In this data theft scenario, the IT support guy is like the butler in a classic murder novel; he did it. Adeniyi Adeyemi was an IT tech at Bank of New York Mellon. He confessed that he stole sensitive information belonging to 2,000 bank employees and that he used that data to steal more than US$1 million from charities. Technically: grand larceny, identity theft, money laundering, scheme to defraud, computer tampering and unlawful possession of personal identification information.

Adeniyi worked as a contract computer technician at the Bank’s Manhattan headquarters, and the data he allegedly stole belonged primarily to co-workers in the bank’s IT department. The police executed a search warrant at Mr. Adeyemi’s apartment on April 30, 2009. There, “investigators found dozens of Bank of New York employees’ credit reports on his computer, along with many other documents containing personal identifying information of more than 150 Bank of New York employees. In a storage locker Mr. Adeyemi rented, the investigative team found notebooks containing hundreds of names, social security numbers, account numbers, and other personal data, along with numerous credit cards in Bank of New York employees’ names. Investigators also recovered $30,000 in cash from Mr. Adeyemi’s apartment. Mr. Adeyemi was arrested in the course of the search warrant execution, and remained in custody ever since.

Adeyemi confessed to have stolen more than $1.1 million over an eight-year period from charities by transferring funds from the charities’ bank accounts into bogus accounts he’d set up using the personal information of his former co-workers, prosecutors say. He “input the charities’ banking details, including account and routing numbers, to set up wire transfers on the E*Trade and Fidelity sites from the charities’ account to his dummy accounts, and withdrew the stolen funds or transferred them to a second layer of dummy accounts,” the district attorney’s office said in its press release.

More than a dozen charities were victimized, including Goodwill Industries of Greater New York, the Jacksonville Humane Society and the International Association of Women Judges, all of which had publicized their bank account details in order to receive donations.

Adeyemi also admitted to stealing money from his former colleagues, taking control of their online bank accounts and then wiring money to his dummy accounts, the district attorney said. Wiring just under $10,000 at a time to avoid hitting the threshold at which all financial institutions must report transactions to the US Treasury, he is accused of stealing more than $128,000 from staff.

He spent the proceeds on U.S. Postal Service money orders, to pay his rent and credit cards, and to purchase goods that were then shipped to Nigeria, prosecutors said.

Interestingly, the fraud is reported to have been detected not by the bank or victims, but by the New York/New Jersey Electronic Crimes Task Force of the United States Secret Service, which began surveillance on Adeyemi after tracing suspicious Internet activity at his apartment. This investigation resulted in the search of his apartment and his arrest. This is probably just half of the story, but how the case exactly came to light is an interesting point.

How about contemporary standards for IT security in banks? Do IT staff really need access to client data at all? How about monitoring what IT staff (and bank staff for that matter) are accessing? Any red flags that should have been raised during his eight year rampage? Not only banks seems to be struggling to keep client data safe. If you look at the ‘ fraud triangle’, ‘opportunity knocked’  in this case.

http://www.businessweek.com/idg/2010-07-02/ny-bank-it-tech-pleads-guilty-to-data-theft-fraud.html

http://www.newyorkcriminallawyerblog.com/2009/10/bank_of_new_york_melon_compute_1.html

http://bit.ly/9dmraH

http://financialcrimeonline.com/archives/802

http://www.finextra.com/news/fullstory.aspx?newsitemid=20672

This week WSJ and FOX reported that Citibank is allegedly a victim of a Russian hackers ring.

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials….The threat was initially detected by U.S. investigators who saw suspicious traffic coming from Internet addresses that had been used by the Russian Business Network, a Russian gang that has sold hacking tools and software for accessing U.S. government systems. The group went silent two years ago, but security experts say its alumni have re-emerged in smaller attack groups.

U.S. banks have generally been loath to disclose computer attacks for fear of scaring off customers. In part this is an outgrowth of an experience Citibank had in 1994, when it revealed that a Russian hacker had stolen more than $10 million from customer accounts. Competitors swooped in to try to steal the bank’s largest depositors. Citibank said at the time that it was able to recover most of the money and that the attack didn’t put customer funds at risk.

The new attack targeting Citibank highlights the growing sophistication and threat posed by overseas criminal networks. “There were a couple of days of struggling,” said one person familiar with the attack. “There were some sophisticated elements that made it hard to block.”

Although the alleged Citibank attack was reported this summer, the actual hack could have taken place as early as in 2008. Any relation to the larger data breaches in Worldpay and Heartland (see earlier posts)? A Citibank spokesman denied that there was a breach of system or any fraud losses and that the FBI was not investigating a multi million dollar cyberfraud related to Citibank.

The Italian police finally caught up with one of Italy’s most wanted hackers. The suspect, Iannelli, allegedly collaborated with Camorra (Naples Mafia) organizations to hack into (“secure”) websites of online businesses. He then exploited the details of credit cards used to pay for purchases to make purchases himself or to switch funds onto payment cards that were then used to withdraw money from bank ATMs. Ianelli was arrested after Italian police pinpointed him in Thailand and Thai authorities kicked him out of the country back to Italy where police was waiting for him.

Will (y)our information be safe in 2010?

http://tinyurl.com/y87hb7n

http://www.foxnews.com/politics/2009/12/22/fbi-probes-hacks-citibank-govt-agency/

http://www.youtube.com/watch?v=gzMS-O7Gl48

The indictment alleges that the group used sophisticated hacking techniques to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards. Payroll debit cards are used by various companies to pay their employees. By using a payroll debit card, employees are able to withdraw their regular salaries from an ATM.

“..Once the encryption on the card processing system was compromised, the hacking ring allegedly raised the account limits on compromised accounts, and then provided a network of “cashers” with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from more than 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours.

The hackers then allegedly sought to destroy data stored on the card processing network in order to conceal their hacking activity. The indictment alleges that the “cashers” were allowed to keep 30 to 50 percent of the stolen funds, but transmitted the bulk of those funds back to the hackers and other co-defendants . Upon discovering the unauthorized activity, RBS WorldPay immediately reported the breach.

International cooperation was a significant factor in the resolution of this case. In a joint investigation with U.S. law enforcement authorities, Estonian Central Criminal Police apprehended 4 suspects in Estonia earlier this year. Each is facing related charges in Estonia. One suspect is also in custody in Estonia and is pending extradition to the United States. Federal prosecution of the Estonian defendants has been closely coordinated with the Estonian Office of the Prosecutor General. Furthermore, cooperation between the Hong Kong Police Force and the FBI also led to a parallel investigation in Hong Kong, resulting in the identification and arrest of two individuals who were responsible for withdrawing RBS WorldPay funds from ATMs there. The Netherlands Police Agency National Crime Squad High Tech Crime Unit and the Netherlands National Public Prosecutor’s Office also provided significant assistance…”

“Last November, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted. Today, almost exactly one year later, the leaders of this attack have been charged. This investigation has broken the back of one of the most sophisticated computer hacking rings in the world. This success would not have been possible without the efforts of the victim, and unprecedented cooperation from various law enforcement agencies worldwide,” said Acting U.S. Attorney Sally Quillian Yates of the Northern District of Georgia.

A similar breach occurred just after the RBS Worldpay breach was communicated within Heartland Payment systems, resulting in the exposure of data over 4 million cards. Suspects were arrested related to this data breach as well. Law enforcement apparently does a better and better job in the digital domain and is improving international cooperation at the same time.

Other than the direct result of criminals cloning cards and stealing money from the original card holder, which banks obviously will take as a loss, the related remediation costs are immense. Think of reissuing cards, fixing data security issues, beefing up other controls and the always difficult to measure costs of reputation loss. How much is the reputation of financial institutions nowadays anyway?

http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html

http://allpaynews.com/content/rbs-worldpay-announces-compromise-data-security-and-outlines-steps-mitigate-risk-0

http://www.v3.co.uk/vnunet/news/2234680/heartland-reveal-massive-credit

http://www.theregister.co.uk/2009/02/16/heartland_card_fraud_arrest/

http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html

http://financialcrimeonline.com/archives/540

Remember the good ol’ days when you received letters in a yellow envelop from exotic African countries (“My name is ***, I am the late son of ***,etc etc)? In this modern age you find these type of messages (or should I say business proposals) in your inbox. Even though the Modus Operandi has been out there for decades, you can still find people who pay thousands (or even millions) of dollars for all sorts of bogus legal fees and certificates in their quest to receive a multi million reward in some elaborate scheme.

Law enforcement agencies increased their internation cooperation and made some great successes. Actually stopping the crime seems to be one step too far. The cooperation with private partners also increased, especially with internet service providers and financial institutions.

So what is new? This week Microsoft signed a Memorandum of Understanding with the Nigerian Economic and Financial Crime Commission. “In Nigeria, Internet scams, identity theft, financial scams and spam are unfortunately still all too prevalent. All of this, along with rampant software policy, undermines Nigeria’s economic development and ability to attract foreign investment”. “People and businesses across Nigeria suffer at the hands of these pirates. Honest resellers lose out on productivity, software companies lose out on revenue and governments lose out on tax revenue, which could be reinvested in the country”. So it is about illegal software and 419 fraud at the same time.

EFCC under the new arrangement will leverage on the MOU for the Advance Fee coalition to finance the development of intelligent application and software that will track scam emails and explore the possibility of shutting down affected webmail addresses following due legal process.

Explore possibility? Due legal process? A great initiative by Microsoft but this choice of words is not really convincing. Understandably you can not just delete email boxes…or can you? Sending thousands of 419 emails out using your hotmail or live.com account should be a Microsoft policy violation; cancel the account.

Alternatively, if the ‘intelligent filters’ determine that an accountholder receives a suspected 419 email or sends them out, why not immediately have Microsoft (or whatever provider) follow up with an automated email, warning the recipient of the email they just received. Sending out such a warning email should not meet the same resistance from lawyers as cancelling an account will. The effect could even be better since we all know that Nigerian scamsters have plenty of email accounts to choose from. Fraudsters will find the weakest link in the chain. If Microsoft is the strongest, they will just ignore Microsoft. Education and awareness of potential victims is a great way to prevent them to fall for it. Perhaps Microsoft will explore the possibility to warn hotmail and live.com users if they receive a 419 type email. Or even explore the possibility to send thousands of emails following up on the original 419 email if it originated from Microsoft based webmail such as hotmail and live.

Private companies can do a lot to combat 419. How about internet cafes and internet providers stopping people from sending spam, banks to apply their transaction filtering to related payments, governments to increase awareness. And how about all internet service providers to filter for these emails like Microsoft does and either warn recipients or cancel accounts if they are involved in sending them out?  In the fight against child pornography the public private partnership seems to be more effective than in the fight against 419. We would not argue that 419 is a more serious problem but with a little more dedication a lot more can be done.

Enough about 419. Last thing: we know that 419 can be funny if you read and hear how the fraudsters play their role and how the victims are stupid enough to endure all these strange emails, phone calls and meetings. Check out some of these links; some of them will make you smile again.

http://www.nigeria419scam.com/

http://www.419eater.com/

http://fraudwar.blogspot.com/2005/10/419-from-other-side-of-fence.html

http://www.ic3.gov/default.aspx

http://www.scamorama.com/

Another Finish guy got a fine worth 8 days of income because he was internetting using his neighbors WiFi connection. The poor guy, a computer programmer by the way, said he had no clue he was using that connection. Piggybacking on the neighbor’s WiFi does not sound like a big deal but is illegal. How does it get detected if you just enjoy the ride? In 2007 a man in Cedar Springs, Mich., was fined $400 for mooching off somebody else’s wi-fi–a police officer spotted him laptop-surfing in a parked car. Apparently that violates Title 18, Part 1, Chapter 47 of the United States Code, which covers anybody who “intentionally accesses a computer without authorization or exceeds authorized access.”  If we see the Cedar Spring case as the  equivalent of a Finnish 8 day fine this man makes $50 a day. It’s (again) all about the money.

http://www.globalmotors.net/finnish-millionaire-gets-111888-euro-speeding-ticket/

http://www.time.com/time/magazine/article/0,9171,1813969,00.html

http://compnetworking.about.com/od/wirelessfaqs/f/legal_free_wifi.htm

http://www.telegraaf.nl/digitaal/3634573/__Boete_voor_surfen_op_netwerk_buren__.html?p=14,2

http://www.nw3c.org/

http://www.usdoj.gov/criminal/cybercrime/index.html

http://www.ic3.gov/default.aspx

http://www.cnn.com/2009/TECH/03/30/internet.crime/index.html