= Subscriber content; or subscribe now to access all American Banker content.

Bank of America Gets Hit Twice by Access Abusers

ATMs and data are compromised in separate attacks stemming from unauthorized internal use by both the bank and vendor staff

Bank Technology News  |  May, 2011

Bank of America early this week was working to recover from two insider data breaches: an employee theft of bank customer data and a multi-ATM heist perpetrated by a Diebold employee. These are two more pieces of evidence of the both the danger and the difficulty of stopping insider crime.

In the first breach, a former employee was arrested in California and charged with crimes connected to stealing customer data and selling it to crooks. The literal cost of the crime, about $10 million, was not substantial—but consumer fears over lost data and ID crime is a major problem for all banks as mobile and web transactions become commonplace. The suspect’s name has not been released, since the court case is still under seal.

The stolen data included names, addresses, social security numbers, driver’s license numbers, birth dates, email addresses, mother’s maiden names, PINs and account balances have all been stolen and used in crimes victimizing BofA consumers. One victim told the Los Angeles Times crooks used information to order new checks in his name and also ordered money transfers.

The bank has been notifying customers, but has not revealed details of the case, other than it involves a now former staffer who gave customer data to people outside of the bank. BofA did not say how the suspect allegedly breached its database, nor has it said how many consumers were victimized.  

Eloise Hale, a Bank of America spokesperson, on Tuesday apologized for the incident, and said the bank has a wide range of protections in place to prevent insider fraud, including background checks during hiring processes and monitoring employee access to personal data.

“We have clear policies about the improper use of customer data and when a compromise or fraud does occur, we have a strong refund policy for unauthorized transactions,” says Hale, who would not provide specifics on BofA’s employee data access policies and controls, citing security concerns.

In the second incident, Samuel Kioskli, a former Diebold employee, was charged with stealing $200,000 from seven Bank of America ATMs. He was accused of using his Diebold work cardkey to steal money from machines in the Bay Area.

Mike Jacobsen, a Diebold spokesman, says the company’s IT network enables it to know exactly where and when an ATM is accessed by maintenance staffers. In this case, the staffer, whose employment was terminated shortly after the incident, was identified by Diebold, who then notified customers and authorities.

“In our industry you run the risk of activity of this nature,” he says, adding that no “fake cash” was dispensed by ATMs as a result of the crime (the suspect reportedly tried to replace stolen cash with counterfeit money). “The key is to have processes and the right kind of technology in place to allow you to react quickly.”

The incidents shed light on how hard it is for banks to fight insider crime—Aite estimates it can take up to 18 months to ID an internal fraud operation—and inside fraud techniques skirt most AML and other fraud IT protections. The siloed nature of banks also makes it tough to track internal fraud.

Two new options have emerged in recent months: new tech solutions that “fingerprint” personal devices such as mobile phones and USB ports, both of which are frequently used by insiders to obtain internal data. Other strategies include the melding of social network analysis, historical versioning and web-driven profiling of how users engage the bank and outside contacts.

In an interview with BTN this spring, Gartner security specialist Avivah Litan told BTN this new approach is “powerful,” bringing unstructured and structured data to produce a full picture of a user’s activity.

Detica and SAS offer versions of social network analysis aimed specifically at banks, and IBM offers an enterprise identity insight product that can be used as part of fraud prevention.

Actimize, Norcom and other firms also offer link and activity analysis technology which can be used to track a user's external activity and online relationships.