Criminal gangs placing moles in banks to steal data
An ISACA committee member has revealed that it is not just identity fraud which is a problem – the banking industry also has to watch out for its own staff.
The banking industry may be unwittingly hiring moles placed by criminal gangs in order to steal data.
This claim was made by Peter Wood, First Base Technologies founder and committee member for ISACA (Information Systems and Audit Control Association). He said that the financial community was particularly susceptible to the 'trickle' technique, a continuous loss of small amounts of data from individuals in an organisation.
Wood said: "Some people in the banking community have quietly and anonymously said to me over the past year that they have found employees who have been placed in their company by criminal gangs and operating as moles for that period."
Wood revealed an example where he was asked by an insurance company to find out whether he could get into its building and steal data from the network. He revealed that he and a colleague turned up in the staff car park, examined where staff were having cigarettes and followed them back into the building through the back door.
"My colleague was dressed in a suit without a jacket so he looked like an employee and I was dressed like me so I looked like a security consultant," Wood described. "He proceeded to show me through the building although he'd never been there before."
"We were therefore able to determine where the meeting rooms were, took one over which was empty, plugged in my laptop and sat there for five hours pulling data off the network. We left by the same route and was never challenged once."
Wood said that the "physical" attack was the easiest route to steal data and was the way of the future. But if on-site isn't possible, then remote attacks like email phishing and web drive-by attacks were increasing in popularity.
He said the top three steps an organisation could take were good vetting of staff and third parties, an intelligently designed awareness campaign with a strong focus on informing people rather than policing them, and regular meetings between HR, physical security and IT security.