Bank Tellers, With Access to Accounts, Pose a Rising Security Risk

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.nytimes.com/2016/02/02/nyregion/bank-tellers-with-access-to-accounts-pose-a-rising-security-risk.html?_r=0

Bank robbers used to burst into banks brandishing guns and bearing notes
demanding cash to the teller behind the window. Today, the thieves may be
on the other side of the counter.

As concerns over identity theft and foreign cyberattacks rise, customers
are largely in the dark about a growing threat just around the corner: bank
tellers and managers with instant access not only to their critical
personal information, but also to their cash.

Though much of the focus on bank fraud has been on sophisticated hackers,
it is the more prosaic figure of the teller behind the window who should
worry depositors, according to prosecutors, government officials and
security experts.

Tellers and those who oversaw them once played a sober, respected role in
towns small and large, carefully counting out bills and peering at
signatures. But A.T.M.s, direct deposits and electronic banking have
diminished tellers’ importance, to the point that their work is now low
paid and, prosecutors say, occasionally criminal.

Rich and elderly bank customers are particularly at risk, prosecutors say,
when tellers and other retail-branch employees tap into accounts to wire
funds without authorization, make fake debit cards to withdraw money from
A.T.M.s and sell off personal information to other criminals. Accounts with
high balances and those with direct deposits of government funds,
likeSocial Security payments, are especially coveted.

“It’s a rampant problem,” said Brenda Fischer, chief of the Cybercrime and
Identity Theft Bureau for the Manhattan district attorney’s office.

That office and other prosecutors have recently brought a string of cases
against tellers and other employees whose jobs typically involved
interacting with customers at retail branches. The pace of the crimes — the
Manhattan prosecutor’s office estimates it brings at least one case against
a teller per month — speaks to the scope of the problem.

Last year, a teller in White Plains was sentenced for her role in an
identity theft ring that pilfered $850,000 from bank accounts. Wiretaps
revealedthat the defendants spoke in code about potential bank targets,
referring to TD Bank as “touchdown” and JPMorgan Chase as “Yase.” A former
teller at a Capital One branch in Maryland was sentenced in 2014 for
gaining access to seven accounts and passing customer information to a
co-conspirator who drew checks on the accounts.

Across the country last year, cases included a former Pennsylvania teller
sentenced for withdrawing money from accounts; a former Manhattan teller
sentenced for using information to receive tax refunds that he routed to
himself; a former Connecticut teller who took cellphone photos of account
information, and used that to cash fraudulent checks; and a formerVirginia
credit-union teller who took out loans from the union in customers’ names.
The money she stole ultimately led to the credit union’s collapse.

Other lower-level employees who work at bank branches may have too much
access to customer information, prosecutors say: In December, prosecutors
in Brooklyn obtained indictments against two bankers who worked at retail
locations of JPMorgan Chase in the borough, saying they withdrew roughly
$400,000 from accounts through fake A.T.M. cards and in-person withdrawals.

Advertisement

Continue reading the main story

Bringing charges against tellers and low-level managers can be challenging,
prosecutors say, because of banks’ lax security controls and gaps in
regulation.

One Chicago-area teller jumped from Washington Mutual to LaSalle Bank to
Fifth Third before he was caught, withdrawing over $2 million along with
his co-conspirators. The crew rerouted customers’ addresses to mailboxes
they controlled, created driver’s drivers’ licenses in customers’ names to
open credit cards, and even created fake businesses so they could buy
credit-card terminals — then approve the fake charges they had rung up.

Despite the sums at stake, executing the crimes can be easy, prosecutors
say. Many of the tools that criminals need, like a card printer, are just a
mouse click away, available for purchase for a couple of hundred dollars on
the Internet. And videos that detail the mechanics of the scams circulate
online in a kind of underworld collection of Do-It-Yourself segments.

Tellers and employees at retail branches, who can gain access to a
customer’s information with a few taps of a keyboard, are at the centers of
the schemes. Last year, for instance, Peter Persaud, an employee at a Chase
branch in Brooklyn, sold customer information to an informer for $2,500 per
customer, according to federal prosecutors.

Mr. Persaud has pleaded not guilty; the case is continuing.

In other cases, the tellers are just the conduit. Thieves are bribing them
to hand over personal data that thieves use to drain money from accounts
and make debit cards, checks and credit cards in customers’ names.

Tellers, who are paid modest salaries, can be particularly vulnerable to
bribes, security experts say. According to the Bureau of Labor Statistics,
the median annual income for tellers in 2014 was $25,760, a salary that
prosecutors say does not match the high-risk nature of their jobs.

One thief, for instance, offered tellers an array of perks, including
jaunts on private planes, limousine rides, manicures and one-on-one
meetings with famous athletes, in exchange for customer information,
according to a 2011 indictment from prosecutors in Charlotte, N.C. Four
years later, the same man ran into trouble again when federal prosecutors
indicted him over accusations that he used confidential information from
Wells Fargo customers to withdraw roughly $100,000 from accounts.

Despite their importance, tellers and many low-level bank employees are not
subjected to rigorous background checks.

Under laws passed in the aftermath of the Sept. 11 attacks, banks are
required to thoroughly vet their customers and closely monitor accounts to
detect any suspicious activity. The same level of scrutiny does not always
apply to the tellers, according to prosecutors. Sometimes, little more than
a basic criminal-background check is performed,

Many banks simply close a fraud investigation once a teller resigns,
allowing the former employee to move on to another bank, security experts
say.

To keep their illicit activities undetected, the tellers, prosecutors say,
often keep unauthorized withdrawals below $10,000, the threshold that sets
off another layer of review under banking laws. Especially in accounts with
large balances, the thefts can go unnoticed for years.

Advertisement

Continue reading the main story

Advertisement

Continue reading the main story

State laws intended to prevent identity theft have not kept pace with the
sophistication and scale of the crimes, a lag that can hamstring
prosecutors.

Under New York law, for example, prosecutors cannot bring charges against
criminals for the total amount of money stolen from multiple banks, which
would result in more serious charges and sentences. Instead, they are
required to treat each bank as an individual victim.

More than money is at stake. Personal identification information — Social
Security numbers and addresses — can be trafficked on the black market,
where thieves sell vast collections of data to the highest bidders.

“All of your personal information is suddenly in the wild,” Ms. Fischer
said.

Controls at banks have sorely lagged, security consultants say.

Kevin Streff, managing partner at Secure Banking Solutions, a security
consulting firm, said the sluggish controls came, in part, from banks’
outdated view that tellers handled only low-risk transactions. “The banks
are still too trusting of the individuals they employ,” Mr. Streff said,
adding that banks tend to err on the side of giving tellers too much access.

Doug Johnson, senior vice president for payments and cyber security policy
at the American Bankers Association, said that banks, recognizing the
thefts can cause “substantial reputational risk and strain relationships
with customers, are committed to guarding against these attacks by sharing
information about problematic tellers and instituting more monitoring of
accounts.” Mr. Johnson said some banks were restricting the amount of
information tellers could get into.

This summer, New York’s attorney general sent a letter to some of the
biggest banks, including JPMorgan Chase, Bank of America and Wells Fargo,
urging them to reduce tellers’ access to crucial customer information. New
tellers usually had “unlimited access to financial institution customers’
account data,” the attorney general, Eric T. Schneiderman, wrote.

Despite the warnings, progress has been slow. “There is a reluctance to
provide real oversight, rigor or even security training because it costs
time and money,” Mr. Streff said.

For now, banks generally address the issue by reimbursing customers for any
losses.

Even when banks put in controls, employees may find ways around them. In a
January 2015 conversation recorded by the Federal Bureau of Investigation,
Peter Persaud, the Chase employee at a Brooklyn branch, discussed his
methods. If Chase questioned the withdrawals, his name might surface as
they looked at who had reviewed the accounts, he said, so he would “see if
I can get somebody else that could look up” names, too. two weeks later, he
said that he had to be careful about whose accounts he reviewed: “I got to
have a reason to be in that account,” he said, adding an expletive.

Mr. Persaud was suspended from Chase in February 2015, he told the
informer, adding, “I can’t get nothing while I’m suspended.” However, in
March, Mr. Persaud called the informer again. He said he had been
reinstated and would sell the information in four Chase accounts for
roughly $16,000.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.