Insider Fraud: Customers’ money amounting to over $19 million!!

Citibank was in deep trouble after the fraud took place. Federal authorities investigated, and following an FBI investigation they arrested Gary Foster, who had worked in Citi’s treasury finance department. Foster was found to have allegedly embezzled more than $19 million from Citi and its customers. It was the second public blow for Citi within two months: earlier, customer accounts had been compromised by hackers. Many people called on Citi to take the necessary action and ensure it doesn’t happen in future.

Can you believe the reason behind it??

“How Trusted Employees Steal Millions and Why It’s So Hard for Banks to Stop Them”

It was found that the reason behind it was poor internal controls. Most banks have done a poor job of keeping up with internal threats. One cause might be that banks have reduced spending on internal controls and fraud detection because of very tight budgets. It was a reprise of the internal frauds that happened at Bank of America and BofA. In the latter case the employee had been accused not of embezzlement, but of leaking customer names, addresses, Social Security numbers, phone numbers, bank account numbers, driver’s license numbers, birth dates, e-mail addresses, family names, PINs and account balances to a ring of criminals. In the former case, at Bank of America, customer accountholder information was compromised.

The employee who committed it was clever!!

It was a classic case of insider fraud. Many banks monitor their employees to detect various types of fraud, but Citi did not have that kind of monitoring in place. According to the complaint filed by the U.S. Attorney, Foster (the former Citibank employee) transferred money from various Citigroup accounts to Citigroup cash accounts and then used the ACH rails to fraudulently wire funds to his personal account at a different bank. He was either very clever or was leading a double life that only caught up with him after he left his post at Citi. Between July 2010 and December 2010, Foster allegedly moved $900,000 from Citigroup’s interest expense account and $14.4 million from the bank’s debt adjustment account to the cash account. From there, in eight separate wire transfers, he had the funds routed to an outside, personal account.

In this case, the activity was outside his normal duties. Usually, ACH and wire transactions need to be authorized by a higher officer; Foster was working in the finance department and was not an officer. Transaction monitoring, such as the anomaly detection called for in the new FFIEC guidance, would have picked up the fraud very early. Historically, the ACH and wire channels have not had sophisticated fraud-detection capabilities, and insiders who know this see an opportunity for inside jobs. They take advantage of the trust of their co-workers, management and the company. Even without transaction monitoring in place, some behavioral triggers should have alerted executives at Citi.
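Two of the controls the paragraphs above point to, dual control on outbound ACH/wire transfers and monitoring for the sweep-then-wire pattern described in the complaint, as an added example run over a constructed ledger. This is illustrative code, not Citi’s monitoring and not the FFIEC guidance itself; the names, amounts and account labels are made up.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Transfer:
    txn_id: str
    when: date
    initiator: str
    approver: "str | None"   # officer who authorised it; None if nobody did
    src: str
    dst: str
    external: bool           # True when dst is outside the bank
    channel: str             # "journal", "ACH" or "wire"
    amount: float

# Constructed sample ledger (not Citi's records); only the account labels mirror the complaint.
SAMPLE = [
    Transfer("T1", date(2010, 7, 6), "gfoster", None,
             "GL:interest_expense", "GL:cash", False, "journal", 300_000.0),
    Transfer("T2", date(2010, 8, 2), "gfoster", None,
             "GL:debt_adjustment", "GL:cash", False, "journal", 4_000_000.0),
    Transfer("T3", date(2010, 8, 3), "gfoster", None,
             "GL:cash", "EXT:personal-acct", True, "wire", 4_300_000.0),
    Transfer("T4", date(2010, 9, 14), "jdoe", "mofficer",
             "GL:cash", "EXT:vendor-acct", True, "ACH", 12_000.0),
    Transfer("T5", date(2010, 9, 15), "mofficer", "mofficer",
             "GL:cash", "EXT:vendor-acct", True, "wire", 50_000.0),
]

def unauthorised_outbound(transfers):
    """Rule 1 (dual control): an outbound ACH or wire needs approval by an
    officer other than the person who keyed it. Returns offending txn ids."""
    return [t.txn_id for t in transfers
            if t.channel in ("ACH", "wire") and t.external
            and (t.approver is None or t.approver == t.initiator)]

def sweep_then_wire(transfers, window_days=30):
    """Rule 2 (the pattern in the complaint): the same person moves money from
    an internal ledger account into the cash account, then wires it out from
    that account within window_days. Returns {wire_id: amount swept before}."""
    hits = {}
    for w in transfers:
        if not (w.channel == "wire" and w.external):
            continue
        swept = sum(s.amount for s in transfers if s.initiator == w.initiator
                    and s.dst == w.src and not s.external
                    and 0 <= (w.when - s.when).days <= window_days)
        if swept > 0:
            hits[w.txn_id] = swept
    return hits
```

On the sample ledger, rule 1 flags the unapproved wire T3 and the self-approved wire T5, while rule 2 ties T3 to the $4.3 million swept into the cash account in the preceding month.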


Covert hard drive fragmentation embeds a spy’s secrets

GOOD news for spies. There is now a way to hide data on a hard drive without using encryption. Instead of using a cipher to scramble text, the method involves manipulating the location of data fragments.

The inventors say their method makes it possible to encode a 20-megabyte message on a 160-gigabyte portable hard drive. It hides data so well that its existence would be “unreasonably complex” to detect, they say.

Encryption should sometimes be avoided, says Hassan Khan at the University of Southern California in Los Angeles, because the gobbledegook it creates is a dead giveaway: it shows someone might have something to hide. That could spell disaster for someone trying to smuggle information out of a repressive country.

So “steganography”, hiding data in plain sight, is coming to the fore. Normally, data intended to be secret is added to the pixels in digital images, or used to change the transmission timing of internet packets. But these techniques are well known and easily detected, says Khan. So, with colleagues at the National University of Science and Technology in Islamabad, Pakistan, he has developed an alternative.

Their technique exploits the way hard drives store file data in numerous small chunks, called clusters. The operating system stores these clusters all over the disc, wherever there is free space between fragments of other files.

Khan and his colleagues have written software that ensures clusters of a file, rather than being positioned at the whim of the disc drive controller chip, as is usually the case, are positioned according to a code. All the person at the other end needs to know is which file’s cluster positions have been encoded.

The code depends on whether sequential clusters in a file are situated adjacent to each other on the hard disc or not. If they are adjacent, this corresponds to a binary 1 in the secret message. If sequential clusters are stored in different places on the disc, this encodes a binary 0 (Computers and Security, DOI: 10.1016/j.cose.2010.10.005). The recipient then uses the same software to tell them the file’s cluster positions, and hence the message. The researchers intend to make their software open source.
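The encoding rule above, simulated on a made-up cluster map, as an added example that is not the researchers’ software: `place_clusters` chooses a chain for a carrier file so that each transition between consecutive clusters carries one bit, and `extract_bits` is the decode a recipient, or an investigator checking a suspect file, would run over the chain. Clusters are plain integers here and nothing touches a real filesystem.

```python
from typing import List, Iterable

# Simulated cluster map: clusters are integers and "adjacent" means n and n+1.
# Added illustration of the published rule (adjacent -> 1, elsewhere -> 0);
# it is not the researchers' tool and never touches a real disc.

def bits_from_bytes(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def bytes_from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def place_clusters(n_clusters: int, bits: List[int], free: Iterable[int]) -> List[int]:
    """Pick a cluster chain for a carrier file of n_clusters clusters so that
    transition i (cluster i -> i+1) is adjacent for bit 1 and non-adjacent for
    bit 0. A file carries n_clusters-1 bits; spare transitions encode 0.
    Placement looks one step ahead: a cluster chosen before a '1' must have a
    free neighbour to its right."""
    free = set(free)

    def want(i: int) -> int:  # bit carried by transition i -> i+1
        return bits[i] if i < min(len(bits), n_clusters - 1) else 0

    chain: List[int] = []
    for i in range(n_clusters):
        if chain and want(i - 1) == 1:
            cands = [chain[-1] + 1]                   # must sit right after
        else:
            cands = sorted(c for c in free if not chain or c != chain[-1] + 1)
        need_next = want(i) == 1
        ok = [c for c in cands if c in free and (not need_next or c + 1 in free)]
        if not ok:
            raise ValueError(f"no usable free cluster for file cluster {i}")
        chain.append(ok[0])
        free.discard(ok[0])
    return chain

def extract_bits(chain: List[int]) -> List[int]:
    """What the recipient (or an investigator) runs over a file's cluster
    chain: adjacent successor -> 1, anywhere else on the disc -> 0."""
    return [1 if b == a + 1 else 0 for a, b in zip(chain, chain[1:])]

def roundtrip(message: bytes, free: Iterable[int]) -> bytes:
    bits = bits_from_bytes(message)
    chain = place_clusters(len(bits) + 1, bits, free)
    return bytes_from_bits(extract_bits(chain))
```

Run over an ordinary file, `extract_bits` yields whatever fragmentation the allocator happened to produce, which is exactly why the pattern is hard to distinguish from normal wear.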

“An investigator can’t tell the cluster fragmentation pattern is intentional – it looks like what you’d get after addition and deletion of files over time,” says Khan. Tests show the technique works, as long as none of the files on the hard disc are modified before handover.

“The real strength of this technique is that even a completely full drive can still have secret data added to it – simply by rearranging the clusters,” adds Khan.

Others are impressed with the technique but see limitations.

“This type of steganography could be used by spies, police or informants – but the risk is that it requires direct contact to physically exchange the USB device containing the secret data,” says Wojciech Mazurczyk, a steganographer at Warsaw University of Technology in Poland. “So it lacks the flexibility of internet steganography. Once you embed the secret data on the disk it is not easy to modify it.”

But won’t making the covert hard disk software open source – as the group plans – encourage its use by criminals and terror groups?

“It’s how security vulnerability disclosure works,” says Khan. “We have identified that this is possible. Now security agencies can devise techniques to detect it.” He adds that his team have had no issues with either US or Pakistani security agencies over their development of this secret medium – despite current political tensions between the two nations.

“The use of steganographic techniques like this is likely to increase,” says Fred Piper, director of information security at Royal Holloway, University of London. “Eavesdroppers can learn much from the fact that somebody is encrypting a message.”

How Did That Towel End Up in My Suitcase?

Hotel guests may want to think twice now before walking off with that bathrobe. Linen Technology Tracking, a company in Miami, has patented a washable RFID chip that can be sewn into towels, robes and bed sheets, allowing hotels to keep track of their linens.

So far, three hotels — in Honolulu, Miami and Manhattan — are using the chip, said Linen Technology Tracking’s executive vice president, William Serbin. He said the hotels did not want their names used.

Mr. Serbin added that rising cotton prices were a motivation: “A bath towel that might have cost $5 last year could cost $8 or $9 now. High-end hotels want to watch those assets.”

The Honolulu property, which introduced the technology last summer, has reduced theft of its pool towels from 4,000 a month to just 750, saving more than $16,000 a month, Mr. Serbin said.

But the technology isn’t just about foiling thieves. The tags let properties monitor their linens in real time, so that at any given moment they know when they need to order more. With inconsistent room occupancy, some hotels have been buying new linens less frequently, Mr. Serbin said.

Controls and Governance for Cloud Computing

Of late, cloud computing has grown from being a promising business concept to one of the fastest growing segments of the IT industry. Companies have recognised that by simply tapping into the cloud they can gain fast access to best-of-breed business applications or drastically boost their infrastructure resources, all at negligible cost. But as more and more information on individuals and companies is placed in the cloud, concerns are growing about just how safe an environment it is: cloud computing is fraught with security risks, and more and more concerns are being raised about them.


Understanding PCI DSS compliance requirements

The Payment Card Industry Security Standards Council (PCI SSC) has prescribed the PCI Data Security Standard (PCI DSS) for keeping payment cardholder data secure. PCI DSS applies to any business that stores, processes, or transmits cardholder data. In practice, this means PCI applies to all merchants that accept card payments, as well as to the member financial institutions and service providers that process the associated transactions. A matrix of the compliance requirements prescribed by PCI SSC is given in the table below. Before studying the table, it would be helpful to understand the terms cardholder data, merchant, service provider, acquirer, application scanning vendor and qualified security assessor.