Criminal gangs "placing moles in banks"

Expert claims criminal gangs are infiltrating banks to steal data

Asavin Wattanajantra
2 Oct 2008

The banking industry may be unwittingly hiring moles placed by criminal gangs to steal data.

This claim comes from Peter Wood, First Base Technologies founder and committee member for ISACA (Information Systems and Audit Control Association). He says that the financial community is particularly susceptible to the "trickle" technique, a continuous loss of small amounts of data from individuals in an organisation.

"Some people in the banking community have quietly and anonymously said to me over the past year that they have found employees who have been placed in their company by criminal gangs and operating as moles for that period," says Wood.

The revelation comes as UK payments association APACS revealed that online bank fraud has soared by 185% in the past year.

Wood also reveals how he was asked by an insurance company to find out whether he could get into its building and steal data from the network.

He claims that he and a colleague turned up in the staff car park, examined where employees were having cigarettes and followed them back into the building through the back door.

"My colleague was dressed in a suit without a jacket so he looked like an employee," says Wood. "He proceeded to show me through the building although he'd never been there before."

"We were therefore able to determine where the meeting rooms were, took one over which was empty, plugged in my laptop and sat there for five hours pulling data off the network. We left by the same route and was never challenged once."

Wood claims the physical attack is the easiest route to steal data. But if an on-site attack isn't possible, then remote exploits such as email phishing and web drive-by attacks are increasing in popularity.

He says the top three steps an organisation could take to prevent data theft are rigorous vetting of staff and third parties, an awareness campaign that is designed with a strong focus on informing people rather than policing them, and regular meetings between HR, physical security and IT security.
