Tellers are overlooked as threat to data safety

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.toledoblade.com/business/2016/02/14/Tellers-are-overlooked-as-threat-to-data-safety.html

Bank robbers used to burst into banks brandishing guns and bearing notes
demanding cash to the teller behind the window. Today, the thieves may be
on the other side of the counter.

As concerns over identity theft and foreign cyberattacks rise, customers
are largely in the dark about a growing threat just around the corner: bank
tellers and managers with instant access not only to their critical
personal information but also to their cash.

Though much of the focus on bank fraud has been on sophisticated hackers,
it is the person behind the window who should worry depositors, according
to prosecutors, government officials, and security experts.

Tellers and those who oversaw them once played a respected role, carefully
counting out bills and peering at signatures. But ATMs, direct deposits,
and electronic banking have diminished tellers’ importance to the point
that their work is now low-paid.

Rich and elderly bank customers are particularly at risk, prosecutors say,
when tellers and other retail-branch employees tap into accounts to wire
funds without authorization, make fake debit cards to withdraw money from
ATMs, and sell off personal data to other criminals. Accounts with high
balances and direct deposits of government funds, such as Social Security
payments, are especially coveted.

“It’s a rampant problem,” said Brenda Fischer, chief of the Cybercrime and
Identity Theft Bureau for the Manhattan district attorney’s office.

That office and other prosecutors have brought a string of cases against
tellers and other employees who typicall interact with customers at retail
branches. The Manhattan prosecutor’s office estimates it brings at least
one case against a teller per month.

Last year, a teller in White Plains, N.Y., was sentenced for her role in an
identity theft ring that pilfered $850,000 from bank accounts. A former
teller at a Capital One branch in Maryland was sentenced in 2014 for
gaining access to seven accounts and passing customer information to a
co-conspirator who drew checks on the accounts.

Nationally, last year, cases included a former Pennsylvania teller
sentenced for withdrawing money from accounts; a former Manhattan teller
sentenced for using information to receive tax refunds that he routed to
himself; a former Connecticut teller who took cell-phone photos of account
information to cash fake checks, and a former Virginia credit-union teller
who took out loans from the union in customers’ names. Her acts led to the
institution’s collapse.

Bringing charges against tellers and low-level managers can be challenging,
prosecutors say, because of banks’ lax security controls and gaps in
regulation.

One Chicago-area teller jumped from Washington Mutual to LaSalle Bank to
Fifth Third before he was caught, withdrawing more than $2 million along
with his co-conspirators. They rerouted customers’ addresses to mailboxes
they controlled, made driver’s licenses in customers’ names to open credit
cards, and formed fake businesses so they could buy credit-card terminals
to approve the fake charges they had rung up.

Despite the sums at stake, executing the crimes can be easy, prosecutors
say. Tellers and employees at retail branches, who can gain access to a
customer’s information with a few taps of a keyboard, are at the centers of
the schemes. Last year, for instance, federal prosecutors say Peter
Persaud, an employee at a Chase branch in Brooklyn, sold customer
information to an informer for $2,500 per customer. Mr. Persaud has pleaded
not guilty; the case is continuing.

In other cases, thieves bribe the low-paid tellers to hand over personal
data to drain money from accounts and make debit cards, checks, and credit
cards in customers’ names.

According to the Bureau of Labor Statistics, the median annual income for
tellers in 2014 was $25,760, a salary that prosecutors say does not match
the high-risk nature of their jobs and can leave the teller vulnerable to
bribes.

Under laws passed in the aftermath of the Sept. 11, 2001, attacks, banks
are required to vet their customers and closely monitor accounts to detect
any suspicious activity.

But when it comes to tellers, prosecutors say, sometimes, little more than
a basic criminal-background check is performed.

More than money is at stake. Social Security numbers and addresses can be
trafficked on the black market, where thieves sell vast collections to the
highest bidders.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.