Financial Activities TroubleGP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-03-01T05:00:00Z, Holly Gilbert Stowell<p>​The insider fraud that took place at Wells Fargo is still being investigated, but experts say the scam that involved the creation of 2 million unauthorized customer accounts is unprecedented. Beginning as early as 2011, thousands of Wells Fargo employees created bank accounts for existing customers without authorization, and generated millions of dollars in fees that profited the company along the way. </p><p>“Wells Fargo employees secretly opened unauthorized accounts to hit sales targets and receive bonuses,” said Richard Cordray, director of the Consumer Financial Protection Bureau (CFPB) in a statement. </p><p>The CFPB went onto say that workers even created fake PIN numbers and phony email addresses to fraudulently create the accounts. The bank will pay $185 million in fines to the bureau and $5 million to customers for their losses.</p><p>During a U.S. Congressional hearing in which then-Wells Fargo Chairman and CEO John Stumpf testified before lawmakers, U.S. Rep. Maxine Waters (D-CA) called the event “some of the most egregious fraud we have seen since the foreclosure crisis.”</p><p>Stumpf stepped down in October 2016 as leader of Wells Fargo, and forfeited $41 million in stock awards and part of his 2016 salary and bonus. Since the scandal was uncovered, the bank has fired at least 5,300 employees.</p><p>While the ethics scandal at Wells Fargo garnered international attention, insider fraud and theft by employees has become increasingly prevalent at financial institutions. In 2014, New York Attorney General Eric T. Schneiderman announced the arrest of an identity theft ring that had siphoned $850,000 from a bank’s customer accounts with the help of several tellers at banks in New York City and surrounding counties. </p><p>In 2015, two private bankers with J.P. Morgan Chase were indicted for funneling $400,000 from Social Security accounts of 15 people, some of whom were deceased, according to court documents from the Brooklyn District Attorney’s office. </p><p>Schneiderman later sent a letter to several large banks, including J.P. Morgan Chase, Bank of America, and Wells Fargo, urging the financial institutions to rein in their employees’ access to customer data. The Wall Street Journal first reported on the letter, which it obtained in June 2015. Schneiderman said that teller theft was the number three cause of data breaches in the state of New York, just behind poor cybersecurity and lost or stolen equipment. </p><p>Schneiderman concluded that “much of the wrongdoing could have been caught if the banks had noticed and shared red flags; for example, an employee accessing an unusually large number of accounts or looking up accounts without dealing with those customers,” according to the article. ​</p><h4>Access to Information</h4><p>Experts say that an increase in theft and fraud has been accompanied by an evolution in the banker’s role. The traditional role of the teller who sits behind a desk counting dollar bills has progressed with the proliferation of the Internet and other digital tools. </p><p>“Technology now handles so many of the traditional teller transactions, like checking your balance or moving your money,” says Dr. Kevin Streff, associate professor and director of the Center for Information Assurance at Dakota State University. “Those kinds of transactions that used to be handled by people are now handled by automation for a large part, so the teller’s responsibility then moves up to the next level of service to the customer.” </p><p>Such transactions include changing personally identifiable information details on accounts, all available to tellers with the click of a button. </p><p>“Technology in general makes it so much easier to get the information that we’re talking about; there’s no question that’s increased the risk for internal theft cases,” says Kevin Smith, CPP, former senior vice president and corporate security director at Chevy Chase Bank and member of the ASIS International Banking and Financial Services Council. </p><p>But with the proliferation of ATMs and online banking services, this increased access to information is coupled with a diminished demand for tellers. They don’t garner the largest salaries—on average, tellers make about $13 an hour, or $27,000 a year, according to 2015 statistics from the U.S. Bureau of Labor. Experts say these low wages, combined with tempting sales-goal incentives, can create a formula for theft and fraud. </p><p><strong>Theft.</strong> Streff notes that the black market for customer records, credit card information, and other sensitive data is based on supply and demand, and the current supply is high. Therefore, employees will be tempted to steal more records to make the most money. </p><p>“It’s still very motivating to get 1,000 payment cards from a bank, and even if you can only get $25 a card, that’s still $25,000,” he says.</p><p>And there are plenty of bad actors waiting on the other side of the Web to help them carry out the crime. “The bad guy externally has the skill, the insider has the access privileges and the rights and trust, and that together creates the perfect storm to be able to complete that cybercrime,” Streff explains.</p><p>He recounts such a situation investigated by his firm Secure Banking Solutions, a cybersecurity company focused exclusively on the banking sector. </p><p>“We saw a situation at a Midwestern bank where a couple of tellers were printing about eight customer records each per day for about a year, and then they were putting them in their bags or purses and walking out the door,” Streff says. “So eight customer records a day is about $200 a day—there’s a nice little augmentation to their salary.”  </p><p>During his long tenure as a security director and vice president at banks across the country, Smith says he dealt with a similar situation during a merger and acquisition. </p><p>“The criminals were focused on the fact that the employees would no longer have allegiance to the company” that was being acquired, he says. “We apprehended one of our employees working at a call center that was selling customer information in the parking lot to someone that had approached them and said, ‘I’ll give you $50 for every name, address, telephone number, and date of birth that you can give me.’” </p><p><strong>Incentives.</strong> Scamming customers with help from the outside is just one of many risks faced by financial institutions. Corporate culture can become the catalyst for bad behavior as well. </p><p>During the U.S. House Congressional Services Committee hearing on Wells Fargo, lawmakers criticized the sales incentives that offered rewards to employees who opened a certain number of accounts. CNN Money reported in September 2016 that Wells Fargo employees had complained about the “pressure cooker environment” created by these “wildly unrealistic” sales goals. </p><p>Stumpf testified before the committee that sales goals were being eliminated companywide in January 2017 as a result of the scandal. </p><p>While this practice had become toxic at Wells Fargo, other banks rely heavily on the motivation behind such goals. </p><p>“The reality is that many companies, particularly smaller companies, survive on those sales goals,” says Smith, adding that common practice is to reward not only tellers, but managers and senior executives when their employees reach those goals. </p><p>This practice can lead to fraudulent behavior when employees are pressured to meet goals or face negative repercussions for not doing so. “When you dangle the guillotine over someone’s head and say ‘If you don’t do this, this thing is going to happen to you.’ Well come on, leadership gets exactly what they deserve,” says Clint Hilbert, owner of Corporate Protection Technologies, LLC. “They’re actually promoting that behavior.” </p><p>Hilbert says that a series of checks and balances within the company will help prevent fraud from occurring. </p><p>“The checks and balances have to be built in from the time you’re pursuing a market to the time you’re reinvesting your profits,” he says. “All of those stages in between have to have checks and balances that can be independently surveyed.” </p><p>Smith echoes the concern regarding a competitive sales environment, and notes that management can often become a part of the problem. </p><p>“Hypothetically, I think what happens in those situations is people are incented to sell, sell, sell,” he says. “And if the person monitoring that activity is also gaining from the sell, sell, sell, they’re disincentivized from identifying any problems.” </p><p>Having an independent third party or group outside the management chain to audit sales activity ensures that banks aren’t engaging in fraudulent behavior.​</p><h4>Management </h4><p>Experts say that engaging employees and giving them a sense of buy-in at the company is a first step to keeping them from becoming an insider threat, and treating whistleblowers with fairness and exercising transparency can help leadership build trust. </p><p><strong>Whistleblowers.</strong> Since the Wells Fargo scandal came to light, employees have come forward saying that they were fired or punished for blowing the whistle on the fraudulent activity taking place. </p><p>In a November 2016 letter to new Wells Fargo President and CEO Timothy Sloan, U.S. Senators Elizabeth Warren (D-MA), Robert Menendez (D-NJ), and Ron Wyden (D-OR) inquired about the firing of certain employees, writing that “the bank may have done so to retaliate against whistleblowers.” </p><p>Former employees told NPR News that they received bad marks on their U5 forms—a system set up and operated by the Financial Industry Regulatory Authority—after pointing out the fraudulent behavior. Those forms are essentially used as a permanent record of their employment history as a banker. Wells Fargo says it is investigating those claims.  </p><p>Hilbert says that anyone who raises a red flag about company practices should be treated with fairness, whether they are right or wrong. </p><p>“The first time you publicly fry a whistleblower, you no longer have ownership by the employees,” Hilbert says. “Even if the whistleblower is 100 percent wrong, there has to be transparency because that’s where you’re going to lose trust.” </p><p>Rather than creating a culture where managers are pitted against employees, Hilbert says, creating mutual respect will fuel the two-way relationship. He adds that employees essentially should respect the company more than they respect their coworkers who engage in bad behavior so that they report any incidents. </p><p> “You have to be transparent, you have to be honest, and you have to communicate—therein lies the basis of every relationship,” he says. “That trust today is such an important factor for the C-suite to embrace.”</p><p><strong>Hiring and training.</strong> Increasing levels of responsibility for tellers ought to be supplemented with more security training and better hiring practices, Smith says. And security compliance and training programs should be ongoing to keep employees engaged with banking best practices. </p><p>“Those types of training programs on ethics in the workplace really have to be an integral part of the program coming through the door, and they have to be emphasized on a regular basis,” he notes.  </p><p>For many bank workers, it may be their first job, meaning they haven’t had exposure to security or compliance training in the past. </p><p>“These tellers and call center employees can be right out of high school,” Smith says. “It’s an entry-level position, and you really need to drive that point home about ethics in the workplace because they’ve never had that training before.” </p><p>Hiring people with the right background is critical for employees that will be handling sensitive customer information. Banks can take advantage of access to law enforcement to conduct background checks. </p><p>“In the financial services industry, background investigations are critical,” Smith says. Under Federal Deposit Insurance Corporation (FDIC) rule number 19, banks can get permission to go directly to the FBI for such background screening. </p><p>Smith adds that under these regulations, banks are also prohibited from hiring someone who has been convicted of a theft or a breach of trust offense. </p><p><strong>Monitoring.</strong> Supervisors need to be the first line of defense when it comes to ensuring their employees aren’t engaging in bad behavior, Smith says. He explains that several technological tools are available to help produce reports using data from employee transactions. Using those reports, supervisors “ought to identify what the typical pattern is for their employees…and develop a report that would alert to out-of-pattern activity.”  </p><p>A worker accessing unusual amounts of customer information could be a tipoff to fraudulent behavior. “Let’s say typical daily activity for a teller is servicing about 50 accounts,” Smith says. “If you find that they’re looking at 300 accounts, that’s out-of-pattern activity and should be investigated.” </p><p>Streff adds that while technology is a great tool, creating awareness within the company is invaluable. “Certainly you want controls in place that lock things down, you want sensors to identify anomalous behavior, but you want to create an awareness in your workforce to be a protection as well,” he says.  </p><p>And employees at all levels can be the best tools for fighting insider threats, Hilbert says. “If you have 100 employees, you have 200 eyes,” he notes. “And if you can motivate those employees to do your camera work for you, you’ve got the best camera system that money can buy.”  ​ ​</p>

Financial Activities Trouble to Bank On Under Control’s-Responsive-Banking-Concept-Enhances-ATM-Security-and-Service.aspx2014-12-02T05:00:00ZDiebold’s Responsive Banking Concept Enhances ATM Security and Service Releases 'Culture of Compliance' Guidance for Financial Institution Leaders Releases 'Culture of Compliance' Guidance for Financial Institution Leaders on a Security Upgrade, Money Laundering Are Top Threats Facing the Financial Industry in 2014 Money, Real Crime Economics to Fight Terrorists Discusses Efforts to Prevent Fraudulent Transactions Warns Data Brokers Digital Armor Announces Partnership with NASDAQ 10 Performing Security Industry Stocks for February 10 Performing Security Industry Stocks for January on Security 10 Performing Security Industry Stocks for December Combats Fraud with IronKey Financing, Money Laundering, and Tax Evasion 10 Performing Security Industry Stocks for October

 You May Also Like... SSH Facts<p>​Tatu Ylonen is the inventor of Secure Shell (SSH), a software package that enables secure system administration and file transfers over insecure networks. He is the CEO and founder of SSH Communications Security, and author of the Internet Engineering Task Force standards on SSH protocol.</p><p><strong>1. Creation. </strong>After discovering a password sniffer had been used on his Finnish university’s network, Ylonen created SSH in 1995 to allow him to securely login remotely to his company over the Internet. SSH is used to manage networks, encrypted file transfers, and secure machine-to-machine automation. SSH is now used by almost every data center in the world and more than half of the world’s Web servers are managed using SSH.</p><p><strong>2. Keys.</strong> SSH works by giving users cryptographic keys, which function like usernames and passwords. These SSH keys grant access to systems and are typically used by system administrators. They also enable automation, which allows cloud services to function. A systems administrator can create a new SSH key in less than a minute, and many organizations have keys that were created once and never used again. For instance, a recent audit of a major financial institution’s systems found that of the thousands of SSH keys that had access to its data, 90 percent were not being actively used.</p><p><strong>3. Risk. </strong>Hackers can use compromised SSH keys to gain access to servers, spreading an attack throughout the server infrastructure from one data center to another. If a Fortune 500 company’s information systems—including servers and disaster recovery data centers—went down, the organization would not function. In the worst-case scenario, the servers would be severely damaged.</p><p><strong>4. Management. </strong>In protecting physical spaces, security experts decide who has access to what parts of the facility and then put in place systems and processes to grant and revoke that access. The same approach needs to be taken to SSH key management; security starts by controlling who is given access to corporate data and systems. Security should go through the company’s systems and find out what SSH keys are still valid, revoke those that are no longer needed, and create a process for issuing and revoking new keys.</p><p><strong>5. Regulation. </strong>The U.S. National Institute of Standards and Technology (NIST) published a paper by Ylonen and others on SSH key management in 2015. Since then, the PCI Security Standards Council has addressed SSH key management in its newest regulations and NIST has done the same for federal agencies. Ylonen predicts that in five years, key management will become a major focus for almost all industry verticals.</p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465’s-Responsive-Banking-Concept-Enhances-ATM-Security-and-Service.aspxDiebold’s Responsive Banking Concept Enhances ATM Security and Service<p>​</p><p>Diebold has fielded an array of new technologies and capabilities in what the company describes as a branch transformation solution. The solution, unveiled at last month's Money 20/20 conference in Las Vegas, consists of an ATM that weaves innovations in security, design, technology, user experience research, and feedback from financial institutions. Diebold describes the result as four distinct "experience zones" designed to blur the lines between face-to-face, online, and mobile banking. Security technologies such as IP video, privacy glass, and directional audio are key factors in the solution.</p><p>Customers are initially greeted with video tower walls designed to attract passersby with dynamic content management. The kiosks use near-field communication, proximity sensors, and motion detection to securely identify customers. Cardless transactions are authenticated by smart phones that then become the primary user interface for the banking transaction. Those without smart phones can still use 19-inch touch monitors that protect sensitive information with a privacy filter that limits visibility of sensitive information. A smaller secondary touch screen on a lower work service provides an even greater degree of privacy and accommodates customers with accessibility requirements. </p><p>Customers unfamiliar with the service or who have more complex transactions are able to bring up additional assistance in the form of and "intelligent" avatar that uses natural language recognition to interact with the customer and handle more advanced tasks. Customers are also able to connect through two-way video with remote financial advisors who can provide the personal consulting previously only available in a branch location. </p><p>The responsive banking concept is intended for high-traffic areas such as transportation hubs, shopping centers, and retail locations. Another use case in the financial sector is branch lobbies, affording customers more accustomed to banking in a branch with an opportunity to have bank staff assist as needed and facilitate the transition. </p><p>"All of our customers are engaged in branch transformation projects aimed at transforming their branch networks to be more cost effective while better promoting their products and services," says Devon Watson, Vice President of New Business & Solution Incubation for Diebold. For such in-lobby uses, Diebold offers a app that from which bank staff to monitor operations such as cash levels and assist customers whose transactions are taking longer than average. </p>GP0|#3795b40d-c591-4b06-959c-9e277b38585e;L0|#03795b40d-c591-4b06-959c-9e277b38585e|Security by Industry;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Review: Workplace Safety<p>Butterworth-Heinema​nn;; 180 pages; $49.95.</p><p>The threat of workplace violence is a continuous issue affecting the well-being of the American workforce. Horrific reports and images of violent acts in the workplace appear far too often in the media, disrupting the safety, well-being, and productivity of the general public. </p><p>In an attempt to help businesses and organizations deter or deflect these violent acts, Randall W. Ferris and Daniel Murphy authored <em>Workplace Safety: Establishing an Effective Violence Prevention Program. </em>This is a well-intended book designed to help organizations with the development of policies and practices to prevent violence in the workplace. The book offers information on applicable topics, including relevant definitions, justifications for workplace violence procedures, explanations of various types of violence, environmental causes, and possible motives behind the attacks, as well as details for creating and implementing methods to prevent violent incidents. The authors draw from the guidelines presented in the Occupational Safety and Health Administration’s standards for the prevention of workplace violence as their primary source of creditable information.</p><p>The book reads more like a how-to manual than a professional publication. The chapters are consistently formatted with a motivational quote, chapter contents, an abstract, and applicable key words. The chapters include various personal experiences from the authors, fictitious scenarios, and bulleted or numerical lists pertaining to the chapter’s content. Further diluting the professionalism is the use of common or slang terms in text that is often brash or casual. </p><p>There is value here for some audiences. For organizations that have not developed procedures to deter or respond to violent incidents in the workplace and those that do not understand the concept of these issues, this could be a helpful guide. Those working in human resources or facility management and individuals who are new to security management can gain some useful information. Also, managers desiring to completely redesign or reevaluate their workplace violence policies might use this book as a starting point. However, it should be viewed as a supplemental publication and not a primary source. Workplace Safety: Establishing an Effective Violence Prevention Program will not impress the educated or experienced reader or introduce new concepts that have not been previously explored. </p><p><em><strong>Reviewer: Joseph Jaksa, Ph.D., CPP, </strong>is an associate professor of criminal justice at Michigan’s Saginaw Valley State University. He is a member of ASIS International and the Saginaw Valley Chapter of ASIS.  </em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465