By Andrew Hurst, European Banking Correspondent
Banks are pouring money into building formidable defenses against
computer hackers but are only just waking up to what may be a bigger
threat -- the physical theft of client information by criminals in the
"You can have a fortress-like security system, but if you are not
terribly discriminating with consultants and temporary employees, that
is a terrible vulnerability," said Carmen Oveissi Field, a New
York-based consultant on computer crime.
"If people can get physical access (to a bank's systems), the game is
over," said Oveissi Field, managing director of Daylight Forensic &
Advisory, a security consultancy.
Banks, especially in Europe and the United States, are investing vast
sums to make computer systems impregnable and have been warning
customers of the dangers of being duped into giving away confidential
information about their accounts.
Under one of the most widely used methods, known as "phishing," a spoof
e-mail is sent out, leading recipients to a bogus bank Web site where
they may be fooled into keying in account usernames and passwords.
The information can then be used by criminals to ransack bank accounts
over the Internet.
Many banks have placed written warnings about phishing on their
electronic banking Web sites and are encouraging clients to forward
suspicious e-mails to them so they can then identify the phony Web
sites and have them closed down.
"It's like hosing down spray paint from vandalized walls," said Ken
Allan, an information technology expert based in Ernst and Young's
If phishing attacks go unchecked, they could undermine public
confidence in Internet banking, which is far less costly than branch
banking, and drive customers back to their local branches for even the
most simple banking operations.
DATA "WALKING OUT OF THE DOOR"
"Surveys show customer concerns about security are one of the biggest
obstacles to increased Internet use by the general public," said Chris
Potter, a partner at PWC in London who advises financial institutions
on technical risks.
Banks should be far more active in informing their customers about
the dangers of Internet crime, said Oveissi Field.
Warnings on bank Web sites are "the moral equivalent of sending your
grandmother down a dark alley with instructions on how not to get
mugged," she said.
While banks are confident they can deal with phishing attacks by
constantly warning customers of the dangers, they are now getting
increasingly concerned about the physical theft of confidential client
data by insiders or impostors.
"Identity theft can happen through hacking into a bank system or
internally with someone walking out of the door, and that worries me
more than phishing," said a security officer at a major European bank
who asked not to be identified.
Widespread outsourcing of data management and other services has
exposed some weaknesses and made it harder to prevent identity theft
"There are lots of weak links," said Oveissi Field. "Back-up tapes are
being sent to offsite storage sites or being mailed and getting into
the wrong hands or are lost through carelessness."
In what many regard as the biggest wake-up call in recent memory for
financial institutions, thieves disguised as cleaning staff last year
narrowly failed to steal the equivalent of more than $400 million from
the London branch of Sumitomo Mitsui.
They installed programs to record keystrokes on computers that were
used to handle international wire transfers of money.
After analyzing user identifications and passwords recorded by the
keylogging programs, they used the information to make a huge money
transfer to an Israeli bank but were foiled at the last minute when
police were tipped off.
"What banks worry about is that they may have a combination of
weaknesses such as staff vetting and physical security, which when put
together can let a sophisticated attacker get at their real crown
jewels," said Potter.
Banks are starting to respond to the threat by combining teams working
on physical and information technology security, which have
traditionally been separate functions, said Potter.
Copyright 2006 Reuters Limited.