to formulate the all-encompassing and stricter wealth management guidelines, given the huge surge in the size of assets managed by them.

The new set of rules would collate all the existing practices and regulations for wealth management space from the different regulators and thereafter seek to do away with the loopholes, if any.

Wealth managers, who mostly act as investment advisors for HNIs, are currently regulated by different regulators as per the sectors in which they are offering their services.

However, there are no comprehensive rules to regulate the wealth managers for services across various sectors such as banking, markets, insurance, commodity and pension funds.

After the Harshad Mehta scam in 1992, RBI banned banks' portfolio management services. Since then, banks are limiting their wealth management business to advising their wealthy clients without taking custody of the capital or assets.

Sebi does not allow brokers to insist on PoAs from their clients and might suggest the same for bankers and others. As such, the portfolio management services in the capital market are regulated by Sebi, but these regulations do not cover asset classes such as fixed deposits and other banking products, insurance, commodity and pension funds.

Source: The Business Standard

Step back from regulating corporate governance

2011-05-02T01:53:00.002+10:00

How regulatory systems should deal with corporate governance came to the fore at the annual conference of the International Organisation of Securities Commissions last week in Cape Town.

Opinion across securities regulators seemed to be evenly mixed.
A section of the opinion was for adopting a “light-touch” approach to corporate governance instead of a prescriptive regime, others felt that general statements of principle will never work with people fundamentally “unprincipled”.

What was evident is that every regulatory regime is grappling with how to regulate listed companies in relation to corporate governance.

Hand on heart, each regulator understands that there is no ideal framework to ensure best behaviour by companies listed in its market, although the approach of the regulators could vary from a completely prescriptive one to a system based exclusively on moral suasion of directors of listed companies.

In India, regulation of corporate governance in listed companies has come to stay with Clause 49 of the listing agreement prescribed by the Securities and Exchange Board of India (“SEBI”).

This framework essentially revolves around the composition of the board of directors having to include a certain component of independent directors with the hope that the independent directors would have some fear of reputation and litigation risk, and therefore, act as a check and balance.

Such an approach muddles its way around the subject. By appointing the specified number of independent directors one could claim to have attained technical compliance with the prescribed norm. However, every director, including the independent director, holds office at the pleasure of the shareholders.
Indian listed companies entail substantial concentrated shareholding in the hands of promoters, who therefore would have.

Therefore, Clause 49, through its various amendments, has become confused between whether it should target being a check and balance on the promoter, or on the company’s management.

The Reserve Bank of India’s (“RBI”) approach to corporate governance in banking companies, which may seem “light-touch” in approach (with statements of principles from the RBI on matters to which the banks’ boards should apply their minds to) the RBI has over-arching statutory powers to veto even the appointment of a single director to the board of a bank.

The RBI has the power to supersede the entire board of directors of a bank. Indeed, SEBI too reads such powers as part of its omnibus power to issue directions “in the interests of the capital market” under Section 11B of the SEBI Act.

In the past, SEBI has directed specific individuals not to associate with listed companies in any manner, which is nothing but a ban on becoming a director of a listed company.

Against this backdrop, the question regulators should ask themselves is what their real intended object is in the area of corporate governance.

It may be useful to introspect whether having a wider chest and broader shoulders with ever-increasing powers is a matter of pride, or whether facilitating private parties to settle disputes is a more effective approach.

One radical solution, particularly in common law jurisdictions such as India, is for governments to focus on cleaning up inefficiencies in the judicial system so that shareholders and stakeholders can settle scores with corporates and their managements in a judicial forum.

Fear of having to face expensive litigation and suffering a reputation risk alone would deter mis-governance and spur logical decision-making by corporate boards. Indeed, SEBI has instituted a scheme to fund class action suits by shareholders, and that is a foundation it should build on.

If trial of a suit for damages were capable of resolution within a reasonable period of time, regulators would be saved much time and energy spent in measures that make them look like chasing their own tails. Therefore, regulatory energy would be better spent in pushing governments to make courts work better.

The fraud by Satyam management provides us with a classic example. Satyam investors in the United States have been able to extract a settlement from the company for the accounting fraud committed by it and have been able to lay hands on real money.

In contrast, investors in India have and will lag behind, although the fraudster is Indian and the issuer of securities is Indian. SEBI may issue regulatory directions to individuals allegedly involved in the fraud under Section 11B of the SEBI Act “in the interests of the capital market”.

However, apart from giving the regulator the pride of having inflicted injury on an alleged wrong-doer, SEBI’s jurisdiction would enable it do precious little for the pockets of the investors.

It is only the court system that can use its jurisdiction to assess and award damages for wrong-doing. Our law-makers and regulators should strive towards making the private litigation and dispute resolution system efficient instead of expending tax-payer’s resources in regulatory interventions that do nothing for the bottomline of the investors.

Source: The Business Standard.

The World's Most Ethical Companies

2011-03-20T01:15:00.000+11:00

The World's Most Ethical Companies

http://www.forbes.com/2011/03/15/most-ethical-companies-leadership-responsibility-ethisphere.html

Microsoft employee steals $460,000 from the company

2011-01-28T19:21:00.000+11:00

REDMOND:
Software giant Microsoft has reportedly sued a former director of business development in a US state court, accusing him of stealing nearly $460,000 from the company. According to a news report in ComputerWorld, the employee Robert D Curry tried to siphon off another $1.5 million before his scheme was uncovered. In its complaint, Microsoft has alleged that Curry created a fake company called Blu Games and submitted bogus invoices for non-existent services. According to the report, as a director of business development, Curry dealt with companies that promoted the downloading of Bing Bar, an Internet Explorer (IE) toolbar add-on designed to boost IE use. "On at least 3 occasions between April 19, 2010 and November 22, 2010, defendant Robert D Curry ... fraudulently induced Microsoft to pay through a vendor approximately $459,341.63 for defendant Curry's benefit, while falsely representing that the payments were for legitimate Microsoft business expenses," Microsoft stated. Curry duped a legitimate Microsoft vendor, Pentad Solutions, into paying Blu Games for supposedly distributing the Bing Bar, then asking Microsoft for reimbursement. Curry created fake invoices, distribution agreements and reports and also forged his manager's signatures to support his scheme, Microsoft alleged. The company Microsoft has demanded that Curry repay the entire $459,000, and that it be awarded triple damages under the state's Criminal Profiteering Act, says the ComputerWorld report. Curry fired on January 13, worked with Microsoft for some five years.

Read more: 'Microsoft employee steals $460,000 from the company' - The Times of India http://timesofindia.indiatimes.com/tech/news/software-services/Microsoft-employee-steals-460000-from-the-company/articleshow/7377564.cms#ixzz1CJal3gCa

Outsourcing Risks - Role of People, Process and Technology

2010-12-05T01:37:00.003+11:00

Abstract :

Outsourcing non-core business activities to third parties is a world wide trend these days. However while doing so, organizations often incur risks that may put the entire business operations at stake either immediately or a time later.

Thus special care is needed while stepping into any kind of outsourcing arrangement with a service provider.

By Nikhil Parulkar

Full article is as below:

Babu asked bribe for Delhi posting: Bedi

2010-11-29T23:58:00.000+11:00

AHMEDABAD: After Ratan Tata revealed how he had refused to pay bribe when he wanted to start an airline service, it was Kiran Bedi's turn to expose a similar case. She recounted a bribe demand by a government official in return for a desirable post in Delhi police at the IIM-A campus on Sunday.

Attending the B-school's annual event Confluence 2010, Bedi disclosed that a government official holding an important position at that time asked for Rs 6 lakh if she wanted a posting in Delhi as her tenure in Mizoram had ended in 1992.

"I refused to pay the amount and asked them to print the money themselves and take it. Because of this, they kept me waiting for nine months and did not assign me any duty after which they finally posted me in Tihar Jail," she said.

Bedi shared these experiences related to corruption while speaking at the valedictory function of IIM-A's business school summit. However, she refrained from sharing the name or identity of the official who demanded the bribe. She said the biggest corruption scams in the country are handiworks of corporates.

"Corporates are corrupting the government" she said, adding, "It is my sincere request that the institute undertakes research to find out why these young talented and educated officers are getting into corruption." According to her, another research must be conducted to find out why these talented bureaucrats corrode and why don't they speak up about corruption before their retirement.

Referring to other issues, which need to be researched she said, "So many engineers are getting into administrative services. Is not it waste of all the skills they learnt as engineers? We need to find out who are better managers; people from arts background or people from the science background."

Source: The Times of India; November 29, 2010

Conducting a forensic investigation post the incident reporting

2010-11-24T01:17:00.001+11:00

Abstract:

Fraud is a prevalent and a pervasive incident, and the investigation needs to be thorough and fair. Good investigators are those who seek facts with a substantial degree of independence. It is also critical that good investigators imbibe values of thoroughness and objectivity while conducting an investigation; such investigators are likely to have more credibility and their findings are more likely to be accepted as fair & unbiased.

Full Article Link is as below:

http://searchsecurity.techtarget.in/tip/Investigate-fraud-with-these-best-practices

ON GUARD:- ‘Wipro fraud probe hints at involvement of multiple officials’

2010-10-05T22:41:00.001+11:00

PROBE COMMITTEE TO SUBMIT REPORT BY MONTH-END

EARLY investigations into the embezzlement reported at Wipro, earlier this year, hint at the involvement of multiple officials and units within the company’s financial department, people familiar with the ongoing probe told ET. Last week, Wipro said it will file its annual report with the US Securities and Exchange Commission for the yearended March 2010 more than a month after the scheduled September 30 deadline, as it awaits the investigations to be completed.

Audit firm Ernst & Young, apart from an internal probe committee led by Narayanan Vaghul, former chairman of ICICI and an independent director with the country’s third-biggest software exporter will submit their reports to the company’s board later this month, according to persons with knowledge of the developments.

“The embezzlement has been happening over three years. It cannot be carried out in isolation. The objective of investigations is to identify the process improvements and even fix accountability,” one of the persons told ET, requesting anonymity. He added that it was still too early to draw conclusions, since the investigation is expected to be completed by October-end only.

The fraud came to light in December last year after a banker to the firm alerted Wipro about an overdraft. An employee working with Wipro’s ‘controllership’ division, within the finance department, had embezzled about $4 million by exploiting the exclusivity of access to the company’s banking accounts. Wipro declined to offer any comments, as the company is in a silent period ahead of its second quarter results later this month. An Ernst & Young spokeswoman did not respond to a query sent by ET.

As reported by ET in February this year, a Wipro staff embezzled crores of rupees over the past three years, sending the country’s thirdlargest software exporter scrambling to tighten internal controls in the finance division, where the incident took place. The employee had been working with the company for the past three years in the ‘controllership’ division, within the finance department. This cell is responsible for keeping the company’s financial books and also has powers to authorise payments whenever needed. The employee siphoned off the company’s money to his personal savings accounts in multiple transactions, worth anywhere between 1 lakh and 1.2 crore, and used the money to acquire jewellery, apart from making other investments, including buying land.

Apart from investigating how the processes were tweaked to carry out the embezzlement, E&Y, along with the internal auditors, is also examining if there were more departments and people involved in the incident. For instance, while the controller ship unit, where the embezzlement happened, is responsible for authorising payments, such requests are processed by Wipro’s payments-processing department called Wividus.

However, Suresh C Senapaty, CFO of Wipro, had denied involvement of more than one Wipro staffer in this embezzlement. “Our investigations have revealed that only this employee was involved, and nobody else in the team had any clue,” Mr Senapaty had said. Wipro has since disbanded the controllership unit and even introduced several changes.

“Already, no cheque payments are being made by Wipro to any vendor, especially after the embezzlement was reported. There could be more changes after the recommendations are accepted,” another person familiar with the developments told ET.
Among other changes being examined is the rotation of staff handling sensitive functions within the finance department.
In a statement issued last week, Wipro said it has already recovered all of the embezzled money.
“Wipro, together with its audit committee, conducted an investigation to determine, among other things, the materiality of the amounts embezzled and to assess the design and implementation of internal control processes. Based on its review of the facts discovered during its investigation, Wipro believes that the amounts embezzled were not material,” the company said in a statement issued on October 2.
Wipro brought Ernst & Young to minutely verify the audited accounts that were earlier certified by the company’s statutory auditor BSR — an audit arm of KPMG. Both E&Y and KPMG are part of the Big Four accounting firms that typically audit large companies such as Wipro.
Among other measures being considered, employees working in sensitive functions within the finance department may be rotated more frequently. Currently, employees in such functions spend around three years before a transfer. Going forward, Wipro also plans to make it mandatory for employees working in the finance division and elsewhere to sign an undertaking about sharing of passwords and any unauthorised transactions.
CHECKS & BALANCES
Wipro said last week, it has already recovered all of the embezzled money
As a precautionary measure, employees working in sensitive functions within finance dept may be rotated more frequently
Wipro also plans to make it mandatory for staff working in finance dept to sign an undertaking about sharing of passwords and any unauthorised transactions.

Source: The Economic Times; dt. 05.10.10

'Another US recession likely'

2010-09-28T12:01:00.000+10:00

NEW YORK: University professor Nouriel Roubini said there's a high probability of another recession in the US, with Japan's outlook anemic, underscoring risks to the global recovery.

China, the world's fastest-growing major economy, may face greater headwinds should there be weak growth in the US and Europe, Roubini said in Kuala Lumpur on Monday, where he is attending a conference. "Second-quarter GDP figures for the US are likely to be revised lower after June real-estate numbers," he added.

Austerity measures to cut debt in advanced nations are hurting consumer and business confidence and households in some of the largest economies are holding back spending. "Emerging economies may have to get used to relying on domestic demand in a period of subdued growth for developed countries," Roubini said. "We know the H2 of the year is going to be worse than the first half of the year because of the tailwinds to growth from the fiscal stimulus turning into austerity," he said.

Source: - The Times of India

Vatican Bank head in money laundering probe

2010-09-22T00:21:00.000+10:00

ROME: The head of the Vatican bank is under investigation for suspected money laundering and police have frozen 23 million euros ($30.21 million) of its funds, Italian judicial sources said on Tuesday. Neither Ettore Gotti Tedeschi, who has been at the helm of the bank for a year, nor the Vatican spokesman would comment immediately on the case, which involves alleged violations of European Union money laundering regulations.

The sources said Gotti Tedeschi and another executive of the Institute for Religious Works (IOR), as the bank is officially known, had been put under investigation by Rome magistrates Nello Rossi and Stefano Fava. The sources said Italy's financial police had preventively frozen 23 million euros of the IOR's funds in an account in an Italian bank in Rome.

Two recent transfers from an IOR account in the Italian bank were deemed suspicious by financial police and blocked. One was a transfer of 20 million euros to a German branch of a U.S. bank and another of 3 million euros to an Italian bank. Gotti Tedeschi, a devout Catholic who has taught financial ethics at the Catholic University of Milan, is a close adviser to Treasury Minister Giulio Tremonti. He is currently also head of an Italian unit of the Spanish Banco Santander, according to its website, and serves on the board of several major Italian banks.

The IOR principally manages funds for the Vatican and religious institutions around the world, such as charity organisations and religious ordes of priests and nuns. It was involved in a worldwide scandal in 1982 when it was embroiled in the fraudulent bankruptcy of Banco Ambrosiano, then Italy's largest private bank. The IOR held a small stake in Ambrosiano, whose president Roberto Calvi was found hanged under London's Blackfriars Bridge the same year. Several investigations failed to determine whether Calvi, known as God's Banker, had been killed or committed suicide. At the time the IOR was headed by American Archbishop Paul Marcinkus, who died in Arizona in 2006. The Vatican denied any responsibility for the collapse of Banco Ambrosiano but made what it called a "goodwill payment" of $250 million to Ambrosiano creditors.

Source: The Times of India, Sept 21,2010

Violence against whistleblowers in India prompts calls for laws to protect them

2010-09-14T11:54:00.002+10:00

IN NAYAKANPETTAI, INDIA When police found Vaidyalingam Balasubramanyam's body dumped beside a road in this southern Indian village recently, his family said that telling the truth had cost him his life. The hand-loom weaver turned whistleblower had been fighting corruption in the local weavers' cooperative for the past three years.

"We suspect some people kidnapped him, forced open his mouth to pour in poison or pesticide and threw him out of a moving vehicle," said his son Shanmugan Vel, 25 , as he sat on the floor next to his father's framed, garlanded photograph at his home in the sari-weaving district of Kancheepuram, in Tamil Nadu state. "My father spent all his time investigating the office files for corrupt practices. He sent dozens of complaints to the top officials and leaders."

His father had been warned of the risks he was running, Vel said, but had responded that the documents "contained the explosive truth that will clean up the system."
Eleven people have been killed or found dead in mysterious circumstances in India this year after exposing corruption in schools and public utilities, illegal mining and unauthorized water and electricity hookups, according to activist groups.

Hundreds of others have been attacked, threatened or harassed for similar crusades. In July, about 500 whistleblowers marched in New Delhi to protest the deaths and demand effective anti-corruption and whistleblower-protection legislation in a country where graft is more the norm than the exception.

The demand for such a law began six years ago after a national outcry over the killing of a 30-year-old engineer who had exposed a corruption scandal in highway construction.

Last month, the Indian government finally introduced landmark draft legislation - titled the Public Interest Disclosure and Protection to Persons Making the Disclosures Bill - that proposes a system for dealing with corruption allegations and a three-year jail term for officials who disclose whistleblowers' identities.
"It has been felt that the persons who report the corruption or willful misuse of power or willful misuse of discretion, which causes demonstrable loss to the government . . . need statutory protection," said Prithviraj Chavan, minister of state for personnel, public grievances and pensions, while introducing the bill.
Despite recent rapid economic growth, the expansion of the middle class and the spread of education and mass media, India was ranked 84th out of 180 countries last year in the annual corruption perception survey conducted by the global watchdog Transparency International. Of the various Indian departments analyzed, the police force emerged as the biggest offenders.

Since 2005, anti-corruption crusaders have used a law mandating the right to information to access official files and expose malfeasance. Balasubramanyam had collected hundreds of official documents indicating that a single family held a monopoly over the cooperative management, according to Vel, who showed a reporter photocopies of the documents. The files also showed evidence of embezzlement.

"Due to heavy rainfall last year, the government sent compensation money to hand-loom weavers. But I did not get any of it, even though the records in the cooperative showed that all the weavers had been paid," said Sukha Lingam, 40, a weaver in Nayakanpettai. "The managers ate up all the money meant for the poor."
Balasubramanyan always carried with him a yellow cloth bag containing files he had accessed. The bag is now missing. The police registered a case of "suspicious death" after his killing and sent his body for examination.

Analysts say public intolerance of corruption has grown in recent years, spurring the push for stronger laws to combat it - but also inviting violent reprisals.
"For many decades, Indians kept saying, 'What can we do?' But now corruption has reached a level that it is difficult to look the other way," said Sumaira Abdulaali, a member of the Movement Against Intimidation, Threat and Revenge against Activists, an independent coalition. "When illegal activities take place on such a major scale, then we can be certain that the entire system of politicians, officials, police and criminals are mixed up in it."

Many activists say, however, that the new whistleblower bill is still inadequate. It covers only the government bureaucracy and not the military or the corporate sector. It is silent on those exposing corrupt politicians. The bill empowers a body called the Central Vigilance Commission to investigate cases, but the government is not bound to follow its recommendations. It also says anonymous complaints will not be accepted.

"It is just a showpiece legislation," said Arvind Kejriwal, head of Parivartan, a New Delhi-based group that campaigns for transparency. "The entire emphasis of the bill is in keeping the name of the whistleblower a secret. That is the last concern of the people who blow the whistle. What they want is swift, guaranteed investigation and action on their complaint so that they are not vulnerable to physical threats and professional harassment."

The ministry has invited activists to comment on the draft legislation by the end of September.

Last month, the Delhi High Court ordered the government to pay compensation to Mahendra Kumar Tyagi, 65, who was harassed at work for complaining against his bosses' corrupt activities in the state-owned oil company. For 10 years, Tyagi said, nobody spoke to him at the office and he received no promotion.

"I was made an outcast and a prisoner in my office cubicle. It was like slow poisoning," Tyagi recalled.

Last month's court order hailed him as "courageous."
"I have been vindicated," he said. "But at what cost? I ruined my life, my health and my peace of mind. Today I tell my son, 'Don't be honest. You will get nothing but trouble. In India, the honest are punished, the corrupt are rewarded.' "

Source: The Washington Post, By Rama Lakshmi, Dt. September 11, 2010

Attack on China whistleblower shows risk of unveiling corruption, fraud

2010-09-07T19:29:00.000+10:00

China whistleblower Fang Zhouzi was mugged after his criticism of a Chinese hospital. 'I’ve had threatening phone calls and e-mails before, but this was the first time I have been attacked,' he says.

Beijing

A bungled attack on a whistleblower famous for his exposés of fraud and pseudoscience has drawn fresh attention to the vexed issues of academic dishonesty and popular gullibility in China.

Fang Zhouzi, a popular science writer and blogger, was assaulted by two men as he walked to his Beijing home Sunday evening; one sprayed a chemical in his face, the other beat him with a hammer. He was only slightly injured and was released from hospital later Sunday night.

“I’ve had threatening phone calls and e-mails before, but this was the first time I have been attacked,” Mr. Fang said in a telephone interview.

The anticorruption activist has been involved recently in a number of high profile cases, most notably questioning a claim by a former president of Microsoft China that he had earned his PhD from the prestigious California Institute of Technology.

Tang Jun, who had listed his degree as an achievement in a book recounting his success in business, later acknowledged that his PhD actually came from Pacific Western University in California. That institution was a diploma mill that sold academic credentials and required no classroom instruction, according to a 2004 report by the US Government Accountability Office.

In a number of recent blog posts, Fang also poured skepticism on celebrity Taoist sage Li Yi, who claims extraordinary feats of prowess and counts pop stars and business luminaries among his disciples. Mr. Li stepped down from his public positions Saturday, in the wake of accusations against him of rape and tax evasion.
Who attacked Fang?

Fang’s lawyer, Peng Jian, said he thought the attack was most likely ordered by a private hospital in Zhengzhou, the capital of Henan Province, which specializes in a controversial operation on the nervous system to control urinary incontinence.

A Chinese journalist who had written an article raising doubts about the operation’s efficacy was assaulted last June. Fang, in a blog posted three weeks ago, cited an article in a US magazine criticizing the operation. A court in Zhengzhou is due later this month to hear a malpractice suit brought by Mr. Peng against the hospital on behalf of a group of patients claiming the operation did them more harm than good.
More to be done on fraud in China

Last year the Ministry of Education urged universities to weed out plagiarists from their faculties. This meant reporting plagiarists, denying them research funding, sacking them, and possibly suing them. The measures were designed to “keep the academic field clean,” an official said at the time.

New scandals this year however, including plagiarism accusations against an internationally respected political science scholar Wang Hui and the dismissal of a top professor of energy and power studies found guilty of over 30 cases of plagiarism, led the state-owned “China Daily” to editorialize last month that “it is by now evident that the nation needs better regulations to counter the practice in academia.”

"The government is not doing enough," agrees Fang.

Academia is not the only field to be plagued by plagiarism, nor the only one reluctant to face up to it. Last January, Sang Yuzhu, the winner of China’s highest photography award, was stripped of his medal and his post in the Chinese Photographers’ Association when it was shown he had submitted other photographers’ work to the competition.

The CPA did not acknowledge the plagiarism, however. Officially he was accused only of “joint collaboration” with the two other photographers, in violation of competition rules.

Source: The Christian Science Monitor

Retail fraud management is need of the hour

2010-09-07T11:51:00.002+10:00

India, for the fourth time in five years, has been ranked as the most attractive country for retail investment among 30 emerging markets, according to the Eighth Annual Global Retail Development Index (GRDI) 2009 by A T Kearney. Retail accounts for a significant portion of the country’s GDP, with organised retail accounting for around 5% of the total retail market. Organised retail is expected to grow at a CAGR of 20–30% over the next few years.

However, with rapid growth in the sector, the associated perils and issues are also coming to the forefront. The shrinkage or fraud in retail is a key issue that is becoming a cause of concern for Indian retailers. Shrinkage is the “loss in inventory on account of a combination of employee theft, shoplifting, vendor fraud and administrative error.”

According to the Global Retail Theft Barometer (GRTB) 2009, India recorded a shrinkage of 3.2% of the total size of the country's retail industry (including the unorganised sector), amounting to about $2.6 billion. This is very high compared to other global markets like the US (1.6%), the UK (1.4%), and China (1.1%). In India, customer theft contributed around 44.7% of shrinkage losses, employee theft contributed 23.7%, as compared with 8.4% by suppliers/vendors, while administrative errors accounted for the rest.

In India, thefts are typically targeted on small and easily-concealed, expensive and branded items that have considerable popular appeal and are easily re–sellable such as electronic games, DVDs, iPods/MP3 players, clothing, cosmetics, perfumes and alcohol. The designer garments topped the list of things stolen in 2009.

In the past, it has been observed that hypermarkets, departmental stores and books & music formats experience high inventory losses because of the size of their products and product value. In mom-and-pop stores, the owners do not feel the impact as it is believed that manning the store themselves is vigilant enough. In large-format stores, however, it is difficult to check as wares are spread out.

Various categories of fraud constitute a major component of the shrinkage. Among the factors responsible for shrinkage losses, employees and vendors are critical factors that need to be managed by retailers. Employees may resort to direct theft, under invoicing in collusion with customers, stealing cash, etc., whereas vendors can under-deliver in terms of number, size or quality of items as against the bill invoice.

The growing motivation among employees to lead a luxurious life, high reliance on skilled resources, thereby leading to weaker internal controls, and overdependence on existing systems and processes give rise to increased risk of fraud in retail sector. While marketing fraud, inventory theft and return fraud (observed in product exchanges) are common instances of fraud in the sector, other frauds such as cash skimming and skim and fall also exist.

With potential risks and marked instances of fraud and theft, it is imperative for retail companies to:

a. Adopt robust internal controls backed by strong data analytics to mitigate key fraud risks and to raise red flags at early stages.

b. Devise a whistle blower policy allowing employees, customers and vendors to report malpractices directly to the management.

c. Determine policies pertaining to prevention, detection and investigation of frauds and to have action plans defined for conducting investigation if an incident occurs.

d. Set up dedicated team–internal/external–to handle stock checks at each of the stores periodically.

e. Collate an end-to-end study of material movement from source to destination, including counter checks and cross tallying.

With rising challenges in the sector, the key to success is staying competitive without compromising on the quality of services. Cost effectiveness is necessary to achieve this, and it is here where an effective fraud risk management will help companies to identify potential leakage points and opportunities to save

Source: Arpinder Singh, Partner & National Leader & Anurag Kashyap, Associate Director - Fraud, Investigation and Dispute Services, E&Y published in Economic Times dt. Sept 7, 2010

Undisclosed Stanford Loans Prove Fraud, Examiner Says

2010-08-30T14:35:00.001+10:00

Stanford International Bank Ltd.’s $1.7 billion in undisclosed loans to its owner, indicted financier R. Allen Stanford, are proof of the bank’s involvement in fraud, an examiner said in a U.S. court trial in Houston.

“There’s a complete disconnect between what the bank is saying, that it has fully liquid, short-term, fully monetized assets, and the fact a third of these assets are loans to the shareholder,” fraud accountant Mark Berenblut said today.

Berenblut, testifying for a second day in a civil trial over whether Lloyd’s of London Underwriters will have to cover Stanford’s legal defense costs, said there was a gap between the claimed assets and what Stanford International Bank had on hand when regulators seized it.

“That money went somewhere, and very likely to the primary shareholder,” said Berenblut, who was asked to testify by Lloyd’s.

Lloyd’s is arguing that Stanford’s companies’ alleged criminal conduct voids the directors’ and officers’ they bought.

Berenblut said his examination showed two large loan balances on Stanford International Bank’s books -- one for $1.7 billion to Stanford himself and another for $1.8 billion to Stanford-related companies. The examiner testified both items should have been disclosed to investors and were not.

Accounting Entries

Stanford’s lawyers have repeatedly claimed Berenblut is misinterpreting the accounting entries. They say the two loan balances refer to the same money, because Stanford claims he assumed personal responsibility for loans the bank made to the related companies, which then recorded the funds on their balance sheets as capital contributions from Stanford.

“You’re making the assumption that whoever recorded it did it wrongly,” Berenblut said today, when asked about the two balances by Kirk Kennedy, one of Stanford’s lawyers.

Robert S. Bennett, another attorney for Stanford, challenged Berenblut’s testimony that many parts of the bank’s financial records included “fictitious information.”

“Have you seen any direct communications from Allen Stanford to Kuhrt, Lopez, Davis or Holt that you consider to be fictitious information?” Bennett asked, referring to Stanford’s co-defendants.

“No,” Berenblut replied.

Antiguan Bank

Investors bought more than $7 billion in certificates of deposit from the Antiguan bank, which Stanford controlled as sole shareholder until the U.S. Securities and Exchange Commission sued the financier in February 2009, and seized his businesses.

Stanford and three other executives were indicted by a federal grand jury in Houston in June 2009 on charges they had run fraud scheme centered on the certificates of deposit. They pleaded not guilty.

Investors were told the bank’s portfolio consisted of conservative, highly liquid investments that offered above- market returns.

Forensic accountant Alan Westheimer, who was hired by comptroller Mark Kuhrt and chief accountant Gilbert Lopez to examine Stanford’s financial statements, testified today that Berenblut was wrong that there were separate loans outstanding to Allen Stanford and to the related companies.

‘One Basket’

“There’s one basket, not two,” Westheimer said. “And there’s a number of documents that support that conclusion.”

U.S. District Judge Nancy Atlas told the lawyers she was less concerned with the number of loans to Allen Stanford than that the size and nature of them weren’t disclosed.

“It wasn’t consistent with the investment promotional materials for the CDs,” she said.

The Stanford defendants claim they can’t afford to hire defense lawyers without the Lloyd’s proceeds because their assets were frozen by court order when the SEC filed suit.

Lloyd’s last year rejected the executives’ pleas for coverage under the $100 million worth of insurance bought by the business after Stanford Group Cos. Chief Financial Officer James M. Davis pleaded guilty to charges he aided in the scheme.

Atlas today said she would admit into evidence part of Davis’s plea agreement with prosecutors.

”I am really only accepting Davis’s statements against his own conduct,” not what he says about others he claims were involved in the scheme, she said.

The trial, now in its third day, will continue tomorrow.

The case is Laura Pendergest-Holt v. Certain Underwriters at Lloyd’s of London, 4:09-cv-03712, U.S. District Court, Southern District of Texas (Houston).

The criminal case is U.S. v. Stanford, 09-cr-00342, U.S. District Court, Southern District of Texas (Houston). The SEC case is Securities and Exchange Commission v. Stanford International Bank, 09-cv-00298, U.S. District Court, Northern District of Texas (Dallas).

Source: Laurel Brubaker Calkins in Houston at laurel@calkins.us.com & Andrew M. Harris in Chicago at aharris16@bloomberg.net.

Medicare's private eyes let fraud cases get cold

2010-08-11T15:25:00.000+10:00

By RICARDO ALONSO-ZALDIVAR (AP)

WASHINGTON — They don't seem that interested in hot pursuit. It took private sleuths hired by Medicare an average of six months last year to refer fraud cases to law enforcement.

According to congressional investigators, the exact average was 178 days. By that time, many cases go cold, making it difficult to catch perpetrators, much less recover money for taxpayers.

A recent inspector general report also raised questions about the contractors, who play an important role in Medicare's overall effort to combat fraud.

Out of $835 million in questionable Medicare payments identified by private contractors in 2007, the government was only able to recover some $55 million, or about 7 percent, the report found.

Medicare overpayments — they can be anything from a billing error to a flagrant scam — totaled more than $36 billion in 2009, according to the Obama administration.

President Barack Obama has set a high priority on battling health care fraud and waste, hoping for savings to help pay for the new law covering millions now uninsured.

Medicare's private eyes don't seem to be helping much.

Sen. Charles Grassley, R-Iowa, questions whether taxpayers are getting good value from for-hire fraud busters. His office, which is investigating the contracting program, obtained Medicare data for the last four years on how long it took to refer cases to federal agents.

"Medicare is already a pay-and-chase system when it comes to fraud, waste and abuse," said Grassley. "Providers are paid first, then questioned if there's a problem. Add to that mix contractors who sit on cases of ongoing fraud when they should be referring them to law enforcement, and you have a recipe for disaster."

As ranking Republican on the Senate panel that oversees Medicare, Grassley is trying to find out why it takes the contractors so long, and how much the government is currently paying the companies. In 2005, taxpayers paid them $102 million.

At least seven private companies Medicare calls "Program Safeguard Contractors" are working to detect fraud, part of a program that dates to the late 1990s. They oversee specific areas of jurisdiction, and some have more than one contract with Medicare.

The contractors investigate allegations of wrongdoing, acting as scouts for the government's criminal investigators. And they're also supposed to conduct "proactive" analysis to spot emerging fraud trends. For instance, they can use sophisticated computer models to scan millions of Medicare records for suspicious patterns to identify dishonest providers.

In practice, their performance has been uneven. The contractors have widely different track records. One identified $266 million in overpayments in 2007, while another found just $2.5 million, the Health and Human Services inspector general said in May.

Earlier, the inspector general found gaping differences in the number of new cases the contractors generate for law enforcement. Some had hundreds of cases, while others were in the single digits. Most were doing a poor job at spotting new fraud trends, with "minimal results from proactive data analysis," the inspector general concluded.

The Obama administration says it's aware of the problem and is close to completing a reorganization of the contractors, to consolidate their work, define their jurisdictions more clearly, and help them coordinate better with claims processors and law enforcement.

The private sleuths will now be called "Zone Program Integrity Contractors" — or ZPICs for short.

"By using these new contractors that can review claims across multiple providers and benefit categories, we will be better able to identify cases of waste, fraud or abuse," said Medicare spokesman Peter Ashkenaz. "And, we will be better able to monitor both the ZPICs' overpayment and collection efforts to make sure that they are performing their own oversight responsibilities."

In fairness to the contractors, the low collection rate may not just be their fault. Investigators say that when Medicare notifies a provider about a disputed payment, the fraudulent ones often just close up shop and move on.

Copyright © 2010 The Associated Press. All rights reserved.

Hack makes ATMs spew out cash

2010-08-01T23:35:00.003+10:00

July 30, 2010

A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.

The attacks successfully targeted standalone ATMs, but they could potentially be used against the ATMs operated by mainstream banks.
Criminals have long known that ATMs aren't tamperproof.

There are many types of attacks in use today, ranging from sophisticated to foolhardy: installing fake card readers to steal card numbers, hiding tiny surveillance cameras to capture PIN codes, covering the dispensing slot to intercept money and even hauling the ATMs away with trucks in the hopes of cracking them open later.

Computer hacker Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. These were standalone machines, the type seen in front of convenience stores, rather than the ones in bank branches.
His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.

He showed off his results at the Black Hat conference in Las Vegas, an annual gathering devoted to exposing the latest computer-security vulnerabilities.
His attacks have wide implications because they affect multiple types of ATMs and exploit weaknesses in software and security measures that are used throughout the industry.

His talk was one of the conference's most widely anticipated, as it had been pulled a year ago over concerns that fixes for the ATMs would not be in place in time. He used the extra year to craft more dangerous attacks.

Jack, who works as director of security research for Seattle-based IOActive, showed in a theatrical demonstration two ways he can get ATMs to spit out money.

Jack found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got to pictures of other keys, found on the internet.
He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

Jack also hacked into ATMs by exploiting weaknesses in the way ATM makers communicate with the machines over the internet. Jack said the problem was that outsiders were permitted to bypass the need for a password. He didn't go into much more detail because he said the goal of his talk "isn't to teach everybody how to hack ATMs. It's to raise the issue and have ATM manufacturers be proactive about implementing fixes".

The remote style of attack is more dangerous because an attacker doesn't need to open up the ATMs.

It allows an attacker to gain full control of the ATMs. Besides ordering it to spit out money, attackers can silently harvest account data from anyone who uses the machines. It also affects more than just the standalone ATMs vulnerable to the physical attack; the method could potentially be used against the kinds of ATMs used by mainstream banks.

Jack said he didn't think he'd be able to break the ATMs when he first started probing them.

"My reaction was, 'This is the game-over vulnerability right here,'" he said of the remote hack. "Every ATM I've looked at, I've been able to find a flaw in. It's a scary thing."

Kurt Baumgartner, a senior security researcher with anti-virus software maker Kaspersky Lab, called the demonstration a "thrill" to watch and said it was important to improving the security of machines that can each hold tens of thousands of dollars in cash. However, he said he does not think it will result in widespread attacks because banks don't use the standalone systems and Jack did not release his attack code.

Jack would not identify the ATM makers. He put stickers over the ATM makers' names on the two machines used in his demonstration. But the audience, which burst into applause when he made the machines spit out money, could see from the screen prompts on the ATM that one of the machines was made by Tranax Technologies, based in Hayward, California. Tranax did not respond to email messages from The Associated Press.

Triton Systems, of Long Beach, confirmed that one of its ATMs was used in the demonstration. It said Jack alerted the company to the problems and that Triton now had a software update in place that prevents unauthorised software from running on its ATMs.

Bob Douglas, Triton's vice-president of engineering, said customers could buy ATMs with unique keys but generally do not, preferring to have a master key for cost and convenience.

"Imagine if you have an estate of several thousand ATMs and you want to access 20 or so of them in one day," he wrote in an email to the AP. "It would be a logistical nightmare to have all the right keys at just the right place at just the right time."
Other ATM manufacturers contacted by the AP also did not respond to messages.
Jack said the manufacturers whose machines he studied were deploying software fixes for both vulnerabilities, but added that the prevalence of remote-management software broadly opened up ATMs to hacker attacks.

Source: Sydney Morning Herald

Central Bank of India recruiting Flying Squad Officer

2010-08-01T21:12:00.000+10:00

Central Bank of India recruiting Flying Squad Officer

Satyam accounts restatement is Rs 50-cr windfall for audit firms

2010-07-31T12:13:00.001+10:00

Mahindra Satyam may end up paying a huge fee for restatement of its book of accounts that were allegedly fudged by its former Chairman Mr B. Ramalinga Raju.

Indications are that the Hyderabad-based company will shell out close to Rs 60 crore by September when the accounts are expected to be restated.

“If you include the forensic accounting and all other payments the company has to make for the restatement, the outgo will easily be ‘north of Rs 50 crore'. With every round of delay, the costs are going up,” a top official in the know told Business Line.

Days after Mr Raju confessed to fudging the Satyam accounts, a Government-nominated board had appointed auditing firms KPMG and Deloitte to help clear the mess.

Audit issues

Due to a host of reasons ranging from the complexity of the fraud to the unavailability of key documents, the restatement has fallen behind schedule three times already with the concomitant affect of pushing up the overall costs.

The company's outgo goes up given that most audit firms charge on a man-hour basis, sources said.

Mr Vineet Nayyar, Chairman of Mahindra Satyam, referred to this at a recent press conference, when he said that the Satyam accounts restatement is “costing the company a fortune”. However, he did not provide further details

A spokesperson for KPMG said, “We do not comment on client matters.” His counterpart at Deloitte said it was now the statutory auditor for the Mahindra Satyam accounts and no longer associated with the process of account restatement.

So, how do industry watchers view this development?

“If the company is paying over Rs 50 crore for restating its accounts, just imagine what could potentially be the size of the fraud itself. I think that it is detrimental to shareholder interests,” Mr Uttam Prakash Agarwal, former President of the Institute of Chartered Accountants of India, said.

The positive part, according to him, is that it sends a message to the corporate world that cost of investing in compliance cannot be substituted with anything else

In all fairness to the audit firms, the Satyam challenge was something unparallel in accounting frauds. During the course of the process, the two accounting firms had dredged almost two terabytes of data from laptops and personal computers at Satyam. Since this information is much more than what could have been warehoused anywhere in India, it was moved to the UK till lab facilities could be created here, a recent news report said.

Source: The Hindu Business Line; By Adith Charlie, dt: July 30

Indian-American woman pleads guilty in $34 million fraud case

2010-07-29T23:38:00.001+10:00

WASHINGTON: An Indian-American woman executive has pleaded guilty to defrauding her company of $34 million to pay for her "irrational" buying sprees and faces up to 20 years in jail on conviction.

46-year-old Sujata Sachdeva, a former Vice President of finance at Koss Corporation, pleaded guilty to all the six counts of wire fraud, for which she was charged early this year, before a Milwaukee court in Wisconsin on Tuesday.

"Ms Sachdeva recognises the harm she has caused to her employers, the company shareholders, her colleagues and her friends, but she most regrets the pain and public embarrassment she has caused to her husband, Ramesh, and their two young children," her attorney Mike Hart said.

Reading out a statement with Sachdeva standing besides him outside the Milwaukee court, Hart said she has cooperated with federal prosecutors to recover as much of the merchandise as possible to pay restitution to Koss Corporation, a headphone manufacturer.

Sachdeva has begun to address the issues that led to her conduct and accepts full responsibility for her actions, and hopes for a fair and just result, Hart said.

Facing five to 20 years of imprisonment, if convicted, Sachdeva remains free on bond pending sentencing, which is scheduled for October 22.

According to the indictment, Sachdeva authorised numerous wire transfers of funds from bank accounts maintained by Koss to pay for her American Express credit card bills.

In addition, Sachdeva used money from Koss' bank accounts to fund numerous cashier's checks, which she also used to pay her personal expenses.

Sachdeva used the money she fraudulently obtained from Koss to purchase personal items including women's clothing, furs, purses, shoes, jewellery, automobiles, china, statues, and other household furnishings.

Sachdeva also used the money to pay for hotels, airline tickets and other travel expenses for her and others; to pay for renovations and improvements to her home; and to compensate individuals providing personal services to her and her family, the indictment alleged.

According to the indictment, Sachdeva sought to conceal her fraud by directing other Koss employees to make numerous fraudulent entries in Koss' books and records to make it appear that Sachdeva's fraudulent transfers were legitimate business transactions.

Source: The Times Of India; 29.07.10

SEBI makes cell ban in dealing rooms official

2010-07-22T17:20:00.000+10:00

MUMBAI: Most mutual funds have barred use of mobile phones in their dealing rooms to prevent front-running, though regulations didn’t require them
to do so until recently.

Last week, the Securities and Exchange Board of India (Sebi) made this ban official on the heels of its recent order, which pulled up an equities dealer at HDFC Asset Management for leaking information of its planned trades to a few other investors.

In a communication to mutual funds, the market regulator, in addition to the ban on mobile phone usage in dealing rooms, also asked asset management companies (AMCs) to record telephone calls from or into dealing rooms. Also, recorded calls by dealers should be regularly monitored by its compliance department, Sebi said.

Mutual fund officials said the practice of front-running is unlikely to cede, following the new rules by Sebi, as most AMCs already have such systems in place. “It doesn’t say anything more than what we are already doing,” said a top official with a private mutual fund.

Mutual fund officials said more steps are already in place to check front-running than what are mentioned in the circular. These include having restrictions on the rates at which dealers can place the ‘buy’ or ‘sell’ order in a day and checks on any changes in their lifestyles.

“If a dealer suddenly manages to buy a house in a plush locality or even a luxury car, then, we step up our vigilance. Similarly, we look if any particular broker talks more to a particular dealer than the fund manager...These are leads for us,” said the chief investment officer with a private mutual fund.

In a mutual fund, the practice of front-running harms unitholders, as it increases the cost of share purchases or reduces the realisations from share sale, thereby depressing returns.

Some mutual fund officials and brokers said Sebi’s emphasis to tackle front-running only in the dealing rooms is misplaced. “The focus is more on the small fish (dealers), while big sharks (some fund managers and market operators) have been let off the hook,” said a fund manager with a bank-owned mutual fund. “The profits made by the dealer (HDFC AMC) and his associates are paltry compared with what is being made outside the dealing room,” he said.

The three investors, who placed orders in the same set of stocks just before those were traded by dealer Nilesh Kapadia on HDFC AMC’s behalf, made combined profits of about `2 crore in four months, according to the Sebi order on June 17.

Brokers said fund managers, who usually buy or sell shares ahead of their employers, escape the regulatory radar by spreading their trades across various brokers. “Fund managers ensure that there is no pattern in the way any person or broker, who has been assigned to buy shares on their behalf, has done the trade,” said a broker, who is familiar with such trades. “There is no way that the regulator can catch them in the existing regulatory situation,” he said.

Source: The Economic Times

ICAI for compulsory Outsourcing of Internal Audit functions

2010-07-12T11:34:00.002+10:00

Accounting regulator the Institute of Chartered Accountants of India (ICAI) has asked the government to make outsourcing of internal audit functions mandatory for companies to prevent a Satyam-like fraud from happening again.

The suggestion is part of the recommendations by a high-powered committee of ICAI to the Corporate Affairs Ministry in the aftermath of a Rs 10,000-crore scam in Satyam Computer and is intended to strengthen the internal audit system of companies.

"We have recommended that internal audit should be outsourced rather than in-house because internal audit in-house is always dependent on the management of the company. Internal audit from outside will always be better, and then it should be given to chartered accountants," ICAI President Amarjit Chopra told PTI.

The role of internal auditors came under scanner after Satyam Computer founder B Ramalinga Raju confessed to having cooked the books of the company for years. The IT firm's internal audit head S Prabhakar Gupta was arrested for his alleged role in the multi-crore fraud.

Interestingly, Satyam's internal audit team was given recognition of commitment award by the US-based Institute of Internal Auditors in 2006.

Chopra further said that since internal audit is the first check-post for any accounting fraud, due care should be taken to ensure it is conducted by the right people and independently.

"We already have 17 internal audit standards and we have asked the Government to make these standards mandatory for internal audits, whether through Sebi or through company law, so that there is standardisation of internal audit procedures," Chopra said.

The standards are benchmarks for internal auditors and are aimed at ensuring standardisation, independence and more consistency in the functioning.

They also differentiate auditor's responsibilities when it comes to complying with the law and regulations that have direct impact on financial statements as well as significant effect on the functioning of the company.

Source: Business India; July 8,2010; By Press Trust of India, New Delhi

Raise the bar on corporate governance

2010-07-06T14:08:00.001+10:00

THERE IS A NEED TO EXPAND THE NET & IMPROVE IMPLEMENTATION OF GOVERNANCE NORMS

MONISH CHATRATH Executive Director,Mazars

THE START OF THIS CENTURY WAS MARKED by an emphasis on corporate governance,thanks largely to a string of collapses of several high profile companies.The world of business was shocked with both the scale and age of unethical and illegal operations.Consequently,the need for adoption of good corporate governance principles has not only got reinforced,but inevitably and inextricably,efforts to this end have gathered momentum every time a new corporate scandal came to light.And India is no exception to this phenomenon.

Events last year involving Satyam Computer Systems have prompted several questions and various forms of introspections on corporate governance practices,as well as brought focus on aspects relating to discipline exercised by the dominant shareholder,accountability of the management,role of the auditors (external and internal),functioning of the board and audit committee and also the value of ethical conduct in business.The spotlight is now firmly on key aspects of the governance framework,with particular emphasis on the audit and finance functions which have a legal,moral and ethical responsibility to identify and disclose aspects of a promoter-driven agenda that have the potential to impact the interests of other stakeholders adversely.

Although corporate governance is the legal framework,the ethical framework and the moral framework within which business decisions are taken;the focus in India continues to be largely around the legal framework.Since there is no dearth of legislation relating to corporate governance,it is the latter two aspects that need more focus in India.The challenge for policymakers in India is to reach an appropriate balance of legislative and regulatory reform,taking into consideration international best practices that augur well with the growth climate in India,while also fostering greater enterprise and enhancing competitiveness in a manner that can stimulate further investments.

While some of the current laws and regulations in India are possibly amongst the best in the world,there are several others which are somewhat archaic.India also needs greater focus and more proactive,yet a simplified monitoring and enforcement framework to ensure effective levels of compliance with regulations.Undoubtedly unless there is a genuine intention within an organisation to incorporate compliance in principle as opposed to compliance in legal form into corporate strategy and operations,regulations will only have a limited effect.

In business ethics,what was good is becoming bad and what was considered bad is now good.Standards for corporate governance that have worked for decades are looking old fashioned or immoral while other practices that raised questions are now becoming totally acceptable.Debates,discussions and reviews on corporate governance have predominantly focused on large,listed and high profile companies with dispersed shareholdings and there is an impending need to expand the net,in recognition of the impact of issues relating to financial transparency,the role of access to outside capital and conflict resolution,to non-listed and family controlled companies.These today are considered a crucial component of the growth engine for the Indian economy.
While analysing corporate governance in PSUs,the consideration that often come up relate to the perceptions on the over-regulation of state-owned units in India,which on one hand are accountable to various authorities under several regulations including Parliament,Comptroller and Auditor General of India,Central Vigilance Commission and the Right to Information Act and on the other are susceptible to bureaucratic hurdles.

Good governance has been further augmented in the past few years by a rise in the recognition of CSR.This is based on an understanding of the expectations that our communities have regarding the social contract that organisations have with communities.This may include public reporting,openness to input,access points for complaints about services or tips regarding illegal actions of employees.
Corporate governance and CSR are both extremely important to an organisation.But it is not a natural thing to separate the two.If an organisation has a well formed governance programme in place,the same would possibly also take care of most of the social issues.Organisations are increasingly focusing on the impact of their business activity on society and in doing so many have created CSR programmes to balance their operations.Taking responsibility for its impact on society means in the first instance that an organisation takes accountability for its actions and the effect of the same on particular interests groups within the society.

In todays globalised,interconnected and competitive world,the way that environmental,social and corporate governance issues are managed is a part of the organisations overall management philosophy to compete successfully.Organisations that perform better with regard to these issues can increase shareholder value by properly managing risks,anticipating regulatory action or accessing new markets while at the same time contributing to the sustainable development of the societies in which they operate.

Sustainable value also emanates from an organisations ability to adhere with a corporate culture of conscience and consciousness,transparency and openness,fairness and accountability,propriety and equity.Certain combinations of governance mechanism may work for certain periods of time.Change,however,will inevitably occur.
Development of norms and guidelines are an important first step in a serious effort to improve corporate governance.The bigger challenge in India,however,lies in the proper implementation of those rules at the ground level.More needs to be done to ensure adequate corporate governance in the average Indian company.Further,even the most prudent norms can be hoodwinked in a system plagued with widespread corruption.
Nevertheless,with the successful turnaround of Satyam with the commendable and active support of the government which itself took swift and planned action,at the same time exercising considered restrain wherever required instead and with industry organisations and chambers of commerce themselves pushing for an improved corporate governance system,the future of corporate governance in India promises to be distinctly better than the past.

(Views are personal).

Ex-Brocade CEO sentenced for fraud

2010-06-28T20:10:00.001+10:00

LOS ANGELES: A US judge sentenced the former chief executive of Brocade Communications Systems Inc to 18 months in prison for securities fraud, and ordered him to pay a $15 million fine, said Jack Gillund, a spokesman for the US Attorney's Office.

Gregory Reyes was found guilty in March of securities fraud, after becoming one of the highest profile executives to be accused of illegal stock options backdating.

The sentence that US District Judge Charles R Breyer imposed on Reyes in San Francisco was similar to one handed down in the former executive's first trial in 2007.

That conviction was overturned by the US Court of Appeals for the Ninth Circuit, over prosecutorial misconduct. The appeals court ruled that prosecutors made a false assertion of material fact to the jury during closing arguments.

But US prosecutors re-tried Reyes, resulting in a conviction and a win for the government, which has struggled to secure convictions in backdating cases.

Backdating is the practice of retroactively pricing option grants on days a company's stock price was low, to lock in financial gains. The practice in effect increases the value of the options, but is not illegal if properly accounted for.

Prosecutors said that Reyes engaged in illegal backdating to reward insiders and mislead investors, and to pad his own pocket from the scheme.

Reyes had originally been given a 21-month prison term and a fine of $15 million. The backdating of stock option grants became a major issue in 2007, with more than 170 companies either investigated by US authorities or conducting internal inquiries into possible manipulation of stock-option grant dates.

Source: TOI, 28.06.10

US sees 78 bank failures in 2010

2010-05-30T23:20:00.000+10:00

NEW YORK: With five more US banks biting the dust this week, a whopping 78 entities have folded up their businesses so far this year.

Mirroring the financial woes faced by the American banking industry, an average of 15banks are going bankrupt every month.

Recently, the Federal Deposit Insurance Corporation (FDIC), which insures deposits at over 8,000 American banks warned of more failures in the coming months.

Authorities shut down five entities on May 28. They are Bank of Florida -- Southwest; Bank of Florida -- Southeast; Bank of Florida-- Tampa Bay, Sun West Bank and Granite Community Bank.

These failures are expected to cost the FDIC as much as USD 317 million.
The three Florida-based banks were owned by Bank of Florida Corporation.

In the first three months of 2010, the number of 'problem' banks climbed to 775, the highest in nearly 17 years. The same stood at just 702 at the end of 2009.

This month alone, 14 banks have gone out of business. The count of collapses are anticipated to rise in the wake of high unemployment levels, which is resulting in increased defaults at banks.

Last year, a whopping 140 banks in the US went belly up.

"There will be more failures, to be sure. The banking system still has many problems to work through and we cannot ignore the possibility of more financial market volatility," FDIC chairperson Sheila C Bair said recently.

Source: The Times of India, 30.05.10

Make phone banking more secure: RBI -

2010-04-26T20:33:00.001+10:00

NEW DELHI: Banks will have to soon put in place an additional authentication cover for their credit and debit card customers transacting over phone, or get penalized.

Taking forward its efforts to tackle identity frauds in non-branch banking transactions, the Reserve Bank has asked all the banks operating in the country to put in place by next year a system where credit and debit card customers would need to provide an additional password for IVR (interactive voice response) transactions.

IVR transactions are done over phone, wherein customers dial bank's customer care number and are prompted by a recorded voice to dial designated digits for different kinds of transactions such as balance enquiry, bill payment etc.

The customers would now need to key-in an additional password on their phone, besides prevalent details like card number, date of birth, card issue or expiry date and in some cases a telephonic password. As RBI has also noted, there has been a stupendous rise in banking transactions through channels other than traditional branch banking.

Source : Times Of India

IMP UPDATE : RBI Guidelines - Prohibiting alterations / corrections on cheques

2010-04-24T17:08:00.001+10:00

Dear All,

Please go through the attached Notice/ Circular post the communication from RBI for Banks on Guidelines to follow in case of alterations on cheques. This will get implemented from July 01, 2010.

As per RBI Circular - DPSS.CO.CHD.No. 1832/01.07.05/2009-10 dated 22nd February 2010

Prohibiting alterations / corrections on cheques :

No changes / corrections should be carried out on the cheques (other than for date validation purposes, if required). For any change in the payee’s name, courtesy amount (amount in figures) or legal amount (amount in words), etc., fresh cheque forms should be used by customers. This would help banks to identify and control fraudulent alterations.

In view of the above guidelines, with effect from July 01, 2010 no alterations in cheque will be allowed (even if signature is made at the place of alteration on cheque). These kinds of altered cheques will not be honored by Bank.

Source : Reserve Bank Of India

Jail for White Collar Criminals

2010-04-23T17:13:00.001+10:00

How to Avoid Hiring a Bad Egg

2010-03-01T14:25:00.002+11:00

As you begin recruiting and interviewing employees, you'll obviously be drawn to certain candidates because of their experience, educational background and personality. While it's easy to make a decision based on what you see in front of you, it's wise to consider what may be hidden from view, too.

Small businesses, unfortunately, are particularly vulnerable to embezzlement and other kinds of employee theft because they lack the checks and balances of big corporations. One report by the Association of Certified Fraud Examiners found that the median loss for small firms with fewer than one hundred employees was $190,000. The most common schemes? Employees fraudulently writing company checks, skimming revenues and processing phony invoices.

You can increase your chances of avoiding problems— and spotting dishonesty— by beefing up your hiring practices. Here's how to do it.

• Use a formal job application. Take a page from corporate America's book and supply job candidates with an application that requests full name, address, education, employment record (with years) and references. An application that includes all of this information can give you a clearer picture of someone's background than, say, a resume that he or she provides. Also, it's wise to state on the application that supplying false information can lead to dismissal. Documentation can help protect you in the event of an employee lawsuit.

• Ask tough questions. Carefully review the application, and during the in-person interview, ask probing questions, especially about gaps in employment. A candidate may certainly have any number of innocent explanations (such as attending school, reevaluating his or her career or caring for a child or other family member), but gaps between jobs can indicate an inability to hold down a position, a sudden dismissal or, at worst, a prison stay. Arrange for others at your company (or a trusted advisor, if you're a solo entrepreneur) to meet the person as well; getting a second or third opinion to confirm your impressions will help you make more solid hiring decisions.

• Call former employers and check references. Often, former bosses don't want to provide too much negative information, for fear that they could be sued for defamation. At the least, you should be able to verify the person's employment history and salary history. The best question to ask a former employer is simply, "Is this person eligible for rehire?" If the answer is no, that's a definite red flag.

• Perform a background check. Preemployment checks can screen out applicants who may be unfit (or dangerous) for your workplace because of a criminal record. Some states may require that employers in certain industries— say, child care or health care— conduct background checks. A background check also can confirm the accuracy of information that the candidate provided on the application. While a background check isn't necessary for all employees, it's smart to conduct one on a job candidate who will have access to sensitive data or your company's finances. The Fair Credit Reporting Act, which sets standards for employment screening, requires that you get consent from a potential employee before conducting a background check. Check the FTC's website to make sure you are in compliance. Also, you don't want to run afoul of state or federal laws concerning the kinds of information an employer uses to make employment decisions. If you do perform a background check, ask a business owner or your attorney for a referral to a reputable firm.

• Invite a potential hire for a paid tryout. You can learn a lot about potential employees, including how well they fit into your small business environment, by inviting them to work on a test project or spending a trial run in your office. A tryout may be a particularly good way to test an applicant's technical skills— say, a proficiency with a type of software— and may reveal far more than a reference or background check.

Source :- The Wall Street Journal, By Colleen Debaise

Customer Vs. Bank: Who is Liable for Fraud Losses?

2010-02-23T15:10:00.001+11:00

Comerica/EMI Case Raises Key Questions About Responsibility, Security

At first, this court case was a curiosity: Experi-Metal Inc. (EMI), a Michigan-based metal supply company, sued Comerica Bank, claiming that the bank exposed its customers to phishing attacks.

Now this story shapes up as a significant test case for the banking industry, raising several key questions that must be answered about fraud and responsibility.
"It will establish who is liable in the U.S. - the bank or the customer - for fraud losses that result from phishing," says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research.

The Basics

The lawsuit, filed by EMI in a Michigan circuit court, alleges that Dallas-based Comerica opened its customers to phishing attacks by sending emails asking customers to click on a link to update the bank's security software. In January 2009, an EMI employee opened and clicked on links within a phishing email that purported to be from Comerica. The email duped the employee into believing the bank needed to update its banking software. Subsequently, more than $550,000 was stolen from the company's bank accounts and sent overseas.

EMI says even though the bank had two-factor authentication using digital certificates for its online banking portal, the phishing scam was able to circumvent these measures. The bank says its online security methods were reasonable "because they were in general used by other similarly situated customers of other banks." Now that this case is in the courts, observers say, several important questions will be debated re: trust, responsibility and security.

Among them:

#1: How Much Trust is Lost?

Clearly, Comerica has lost EMI's trust, but how much further can this costly loss of confidence spread among banking customers - even at other institutions? "Cases like this, when they hit the courts and the press, work at a macro level to erode the trust of all banks by all customers, even affecting those institutions with good anti-phishing programs in place," says Javelin's Wills. "It will make it that much harder for all banks to migrate their customer base to the highly cost-effective (from an operational standpoint) online channel."

Anytime a company incurs a data breach that compromises personal information, the organization risks having its customers walk away for good. "That's why it's so important that, before an incident occurs, a company take proactive steps to implement a reasonable security program," says Alysa Hutnik, a lawyer at Kelley Drye & Warren, a Washington DC-based law firm that specializes in post-incident response. "Even after a breach, if a company handles the issue responsibly, those efforts can earn back trust bit by bit. But here, where a customer is out of pocket hundreds of thousands of dollars as a result of a breach and was compelled to file a lawsuit to redress the issue, yes, the trust is likely lost."

Because trust is so fundamental to banking institutions, they have to draw a distinct line, says Avivah Litan, an analyst at Gartner. "Either banks explicitly and visibly warn their customers that banking with them is not safe and that [customers] are held liable for hacking into their accounts through online banking," she says. "Or they assume liability."

#2: Is a Bank Liable For Phishing?

Should a bank be held liable for a customer's employee falling for a phishing email that supposedly represents the bank? The EMI/Comerica case highlights several hotly debated issues.

On the plaintiff's side, the employee's vulnerability to the phishing attack raises the core question of 'What is sufficient training?,' says attorney Hutnik. Most employees have been warned about phishing attempts, but even the most robust training does not protect against occasional human error. Does this training need to occur more frequently, or is it a matter of customizing the training to the evolving and specific types of phishing attempts? If a company is going to be responsible under the law for employees' vulnerability to phishing attempts, Hutnik says, that's a pretty good incentive to increase training.

Can a bank be held liable? Some security experts say emphatically 'No.' "The bank clearly could have made better decisions on how to update security information," says Branden Williams, Director of VeriSign's PCI Practice. "But judging by the timelines, they may have been ahead of their time with offering multi-factor authentication for online business banking."

Williams quotes an old saying: "I'll open the door for you, but only you can walk through it." Comerica did open the door with its security updates, he says, but a simple training issue would have prevented the employee from walking through that door. "Companies that become complacent with security become easy targets."

#3: What is 'Reasonable Security?'

In this case, was the bank's two-factor security token technology an unreasonable safeguard based on the information available at the time it was implemented by the company? Discovery and expert testimony on this point will be critical, says Hutnik. So too, will the surrounding facts on what information the bank provided to its customers about giving personal information online, or in response to an email alert, leading up to and after it transitioned away from the digital certificate security process.

Hutnik sees a third key issue, which is often a gap in many companies: What measures were in place to detect unauthorized, unusual activity involving this customer account, and did the bank act quickly enough in response to such detection? "All companies could benefit from evaluating and assessing how they compare the issues raised in this case against their own information security programs," she says.
David Navetta, a lawyer at the Information Law Group, a Colorado-based law firm, says one of the issues that will be key in this case is whether the bank has a legal duty to prevent these types of phishing attacks. And if so, whether the security measures it took were "reasonable" under the law. To the extent a bank has a general duty to protect client accounts, does that duty extend to preventing (or reducing the risk of) its customers from being duped by social engineering attacks such as phishing? "That will be the threshold legal question, and I don't know what the answer will ultimately be," he says.

Another point that Navetta says will be considered is "Reasonableness." Under the law for purposes of negligence, a defendant can avoid liability even if a plaintiff suffered harm, as long as the defendant did not breach its duty of care. "In this context, if the bank's security measures where 'reasonable' under the law, it would not be liable," Navetta says. "I think the fact that the bank used two-factor authentication will help its cause in this respect," he says. On the other hand, he adds, "Many security professionals I have spoken to/read have indicated that a phishing attack was a known weakness, or at least a theoretical weakness, of two-factor authentication."

Regulators Were 'Asleep at the Wheel'

While EMI and Comerica argue over liability, Gartner's Litan says the nation's legislators and banking regulators bear the bulk of the blame for such breaches. "It's their job to set the rules for soundness and safety of the U.S. banking system, and to enforce that the banks execute those rules," she says. "They are negligent here - in not passing legislation that protects business accounts (as Reg E protects consumer accounts) and in not enforcing security measures at the banks, as set forth by the FFIEC strong authentication guidance," Litan says.
Litan also has strong words for bank examiners. "Frankly, they are also asleep at the wheel," she says. "And the banks are taking advantage of the current legislative and regulatory environment by not proactively securing business accounts."

No matter the outcome, this case will set a precedent, predicts Rohyt Belani, CEO of the Intrepidus Group, a New York City-based security firm. Banks and other e-commerce providers need to take some of the responsibility to help their customers mitigate the risk associated with phishing attacks - especially those that exploit the institution's brands. "Just posting information about phishing on the login page doesn't cut it," Belani says. "I believe banks need to work on enhancing their authentication mechanisms, changing the way they communicate with their clients (not embedding active links, etc.), and educating the customers using techniques that are proven to reduce susceptibility.

"Banks should view it as a wake-up call and work on mitigating phishing attacks."

Source: Bankinfo Security; By Linda McGlasson, Managing Editor

‘Whistle-blower policy the best way to check frauds’

2010-02-22T02:41:00.002+11:00

FINANCIAL EXPRESS:

As corporate India debates ways and means to strengthen the corporate governance framework for the listed companies, post the Satyam scandal, an international expert says a whistle blower policy is the best way to prevent corporate frauds from blowing up. The rider: it should be implemented in spirit, and not just in form.
“Whistle blower policy is the best way to check corporate frauds,” says Marc Duchevet, global head for governance risk & internal control, Mazars. Mazars is one of the world’s largest audit firms with a turnover of more than $1.2 billion and 12,500 professionals in over 55 countries. Duchavet also made the point that in any organisation, where fraud develops with management collusion, there will be at least one good, solid whistle blower. "In addition, there will be several others who will be able to smell the rat that is feeding on the business and who would be in a position to raise a red flag”.

On a tour to India recently, he was charitable enough to accept that it is the fear of possible abuse which may have held back corporate India from implementing the policy with zeal. “Often there is discomfort among the management over the confidentiality and requisite protection offered to such a whistle blower under the policy. Fear of abuse of such a framework by people out to settle scores or working on a personal vendetta keeps management from implementing the policy,” he said.
Whistle blower policies have become a matter of concern in the corporate sector. An area of concern, the Mazar expert said, is that once the implementation of the policy starts, there is no choice but to address "all the incidents that come to your attention".

According to him, experience shows that corporate India does indeed recognise the value of good governance. There are, of course, a large number of corporations that believe that there is a direct relationship between business governance and business valuation.

To the extent this consideration is applied by drivers of corporate governance in the right spirit, this is an positive sign. But where emphasis is on mere paper disclosure, it is a concern. International companies are focusing on key areas like risk management, values and ethics and internal control. These three go together.
The truly best or effective monitoring does not come from the number of bodies exercising oversight. Rather, it comes from those who are willing to accept full accountability and are duly empowered to take necessary punitive action.
Though the government moved fast to protect investor interests after the Satyam promoters’ frauds came into light in 2008, India’s image as a favourite investment destination was hurt. This led experts to question the effectiveness of the section 49 of Sebi’s listing guidelines in protecting investor interest.

Significantly, it is still not mandatory for listed companies here to implement the whistle blower policy. However, some companies like ONGC and GAIL India have adopted it on a voluntary basis. But, the government is seriously considering making it mandatory for the PSUs.

Source: The Financial Express

Grad held for faking credit cards | Deccan Chronicle

2010-02-18T21:52:00.000+11:00

Grad held for faking credit cards Deccan Chronicle

Wipro rushes to plug gap after $4-m fraud

2010-02-17T17:07:00.001+11:00

MUMBAI BANGALORE:

A Wipro employee embezzled crores of rupees over the past three years, sending Indiaâ€™s third-largest software exporter scrambling to tighten internal controls in the finance division where the fraud took place.

The employee had been working with the company for the past three years in the â controllership™ division within the finance department. This cell is responsible for keeping the companys financial books and also has powers to authorise payments whenever needed. The employee is believed to have embezzled about $4 million by stealing a password and transferring money from Wipros account at a bank.

Suresh C Senapaty, Wipros CFO, confirmed the incident. This has been a case of embezzlement, which we discovered in December, and its very unfortunate that this person succumbed to this,â€ Mr Senapaty said. â€œThe company has carried out an investigation and is undertaking actions with respect to stricter adherence to processes.

Wipro has since disbanded the controllership unit. The fraud is believed to have cost the company about $4 million. Wipro officials have succeeded in recovering about half the money, but will still face a loss of about $2 million.

Mr Senapaty said the incident did not involve more than one Wipro staffer. Our investigations have revealed that only this employee was involved, and nobody else in the team had any clue, Mr Senapaty said.

Apart from setting up an internal investigation team, Wipro has also taken help from external auditors and investigation experts who will vet its processes and certify the soundness of its controls. The company is already engaged with an external agency for conducting assessment of the existing audit and other processes in order to verify any potential loopholes.

The amount involved is not large, but the incident has upset people at the helm of Indias the IT major. Wipro has always taken pride in the sound work ethics of its employees and in the strictness of its controls. â€œWe have to be more alert in monitoring, and we need to tighten the processes for ensuring an early warning system and make it tougher, Mr Senapaty said.

Among other measures being considered by Wipro, employees working in sensitive functions within the finance department may be rotated more frequently. Currently, employees in such functions spend around three years before a transfer. Going forward, Wipro also plans to make it mandatory for employees working in the finance division and elsewhere, to sign an undertaking about sharing of passwords and any unauthorised transactions.

Wipro officials discovered the fraud after receiving an alert about overdraft transaction, even when the companys accounts had sufficient balance according to the official records. The employee, whose name cannot be made public, siphoned off the companys money to his personal savings accounts in multiple transactions worth anywhere between Rs 1 lakh to Rs 1.2 crore, and used the money to acquire jewellery, apart from making other investments, including buying land.

The employee stole password from a colleague and used it to transfer money to his and his family members personal accounts, an official told ET on condition of anonymity. While the company continues to believe that it was a fraudulent act committed by the employee, the issue raises questions about information security policies.

An interim report on the incident was presented to the management, board members and other authorities concerned, including disclosure and audit committees. We have recovered more than half of the amount, and its not substantial enough. However, we have kept all the stakeholders posted in an interim report submitted recently, Mr Senapaty added.

Mr Senapaty, according to several people who spoke with ET on condition of anonymity, had to face some tough questions from the management, and he had to act swiftly in terms of restructuring the entire division.

Source: The Economic Times, By MV Ramsurya & Pankaj Mishra

UK fraud cases reach 22-year high

2010-01-30T16:52:00.000+11:00

Serious fraud cases totalling £1.3bn ($2.1bn) reached the courts last year – the highest for 22 years – including mortgage fraud, which doubled, according to figures released on Monday.

The latest KPMG Fraud Barometer, which has been compiled each year since 1987, showed that last year 31 cases of mortgage fraud totalling £77m reached court compared with 25 cases worth £36m in 2008 as falls in the housing market have exposed scams such as buy-to-let properties being acquired by criminal gangs.

KPMG predicts that increasing amounts of mortgage fraud will come to light in the wake of the end of the property boom and as lenders increasingly scrutinise their mortgage books and reclassify their mortgage asset portfolios.

The study also showed that fraud cases have risen significantly in the past decade, where 1,750 cases of serious fraud totalling £7bn reached the courts compared to 700 cases totalling less than £5bn in the 1990s.

There has been a steep change in the number of fraud cases during the past five years where annual fraud figures have been running at around £1bn a year.

KPMG said that there was a jump in the number of cases coming to court last year that involved frauds by company managers – some £335m of cases were heard by the courts compared to £129m in 2008. However, organised criminal gangs continue to be the biggest perpetrators of fraud and are responsible for £719m of scams.

The government and public sector were the biggest losers , with £476m stolen in tax and benefit frauds ,although banks and other financial companies, which lost around £396m, were also major targets for fraudsters.

Hitesh Patel, partner at KPMG Forensic, said: “Britain appears to have a rising fraud problem, as is evident by looking at the steady increase through the last 10 years. The credit crunch will undoubtedly make the situation worse, and we are yet to see the full impact of it. The forecast therefore is: getting worse. The comfort, if there is any, is that more fraud cases are successfully being brought to court.”

He said that companies had become better at detecting fraud and there is a greater emphasis on corporate governance although fraudsters were becoming more sophisticated.

He said that globally there had been an increase in “superfraud cases” such as Bernie Madoff’s Ponzi scheme in the US, although the UK had yet to see a similar case. He added that advances in technology were helping criminal gangs execute larger fraud schemes.

“Over the last 10 years, the boom in technology has acted as a catalyst for a boom in fraud,” he said. “Computerisation and globalisation have made fraud easier, quicker to carry out and easier to conceal. Organised criminals in particular have taken advantage of this. Identity theft is a continual problem, alongside more ‘traditional’ frauds including insider trading and price-fixing cartels. The authorities in turn have sought to professionalise the fight against fraud in response.”

KPMG singled out a number of unusual cases including one fraudster who printed his own banknotes. Here a Scottish IT professional printed around £185,000 in fake notes and involved two of his sons in the scheme. When caught, he reportedly claimed that he was undertaking a business venture to create a banknote that could not be copied. But he was found guilty and jailed for over five years.

It also pointed to another case which could act as a warning ahead of London staging the 2012 Olympics, which centred around an alleged £5m racket involving selling non-existent Beijing Olympics tickets online.

The past year also saw continued fraud within accounting and book-keeping departments – 33 cases worth a collective £44m came to court in 2009. Many of the fraudsters had worked for their victims for years and were trusted by their employers. Several cases involved people with prior convictions, such as an accountant at a Birmingham-based property management company who took more than £350,000 from his employers by transferring money from clients into accounts in his own name. He already had a history of committing theft and deception under a different name.

Mr Patel said: “It is essential for companies to rigorously screen potential employees and carry out proper background checks. Knowing who you employ and the extent of any risk they pose to the organisation is a key line of fraud defence.”

Source:- The Financial Times, www.ft.com, By By Jane Croft, Law Courts Correspondent

Banking on bailouts

2010-01-28T22:40:00.001+11:00

Banks and financial institutions are hard to regulate as most operate globally and are attracted to countries with the least regulation. Governments must, therefore, cooperate for effective regulation

JUST as war is too important a matter to be left to the generals, banking sector reforms and regulations are too important to be left to bank executives, bank-executivesturned-policymakers or those who pretend to understand the intricacies of modern-day finance. As Paul Volcker, the former Federal Reserve chairman, once said, the only useful recent banking innovation was the invention of the autmatic telling machine (ATM).

All else is gambling with other people’s money — stating with a bit of exaggeration, of course. Investment bankers and hedge fund managers played the most damaging role in bringing the world economy to the colossal financial meltdown from which the economies of Europe and the US have yet to recover. They should not have a say in how the financial sector should be regulated.

At the hearings of the Financial Crisis Enquiry Commission in the US, last week, the executives of the top American banks appeared clueless, or pretended to be, of what caused the financial meltdown. If pretending dumb is the price they have to pay to save themselves from financial liability, they were all most willing to do so.

One executive compared the financial crisis of last year to a natural disaster that nobody could have predicted. Another said that financial crises happen every five to seven years — so get used to them. Consult these gentlemen about how banks should be regulated and there will certainly be another man-made financial disaster in the next five years.

The primary aim of the banking and financial reform should be to prevent the next financial disaster from happening. Policymakers need to check the weak spots in the system and install checks and balances to strengthen them, and avoid any systemic failure. The regulators should ensure that no bank or financial institution should be allowed to be too big to fail. The ones that are too big already should be subjected to scrutiny so that taxpayers do not have to spend hundreds of billions of dollars to bail them out.

The most often expressed fear among opponents of banking regulation is that too much regulation will stifle growth. The issue is: whose growth? If it means, restraining the growth or even shrinking the size of the financial sector, that’s a desirable outcome. In the past half a century, in most rich countries, the financial sector has become too large for the real economy. According to a report in the Economist , relative to the size of the economy banks in the UK are 10 times bigger now than they were 40 years ago. In general, banking sectors in most rich countries are too big, and should be cut in size.

Sadly, the message that the financial sector appears to have taken from governmental bailouts in Europe and America is that banks do not have to fear about failures; governments will always bail them out no matter what is happening in the rest of the economy. Such an attitude makes the banking and financial industry even more callous and irresponsible, and the next disaster more likely than before.

In addition,to bring economies from recession, governments in rich countries have been pumping cheap money into their economies through the banking sector. In return, whenever they get a chance, banks just pass on the cheap credit they receive as higher bonuses to their employees, in organising retreats and buying private jets.

THE behavior of bank executives seems so excessive that it sometimes appears that while everyone else has suffered from the financial meltdown, bank executives have benefited from it. To avoid the next financial disaster, governments have to install policies that send the financial sector the message that bailouts will not be free in future.

In the US and in Europe governments are trying to figure out how to create automatic checks and balances in the system to ensure that the next financial crisis is avoided. So far attempts have been more serious in Europe than in the US. However, it appears that the democratic debacle in the recent senate elections in Massachusetts and unfavourable ratings of Obama in several recent public opinion polls have sent a message to the US president that he needs to take the business of banking regulations and reforms more seriously. Last week, Obama announced what he called ‘the Volcker rule’ to ban proprietary trading by commercial banks. Indeed, proprietary trading should be banned for all investment banks and financial institutions, who pose the threat of creating a systemic risk.

Last month, a number of legislators also proposed that the Glass-Steagall Act that limited the scope of banks’ operations should be reinstated. The Act was passed in 1932 in response to the banking crisis that triggered the Great Depression, and repealed in 1999 by a Republican Congress and signed by President Clinton.

The Obama administration has also proposed a tax on financial institutions called the ‘financial crisis responsibility fee.’ The tax is expected to raise $117 billion to cover the projected bailout losses. A long-term solution would be for governments to charge an insurance tax on banks — a fee for insurance against future bailouts. Most importantly, banks have to increase their capital so that the chances of failures are minimised.

In last week’s hearings of the Financial Crisis Enquiry Commission, bankers and legislators debated the issue of how big is too big for commercial banks. Bankers, of course, argued that the government should not impose any limit to the size of financial companies so long as there is a regulatory framework that ensures that the taxpayers do not bear the burden of a banking failure. However, even the smallest of the bank failure does not happen in isolation. It creates contagion effects that spread to other banks and then to the rest of the economy and the entire society. Thus to avoid failures, banks that appear too big should be banned from indulging in activities that would result in risks that can lead to systemic failures.

In today’s global economy banks and financial institutions are hard to regulate as most operate in many countries. They are most likely attracted to countries with least regulation. Thus governments have to cooperate for any effective regulation of the banking industry.

Source:- The Economic Times, Neeraj Kaushal

Whistleblower exposes Swiss bank tricks

2010-01-20T17:11:00.002+11:00

From his home in the quiet village of Rorbas, outside Zurich, Rudolf Elmer is chipping away at the centuries-old traditions of Swiss banking secrecy.

Elmer, who ran the Caribbean operations of the Swiss bank Julius Baer for eight years until he was dismissed in 2002, moved to Mauritius in the Indian Ocean and began parceling out to global tax authorities what he said were the secrets of his ex-employer.

Now back in his native country, he continues to disclose the inner workings of Julius Baer — one of many Swiss institutions that investigators say help clients evade billions of dollars in taxes by routing money through offshore havens in the Caribbean and Switzerland.

"It is a global problem, and I am only the messenger who provides the bad news, or even better, the truth," Elmer, 54, wrote in a recent email message. "Offshore tax evasion is the biggest theft among societies and neighbor states in this world."

He said that he would fly on Tuesday to Düsseldorf, Germany, where the tax authorities are putting him up in a five-star hotel as he prepares to divulge client secrets.

Elmer joins a group of whistle-blowers that includes Bradley Birkenfeld, the former UBS private banker who disclosed the bank's secrets, pushing it toward a settlement with the US government, and Heinrich Kieber, a former data clerk at the LGT Group, the Liechtenstein royal bank, who stole client data and funneled it to American and European authorities.

Elmer's disclosures are attracting particular interest as the Internal Revenue Service and the justice department embark upon a strategy of "it takes a rogue to catch a thief" to encourage insiders who engaged in wrongdoing to reveal the secrets of their employers.

Lawyers and Congressional investigators who have begun to review Elmer's claims say that his internal bank and client documents provide fresh ammunition for American authorities as they take their crackdown on offshore tax evasion beyond UBS to clients of other banks.

Elmer has given documents to the IRS, a Senate subcommittee investigating tax evasion and investigators for Robert Morgenthau. They cover more than 100 trusts, dozens of companies and hedge funds and more than 1,300 individuals, from 1997 through 2002.

Elmer contends that his documents detail the undisclosed role of American investment management companies in funneling American, European and South American clients who wished to avoid taxes to Julius Baer; the backdating of documents to establish trusts and foundations used to evade taxes; and the funneling of trades for hedge funds and private equity firms from high-tax jurisdictions through Baer entities in the Cayman Islands.

"What he has is the confirmation of something very important: that a number of other banks in the voluntary disclosure process are turning up," Elmer's lawyer Jack Blum said, referring to 14,700 wealthy Americans, many of them UBS clients, who came forward to disclose their secret accounts last year. The IRS declined to comment on Elmer's case but said it was "probing other banks that have enabled Americans to evade taxes." Nothing indicates that Julius Baer, a 120-year-old private bank, is under IRS investigation.

Source:- The NYT News Service, By Lynnley Browning

Banks slip scan card into wallets

2010-01-09T15:35:00.000+11:00

MILLIONS of Australians have access to new technology that will make paying for small items quick and easy but may have no idea it is sitting in their pocket.

''Contactless credit cards'' have been given to more than 3 million Commonwealth Bank customers and were sent to National Australia Bank customers from November as well.
The cards work by using radio frequency technology, similar to that used in e-toll passes, to exchange payment instructions between credit or debit cards and card terminals.

The credit card companies Visa - in partnerships with the National Australia Bank, ANZ and Macquarie Bank - and MasterCard - with the Commonwealth Bank - have been introducing the cards but have not undertaken heavy promotion until more retailers have the ability to accept them.

"This has meant that a lot of people are not aware that they have the technology sitting in their wallets today," said Albert Naffah, the vice-president for strategy at MasterCard Australia.
Several thousand merchants accept the cards, including Sumo Salad and 7-Eleven outlets.
The Visa card can be used for purchases under $100 and the MasterCard can be used for purchases under $35.

"They are aimed at replacing cash [which] still accounts for 70 per cent of transactions in Australia,'' a Visa spokeswoman, Judy Shaw, said.

The companies have denied that the cards are more vulnerable to fraud than traditional credit cards, but in the United States there have been fears about their security.
A 2006 study by American scientists found that contactless cards were vulnerable to so-called ''skimming'' attacks.

"An attacker with [a card] reader can harvest information from a card, create an inexpensive clone device, and make charges against the legitimate card," the report found.
But Mr Naffah said MasterCard's ''PayPass'' card must physically tap the scanner in order to be activated.

A spokeswoman for Commonwealth Bank said its technology could only be activated within four centimetres of a reader.

"You would probably notice someone coming that close to you with a reader," she said.
However, a privacy expert, Roger Clarke, said he was concerned about the cards.

The banks and credit card companies had not consulted with appropriate security and privacy experts before providing the cards to customers, Dr Clarke said.

"People who should have been aware that this was going on did not know it was happening," he said.

Source: The Sydney Morning Herald, By Amy Corderoy

Insider trading: Anil Kumar, McKinsey ex-director, pleads guilty

2010-01-08T21:27:00.002+11:00

Indian-American Anil Kumar, a former director of consulting firm McKinsey, has pleaded guilty to fraud charges in the largest insider trading case in the Untied States' history, admitting that he got $1 million for giving secret information to its alleged ringleader Raj Rajaratnam.

"From 2003 through 2009, Kumar and Rajaratnam, who met in the 1980s while they were both at the same business school, conspired to engage in insider trading," a statement from US Attorney Preet Bharara's office said.

"Kumar received amounts ranging up to $1 million in certain years," it said.

Kumar, 51, who left McKinsey after being put on indefinite leave, had been accused of providing insider information about McKinsey's clients, including acquisition of ATI Technologies Inc by Advanced Micro Devices Inc.

On Wednesday, prosecutors claimed that Rajaratnam made $19 million in illegal profits from the ATI tip-off but his lawyer John Dowd said that the news of ADM acquiring ATI was already public.

Last week, Kumar waived his right to be indicted raising speculations that he would confess his alleged wrongdoings.

He pleaded guilty to conspiracy and securities fraud at a hearing before District Judge Denny Chin in Manhattan on Thursday, and Bharara said that he was cooperating with the investigation.

"I understood the conduct was unlawful and constituted a breach of my fiduciary duty," Kumar told the judge.

"Anil Kumar recognises the fact that he has committed a serious violation of the federal securities laws," Robert G Morvillo, his lawyer, said in a statement.

On Wednesday, prosecutors also said that they will slap new charges against Rajaratnam, 52, after it was revealed that Sri-Lankan born billionaire earned $36 million from inside information, which is double the amount originally calculated.

"The government now has evidence that Rajaratnam's illicit gains yielded profits that were at least twice as large as those previously alleged," assistant US attorney Joshua Klein wrote in the court complaint.

Earlier, investigators estimated that Rajaratnam had made about $17 million from the illegal actions.

In October, multibillionaire and Galleon Group founder, Rajaratnam, was charged in one of the country's largest insider-trading case. He received 13 charges -- four counts of conspiracy and eight counts of security fraud.

Galleon Group is a hedge fund with up to $7 billion in assets under management.

This is the first case to use authorised wiretaps and the investigators are still on the job. "People will probably ask just how pervasive is insider trading these days? Is this just the tip of the iceberg?" Bharara said, when the scandal broke. "We aim to find out."

Since then the case has grown to involve 21 people out of which seven have pleaded guilty.

Source : Rediff.com, By Betwa Sharma.

Ponzi collapses nearly quadrupled in '09

2010-01-04T20:08:00.000+11:00

It was a rough year for Ponzi schemes. In 2009, the recession unraveled nearly four times as many of the investment scams as fell apart in 2008, with "Ponzi" becoming a buzzword again thanks to the collapse of Bernard Madoff's $50 billion plot.

Tens of thousands of investors, some of them losing their life's savings, watched more than $16.5 billion disappear like smoke in 2009, according to an Associated Press analysis of scams in all 50 states.

While the dollar figure was lower than in 2008, that's only because Madoff — who pleaded guilty earlier this year and is serving a 150-year prison sentence — was arrested in December 2008 and didn't count toward this year's total.

In all, more than 150 Ponzi schemes collapsed in 2009, compared to about 40 in 2008, according to the AP's examination of criminal cases at all U.S. attorneys' offices and the FBI, as well as criminal and civil actions taken by state prosecutors and regulators at both the federal and state levels.

The 2009 scams ranged in size from a few hundred thousand dollars to the $7 billion bogus international banking empire authorities say jailed financier Allen Stanford orchestrated, as well as the $1.2 billion scheme they say was operated by disbarred Florida lawyer Scott Rothstein. Both have pleaded not guilty.

While enforcement efforts have ramped up — in large part because of the discovery of Madoff's fraud, estimated at $21 billion to $50 billion — the main reason so many Ponzi schemes have come to light is clear.

"The financial meltdown has resulted in the exposure of numerous fraudulent schemes that otherwise might have gone undetected for a longer period of time," said Lanny Breuer, assistant attorney general for the U.S. Justice Department's criminal division.

A Ponzi scheme depends on a constant infusion of new investors to pay older ones and furnish the cash for the scammers' lavish lifestyles. This year, when the pool of people willing to become new investors shrank and existing investors clamored to withdraw money, scams collapsed across the country.

"Some portion of the investors in the Ponzi scheme always get the short end of the stick and do not get paid," said Elizabeth Nowicki, a former Securities and Exchange Commission attorney who now teaches law at Boston University.

Even those who say they did their homework before investing ended up losing everything.

A retired Air Force sergeant, Tom Annis searched the Internet for red flags like complaints or lawsuits involving Minneapolis-based host Patrick Kiley after hearing about his investment on a weekly Christian radio show called "Follow The Money."

Finding none, the 63-year-old from Jacksonville, Fla., invested his $270,000 nest egg — money that has since evaporated after federal regulators shut down what they've called an elaborate, $190 million Ponzi scheme.

"I tried to do my level of due diligence," Annis said. "How could I be duped like this after years of investing?"

Ponzi schemes, named for infamous swindler Charles Ponzi, are extremely simple: Investors attracted by promises of high profits are paid with money from an ever-increasing pool of new investors, with the scammer skimming off the top. Sometimes the investments are at least partially legitimate but more often are completely fictional. There's no reserve fund for lean times, or for when droves of investors start demanding their money.

Ponzi himself was an Italian immigrant who concocted a scheme in 1919 involving bogus investments in postal currency. He cheated thousands of people out of $10 million, eventually going to jail for wire fraud before being deported back to Italy in 1934.

Eighty years after his scheme, federal statistics paint the picture of a Ponzi nation:

_The FBI opened more than 2,100 securities fraud investigations in 2009, up from 1,750 in 2008. The FBI also had 651 agents working in 2009 on high-yield investment fraud cases, which include Ponzis, compared with 429 last year.

_The SEC this year issued 82 percent more restraining orders against Ponzi schemes and other securities fraud cases this year than in 2008, and it opened about 6 percent more investigations. Ponzi scheme investigations now make up 21 percent of the SEC's enforcement workload, compared with 17 percent in 2008 and 9 percent in 2005.

_The Commodity Futures Trading Commission filed 31 civil actions in Ponzi cases this year, more than twice the 2008 amount.

Many of the 2009 cases have yet to head to trial. In its tally, the AP counted schemes in which prosecutions were initiated or in which regulators filed civil cases in 2008 and 2009.

The Justice Department does not have totals of how many people were convicted in Ponzi schemes for either year, or for previous years.

Experts believe the recession was the main reason for the collapse of so many Ponzi schemes, though the Madoff case brought greater regulatory scrutiny and heightened public awareness. More people are inclined to raise questions when things don't look right.

"We do get a lot more questions from investors now," said Denise Voigt Crawford, Texas Securities Comissioner. "They are really worried about Ponzi schemes. That's a good thing."

Source:- The Associated Press, By Curt Anderson

Visa prevents fraud by making Credit Card Changes

2010-01-02T20:27:00.002+11:00

Next Generation Credit Card sports an LCD and Keypad:

Visa plans to release a new version of credit card that will cut down online shopping fraud.

This new credit card will be the same basic size and form, but with one huge difference -

It will have a built in LCD and keypad on the back of the card,

Powered by a builtin battery that will last upto 3 years, these card will work until they expire and there is no need to worry about charging them.

These credit cards will prevent fraud is by making it necessary for users to input their pin everytime they make an online purchase. The card will display unique security code, which must be entered into the website, which it will forward to Visa server's where the purchase will be approved.

The company hopes that this card will boost shopping over internet and it will be tested in Britain early next year by company MBNA

Source:- Brickhouse Security, By Stan Shyshkin

Centre to tackle card fraudsters

2010-01-01T17:35:00.002+11:00

Faced with an exponential boom in credit card use and the related spurt in corporate crimes over the past decade, the Centre is contemplating constituting a monitoring cell to combat credit card frauds.

The cell, to be formed by the Union finance ministry in association with the Reserve Bank of India, will put in place an intelligence network that will maintain surveillance on potential criminal elements perpetrating credit card frauds which also includes identity thefts.Besides, the cell will recommend steps that domestic banks and credit card issuing institutions might like to follow to plug data breaches that potentially expose millions of credit and debit card-holders to the risk of fraud and identity thefts.The risks of credit card frauds is likely to increase as users adopt newer forms of transactions, including those done online.

According to data compiled by the Reserve Bank as many as 16,393 fraud cases in the credit card segment (both public and private banks) involving an amount of Rs 50.28 crore have come to light in the first nine months (Jan to Sept) of 2009.In 2006, as many as 17,258 fraud cases involving Rs 30 crore were noticed across the country. The next year, the number of frauds cases rose to 17,294 involving Rs 38.44 crore. A year later, various agencies of the finance ministry detected 16, 962 cases involving a total amount of Rs 44.97 crore.According to available statistics, the number of credit card holders stood at 2.46 crore at the end of March 31, 2009.

“The proposed cell will keep a watch over across-the-board transactions in the credit card segment. While reviewing the existing mechanism to prevent misuse of credit cards it will suggest up-to-date measures to curb probable frauds,” Finance Ministry sources told Deccan Herald.
The monitoring cell will have representatives from the RBI, select public and private sector banks as well as officials from investigating agencies like the Central Bureau of Investigating (CBI) and the Enforcement Directorate which lead the Central government’s agencies empowered to probe economic offences. The modalities of inter-agency functioning are being worked out by the Finance Ministry’s Department of Financial Services.

At 77.82 lakh, the maximum number of cards have been issued by ICICI Bank, followed by another private sector leader, HDFC Bank, at 43.88 lakh. Among the public sector banks, State Bank of India has issued the highest number of credit cards at 27.23 lakh. Among foreign banks, Citibank has issued 26. 40 credit cards, followed by HSBC at 19.75 lakh and Standard Chartered at 11.45 lakh. As part of its supervisory process, the RBI has been taking measures to check frauds in the credit card segment, sources said, adding that “commercial banks that credit cards have been advised to set up internal control mechanisms to combat frauds and to take pro-active fraud control and enforcement measures.”

The banks have been advised by the RBI to ensure that credit card operations are run on “sound, prudent and profitable” lines as also fulfill “Know Your Customer” requirements, assess the credit risk of customers and maintain customer confidentiality, sources said.

Source: The Ceccan Herald, By Aditya Raj Das.

Largest credit card theft in US history: man pleads guilty

2009-12-30T18:57:00.000+11:00

A 28-year-old Florida man has pleaded guilty to hacking into corporate computer networks and carrying out what US officials have described as the largest credit card theft in US history.
Albert Gonzalez, of Miami, pleaded guilty in the US District Court in Boston on Tuesday to two counts of conspiracy to gain unauthorised access to payment card networks, the Justice Department said in a statement.

Gonzalez and two unidentified Russian co-conspirators were accused of stealing more than 130 million credit and debit card numbers from firms supporting major retail and financial organisations.

More than 250 financial institutions were affected including Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain.
Gonzalez was accused of leasing servers to other hackers who used the platforms to store malicious software known as `malware' and launch attacks against corporate victims.
Gonzalez is facing between 17 and 25 years in prison. Sentencing was scheduled for March 19.
"The Department of Justice will not allow computer hackers to rob consumers of their privacy and erode the public's confidence in the security of the marketplace," assistant US attorney general Lanny Breuer said.

"Criminals like Albert Gonzalez who operate in the shadows will be caught, exposed and held to account," Breuer said.

Gonzalez pleaded guilty in September to charges in two other cases related to hacking of major US retailers including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes and Noble, Sports Authority and the Dave and Buster's restaurant chain.

Source: The Sydney Morning Herald,

Show Us the E-Mail

2009-12-28T20:43:00.001+11:00

WE end this extraordinary financial year with news that the Treasury is in discussions with American International Group about selling the taxpayers’ 80 percent ownership stake in that company. The government recently permitted several banks to break free of its potential oversight by repaying loans made during the rescue. But with respect to A.I.G., the Treasury should not move so fast. There is one job left to do.

A.I.G. was at the center of the web of bad business judgments, opaque financial derivatives, failed economics and questionable political relationships that set off the economic cataclysm of the past two years. When A.I.G.’s financial products division collapsed — ultimately requiring a federal bailout of $180 billion — those who had been prospering from A.I.G.’s schemes scurried for taxpayer cover. Yet, more than a year after the rescue began, crucial questions remain unanswered. Who knew what, and when? Who benefited, and by exactly how much? Would A.I.G.’s counter parties have failed without taxpayer support?

The three of us, as experienced investigators and prosecutors of financial fraud, cannot answer these questions now. But we know where the answers are. They are in the trove of e-mail messages still backed up on A.I.G. servers, as well as in the key internal accounting documents and financial models generated by A.I.G. during the past decade. Before releasing its regulatory clutches, the government should insist that the company immediately make these materials public. By putting the evidence online, the government could establish a new form of “open source” investigation.

Once the documents are available for everyone to inspect, a thousand journalistic flowers can bloom, as reporters, victims and angry citizens have a chance to piece together the story. In past cases of financial fraud — from the complex swaps that Bankers Trust sold to Procter & Gamble in the early 1990s to the I.P.O. kickback schemes of the late 1990s to the fall of Enron — e-mail messages and internal documents became the central exhibits in our collective understanding of what happened, and why.

So far, prosecutors and regulators have been unable to build such evidence into anything resembling a persuasive case against any financial institution. Most recently, a jury acquitted Bear Stearns employees of fraud related to the collapse of the sub prime mortgage market, in part because available e-mail messages suggested the employees had done nothing wrong.

Perhaps A.I.G.’s employees would also be judged not guilty. But we would like to see the record to find out. As fraud investigators, we would like to examine the trading patterns of A.I.G.’s financial products division, and its communications with Goldman Sachs and other bank counter parties who benefited from the bailout. We would like to understand whether the leaders of A.I.G. understood that they were approaching a financial Armageddon, and whether they alerted their counter parties, regulators and shareholders to the impending calamity.

We would like to see how A.I.G. was able to pay huge bonuses to its officers based on the short-term income they received from counter parties for selling guarantees that, lacking adequate loss reserves, the companies would never be able to honor. We would also like to know what regulators knew, and what they did with the information they had obtained.

Congress wants answers, too. This month, during hearings on Ben Bernanke’s nomination to a second term as chairman of the Federal Reserve, several senators fumed about being denied access to his A.I.G.-related documents.

No doubt, some of the e-mail messages contain privileged conversations among lawyers. Others probably include private information that is irrelevant to A.I.G.’s role in the crisis. But the vast majority of these documents could be made public without legal concern. So why haven’t the Treasury and the Federal Reserve already made sure the public could see this information? Do they want to protect A.I.G., or do they worry about shining too much sunlight on their own performance leading up to and during the crisis?

A.I.G.’s board of directors, a distinguished group of senior business executives, holds the power to decide whether to publish the e-mail messages and other documents. But those directors serve at the behest of A.I.G.’s shareholders. And while small shareholders of public corporations generally do not have the right to force publication of internal documents, in this case one shareholder — the taxpayer — holds an 80 percent stake. Anyone with such substantial ownership has effective control over corporate decisions, even if the corporation is a large public one.

Our stake is held by something called the A.I.G. Credit Facility Trust, whose three trustees are Jill M. Considine, a former chairman of the Depository Trust Company and a former director of the Federal Reserve Bank of New York; Chester B. Feldberg, a former New York Fed official who was chairman of Barclays Americas from 2000 to 2008; and Douglas L. Foshee, chief executive of the El Paso Corporation and chairman of the Houston branch of the Federal Reserve Bank of Dallas.

Ultimately, these three trustees wield all the power at A.I.G., and have the right to vote out the 11 directors if the directors are unwilling to publish the e-mail messages. In other words, if these three people ask A.I.G.’s board to post the messages and other documents, the board will have no choice but to comply. Ms. Considine, Mr. Feldberg and Mr. Foshee have the opportunity to be among the most effective and influential investor advocates in history. Before A.I.G. escapes, they should demand the evidence.

The longer it remains hidden, the less likely we will be to answer many questions about the A.I.G. collapse and the larger economic crisis — including the most important one: how do we prevent a repeat? Time is the enemy of effective investigation; records disappear, memories fade. The documents should be released — without excuses, or delay.

Source:- The New York Times, By ELIOT SPITZER, FRANK PARTNOY and WILLIAM BLACK

China businesswoman gets death sentence for fraud

2009-12-28T20:40:00.000+11:00

BEIJING — A Chinese businesswoman was sentenced to death Friday for cheating investors out of $56 million — the latest case in the country's struggle against widespread corruption.

The 28-year-old Wu Ying started out a decade ago with a single beauty salon but eventually built up a holding group, Bense Holdings, that was known around the country, the state-run Xinhua News Agency reported.

The report said Wu collected the $56 million from investors over two years and was arrested in 2007.

Video posted online of her sentencing had the petite, ponytailed Wu showing little emotion as she was led into the courtroom.

In China, the death penalty is used even for nonviolent crimes such as corruption or tax evasion. The country's highest court, which reviews all death sentences, this year called for it to be used less often and for only the most serious criminal cases.

The Intermediate People's Court in Jinhua city, eastern Zhejiang province, said Wu used the money for personal use and operating costs and to pay off loans.

The Xinhua report said Wu confessed but then retracted her confession in April.

Rights group Amnesty International has said China put at least 1,718 people to death in 2008.

Source: The Associated Press Report

Career Trends Survey Results: 2010 Promises New Roles, New Skills

2009-12-25T02:25:00.003+11:00

Career Trends Survey Results: 2010 Promises New Roles, New Skills
1st Annual Survey Taps Risk Management, Cybersecurity, Fraud/Forensics as Growth Areas Across Industries

What will be the hot information security jobs in 2010?

How will professionals grow their skills - and will their employers foot the bill?

What are the minimum academic and professional requirements for information security
professionals and leaders today?

These are among the key questions answered in the first annual Information Security Today Career Trends survey. The goal of the research: to create the benchmark for information security careers - where the jobs are and what's required to fill them.

The challenge: to create this benchmark at a time when the economy is recovering, the threat landscape is shifting and organizations are re-setting their information security priorities.
But then this survey also takes advantage of a unique opportunity: Led by President Obama, the U.S. has embraced cybersecurity as a national priority, and as such the nation's businesses, academic institutions and government agencies are focused as never before on information security and assurance. There is no better time to benchmark information security careers. And, frankly, there might not be a better time to start - or re-start - one.

Key Findings
There are three key findings from this inaugural study:
Risk Management, Cybersecurity, Fraud/Forensics are Top PrioritiesNo matter how you ask the question - "What skills are required?" "What training will you seek?" "What are the top 3 concerns for CISOs?" - the answer consistently comes back to risk management, cybersecurity and fraud/forensics investigations. These topics emerge among the top choices of skills, studies and job opportunities in 2010.

Information Security Professionals Want New Skills - and Organizations Will Foot the BillConventional wisdom is that when economic times get tough, training budgets take the biggest hit. But survey results tell a different story: that 42% of respondents will seek academic training in 2010; 62% will seek new certifications; and a whopping 79% of their organizations continue to fund that training at least partially.

Schools, Professional Groups Stand to Benefit in 2010. Committed to growing their professional competencies, information security professionals will invest their time and resources in certifications bodies, professional organization and academic institutions in 2010. Asked what kind of training they intend to pursue, 62% choose certifications bodies, while 54% say professional groups and 43% select schools. No surprise: People work crazy hours these days, and so 53% of respondents say they prefer a mix of online and face-to-face training.
Some other interesting takeaways from each of our major survey categories:

Education - 23% of respondents say a graduate degree is now the minimum requirement for entering the information security profession;

Background Checks - At a time when we're continually told that we're at greatest risk of insider crimes, only 26% of respondents say they have undergone a background check in the past five years.

Leadership - Asked where senior security leaders are recruited, only 34% of respondents say "promoted from within." 46% say their leaders are recruited externally.

About This Survey
This study was conducted electronically by Information Security Media Group (ISMG) in September 2009.

In all, there were 255 respondents,
47% of them from financial institutions,
12% from government,
9% from consulting and
9% from technology.

When you look at the breakdown of respondents by role and responsibility, you see:

34% compliance or technology professionals;
14% in senior management;
37% have been in their current role 1-3 years;

The main objective of the survey was to benchmark 2010 trends in information security careers across industries.

The survey was constructed specifically to assess:

Background - The academic, security and business background of today's information security professionals;

Duties and Critical Skills - The roles these professionals are filling today - and will be asked to fill tomorrow;

Training Strategies - What they need - advanced degrees, industry certifications, business experience - and where they turn to get ahead;

Source:- Bank Info Security, By Tom Field (Editorial Director)

Top 8 Security Threats of 2010

2009-12-23T16:20:00.001+11:00

Top 8 Security Threats of 2010
Financial Institutions Face Risks from Organized Crime, SQL Injection and Other Major Attacks

It's a never-ending battle -- the list of naughty and downright evil security threats that challenge financial institutions and security professionals. From organized crime to SQL injection, here are the experts' choices of eight major security threats to watch in 2010.

1. Organized Crime Targeting Financial Institutions
Over the past several years, law enforcement investigations into cyber crime have uncovered global networks of organized crime groups, including overseas criminal organizations (many based in Eastern Europe) that hire and direct hackers.
Rob Lee, senior forensics investigator at Mandiant, a risk assessment firm, says the battle between "us and them" increasingly pits the financial services industry against organized crime organizations. "The days of the Maginot line of information security are long gone," Lee says, referring to the defensive World War I battle line created by Allied troops to keep German troops from invading France. The battle lines reach far wider than just an institution's firewalls, he adds.
Anton Chuvakin, an information security expert and author, predicts that 2010 will see a frightening rise in incidents attributable to organized crime. "Rampant, professional cybercrime, from the Russian Business Network (RBN) to its descendants, from individual criminal 'entrepreneurs' to emerging criminal enterprises -- all signs point to dramatic rise of cybercrime," he says. "This is simply the logical consequence of today's situation with the use of information systems: Insecure computers plus lots of money plus no punishment equals 'go do it!'"
In other words, there has not been a better time to go into a cybercrime business, Chuvakin says. "The strategy is pretty much the 'blue ocean' one, with a lot of unexplored opportunity and a low barrier to entry."

2. Assault on Authentication
The banking regulatory bodies have long called for mandatory two-factor authentication for all online banking sites. Now industry security experts warn that attacks against those traditional customer authentication methods are being challenged and defeated. Avivah Litan, a Gartner analyst, says the threats include man-in-the-browser attacks that defeat one-time-password authentication from a dedicated token (such as the popular RSA SecureID), and call-forwarding that tops phone-based authentication, as well as transaction verification using SMS or voice calls. "This is bad news for banks that use these authentication techniques to protect high-value accounts and transactions, such as those from business and private banking accounts," Litan says.
Uri Rivner, Head of New Technologies, RSA's Identity Protection and Verification division, is also seeing an increase in high-grade man-in-the-browser trojan attacks. "In 2009, the emergence of highly customizable, stealthy, MITB-capable trojan kits reached a new height with the introduction of Zeus 2.0," Rivner says. MITB trojans send money in real time, he explains, rather than just stealing credentials for sale in the underground. Rivner sees additional "Fraud-as-a-Service" models will make these kits available to more and more fraudsters. Solutions include anti-trojan detection and countermeasure services, desktop hardening, out-of-band authentication and transaction monitoring, he says.
Commercial banking has already seen early signs of man-in-the-browser attacks targeting two-factor authentication used to protect U.S. commercial online banking customers. "In 2010, we project this trend to greatly intensify, requiring commercial banks to deploy additional lines of defense such as adaptive authentication, out-of-band authentication, desktop hardening and anti-trojan countermeasure services," Rivner says.

3. More Malware
It seemed that almost every week in 2009 there was another announcement by a security researcher of a newly discovered malware variant. RSA's Rivner says malware spread like wildfire. "The rate of the malware infection of personal computers was 10 times higher during 2009 compared to 2008," he notes. Leading the infection methods are drive-by-download (taking over legitimate websites; routing visitors to an infection server) and social network infections (spamming a victim's entire social network "friend list" with links to infection servers).
Increasingly, sophisticated, distributed malware is being seen in forensic investigations of cyber crimes, says Dave Shackleford, an information security expert and SANS instructor. Criminals are also adding a flavor of social engineering to get the malware into a user's machine. "Large scale botnets are growing, and the quality of the code is improving, as these kinds of malware are increasingly funded by criminal organizations," he warns.

4. Return to Telephone-Based Fraud
One thing criminals attacking financial institutions and customers are is persistent, as seen by the number of attacks hitting US banks and credit unions in 2009. When one avenue of entry is closed, the criminals look to other ways to what they're after, says RSA's Rivner. As institutions beef up their online security, many fraudsters turned to more traditional telephony fraud.
"Armed with data stolen via trojans and phishing attacks - including 'vishing' (voice phishing), 'smishing' (SMS phishing or text phishing) and variants of spear phishing, fraudsters around the world call customer service departments at banks, credit unions and credit card companies in order to perform fraud called account takeover," Rivner says. These fraudsters often outsource the actual phone call to multi-lingual third party services provider operating 24/7 out of Russia, he adds. "Caller ID spoofing is also prevalent," he observes.

5. Increased Insider Threat
The trusted insider is the most dangerous foe for any institution -- and the most feared, as seen by the amounts of money and data taken by insiders The prevalence of insider crime can be blamed on several factors, but the insider threat at financial institutions is increasing, notes Shackleford. "I see there will be an increase in internally-driven fraud, caused in part by the bad economy and also the ease of access to data," he predicts.
Tom Wills, Security and Fraud senior analyst at Javelin Strategy and Research, agrees and adds the insider threat -- with the insider defined as anyone with access to the extended enterprise, not only employees and contractors, but partners and suppliers too -- may have financial problems that push them toward the crime. "Additionally, you have to consider individuals with significant IT knowledge who may not be fully employed and may have incentive to perform activities that they would not have previously," he notes.
Nathan Johns, a Crowe Horwath consultant, says disgruntled employees may also turn to crime. "These are people who are not receiving raises, bonuses, or potentially being laid off, who have the opportunity to do activities that they would not have done in better times," he observes.
Johns also warns that unauthorized access by former employees can lead to problems. "There has been an increase in people being released by organizations, but often times the removal of their access rights is lagging their departure from the organization," he says.
The employees who become insider threats may do so without even knowing they're involved, warns RSA's Rivner. "Already thousands of Fortune 500, government and bank employees are infected with financial trojans that targeted them as consumers. As a side-effect, there are also thousands of infected corporate laptops or PCs used at home for remote access via a VPN," he warns.
Rivner expects 2010 will see fraudsters developing ways to monetize these infected resources, which can lead them straight into the affected organizations' networks. "Bank employees will be a primary focus for these cybercriminals," Rivner predicts.

6. Mobile Banking Attacks
The move to mobile banking by financial institutions that want to offer customers instantaneous access to their accounts is catching fire around the country, with hundreds of institutions now offering customers the ability to look up their account data and balances on cell phones. But security experts see trouble ahead when institutions begin allowing more than just account balance checks to happen. The chance for fraud via the mobile phone is already here says Ed Skoudis, lead forensic investigator for InGuardians, a security forensic firm. "Exploits against the ever-growing base of smart phones [are on the rise], leading to the possible building of a botnet based on iPhone or Android phones," Skoudis observes.
RSA's Rivner concurs with the propensity for fraud in the mobile banking sector saying, "Mobile banking fraud is coming. More customers are enrolling in mobile banking, and more services are offered via mobile channels. Banks in Asia and Europe are already experiencing mobile trojans and SMS redirection attacks." He expects the U.S. to experience the first wave of attacks towards middle of 2010. "Banks will start funding the extension of their online banking protection to the mobile channel," he predicts.
Part of the problem is that customers don't always pay attention to what they're receiving on their mobile devices, says Johns of Crowe Horwath. "People rely more and more on their BlackBerrys and smart phones, and don't pay attention to the information that they are getting on them, and they push back to security being installed on the devices," he adds.
Javelin's Wills sees mobile fraud happening if banks start to enable full service banking on mobile devices. "This means money movement instead of just checking balances and finding ATM locations," he says.
The mobile target will continue to grow, says Shackleford, and as smart phones become more sophisticated, the number of attacks will grow too. "In many cases, these devices contain a huge amount of sensitive data, as well, and could even be a vital component of newer two-factor authentication used by banks," he says.

7. Web 2.0 and Social Media Attacks
At the same time institutions are flocking to Facebook and tweeting on Twitter, the cyber criminals are lining up their arsenals for attack via Web 2.0 and social media sites. InGuardians' Skoudis says attacks via social networking sites are the new way for criminals to get into bank accounts. "These sites are being used by the bad guys for reconnaissance to learn more about their targets," says Skoudis adding, "At the same time, they're delivering malicious content to unsuspecting users."
Institutions should also be on lookout for additional client-side spear phishing attacks will expand into new means of targeting users through use of social networks says Lee of Mandiant.

8. SQL Attacks -- More To Come
The biggest data breach on record -- Heartland Payment Systems -- was done using a "Sequel Injection," or SQL injection, attack. SQL attacks are a popular way to infect and take over websites, as seen by the recent findings by security researchers at Verizon Business. SQL injection attacks were one of the most common methods of breaching systems in the Verizon report's cases. They were used in 19 percent of the cases and accounted for 79 percent of the breached records.
There's more to watch for, says Javelin's Wills, including attacks on web applications -- especially drive-by downloads of keylogging trojans and man-in-the-middle attacks. The browser will become the favored attack vector, and zero day attacks on client-side software are also on horizon.
"Fewer operating system holes are being found, but more and more in Adobe, instant messaging, MS Office and other applications," says InGuardians' Skoudis. "The scenario would be: A victim views content from a bad guy, and the attacker then takes over the victim's browser," he explains. This technique is used to create botnets as well as skim credit card and account information from the client machine.
He also sees infrastructure attacks, launched via an infected browser happening. "Here, the bad guy uses a compromised browser to access an enterprise infrastructure controlled by that browser including the enterprise's firewalls, anti-malware solution and possibly HVAC and related systems," Skoudis says.
Within institutions, Shackleford sees VoIP and other converged networking issues coming up "From simple denial-of-service problems to new malware that affects voice systems, this will be a growing area that affects financial institutions," he predicts.

Source :- BankInfo Security, By Linda McGlasson, Managing Editor

10 Faces of Fraud for 2010

2009-12-15T15:59:00.002+11:00

"The more things change, the more things stay the same." This old saying holds true when it comes to the different types of fraud hitting financial institutions.
In 2009, institutions were hit from every angle with fraud schemes -- some were old, and some were new variations. Here is a roundup of the 10 predominant types of fraud that institutions and their customers can expect to see in 2010, according to industry experts.
1. ACH and Wire Transfer FraudThe attacks against small and medium businesses in the ACH channel in 2009 were a wake-up call to institutions for the New Year. Businesses and institutions alike suffer when fraudsters penetrate and pilfer accounts via hacking into electronic transactions.
"It started in earnest in 2009 and will only get worse in 2010 until banks put effective controls and fraud detection in place," says Gartner analyst Avivah Litan. "It is hard to tune fraud detection systems to detect this fraud in a timely manner -- especially wire fraud, since the data in a wire transfer instruction is not structured," she says. But good fraud detection systems can catch most of this activity.
2. Attacks on Institution NetworksThe level of protection provided transaction processing networks is often overlooked by institutions when it comes to servers outside of the "protected networks," says Mike Urban, Fraud Director at Fair Isaac, the provider of FICO credit scoring.
"I've seen this particularly with vendor-managed servers where their security standards may not be at the level practiced by the institution where they are deployed, including password management and patch management," Urban says. Identifying and managing all devices on corporate networks and protected transactional networks are critical to reducing the attack surface and eliminating weak links, he stresses.
3. ATM SkimmingThere have been multiple stories this year in the U.S. about ATM skimming crimes. Experts say this particular form of fraud will continue to grow, as criminals are targeting U.S. financial institutions with technologies shared from Eastern Europe. "We should also expect that other ATM frauds such as card or cash trapping and lower quality skimming devices will continue to be a problem," notes Fair Isaac's Urban. Criminals will also keep pressure on older point of sale (POS) terminals that are not PCI compliant, he adds.
4. Credit Account 'Bust-Outs'The bad economy has given rise to many types of fraud in the past couple of years, but credit "bust-outs" have been around for some time. This fraud type made the list earlier this year, but Debra Geister, Director, Fraud Prevention & Compliance Solutions at Lexis-Nexis, says the trend is still very much active in any bank she's talking with now. "By definition, credit bust-out schemes are a combination of a credit and fraud problem, although many organizations are not always sure where the losses sit -- or who might be the party responsible," Geister says.
Fair Isaac's Urban sees this as "first-party fraud," where criminals create accounts and build credibility as a customer with a financial institution, and then "bust out" the accounts once they are fully leveraged. And it may spill over to financially pressured consumers, "who may get caught up in this type fraud with high unemployment and benefits starting to run out," Urban says.
5. Variations on Phishing SchemesThere have been many phishing attacks against financial institutions in 2009, so much that the Anti Phishing Working Group cites a 600 percent increase in overall phishing attacks over 2008. But there are more insidious types of attacks hitting institutions and their customers now, say experts.
Fair Isaac's Urban says businesses will be targeted with spear phishing and hacking efforts to compromise online banking credentials. Why they're targeting businesses, he says, is because "Criminals can then target those accounts and initiate money transfers via wires or ACH to steal large sums of money at once or over time." Business checks will also be targeted in counterfeit check scams, he adds.
There is a increased level of sophistication being seen in the phishing attacks, says Ori Eisen, former worldwide fraud director for American Express, now head of 41st Parameter, a fraud solution company. Eisen sees increased sophistication in phishing and use of SMShing attacks, similar to the text phishing attacks that have been circulating around the country, hitting banks and credit unions.
"Fraudsters are using more realistic emails and other points of contact to try to entice credentials from victims," Eisen notes, including the SMS approach. SMS was considered to be a solution to unauthorized account access, Eisen says, "Since it was assumed sending a one-time use password to a cell phone would cause a challenge for fraudsters trying to gain access to accounts." Instead, it has begun to offer them a new way to scrape credentials. "This happens because customers don't expect to be targeted in this way and have accepted the practice as safe when they see a message that appears to be from their bank," Eisen says.
6. Check Fraud on RiseIt seems that everyone is using debit and check cards these days, and although paper check volumes are continuing to fall, Urban says the dollar losses to check fraud continue to rise. "Online banking account compromises contribute to check fraud when criminals can see cleared check images and identify sequence numbers," he says. One reason for the continued proliferation of this fraud is that there is easier access to check paper stock and cheaper printers and scanners to create fakes.
Eisen says one area institutions should look to lock down is the check image viewing online ability for customers. "It's a one-stop shop for data harvesting. Online checks offer visibility to an unauthorized view the account number, personal information including the social security number (on checks in 19 states)."
7. Insider CrimesThis year has witnessed several widely publicized insider fraud crimes uncovered at institutions, and next year doesn't look any better. Tom Wills, Security and Fraud senior analyst at Javelin Research, sees the definition of "insider" has expanded as a wider variety of parties interact with institutions via their computer network. "RSA calls this the 'hyperextended enterprise,'" Wills notes. An insider can be thought of as anyone with authorized access to the bank's network resources, Wills stresses, "Not only employees and contractors of the institution, but those of suppliers and partners as well."
Internal fraud will continue at institutions and their partners, adds Fair Isaac's Urban, "where key information is compromised and used for personal use or sold to criminals who will perpetrate fraud on the institution or its customers." Many of these schemes will fall apart in a similar manner to the investment schemes over the last year, when financially pressured consumers are more diligent monitoring their accounts or come in looking to withdraw the money from those accounts.
8. Mobile PhonesWith nearly every bank and credit union throwing their hat into the mobile banking ring, the threat of mobile phone fraud is cause for concern. This crime is still in its infancy, but experts expect the risk will increase as malware applications are designed and spread onto mobile devices. Urban sees the most likely way fraudsters will target the mobile phones are through Trojans. "These Trojans will compromise information on the phones which may include online banking account information as well as other data stored on the phone. These compromises will be similar to the attacks on computers," Urban says. The major difference will be the sheer number of mobile devices and operating systems in the market today, as compared to a dominant computer operating system, such as Microsoft Windows. Another reason to fear mobile phone fraud is that anti-virus and anti-malware applications are not as mature on mobile devices as they are on computers.
9. Online ApplicationsThe ease of customer applications over the web comes with another set of headaches: Application fraud, which experts see as a growing area for criminals. Lexis-Nexis' Geister says that alternative channel application crimes, including the Internet, Kiosk and point of sale channels, "are continuing to drive nearly 50 percent of application frauds since criminals are finding ways to skirt around the even the most sophisticated controls."
The ease of online account opening makes the creation of "cash repositories" easy and convenient for criminals, adds Eisen. Many times they will use multiple accounts to keep balances from becoming suspicious, he adds. Criminals are also using online applications to create "valid" identities for future activity.
10. Prepaid CardsThe gift card market has always been a target for criminals say, and prepaid cards will continue to be purchased fraudulently with compromised credit cards, says Fair Isaac's Urban. "The absence of an indicator in the transaction message means a prepaid card purchase cannot be identified during authorization," he notes. The purchase of prepaid cards with stolen credit cards is an optimal way for criminals to get their hands on what they really want - cash.
Another more recent scam is where criminals will steal prepaid cards from the j-hooks at retail stores, chemically wash off the printed card number, emboss the card with information from a compromised card, and then erase the mag stripe. "They then will use the card and have the cashier key the transaction after the terminal swipe fails," Urban says.

Source:- CU InfoSecurity, By Linda McGlasson, Managing Editor

Are hotel key cards safe? Well.....

2009-11-28T15:47:00.001+11:00

Many hotels and resorts use electronic key cards. These cards with a magnetic strip are programmed in such a manner that once the duration of the stay is over, the person does not get access to the room.

The key cards make it impossible to pick up a card and break into a room. Electronic door locking systems were introduced across the globe as they help enhance hotel security, but what information does it contain?

Are electronic key cards safe? Well, it could be a threat depending on the details it has stored on it.

"All hotels mention the customer's name, address, room number and duration of stay in the key card. The key card of the hotel has vital information. Some of the hotels and resorts do store personal details -- including credit card number and its expiry date," says Shah Amber, consultant (information security management services), Mahindra Special Services Group.

Agrees, Pramoud Rao, managing director, Zicom Electronic Security Systems, there are many ways the credit cards can be misused in a hotel. There are chances that key cards could be lead to a data theft.

Some of the five-star hotels declined to reveal details of the key card citing security reasons.

"The key card has the code to access a particular room. It does not store any other details, not even the name of the guests," Kanan Udeshi, manager communications, The Oberoi Group, said.

The key card has the name of the guest and the period of stay. Credit card details are recorded separately by the front desk to validate payment. There is also a provision in the system to make the credit card function as an e-key, according to an industry official.

If the electronic key card contains information like the credit card details it can be easily manipulated.

"There has been no data theft reported so far in India, but there are chances as the information remains on the card till it is handed over to another guest. If the credit card number is stored in the key card, when a guest uses other services in the hotel, he can swipe the card, which in turn is aligned to the front desk for billing," says Shah.

"We cannot reveal any details about the key card. We do not disclose any information that could be a threat to our guests," Nikhila Palat, Taj Hotel spokesperson, Mumbai, said.

The key card is not allowed to be taken by the guest and it remains with the hotel when the guest leaves the hotel.

"The details from the card can be accessed by swiping the card in a normal scanning device. There have been cases abroad where the key card details were used to make mock credit cards. Most of the time the customers are not aware of the fact that the key card holds their credit card number," Shah points out.

If some of the employees connive with miscreants they can access all the information by just swiping the card in any scanning device, Shah adds.

However, the All India Credit Card Users Association has not received any complaints. "There has been no case of fraud reported from a key card data theft. The possibility of hotels giving credit card numbers on key cards seems remote," says Vinod Kumar Chand, general secretary, AICCUA.

Meanwhile, Trend Micro, a leading antivirus and Internet content security software and services entity, says on its website that this a hoax and calls it an 'urban legend'.

The firm says that there is a 'rumour circulating via email which alarms the public that hotel key cards contain personal information about the guest that can be put to ill use by malicious hotel personnel who have easy access to it. This hoax erroneously claims that the guest's home address and credit card number are recorded on key cards dispatched by hotels, thus exposing their customers to unauthorised purchases and cash withdrawals made using the sensitive information'.

The company says that although the origin of the email is based on a real investigation effort of a Southern Californian police district, US authorities have ruled out any security risks this controversy may pose. Moreover, hotel owners have clarified that only minimal information about their guests -- like their names, room numbers and arrival/depature data -- are encrypted in the cards they use.

Data theft

Shah Amber explains how data theft can be prevented.

"Internal threat is a big risk factor for companies. Companies must see to it that any data that can be misused should be completely secure. There are all kinds of technologies to secure IT systems," Shah says.

"Companies have hiked IT security budget and have made no compromise on this. Many have changed application security procedures as well. They have learnt how to recoup from the crisis," he adds.

"As for individuals, they must be very careful about data theft with proper anti-virus systems installed in their computers. It should be updated. They must make sure their Wi-Fi is not misused. They must not disclose e-mail id to any unknown site. They must also make sure children do not surf sites and accidentally pass on information," says Shah.

"There are many fake sites which can lure you and many end up giving their passwords as well. So there is a big threat so one must be very careful. To avoid hacking they can secure ports."

Internet has become an open medium so it is exploited by terrorists. But it is not possible to shut down all those sites. One must be very cautious while surfing and sharing information.

Source: Rediff.com, By Manu AB

PEEP SHOW - Fake it & you may lose your dream job

2009-11-26T18:22:00.001+11:00

ECONOMIC RECOVERY HAS BROUGHT EMPLOYERS BACK TO THE HIRING ZONE, BUT IT’S NOT EMPLOYEES’ MARKET YET Cos Step Up Background Checks Of Prospective Employees’ Educational & Personal Information

Our Bureaus NEW DELHI | KOLKATA

As the economy rebounds and hiring begins to pick up pace, companies are going to unprecedented lengths with sweeping background checks of prospective employees. The scope of pre-employment screening, which has been traditionally limited mainly to senior executives and involved basic searches to verify the accuracy of the resume, the educational background and biographical data, is now getting vastly expanded. All job applicants, not just those at senior levels, are being scrutinised with a fine toothcomb. And almost no area is off limits.

While false claims about education and employment are among the main triggers for rejection, some job applicants have been tripped up by their personal lives. One such was denied a job after an agency specialising in background verification discovered that the individual was having an extra-marital affair. The agency asked the prospective employer, a multinational company, to put the application on hold by filing a ‘pink’ report and the employer obliged. “In our lingo, green means a goahead, pink is doubtful and red signifies rejection,” said SK Sharma, group director-HR at Premier Shield, a security solutions company that carries out background checks on behalf of corporates. A red flag can be activated by a number of other factors: criminal history, substance abuse, a poor credit track record or even dodgy equity trading. While former colleagues, classmates and those living in the applicant’s neighborhood are tapped for information, some agencies go even further.

Premier Shield admits to setting up sting operations to test for ethics and some companies infiltrate staff into the organization where the applicant is working to gather information about the prospective employee’s conduct with colleagues, especially women.

Arun Bhagat, vice-president, HR, with infrastructure group GMR said he visits colleges and universities and at least two past employers to do reference checks of candidates. It recently sacked an employee just days after he joined after it was discovered that he had falsified some documents. “For key roles in finance and at executive levels, we make discreet enquiries on the reliability of the professional, his reputation in and outside the organization and even carry out a search on the internet,” he said. Mr Bhagat insists that the checks are carried out with the consent of the prospective employee. Software and back-office service providers were among the first to make background checks mandatory for all potential hires. Many IT companies and HR consultants like Ma Foi engage firms such as First Advantage, PP Verify, PremierShield, Onicra, Authbridge for pre-employment screening, which can cost between Rs 1,000 and Rs 5,000 per employee.

Pinkerton Consulting & Investigations India, a detective agency, which undertakes screening for several multinational firms, found in a recent survey for IT and IT-enabled Services providers that about 4,000 companies, universities and institutes of dubious background were providing fake documents. Pradeep Bahirwani, vice-president (talent acquisition) at Wipro said that in the IT industry the average percentage of fake resumes is 20-30%. “Based on preventive and corrective actions less than 1% of the total active applications we receive would be fake,” he added.

Among other sectors, the financial services industry, which hires an estimated 75,000 employees every year, is now actively adopting the practice started by IT companies. Battling a marked rise in the incidence of fraud by employees — a recent study by risk consultancy Kroll showed that fraud is increasing twice as fast in the financial services sector than in others — companies are snooping on potential hires more than ever before.

“This is part of the new belt-tightening system in all high-profile recruitments in the financial sector,” said veteran headhunter, Ajit Isaac, MD & CEO of Ikya Human Capital Solution.

While nearly all leading banks carry out verification with the police for criminal history, some private banks like Axis Bank have also started checking the credit history of recruits. “Since credit history is closely associated with one’s reputation, reviewing it is becoming a norm before recruitment,” a senior Axis Bank official said. The country’s largest private sector insurer ICICI Prudential Life concedes that nearly 7% of the candidates it reviewed for hiring had a fraudulent past. The company has now partnered with reputed risk management agencies to undertake background screening.

“As one of the leading players in the insurance space, we are deeply concerned about the incidence of fraud and are working with the industry to explore ways to mitigate the risk of fraudulent activities,” said ICICI Prudential Life HR head Judhajit Das. The insurance sector is now even thinking of creating a common central database that will include the names of all employees fired for fraud. The proposal, put forward by Bajaj Allianz General Insurance, is now being discussed by all leading players.

The Life Insurance Council, the grouping of life insurers, is also keen on the idea. “However, someone has to manage such a database of delinquent employees — it may either be us or the regulator IRDA,” said chairman SB Mathur. With curious employers prying deeper into the backgrounds of potential employees, there are concerns that they could intrude into individuals’ privacy. E Balaji, CEO of HR firm Ma Foi, observes that in Europe, there are stringent privacy laws and strict regulations and guidelines about how much an employer can check the background of an employee. “In comparison, awareness about privacy laws is much lower (in India). Companies just take a broad declaration from the individual about such background checks,” he said.

Reporting by Monica Behura & Mahima Puri in New Delhi and
Writankar Mukherjee, Debjoy Sengupta & Atmadip Ray in Kolkata

Good times for fraud

2009-11-12T21:44:00.000+11:00

Fraud is a growing problem for corporate Australia, but there are tools that can detect suspicious activities.
Litigation is often cited as the main beneficiary of any business downturn, but there is another oblique area of financial services which proliferates during a financial crisis. Accountants are now reporting an unprecedented boom for their forensics departments, because in a downturn, fraud is rife.
Deloitte Australia claims that it has undertaken as much as five times its normal work in this area over the past 12 to 18 months and there is no sign of it slacking off. KPMG has also reported a considerable increase in its forensics business, and the need to take on new personnel to cope with the “boom”.
Unlike litigation, fraud is far less heralded – it is the corporate stain which dare not speak its name. Often accountants are brought in with both a covert and an overt role – overtly as auditors to check accounts and covertly to dig deep inside company data to check for both forced and unforced errors.
Frank O’Toole, Deloitte’s national financial crimes services leader, says the uncovering of fraud tends to occur when companies are compelled to examine their spending. “Sometimes it comes up during a normal cost-cutting exercise,” he notes.
While the media tends to hype up the proliferation of external, web-based fraud, internal fraud is by far the bigger problem for corporate Australia, costing the economy around $3.5 billion a year, according to the Australian Institute of Criminology. KPMG says around 65 per cent of frauds perpetrated on companies are internal. O’Toole says that often it is the employee who would be least expected to commit fraud who is tempted. “Normally those who would choose to do the right things are faced with certain pressures – they’re not getting a pay rise and they’re struggling with mortgage repayments and school fees – faced with the opportunity to misappropriate $20,000 or even $50,000, they succumb.”
KPMG’s head of forensic, Gary Gill, says it will continue for some time to come: “They’re saying the worst is over and things are looking good – well the bottom line is people are still doing it tougher now than 12 months ago,” Gill says.
Simple tricksWhat kinds of frauds are being discovered? Gill says much of the fraud is very simple – on the accounts payable side KPMG is seeing a lot of false invoicing – the setting up of bogus vendors and then the processing of false invoices.
Gill also sees a lot of simple online payments fraud, much of which is barely disguised. “Sometimes they just transfer money straight out of the company account into their personal accounts,” says Gill.
O’Toole mentions slightly more canny pretences – the collusion with suppliers, whereby invoices are inflated for the benefit of both parties. Expenses fraud is also escalating, says O’Toole. “They tend to be around the $10,000 or $15,000 mark but we have seen expenses fiddles of up to $1million occurring.”
Forensic departments never tire of saying that companies which fail to segregate authorization and custodial duties will always be more susceptible; they also point to the need to regularly test internal controls for weaknesses.
Last but not least, a whistleblower process – which may incorporate a number of lines of access to report suspicions anonymously, is deemed essential.
Deloitte Forensic research found that around 70 per cent of frauds are usually identified by someone else in the organization, and over 80 per cent of staff who will not report fraud cite a fear of retribution as the reason.
Insurers even say that without good lines of reporting suspicions, a company will not be considered for fidelity insurance, which covers Corporates for internal fraud. See Fire, flood or … fraud?
Technology sniffs out fraudBoth Gill and O’Toole say one of the most exciting developments has been the growth of data analytics technology to monitor suspicious electronic transactions among thousands of pieces of information.
Document management systems are also becoming critical to support complex legal cases stemming from the misdeed.
Deloitte has its own proprietary system, as does KPMG. Both are constructed to analyze the million pieces of data in everyday business systems, such as comparing vendor master files to employee records. They can uncover real frauds as well as operational mistakes.
What kinds of things can they flag? Gill says you can run a comparison between accounts of employees on the payroll system against your vendor bank account numbers. “If an employee has the same number, you know there’s a problem.”
“You can look for duplicate payments – one legitimate, one false. Also round sum payments – very few invoices are for round sums. It’s a good idea to have them checked as well as any payments processed outside of normal business hours,” Gill says.
Deloitte cites a number of “red flags” the technology is most likely to throw up, which also includes things such as short-term changes to employee or supplier accounts.
Another give-away that fraud may be occurring is the repeated structuring of transactions just under the delegated authority limit. “Of course, five payments of $9999 authorized by a staff member with the authority to approve costs up to $10,000 would certainly be subject to close investigation in any organization … if detected,” says O’Toole.
Transactions conducted directly through the electronic funds transfer system rather than the accounting system is also subject to scrutiny. “Typically, instances of EFT fraud appear to be linked to issues around access to computer log-ons and inappropriate use of passwords,” says O’Toole.
Is the cost of using this technology worth it? A company can spend millions trying to get to the bottom of its problems, but huge frauds have been discovered quickly – and at a relatively low cost.
Source:- The Sydney Morning Herald; By Adam Courtenay

Banks pushing chip-and-PIN place elderly at high risk of fraud

2009-11-02T00:57:00.000+11:00

Customers kept in the dark as banks are reluctant to be upfront about alternative to chip-and-PIN cards
Thousands of elderly people are being left vulnerable to fraud because of the banking industry’s failure to explain to customers that there is an alternative to chip-and-PIN technology.
Under the Banking Code, all banks must offer a “chip-and-signature” account for those who may find it difficult to remember their PIN, or cannot use a chip-and-PIN terminal. However, Times Money has discovered that some banks are reluctant to tell customers of this alternative method.
Vulnerable people who are forced to use chip-and-PIN are likely to write down the number or tell it to someone else, which means that it is highly unlikely that they will be reimbursed if they become a victim of fraud. Jane Vass, of Age Concern and Help the Aged, says: “Many older people are driven towards payment methods that they are not comfortable with, putting their financial security at risk.”
John Walter, a pensioner from Devizes, Wiltshire, was recently sold a fee-based NatWest current account that came with a chip-and-PIN card. The card was stolen and thieves drained his account of £7,000 by withdrawing money at cash machines over 14 days. Mr Walter, who is 73 and described by friends as vulnerable and forgetful, admitted to NatWest that he had written his PIN in his diary. Although the diary was not stolen, NatWest still refused to reimburse his losses.
Elizabeth Merritt is a friend of Mr Walter and has taken up his case with NatWest. She says: “John has been with NatWest for 50 years and trusted the bank implicitly. He does all transactions inside his branch and had never even used his card. Despite this, NatWest still persuaded him to pay £13 a month for a chip-and-PIN account with features that he would never need. He was never told about chip-and-signature.”
NatWest told Mr Walter that somebody with access to his home must have seen the PIN and stolen his card, and that this constituted a breach of his terms and conditions. He was also told by NatWest that none of the cash machines used in the fraudulent transactions had CCTV cameras, and “this may be something the fraudster had considered before using the card”.
When Times Money approached NatWest, the bank maintained that Mr Walter had been negligent. However, it agreed to refund the £7,000 as a gesture of goodwill. Mr Walter has now been given a basic bank account and will request chip-and-signature.
Another pensioner, Rosa Farrell, of Hereford, recently had £3,500 fraudulently withdrawn from her bank account by her eldest son, who had a gambling problem. Mrs Farrell, 65, wrote down the PIN and kept it well hidden in her house, away from her card, but on a visit her son managed to find the card and the number. He was convicted for the theft.
Mrs Farrell’s bank, The Co-operative Bank, said that because she had written down the number she had been negligent and would not be reimbursed. She had to take her case to the Financial Ombudsman before she recovered her money. “I don’t know why the bank did not stop the suspicious transactions, which were totally out of character,” she says. “In the end, the ombudsman ruled that I was entitled to believe that my bank details were safe in my own home.”
The Financial Ombudsman Service, which resolves disputes between consumers and banks, deals with about 150 complaints about chip-and-PIN fraud every month — usually when someone’s bank has refused to compensate them for losses.
Fewer than 500,000 people have a chip-and-signature account, according to the UK Payments Association, despite the banks agreeing to offer vulnerable people an alternative to chip-and-PIN when it was introduced in 2004. However, there are 700,000 people with dementia in the UK, according to the Alzheimer’s Society, while the Royal National Institute for the Blind says that 1.8 million people are blind or partially sighted. Many of these people should have chip-andsignature accounts.
Sandra Quinn, of the UK Payments Association, says: “It would be very disappointing if banks were not giving chip-and-signature to customers who need it. Some people may find in the future that chip-and-PIN is not suitable. They have every right to ask for an account with chip-and-signature.”
Pensioners are also encouraged to use chip-and-PIN to receive their state pension and other benefits via the Post Office card account, which was introduced in 2003 to replace pension books. Neil Duncan-Jordan, of the National Pensioners Convention, says: “Some pensioners still queue up to receive their pension holding a piece of paper with their PIN on it. Anyone who is uncomfortable with PINs can request to have benefits sent by cheque in the post.
“Chip-and-PIN is simply not suited to many elderly people, and banks and the Government should do more to promote alternatives.”
Ross Anderson, a security expert at the University of Cambridge, says that it is in banks’ interests to push chip-and-PIN. He says: “Quite simply, if you use a PIN, disputed transactions are your fault. However, a forged signature makes a transaction null and void, which means that the banks cannot hold customers liable. Banks are exploiting the old and vulnerable because they want to take away their consumer protection. It’s a disgrace.”
The Banking Code, to which all banks must adhere, states: “We will tell you about alternatives to chip-and-PIN, which are available if you are unable to use a PIN because of a disability or medical condition.”
Several high street banks confirmed to Times Money that they offered chip-and-signature, but emphasised that it was only for specific types of customer. A spokeswoman for Barclays says: “Chip-and-signature is for customers who have a disability that makes using a PIN difficult or imposs-ible, either because of dexterity problems, visual impairment or difficulty remembering the number. All other customers are issued with a PIN.”
A spokesman for Santander, which owns Abbey, Bradford & Bingley and Alliance & Leicester, adds: “Chip-and-PIN is an important tool in fighting card fraud, and PINs should not be divulged to other people or written down. Customers can change their PIN to a more memorable number.”
New rules relieve customers of burden of proof
The Banking Code will be abolished next month and replaced with a complex set of rules, the Payment Services Regulations (PSR).
Experts fear that consumers will no longer have a user-friendly set of guidelines that clearly explain banks’ responsibilities. Instead, they will have to wade through a 152-page document for details of their rights.
The Financial Services Authority, the City watchdog, will enforce the new regulations. It says that victims of fraud will actually have more protection, with the onus on the bank to act quickly to prove that a transaction was the customer’s. Unless the bank can show a good reason why it needs to investigate the claim, it will have to refund the amount immediately.
Page 38 of the PSR states that if a person notices a suspicious transaction on an account, it is for the bank to prove that the transaction was “authenticated, accurately recorded and not subject to technical breakdown or other problem”.
Currently the onus is on customers to prove that suspicious transactions were not their own. The Banking Code states: “We will need you to give us confirmation or evidence that you have not authorised a transaction.”
Source:- Times Online, UK ; By Lauren Thompson

Lawyers, CAs more prone to loan fraud

2009-10-24T12:49:00.002+11:00

ntermediaries such as lawyers, valuers, charte red accountants, statutory auditors, real estate developers and motor vehicle and agricultural equipment dealers have largely been found by the Reserve Bank of India to be involved in frauds in retail loans.

The central bank, in its report on trend and progr ess of banking in India for 2008-09, said there has be en a steady rise in frauds reported in the retail loan segment, with increase in retail loans portfolio of banks in recent years.

Banks have been asked to provide to the Indian Ba nks’ Association the na mes of unscrupulous intermediaries who aid the perpetration of frauds, jeopardising the interests of banks.

Banks are required to forward names of tainted intermediaries, including professionals involved in frauds, to IBA after satisfying themselves of the involvement of the third parties concerned and after providing them with an opportunity of being heard.

The RBI is also in the process of introducing a monitoring mechanism for identification of outlier ban ks, where there is high concentration of frauds. The level of risk residing in a bank would be determined after taking into account recoveries made, punitive action taken against staff involved and other steps taken by the bank with regards to the fraud.

The Reserve Bank of India is also in the process of framing guideli nes to ensure that the incidences of frauds are facto red in while carrying out supervisory review and evaluation process in the banks for the purpose of assessing the fraud risk in specific and operational risk in general.

RBI has decided to cover the fraud risk from now on during its quarterly discussions with banks. The RBI is also carrying out modifications in parameters for systems and controls comp onent of Camels (capital, asset, management, earnings, liquidity and systems) rating framework, which would reflect the status of a bank as an outlier or not ba sed on incidences of frauds and the strength/we akness es of banks’ associated systems and controls.

Based on the paramete rs, banks would be categori sed as outlier banks, RBI sa id. Once they are categor ised as outliers, the relevant information with regard to those banks would be taken up for any regulatory response.

Source:- www.mydigitalfc.com ; By Rajendra Magan Palande

Credit cards or misery cards?

2009-10-24T12:28:00.001+11:00

In keeping with the spread of sophisticated life styles in the west, the credit cards phenomenon has invaded India and most people have gotten so used to it that they can not live with out it. However, unlike in the west, the dice here in India is totally loaded against the user as the Reserve Bank of India is able to do very little in securing the user, says SS Kumar.

The following are the ways in which card issuing banks try to fleece the card holder:

Late fee

This is charged randomly because of a funny rule claimed by the banks that the deadline interpreted by them is the date by which they are able to realize the funds in their account. So against a deadline of say, 27th of a month, even if you drop the cheque in to their collection box by 23rd, you could still be penalized if this bank is unable to encash this cheque before the quoted deadline. The question one might ask is, if you have dropped a cheque payment 3-4 days in advance, what control do you have on the subsequent events or delays?

One of the reputed banks was regularly playing this game with me till I caught them. I dropped two cheques with same deadline payment into the same collection box on the same day, and at the same time, for two separate banks. The second one, a bit more professionally run, acknowledges receipt of my cheque payment in time, with thanks, through sms, whereas the other one, based in Chennai wants to make a fast buck, comes back claiming a late fee, as usual. They sheepishly reversed the charges when I escalated the matter to RBI.

RBI must immediately issue a directive that when a payment deadline is mentioned as 27th of a month, the deadline should apply to the physical act of dropping your cheque into the collection box and not to the date, the bank realizes the payment, because no one controls the declaration of public holidays in the intervening period.

The quantum of late fee itself is questionable. A few years back it was just around Rs 200 or 250, today, most banks quote around Rs 650. As an extension of their greediness, they let you buy consumer durables under a specially created EMI scheme. They use this neat opportunity to not only claim late fee for a particular card, VISA or MC and separately, once more, for these so called special schemes under these cards. So you can be charged late fee more than once on the same card, because of sub sections under it.

Disputed claims

Many of the banks issuing card related monthly statements assume that the card holder does not go through the statements minutely and feel they can get away with several erroneous billings.

Here the banks have another funny rule. Even if you feel some entries in the statement have nothing to do with you, they insist that you pay the full amount first and then wait for the next two months for reversals to take place.

If the discrepancy is of the order of Rs 100 or 200, it does not pinch, but often the erroneous charge is in the order of Rs 6000 - 8000 or even more. The card holder is simply forced to watch his funds in the hands of the bank, that too earning zero interest, whereas in the reverse situation, the bank immediately gleefully charges you around 4 per cent interest per month.

Every where, outside India, say in US or Canada, the user is not required to pay the disputed amounts and can pay deducting the amounts that look questionable. RBI is blissfully unaware of this rule, and this ignorance on RBI's part encourages banks in India to rough ride on or fleece the hapless customer still further.

Biggest fraud through sale of policies on phone

The biggest frauds perpetrated by card issuing banks are through the so called sale of insurance and medical cover policies over the phone. There have been countless victims of this well rehearsed fraud that takes place with absolute regularity. It operates like this.

A lady comes on line, uninvited, starts blabbering on the unique benefits of some insurance or medical cover policy that they are marketing. You express your indignation over this sudden invasion of your precious time. To get them off your back, you tell them to send all the details through post and once you are convinced, you will get back to them. If you thought, you put a lid on the matter firmly, you are sadly mistaken. You do this because you want to get a full grab of the details including what is really in fine print.

It comes your next month's statement and surprise of surprises, she has already billed you for this medical cover even before receiving your approval. You confront her, trying to control your rage at this sacrilege, and she tells you coolly, "when we spoke on the phone, you never emphatically said no to my scheme; so we presumed you said yes and according proceeded ahead by billing you."

Now, nothing can be done, you will have to pay the entire first year's premium ! "Oh, we have a recording of our entire discussion and we can play it back for you if you like", is the last punch line. This fraud is being played on people day in day out and the pity is that the RBI is fully aware of this large scale fraud and has not done a thing about it, till date. If it comes to a real showdown in a court of law, where is the guarantee that the bank would not have doctored the recorded conversation to edit out your objections during the same telecon?

Selling policies on the phone is an accepted practice in the west but there the underlying theme is utmost honesty because the buyer can sue them in case of malpractice. Here the banks indulge in their day light robbery along the above lines because the local laws are so weak. It is high time either the RBI or the Finance Ministry or the Supreme Court woke up to the large scale fraud. There have been several hapless victims of this fraud. The government should ban this altogether and disallow the banks to charge card holders until they have a written approval from the customer.

Cross check your monthly statements

Many people assume that since the monthly card statement comes neatly printed on a ready format each month, the entries must be correct. For god's sake and your sake, please double check them. I did precisely that and found that this reputed bank was trying to fob me with an excess charge of Rs 75,000, not Rs 75 or 750, exactly, Rs 75,000!When I reported this to RBI, overnight, this bank revised downward the total outstanding against my name by this whopping amount. Remind yourself that such social parasites exist everywhere, they have no particular dress code and more often than not, they are white collared workers in such banks. When confronted by me with the facts, this bank promised to look through the matter The bottom line, I would have easily allowed myself to be fleeced if I had not been seriously reviewing their statements and become poorer by Rs 75, 000 overnight, had I not decided to confront them with equal aggression and crudeness.

Why do the banks charge exorbitant interest rates in India?

Thanks to some recent initiatives of RBI, when you apply for a personal loan, the banks have seemingly removed all the extra loadings on the sanctioned loan in terms of processing fee, one time fee etc. and they no longer talk of penalty on loans that are pre-closed.

The general interest rates in India have nose dived from a high of 15-20 per cent earlier down to around 10 per cent now. In spite of this, MNC banks charge over 40 per cent, for credit card spends, despite RBI's rumoured directive to them to charge no more than 3.1 per cent a month. There is absolutely no uniformity in these charges and some banks, like Deutsche Bank charge over 42 per cent per annum. In the US and Canada and other western countries, the rates hardly exceed 15 or 16 per cent per annum.

Why should RBI permit such a large difference in interest rates? After all the source of funds (seed capital) of these MNC banks is the west when they start their operations in India and this is obtained at a much lower insignificant rates of interest, say 2 or 3 per cent per annum, which is the ongoing bank rate for personal loans. It is high time RBI seriously looked at these vast interest differentials.

Life time membership fee fraud

Initially, when these banks brought their cards into India, the standard practice was to charge membership fee every year. Since new entrant banks were desperate to make a breakthrough, some of them waived off this annual fee for using the card. To get even, the established banks played a new trick. They came up with a scheme of a one time life membership charge for say VISA or MasterCard. If you heaved a sigh of relief after having paid this one time life time fee, you were again in for a major surprise.

Six months later, the same bank introduces a new version of the VISA or MasterCard and again debits you with a new lifetime membership fee.

The simple logic one understands is something similar to the life time tax you pay for your car. Once you have paid the life time tax for your car, you are not required to pay for it again, just because you put a new coat of paint on it or just change the worn out tyres.

So, why should this be any different in the case of lifetime membership of credit cards?

I raised this issue with RBI long time back and a response is still forthcoming.

Bottom line

It is very obvious that RBI has been totally unequal to the dubious machinations of the MNC banks in India so far and has a lot more homework to do to bring in some discipline in the working of these banks.

Unless there is a quick induction of checks and balances these banks will continue to merrily fleece the average Indian card holder. Perhaps, the finance ministry under a veteran like Pranab Mukherjee can take the quick initiative and push these reforms through RBI.

SS Kumar is CMD of ASTRAL Systems (India).

7 myths about Swiss bank accounts busted

2009-10-24T12:23:00.001+11:00

You are watching a movie and in that a well-dressed gentleman, arrives in an expensive car and alights in front of a building whose doors are flanked with mercenary-looking guards. The gentleman walks inside and is met by a distinguished-looking elderly gentleman, to whom a series of numbers are rattled off. The man is then ushered into a vault-like facility. Welcome to the stereotypical depiction of a Swiss bank.

When you think about Swiss bank accounts, words like mysterious, secret, guarded, rich and out-of-league come to a person's mind. What many don't know is that Swiss banks are just like any bank in the world. Here are some myths which need to be shattered about Swiss bank and bank accounts.

Swiss banks only service the filthy rich

Nothing is further than the truth. Majority of a Swiss bank's clients are not major manufacturers, movie stars or heirs of businesses, but everyday people like you and me. You can open a Swiss bank account with a deposit of only 5,000 Swiss francs. Swiss banks even offer accounts with no minimum balance.

No interest on money invested

Absolutely wrong! Just like any other bank, Swiss banks also have a variety of investment options such as mutual funds, stocks, bonds, commodity and derivatives investment etc. Swiss bankers are among the best finance managers in the world, so it comes as no surprise that they manage over 35 p[er cent of offshore holdings. Moreover, owing to a very consistent financial stability in Switzerland [ Images ], your money is much better handled here.

Swiss banks are financial havens for criminals

Nothing can beat this rumour. However, for people who are unaware, Swiss bank accounts have very stringent policies on who invests money in the bank. The vast majority of Swiss bank account holders are honest people who want to keep their savings in a country renowned for its stability. Swiss banks are extremely cautious regarding politicians who wish to open an account and they systematically refuse to accept any money that is of dubious origin.

Numbered accounts guarantee anonymity

There is nothing like anonymity in Swiss banking terminologies. On the other hand, there are very strict rules over client-banker confidentiality which ensures that the number of fraudulent transactions that can happen with your account are negligible. However, the identity details of numbered accounts are accessible, albeit only to the bank manager and a few select people.

Swiss bank accounts can only be opened in person

Just like any other international bank, Swiss bank accounts can be opened through correspondence as long as you comply with their opening procedures and provide the bank with the necessary documents. Moreover, all other banking facilities such as telephone banking, Internet banking, bank transfers and credit cards are available in the kitty of a Swiss bank's services.

Swiss bank accounts are very expensive to maintain

This is not true. Most of the Swiss bank accounts don't charge a cent in annual fees. Even if you would like additional services such as retained correspondence or numbered banking relations, the annual fees are very reasonable.

But why would anyone want to open a Swiss bank account if it is like any other?

Source: BankBazaar.com

Arrest of Hedge Fund Chief Unsettles the Industry

2009-10-19T22:37:00.002+11:00

For years, whenever anyone asked Raj Rajaratnam about the success of his hedge fund, the Galleon Group, he chalked it up to being hungrier than everyone else.

“It is pride, and I want to win,” Mr. Rajaratnam said in “The New Investment Superstars,” a book by Lois Peltz published in 2001. “After awhile, money is not the motivation. I want to win every time. Taking calculated risks gets my adrenaline pumping.”

Now prosecutors are claiming that Mr. Rajaratnam, 52, crossed the line into criminal activity.

At dawn on Friday, Mr. Rajaratnam was arrested at his expensive Manhattan home, charged with running the biggest insider trading scheme involving a hedge fund. He and five others are accused by the Justice Department and the Securities and Exchange Commission of relying on a vast network of company insiders and consultants to make more than $20 million in profit from 2006 to 2009.

Mr. Rajaratnam’s lawyer has said his client is innocent. He is free on $100 million bail and is expected to be in the office Monday to address Galleon employees.

In 2007, Mr. Rajaratnam’s name arose in connection with an inquiry into fund-raising for the Tamil Tigers, the Sri Lankan rebel group that was defeated in May after a quarter-century of violence.

News of Mr. Rajaratnam’s arrest has also shaken the secretive hedge fund world, in which intelligence on companies is often shared among Wall Street analysts, traders and other investors.

“The defendants operated in a cozy world of ‘you scratch my back, I’ll scratch your back,’ ” Preet Bharara, the United States attorney for the Southern District of New York, said on Friday. He added that the case should be a “wake-up call” for hedge fund managers who even think about insider trading.

Hedge funds often use lobbyists, investigators and other connected people to dig for information about a company or industry.

Most of the information is obtained legally. But the government’s use of wiretapping and confidential witnesses in the Galleon case raises questions about when investors can act on nonpublic information. The case also signals a new zeal by authorities to clamp down on Wall Street crime after failing to detect the $68 billion Ponzi scheme by Bernard L. Madoff.

At the center of this purported insider trading ring is Mr. Rajaratnam, who rose from a technology analyst to become a hedge fund billionaire.

Mr. Rajaratnam always remained close to his homeland, Sri Lanka, which was riven by fighting between its government and the Tamil Tigers, formally known as the Liberation Tigers of Tamil Eelam. The hedge fund manager often reached into his wallet for causes related to the country. When the island was struck by a tsunami in 2004 — he had been there at the time, but was inland — he organized a charity to raise money to rebuild homes.

In 2004, he also helped raise $120,000 to buy dogs to detect land mines littered throughout Sri Lanka.

Yet his giving was not without controversy. In 2005 and 2006, the charity he created, Tsunami Relief, gave $1.5 million to the Tamil Rehabilitation Organization, a group officially dedicated to helping victims of the fighting. But prosecutors have since charged the Tamil charity with aiding the rebel group, and its nonprofit status has been suspended.

A criminal complaint filed in Brooklyn federal court in 2007 described an “Individual B” who donated $2 million to the terrorist group in 2000 and 2004. People briefed on the matter confirmed a report by The Wall Street Journal that Individual B was Mr. Rajaratnam, who was never charged. Several defendants in that case have pleaded guilty to raising money for the Tigers.

A lawyer for Mr. Rajaratnam, James Walden of Gibson, Dunn & Crutcher, said in a statement that his client was not a Tiger supporter and that the money had been spent on “rebuilding thousands of homes for Tamils, Sinhalese and Muslims without discrimination.”

Within the hedge fund industry, Mr. Rajaratnam was long known for his expansive contacts within the technology sector.

People close to the company describe the pressure within Galleon as intense, with Mr. Rajaratnam demanding long hours and highly detailed research reports.

By the time he was arrested, Mr. Rajaratnam had cemented his position as a member of New York’s financial elite. Forbes estimated his net worth this year at $1.3 billion, earning him a spot on its list of richest people in the world. He donated more than $30,000 to Barack Obama, Hillary Rodham Clinton and the Democratic Party in 2008.

And he sat on multiple charity boards, including those of the Harlem Children’s Zone and the American India Foundation.

Mr. Rajaratnam built his fortune from the ground up: born in Sri Lanka, he was sent away for schooling, including at the Wharton School at the University of Pennsylvania. He became a technology analyst at the investment bank Needham & Company, rising through the ranks to become president. In 1992, he began a hedge fund for Needham clients, many of whom were technology executives themselves.

Mr. Rajaratnam left the firm in 1997, but took the fund and called it Galleon, after the Spanish empire’s ships used to ferry gold and spices from the New World.

Several of Galleon’s employees had an engineering background, like him. Many outside analysts envied the extensive research reports their counterparts at Galleon produced, culled from regulatory filings, checkups on supply chains and sources within the companies they covered. At its peak, the firm managed $7 billion in assets, but that figure has since fallen to about $3.7 billion.

The firm made no secret that its investors included technology executives. Among them was Anil Kumar, a McKinsey director who did consulting work for Advanced Micro Devices and was charged in the scheme. Another defendant, Rajiv Goel, is an Intel executive who is accused of leaking information about the chip maker’s earnings and an investment in Clearwire.

Prosecutors also say that a Galleon executive on the board of PeopleSupport, an outsourcing company, regularly tipped off Mr. Rajaratnam about merger negotiations with a subsidiary of Essar Group of India. Regulatory filings by PeopleSupport last year identified the director as Krish Panu, a former technology executive. He was not charged on Friday.

Galleon has previously been accused of wrongdoing by regulators. In 2005, it paid more than $2 million to settle an S.E.C. lawsuit claiming it had conducted an illegal form of short-selling.

Bracing for a New World

2009-10-15T23:35:00.001+11:00

In a declining economy, Indian enterprises are waking up to a new world where Mobility, Virtualization and Cloud Computing technologies present new challenges and the employee is now the weakest link in the information security ecosystem

In October last year, Rajendrasinh Makwana, an IT contractor who worked in Fannie Mae (a US government-owned firm), was indicted for planting a logic bomb designed to wipe out data from the firm’s 4,000 servers. Makwana planted the logic bomb in the form of a malicious script embedded within a legitimate code. Had the malicious script managed to execute, it would have resulted in the company being shut down for a week. The reason for Makwana’s action—the company had fired him for a scripting error he made earlier. Angered, Makwana planted the malicious script on the day he was fired.

Makwana’s case is not an isolated one. For companies that feel the heat of the economic slowdown and decide to lay off staff, the ‘trusted’ employee could suddenly become a more potent threat than an external hacker.

This fact is supported by a 2008 FICCI-PwC report, in which a majority of the organizations surveyed believed that employees or former employees are a major source of security threats. Almost 47 percent of the organizations believed that employees were responsible for security incidents and 25 percent attributed them to former employees. Only 39 percent of the companies attributed negative security events to external hackers.

Virtual Threats
With the rise in virtualized environments, CIOs face a new level of complexity, as virtualization introduces another layer that needs to be secured. For example, when a hypervisor is compromised, all the virtual machines that run on the hypervisor will also be compromised.

“With modern virtualization technology, virtual machines can be easily cloned and installed on a different physical machine. The ability to go back to ‘snapshots’ of past images can inadvertently wreak havoc with the patch management process,” says Sunil Rawlani, Executive VP and Head, IT, HDFC Standard Life Insurance. Analysts also believe that a compromise of a single virtualized machine can infect all other virtual machines on a physical server.

While organizations have given employees laptops and smartphones as a means to improve their productivity, this also presents immense risks, as these devices carry critical business information. However, what is shocking is that the data on most of these devices is not encrypted. This can be a security disaster waiting to happen. Additionally, unlike IT assets which are managed by an IT asset management system, a mobile device management policy is still not in place for most organizations.

Wireless security is another weak area, and this has been proved by the increasing number of attacks on wireless networks. A survey by Deloitte Research in India revealed that around 86 percent of the wireless networks in the cities that were surveyed were vulnerable i.e. having no encryption or a low level of encryption which could be easily compromised. Thirty-seven percent of the networks surveyed were found to have no encryption. While weak encryption is the common culprit for security breaches, other security vulnerabilities in wireless networks are a result of mis-configured access points and outdated access point firmware.

Not so social
Social networking sites, which have become so popular with youngsters, are a nightmare for CIOs—especially when it comes to ensuring security. Agrees Rawlani, “Web 2.0 technologies when combined with our ‘work-from-anywhere’ lifestyle have begun to blur the lines between work and private life. Because of this psychological shift, people may inadvertently share information their employer would have considered sensitive.”

A recent survey on Web 2.0 usage in the workplace by vendor Websense highlights the emerging dangers of using social networking websites. The survey found out that in India, Web 2.0 is already pervasive in the workplace, with more than 70 percent of the organizations surveyed allowing access to wikis, and 40 percent allowing access to social networking websites such as Facebook. However, while more than 70 percent of these companies have URL filtering software, only 39 percent block Instant Messaging (IM) attachments, and only 41 percent of the respondents had a mechanism to detect embedded malicious code on trusted websites. This opens up potential doors for attackers to get a foothold into organizations, especially when you consider the fact that websites allowing user-generated content comprise the majority of the 50 most active distributors of malicious content on the Internet.

To tackle these challenges, anti-malware technologies too have grown in depth and sophistication. For example, Websense’s ThreatSeeker Network gives customers the ability to identify and classify spam posted as comments to forums, blogs or social networking sites. Comment traffic is automatically routed through a spam filtering service and every comment can be analyzed and given a ‘spam’ score. This improves the ability of enterprises to tackle spam on their blogs.

Similarly, RSA Security has a solution called ‘Adaptive Authentication.’ This solution monitors user behavior and assigns a unique risk score to the user’s activity. Whenever high-risk activities are triggered, the solution prompts the user for additional credentials. This solution is already in use in HDFC Bank, and has helped the bank reduce a huge number of phishing attacks.

Cloudy security
As more applications move to the cloud, security-related aspects will be put to the test, as increasing access points compound management challenges. Cloud Computing also highlights perceived issues that CIOs have in terms of data loss or data theft. “The key threats are in terms of the security of data at rest, compliance requirements due to outsourcing of data, recovery of data across the cloud in the event of an issue, and support for investigation of data within the cloud,” says Navin Agrawal, Executive Director, KPMG. Additionally, within the cloud, enterprises need to look at standard issues such as user access, authentication, privacy and the location where the data is stored.

It is also interesting to note that even as enterprises are worried about security issues in the cloud, service providers such as Trend Micro are leveraging the cloud for providing security-based services. For example, research indicates that more than 1,500 unique malware variants are generated every hour. If organizations fail to patch up fast enough, they will be extremely vulnerable to attacks. Trend Micro has responded to this situation by launching a cloud-based service, where the actual scanning is done in the cloud.

The new face of cyber threats
With a huge underground market for stolen credit cards, fraudsters are offering specialized toolkits and services. Thus, even common criminals, who have insufficient knowledge of sophisticated hacking techniques, can easily perpetuate online frauds. For example, in an annual online fraud report, RSA Security expects that underground services such as Centralized Trojan infections (offered via a pay-per-infection model) and All-in-One-Trojan packages (allowing people to purchase Trojan servers with corresponding botnets of infected computers) to grow at a fast pace.

Trojans have also become intelligent enough to launch new sophisticated modes of attack. For example, a study by RSA found out that hackers deployed variants of the Zeus Trojan and used the Jabber IM service to quickly transmit compromised user details. This means that as soon as a user account is compromised, it is quickly relayed in real time through IM to cyber criminals. Other techniques involve using Search Engine Optimization (SEO) methods to promote fake antivirus software. Hackers have also been quick to exploit social media such as Twitter to distribute malicious links. Twitter’s facility of providing anonymity by shortening the URL has also helped hackers to gain direct users to websites hosting malware or Trojans.

As is evident, security can never be a milestone. It is a continuously evolving journey, and enterprises have to constantly be on their guard against attacks that are quickly growing in sophistication and intent.

Source:- www.networkcomputing.in; By Srikanth RP

Job-seekers from North India fake it to make it

2009-10-15T00:28:00.003+11:00

BANGALORE:

Recession does strange things to people. A trend recently observed shows a sharp increase in resume frauds in North India while South India and East India accounted for the lowest number of resume frauds. This uncomfortable fact was brought to light by a report released by a Background Screening and Risk Management consulting company.

The report ‘Background Screening Trends -- A Recession time study’ based on a survey which evaluated about 10,000 cases per month, by AuthBridge Research Services, evaluates the upward trend in resume embellishments as an aftermath of the recent economic meltdown.

North India accounted for:-

47% of the total discrepancies reported in country. Next in line was the Western part of the country with 32 % of discrepancies being reported from there. South and East India combined accounted for the lowest number, the report revealed.

“March saw the highest number of resume embellishments-16%

Interestingly, this was the month when the economy was at its worst,” the report said. The report pointed out that discrepancies related to previous employment were 74% of the total discrepancies of which 59% candidates lied about their tenure, designation, CTC or reporting manager.

According to the report, fake/ forged documents formed 69% of the total education-related discrepancies.

Maximum discrepancies were reported from ITeS, IT and BFSI sectors. Commenting on the report and its findings, Ajay Trehan, Chief Executive Officer, AuthBridge, said, “Job cuts, layoffs and salary cuts have been the key factors during recession instigating candidates to lie in resumes so as to bag the available job at any cost.” “The upward trend in resume frauds show that employers need to scrutinise candidate’s profile even more carefully and watch for fraudulent credentials, such as inflated or fictional employment history or educational degrees so as to secure them from the hazardous repercussions of unsafe hiring,” he added.

Rajeev Yadav, Senior Division Manager - HR, NIIT Technologies said, “While we have seen that there has been increasing number of fraud and other problems, the study has provided with factual data and it is now necessary for companies across the industry who are manpower intensive as well as that handle sensitive information to set up risk management systems in place.” The difference between the information provided by the job applicant and the information dug out by AuthBridge while conducting background checks, also known as discrepancy rate was significantly higher than normal during the peak recession period.

Source: www.expressbuzz.com ; By Jayadevan PK

Gone in nanoseconds: ID fraud too fast to control

2009-10-13T02:11:00.001+11:00

One in five Australians have been victims of identity-related crime and 1.5 million people have had their credit cards illegally copied in the past year.
And so far this year, 188 Australian ATMs have been "compromised" by ATM skimming bandits who used devices to steal customer's PIN details.
Queensland Police have today hosted a National Identity Crime Symposium on the Gold Coast with police, academics and international guests discussing ways to combat identity-related fraud.
Professor Jonathan Rusch, of the United States Department of Justice, told the conference identity fraud was one of the fastest growing crimes in the world.
He said more than 1.2 million Australians have had their bank account details illegally accessed and almost the same number of people had had their personal mail stolen in the past year.
One fifth of the Australian population had been victims of identity fraud and 1.5 million people had their credit cards compromised in the past year, he said.
Professor Rusch said in the United Kingdom, one in six people were victims of identify fraud in 2007 and in the first half of 2009, identity fraud had risen by 74 per cent.
"Card not present" fraud, which included phone and internet purchases, amounted to £328 million last year, he said.
He said the digital age meant people’s personal information was travelling "in nano-seconds through the internet."
"Information flows faster than the ability to control that flow, in some cases the consequences can be catastrophic," he said.
The speed of criminal activity was also fast, he said, with 71 per cent of frauds associated with identity crime occurring in less than one week from the time the data was first stolen.
"Fraudsters are getting more sophisticated and using more attacks of opportunity whereever they can find data exposed," he said.
A recent research into convicted identity thieves found many did not understand the harm they caused their victims.
Professor Rusch said offenders saw it as an "easy, rewarding and relatively risk-free way for them to fund their personal lifestyles."
They also believed it was big corporations and credit card companies which suffered the loss, not individual victims, he said.
Professor Rusch said a particular problem for Australia was ATM skimming, with 188 ATMs in the past year compromised by criminals using skimming devices which can be used to detect ATM users’ PINs.
"Without realising as soon as you dip in your card and enter your PIN, you’ve unwittingly transmitted your information directly to the criminals who are monitoring that ATM," he said.
"They can move very quickly to counterfeit cards and run to other ATMs and start draining money out of your bank account at great speed."
The symposium will continue until Wednesday and include several guest speakers, including academics and private sector experts on identity-related fraud.
Source:- Brisbane Times

$80 MILLION PONZI SCAM - Even Friends Got Fooled

2009-10-05T16:09:00.002+11:00

It sounded like a smart idea: investing in automated teller machines (ATMs) located in high-traffic retail locations around the country. The investors would recoup their money, plus an incredible 20-24 percent return, through the fees charged to the ATM customers. Seemed like a deal too good to pass up.

But investors should have done just that—because it was a fraud…a Ponzi scheme, to be more precise. The $80 million in investor funds raised over time weren’t used to purchase ATMs, they were used to fuel the ruse and line the pockets of the two masterminds behind the scheme.

So says a federal indictment unsealed in the Southern District of New York last week against Vance Moore, II and Walter Netschi, charged with wire fraud and conspiracy after an investigation by the FBI.

The scam. According to the indictment, Netschi and others convincingly sold the scheme to thousands of investors—mainly small private equity/hedge fund investment companies, small businesses, retirees, and even friends. Through his front company, Netschi would “sell” individual ATMs or groups of ATMs placed in areas with a lot of foot traffic—like convenience stores, gas stations, malls, and hotels.

Netschi then allegedly had the investors sign agreements with Moore’s “company” to service, process, and maintain the ATMs.

At first, investors were happy. Moore’s company allegedly sent them not only monthly financial statements listing transaction histories and fees for the ATMs, but it also wired them their share of the profits. (Little did investors know that these profits were coming not from ATM fees but from subsequent investors recruited by Netschi.)

Approximately 4,000 ATMs were supposedly purchased and serviced by Netschi and Moore, but in reality—according to the indictment—about 90 percent of these machines “sold” to investors either didn’t exist or were owned by other companies.

Then, the money to pay investors ran out—like it usually does in Ponzi schemes as they grow larger and larger and are unable to sustain themselves. For months, Netschi and Moore allegedly gave investors various explanations for the non-payments, blaming various banks and software glitches. They even went out and recruited more investors, said the indictment. But they couldn’t raise the funds they needed, and ultimately, an unhappy investor notified authorities.

And turnabout is fair play—last week’s indictment seeks $80 million in forfeiture from the alleged con artists.

How can you avoid being victimized by a Ponzi scheme? Here are a few tips:

Be careful of any investment opportunity that makes exaggerated earnings claims.
Exercise due diligence in selecting investments and the people with whom you invest—in other words, do your homework!
Make sure you fully understand the investment before you hand over your money.
Consult an unbiased third party, like an unconnected broker or licensed financial advisor, before investing.
Don’t be fooled into believing an investment is safe just because someone you know recommended it. So-called “affinity scams” are one of the favorite methods used to lure people into Ponzi schemes

Source: www.fbi.gov - 02/10/09

TECHNIQUES USED BY FRAUDSTERS ON SOCIAL NETWORKING SITES

2009-10-02T11:04:00.001+10:00

TECHNIQUES USED BY FRAUDSTERS ON SOCIAL NETWORKING SITES

Fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Other spam entices users to download an application or view a video. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected.

Another technique used by fraudsters involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software. Other malicious software gives the fraudsters access to your profile and personal information. These programs will automatically send messages to your "friends" list, instructing them to download the new application too.

Infected users are often unknowingly spreading additional malware by having infected Web sites posted on their Webpage without their knowledge. Friends are then more apt to click on these sites since they appear to be endorsed by their contacts.

Tips on avoiding these tactics:

Adjust Web site privacy settings. Some networking sites have provided useful options to assist in adjusting these settings to help protect your identity.
Be selective of your friends. Once selected, your "friends" can access any information marked as "viewable by all friends."
You can select those who have "limited" access to your profile. This is for those whom you do not wish to give full friend status to or with whom you feel uncomfortable sharing personal information.
Disable options and then open them one by one such as texting and photo sharing capabilities. Users should consider how they want to use the social networking site. If it is only to keep in touch with people then perhaps it would be better to turn off the extra options which will not be used.
Be careful what you click on. Just because someone posts a link or video to their "wall" does not mean it is safe.

Those interested in becoming a user of a social networking site and/or current users are recommended to familiarize themselves with the site's policies and procedures before encountering such a problem.

Each social networking site may have different procedures on how to handle a hijacked or infected account; therefore, you may want to reference their help or FAQ page for instructions.

Source:- Internet Crime Complaint Center (IC3)

RBI for info pool to fix frauds

2009-10-01T00:14:00.002+10:00

Mumbai :

In a bid to tackle rising frauds in the banking system, the Reserve Bank of India (RBI) has asked banks to build up a data or information pool of large-value frauds and analyse them periodically. This may act as a knowledge repository for policy responses.

The central bank has also said that in the matter of fraud investigation, banks may take immediate steps to identify staff with proper aptitude and provide necessary training to them in forensic audit so that only such skilled staff is deployed for investigation of large-value frauds.

It has been observed that the trend is more disquieting in retail segment, especially in housing and mortgage loans, credit card dues and internet banking.

Moreover, it is a matter of concern that instances of frauds in the traditional areas of banking such as cash credit, export finance, guarantees, and letters of credit remain unabated, the RBI said.

Banks are also advised to initiate necessary action at their end at the earliest.

“Banks may, with the approval of their respective boards, frame internal policy for fraud risk management and fraud investigation functions, based on the governance standard relating to the ownership of the function and accountability for malfunctioning of the fraud risk management process in their banks,” the RBI said.

Given the thin line of difference between serious wrongdoings and frauds, the bank should immediately put in place an adequately enabled and efficient ‘internal oversight framework’ that can prevent the wrongdoings and take punitive measures against the wrongdoers, the RBI said.

The Board for Financial Supervision (BFS) has felt the chief executive officers (CEOs) of the banks must provide singular focus on the “Fraud Prevention & Management Function” to enable effective investigation and prompt accurate reporting to appropriate regulatory and law enforcement authorities, including the Reserve Bank.

The board has also observed that in terms of higher governance standards, the fraud risk management and fraud investigation function must be owned by the bank’s CEO, its audit committee of the board and the special committee of the board, at least in respect of high value frauds.

Accordingly, they should own responsibility for systemic failure of controls or absence of key controls or severe weaknesses in existing controls which facilitate exceptionally large-value frauds and sharp rises in frauds in specific business segments leading to large losses for the bank.

Source: www. financialexpress.com

ICAI wings clipped over Satyam scam

2009-09-30T18:46:00.003+10:00

The finance committee will now clear spending on infrastructure

Sangeeta Singh

New Delhi: The fraud perpetrated by Satyam Computer Services Ltd’s founder B. Ramalinga Raju has claimed some collateral damage: the apex body of accountants in the country, and its current president Uttam Prakash Agarwal.

The government has, in recent weeks, tightened its control over the Institute of Chartered Accountants of India (Icai) diluting Agarwal’s own powers in the process.

The move comes ahead of crucial elections to the body founded in 1949 and which regulates the functioning of at least 150,000 chartered accountants who sign off on the financial statements of companies—a sort of first line of defence against any financial misconduct by management or promoters.

Some of the government’s actions are seen by two people, an Icai council member and an official at the ministry of corporate affairs (MCA), as a reaction to Agarwal’s handling of the Satyam scandal, an allegation Agarwal denies.

Icai’s council is the institute’s core decision-making unit.

One of the charges against Agarwal is that he has been “soft” on S. Gopalakrishnan, a partner at Price Waterhouse, which audited Satyam’s books, and now in jail as his role in the Satyam scandal is investigated. “The allegation that I have gone slow on Gopalakrishnan or produced a weak report is absolute rubbish,” Agarwal said.

investigated. “The allegation that I have gone slow on Gopalakrishnan or produced a weak report is absolute rubbish,” Agarwal said.

The most significant rule change, approved by Icai’s finance committee last week, requires all financial issues at Icai to be now cleared consensually by members of the panel, which has three government nominees. Previously, the president of Icai, the fourth member of the committee, used to take these decisions on his own without too much interference by government nominees. The fifth member of the panel is the body’s vice- president. “It has been decided that while (the) finance committee will not dig into expenditure that has been made in the past, in future, all finance-related matters of Icai will come to the finance committee; spending on infrastructure such as on Icai buildings across the country and events will also need to be cleared by the committee,” said a person familiar with the decision made by the finance committee who did not want to be identified.

This person also added that only a deviation of 20% from the proposed expenditure would be tolerated. Mint couldn’t independently ascertain whether there have been any significant infrastructural investments made by Icai in recent years and whether the projects concerned, if any, cost more than initial estimates.

The committee’s decision comes in the wake of an email sent by a government nominee on Icai’s council and Supreme Court lawyer O.P. Vaish to Agarwal on 18 August that suggested discussing the issue related to financial decisions and others at an Icai council meeting the following day. Mint has reviewed the mail, but couldn’t ascertain the status of the other points raised by Vaish.

Vaish himself couldn’t be reached for comment.

The finance committee controls the institute’s purse strings and oversees its expenditure. The audit committee is in charge of Icai’s reporting process and also recommends the appointment and removal of statutory auditors for companies.

There are eight government nominees in Icai’s council, besides 32 chartered accountants from across India who are elected to the council every three years. The government nominees include Krishna Kant, retired chief commissioner of customs and central excise; R. Sekar, commissioner of customs; K.P. Sasidharan, director general (commercial), office of CAG (Comptroller and Auditor General of India); Renuka Kumar, joint secretary, MCA; and Vaish. Sekar, Kant and Sasidharan are included in the reconstituted finance committee and the last named has been made chairman of the audit committee.

Happenings at Icai are related to the Satyam scandal that blew into the open after the company’s founder-chairman B. Ramalinga Raju confessed in January to having fudged the company’s books over the years by at least Rs7,136 crore.

“One of the key questions we sought to address after the Satyam scandal was ‘Who will regulate the regulator?’” said a second person familiar with the developments at Icai, who too did not want to be identified.

Meanwhile, Agarwal said at a Friday meeting of Icai’s council that MCA director Jaikant Singh had written a letter to the effect that Icai’s president, vice-president and council members should steer clear of all policy decisions and press statements under a code of conduct ahead of the institute’s elections due in December. Such powers have been vested with T. Karthikeyan, Icai’s secretary.

“This is unprecedented and shows lack of faith in the president by the ministry (in Agarwal),” said the Icai council member mentioned in the first instance, and who spoke on condition of anonymity.

In press statements issued immediately after he visited Gopalakrishnan of Price Waterhouse in jail in March, Agarwal had said that “prima facie Gopalakrishnan is not guilty”. Gopalakrishnan has served on the council of Icai.

“It was only last month that Gopalakrishnan was removed from several committees of the council and replaced by government nominees,” said the same council member.

Agarwal, however, would appear to have changed his stance on Gopalakrishnan. On Monday, he said the auditor was prima facie guilty. “The disciplinary committee (of Icai) also found four auditors from Price Waterhouse, Bangalore, S. Gopalakrishnan, Srinivas Talluri, P. Shiva Prasad and C.H. Ravindranath prima facie guilty of professional misconduct,” he told PTI. The council member also found fault with Agarwal’s report on how Icai was handling the issue. This report was submitted to MCA.

The report “is a mere reproduction of the charge sheet filed by CBI (Central Bureau of Investigation) and SFIO (Serious Frauds Investigation Office, part of MCA),” said the member. An MCA official who did not want to be identified declined to comment on the report itself because it is being reviewed, but said, “Agarwal has acted in an immature manner in many ways.” He added that the ministry would prefer to see “matters resolved within (Icai’s) council”.

Under the Chartered Accountants Act, 1949, the ministry has powers to direct the institute. The official claimed that minister of corporate affairs Salman Khursheed, too, was unhappy with the goings-on at Icai and had been giving its functions a miss.

Mint couldn’t independently verify this. Khursheed could not be reached for comment.

Some of Agarwal’s colleagues have also raised charges of financial impropriety against him.

In an open letter, a copy of which has been reviewed by Mint, Sunil Talati, president of Icai in 2007-08, has claimed that there have been large amounts spent unnecessarily.

Agarwal dismissed these allegations. “Since council elections are round the corner, people are trying to defame me,” he said. He added that the government had cleared the institute’s accounts till March without raising any objections. “It is easy to write open letters, but council members should prove where I went wrong.”

Source:- Live Mint

Who uses forensic accountants?

2009-09-29T21:25:00.002+10:00

Who uses forensic accountants?

Forensic accounting specialist financial investigators with financial information for transmission problems in a way that others can easily understand.

While some forensic accountants and forensic accounting specialists are included in the public practice of forensic examination, others work in the private sector for such companies such as banks and insurance companies or government agencies. Occupational fraud by employees in general, theft of property. Embezzlement, fraud is more widespread in the last 30 years. Employees can kick back schemes, identity theft, or conversion of company assets for personal use.

The forensic accountant couples observation of the suspected employees with physical examination of assets, invigilation, inspection of documents and interviews with stakeholders. Experience in this type of commitment enables the forensic accountant to offer suggestions for internal control that the owners could reduce the risk of fraud.

Sometimes, the police took accounting in May by lawyers to ensure the trail of persons suspected of involvement in criminal activities. The information provided by the police accounts may be the most effective way of belief.

The legal control may be even with the bankruptcy court, the financial information if they suspect or if employees (including managers) are suspected of activity.

Opportunities for qualified forensic accounting professionals are in private companies. CEOs must now certify that their budget is the true representation of financial position and earnings of businesses and focus more on internal controls to recognize that in these false otherwise Financials. In addition to these activities, forensic accountants may be asked to determine the amount of damages by victims, witnesses in court as witnesses and experts for the preparation of visual aids and written summaries for use in court.

Source: www.vaccountancy.com