If dead men tell no tales, that makes identity theft of deceased account holders all the harder for card issuers to combat, particularly when the perpetrators are bank insiders.
In the case of JPMorgan Chase, two private bankers were indicted Monday for allegedly using ATM cards they issued to steal as much as $400,000 from 15 accounts over the course of about a year. Most of the accounts reportedly were dormant accounts belonging to dead people who were still receiving Social Security deposits because of a reporting error; presumably, if the account holders were alive, they would have spotted the withdrawals and reported them to the bank.
The incident illustrates the vexing problem of bank staff abusing their knowledge and access to perpetrate identity theft, a challenge that stresses internal compliance and culture more than technology, and accounts for 20% of all data security incidents, according to Verizon's 2015 Data Breach report.
"Given the myriad ways internal fraud can take place, it is impossible for banks to monitor every employee and every activity that takes place," said Shirley Inscoe, a senior analyst and data security and fraud expert at Aite Group.
Law enforcement authorities claim Dion Allison and Jonathan Francis, who worked at a JPMorgan Chase branch in Brooklyn, searched the bank's database for accounts with high balances, but limited or no transactions — mostly direct deposits from Social Security. The two men allegedly created ATM cards for the accounts and forged power of attorney documents to circumvent daily ATM withdrawal limits by going directly to tellers.
Along with two accomplices, identified by law enforcement as Gregory Desrameaux and Kerry Phillips, the alleged conspirators made fraudulent withdrawals in 2012 and 2013. The alleged accomplices were not Chase employees, and Allison and Francis are no longer Chase employees.
"The only surprising part of this story is how long they were successful with this fraud," Inscoe said. "It sounds as though most of the accounts they stole money from were inactive except for monthly Social Security deposits. Most banks monitor withdrawals from dormant accounts to ensure that any activity that takes place is authorized because they are so vulnerable to employee fraud."
The Social Security Administration did not return a request for comment.
"We have been working closely with the authorities and the Social Security Administration since notifying them about this incident. We will continue to do so to ensure that the funds are reimbursed to our customers or their estates or returned to the government as appropriate," said Lauren Ryan, a JPMorgan Chase spokesperson, in an email.
For institutions that issue ATM, debit or other types of cards, it's vital to have layered employee controls in place to keep staff from abusing cross-departmental access, said Stu Sjouwerman, founder and CEO of KnowBe4, a company that hosts an integrated security awareness training and simulated phishing platform. KnowBe4 specializes in what it calls the "human element" of security, which can include things like corporate culture, standards and rules.
"You do stuff like check the firewalls each month to make sure nothing untoward has happened, or having software in place that regularly checks the accounts of people that have high balances but not a lot of activity on them to see if that quickly changes," Sjouwerman said. "And obviously each employee needs to be given a minimum amount of access that allows them to do their job."
Access abuse has long been a problem for financial institutions and retailers. Another factor is resource deficits that allow some internal fraud to fall below the radar.
"One executive at a top five bank told me once that he didn't want to see any alerts on employees that didn't total $5,000 per month because his staffing didn't enable review of lower amounts," Inscoe said. "In effect, employees could steal at will as long as they stayed under that monthly limit."
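The two controls discussed above, as an added example that is not from the article or any bank's system: a small Python monitor over a constructed ledger that flags any withdrawal from an account with no debits in the preceding six months, regardless of amount, beside the per-employee monthly dollar threshold the executive describes. Account ids, employee ids, dates and amounts are invented.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger (not real data). Each row is (account, posting
# date, amount, employee who processed it); credits are the monthly direct
# deposits and carry no employee. Accounts A and B are dormant: one deposit a
# month and nothing else until July. Account C is an ordinary active account.
LEDGER = [
    ("A", date(2012, 1, 3), 1200.0, None), ("A", date(2012, 2, 3), 1200.0, None),
    ("A", date(2012, 3, 3), 1200.0, None), ("A", date(2012, 4, 3), 1200.0, None),
    ("A", date(2012, 5, 3), 1200.0, None), ("A", date(2012, 6, 3), 1200.0, None),
    ("A", date(2012, 7, 3), 1200.0, None), ("A", date(2012, 7, 9), -900.0, "e1"),
    ("A", date(2012, 7, 16), -900.0, "e1"), ("A", date(2012, 7, 23), -900.0, "e1"),
    ("B", date(2012, 1, 3), 1500.0, None), ("B", date(2012, 2, 3), 1500.0, None),
    ("B", date(2012, 3, 3), 1500.0, None), ("B", date(2012, 4, 3), 1500.0, None),
    ("B", date(2012, 5, 3), 1500.0, None), ("B", date(2012, 6, 3), 1500.0, None),
    ("B", date(2012, 7, 3), 1500.0, None), ("B", date(2012, 7, 10), -400.0, "e1"),
    ("C", date(2012, 7, 2), 2000.0, None), ("C", date(2012, 7, 5), -150.0, "e2"),
    ("C", date(2012, 7, 12), -80.0, "e2"),
]

def month_index(d):
    return d.year * 12 + d.month

def dormant_withdrawals(ledger, dormant_months=6):
    """Flag every debit on an account that had no debit in the preceding
    `dormant_months` months, whatever the amount. A flagged debit does not
    reset the dormancy clock, so until it is verified as authorized every
    later debit on the same account is flagged as well."""
    by_acct = defaultdict(list)
    for acct, d, amt, emp in ledger:
        by_acct[acct].append((d, amt, emp))
    flagged = []
    for acct, rows in by_acct.items():
        rows.sort(key=lambda r: r[0])
        quiet_since = month_index(rows[0][0])  # first activity or last normal debit
        for d, amt, emp in rows:
            if amt >= 0:
                continue
            if month_index(d) - quiet_since >= dormant_months:
                flagged.append((acct, d.isoformat(), amt, emp))
            else:
                quiet_since = month_index(d)
    return flagged

def employees_over_monthly_threshold(ledger, threshold=5000.0):
    """The weak control quoted above: alert only when one employee's debits in
    a calendar month exceed `threshold`. Theft kept under it never alerts."""
    totals = defaultdict(float)
    for acct, d, amt, emp in ledger:
        if amt < 0:
            totals[(emp, month_index(d))] += -amt
    return sorted({emp for (emp, _), total in totals.items() if total > threshold})
```

On this ledger the dormancy rule flags all four withdrawals from A and B, including the $400 one, while the $5,000 per-employee threshold flags nobody because e1's July total is $3,100.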