24 October 2006

Know Your Domain: Alias Fraud Gains Millions...

The latest Alias Fraud is a "Rogue Wave" heading towards the bow of a financial broker near you. Even at companies like E*Trade, which have been advocating the use of RSA SecurID for their clients, the losses continue: $18 million stolen.

"Internet crimes that result in the theft of personal and financial data from consumers continue to be a significant and global problem," FBI spokesman Paul Bresson said. "We work closely with our foreign law-enforcement counterparts to pursue these cases with all applicable laws."

Bresson declined to comment on the FBI investigation. John Heine, a spokesman for the SEC, and NASD's Herb Perone also declined to comment.

Some of the losses were straight theft. In his presentation, Walsh of the SEC explained how criminals use personal information such as Social Security numbers to break into accounts. Once in control, they loot the accounts by selling securities and wiring out the proceeds far from the U.S.

'Pump and Dump'

The online version of the "pump-and-dump" fraud sets off few security alerts at brokerage firms because no money is withdrawn from the compromised accounts, Walsh explained.

"This is an increasingly popular variation," he said in Phoenix. "If you are looking for a single 'hot topic' in the world of identity theft, this is it."

In "alias fraud," a thief opens an account in an individual's name, then uses it for illegal trading or money-laundering. Because the victim's name is on the account, he or she appears responsible for the crimes.


Two-factor authentication is not a new topic to these organizations. The FFIEC has been providing guidance, and there is now a December 31 deadline for addressing this issue. Back in August, this Operational Risk Blog discussed this very topic:

One way to solve the issue is to find a company that has cleared all of these technology hurdles and has found a viable solution for FFIEC compliance. See Boulder, Colorado-based Authenticol to add to your short list.


The answers for the banks and financial services companies are out there. What is more difficult to address are the processes and the enterprise architecture needed to accomplish the goal of reduced operational risks, whether these come from external fraud by foreign transnational crime syndicates or from the stealth employee walking out the door with proprietary client information on a 2GB Jump Drive on their keyring. Do you really believe that all of these hackers are just getting lucky that the trojans and key loggers they have propagated end up on the home desktops of E*Trade consumers?

"Insider Information" comes in all kinds of forms, whether it be stolen client information or the loose lips of a person with access to vital M&A information.

The bulk of the money allegedly made in the case by two former Goldman Sachs employees resulted from tips from an analyst with information about Wall Street deals and a grand jury member who knew about a probe of accounting fraud accusations against Bristol-Myers Squibb Co. and several of its executives, the government has said.

The case came to the attention of authorities when regulators noticed unusually high trading volume before a merger announcement and discovered that a 63-year-old retired seamstress in Croatia -- the aunt of one of the defendants -- had made more than $2 million.

The plot involving Schuster, however, showed the lengths to which those involved in the insider trading plot would go to gain an edge in the market.


In the words of one very respected and experienced investigator we recently had the pleasure of speaking with: "Know Your Domain." In a recent survey by the Privacy Rights Clearinghouse and the National Association for Information Destruction Inc.:

Percentage of business executives who do not know what their companies do to ensure the destruction of information on obsolete computers: 77%
