Identity Theft: Banks challenged by inside jobs
Workers a threat to consumers, experts say
BY PAUL NOWELL
THE ASSOCIATED PRESS
CHARLOTTE, N.C. -- When two of the nation's largest banks were forced to notify thousands of customers that their financial records might have been stolen, there wasn't a hacker, a missing laptop or a lost box of backup computer tapes to blame.
This time, police believe, customers of Wachovia Corp. and Bank of America Corp. were the victims of bank employees, workers whose jobs at the Charlotte, N.C.-based banks granted them access to information valuable enough to sell for $10 an account.
Security experts believe it's that battle against insiders -- the theft of Social Security numbers and other sensitive data by those with the authority to access it -- that will consume banks and other financial institutions as they fight a recent run of security breaches that doesn't appear to be waning.
"We've got a nasty problem, and it keeps getting worse over the past couple of months," said Peter Neumann, a security expert with SRI International in Menlo Park, Calif. "Insiders have always been a concern, it's just that (institutions) are finally admitting it."
Security experts such as Neumann believe inside jobs have the potential to be far more damaging to consumers than accidental losses of data, or attacks by hackers similar to one disclosed June 17 at Atlanta-based CardSystems Solutions Inc., which exposed 40 million credit and debit card accounts.
And the protections banks use to thwart hackers -- firewalls and encryption, for example -- have no ability to stop ill-intentioned employees who have authorized access to secure information.
The insider case at Bank of America, Wachovia and two other banks could prove to be far worse for consumers, said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc., an information technology research firm.
"It may not be bigger, but that stuff is a lot more dangerous," Litan said.
Among the steps banks can take to fight insider ID theft is to individually limit each employee's access to customer information, Litan said. Such a system specifies exactly what customer information each employee can see, touch and update.
Another way to police insider theft is "the intimidation factor," said Jim Stickley, chief technology officer at TraceSecurity. While some workers might complain that their rights are being infringed by aggressive monitoring of their work activities, he said they need to understand "they are dealing with extremely confidential information that can wreck a lot of peoples' lives."
But in the end, even the experts said protecting sensitive information from insiders comes down to basic human honesty.
"If someone wants to do it, they are going to do it," Stickley said.
It only makes sense to protect our identity and credit rating by subscribing to the Identity Theft Shield.