The Enemy Within

  The employee was long gone when bogus credit card charges started revealing his alleged crimes. Before he resigned in March 2006, James Wan Shing Kong had developed and managed software and related procedures for three Southern California customer call centers of CareCredit LLC. The Kettering, Ohio-based division of GE Money operates a card-based credit program for health, vision, dental and veterinary expenses not covered by insurance.
  Between February 2006 and January 2007, Kong allegedly used his access to create the card charges, which his former employer reversed. Investigators with the U.S. Department of Justice believe Kong returned to his native Malaysia after he resigned.
  No one knows how many similar payment-data breaches and thefts are perpetrated or assisted by company employees or hired contractors because many incidents go unreported to law enforcement. But investigators and security consultants say they believe a significant percentage of data thefts involve insiders and that more should be done to prevent and respond to the crimes.
  Bryan Sartin, a forensic investigator at Cybertrust, which provides security audits for businesses that handle payment card data, says that of the roughly 170 data-compromise investigations the company conducts in an average year, about 15% "clearly involve an insider" employee working alone. He adds that a large percentage of data thefts by nonemployees involve some type of help from individuals known to the organization, such as third-party contractors that have access to payment data.
  Oftentimes, breach evidence points to payment-services vendors, Sartin says. "You find the one system in the organization that stored that information. Only at one point was that information ever touched, and it was clearly touched by the vendor," Sartin says.
  Jodi Pratt, principal consultant of Jodi Pratt & Associates, an Aptos, Calif.-based firm that provides security-consulting services for financial institutions, says insider theft is widespread. "There is a surprisingly significant amount of fraud that we know is facilitated by insiders, although it's often very hard to identify who that insider is," she says.
  It may seem like a no-brainer that companies should screen for criminal records and bad credit before hiring employees who will have access to sensitive financial information. But according to a 2006 report by the Association of Certified Fraud Examiners, 87.9% of workers charged with committing occupational fraud or abuse against their employers in a variety of industries never before had been charged or convicted of a crime.
  In some cases, crimes are perpetrated by disgruntled employees.
  In 2002, Roger Duronio, a Paine Webber information-technology manager, allegedly was upset that his annual bonus was about $17,000 less than he had expected. He planted a virus that crashed about 2,000 Paine Webber servers, effectively disabling the work of some 8,000 company brokers across the country.
  David Nussenbaum, now director of fraud and identity-management solutions at Chicago-based consumer credit reporting agency TransUnion, says he signed Duronio in the late 1990s to a year-long contract as a computer systems administrator at a software firm he declines to name. "He was a very soft-spoken gentleman," Nussenbaum says. "A little on the cynical side, but I never had any problems with him."
  Nussenbaum does not recall the screening process at his former employer. "It wouldn't surprise me if it was very lax. Back then, expert Unix programmers were hard to find," he says. "We were desperate for someone to maintain our network, and that may have added to our leniency in terms of screening processes."
  At the end of Duronio's contract, he told Nussenbaum he was going to Wall Street "to make a lot of money," and Nussenbaum did not hear of him again until reading an article about his trial. The trial ended in December with a sentence of 97 months in jail and an order to pay $3.1 million in restitution.
  COMMON CAUSES
  There are many reasons employees become disgruntled enough to commit crimes against their employers. A common source of employee tension is the uncertainty and change caused by mergers, acquisitions and downsizing.
  Sartin says that, of the data-theft cases he has investigated that indicate insider involvement, "there is almost a one-for-one ratio where there has been some type of transition." Besides creating hard feelings, such transitions often create temporary data-security vulnerabilities when two companies are trying to merge their computer networks.
  Company managers always should be on alert for suspicious employee or executive behavior, such as never taking time off or not allowing anyone else access to the information they control, Pratt adds. She recommends employers run thorough background checks of employees and independent contractors with access to sensitive information not just when they are hired but repeatedly as their employment continues.
  Rechecking credit scores can show new financial stresses such as mounting debts or missed payments, Pratt says. Rechecking civil and criminal databases could uncover divorces, finance-related lawsuits, drunk-driving arrests and other indications of trouble.
  A company can use such knowledge to express concern and possibly provide assistance to employees. It also lets employees know that their boss is aware of situations that could make them security threats, information that criminal recruiters also may use as temptation, Pratt adds.
  "There are all sorts of ways for criminals to target those individuals," she says, adding that even employees with no intention of committing crimes can be duped by the wrong person.
  Another source of insider fraud is workers with no criminal records recruited by criminal networks to train for and enter jobs where they will have access to payment data, says Mike Urban, fraud manager of Fair Isaac Corp.'s Card Alert Services unit. "We know that there are criminal gangs that are deliberately targeting organizations along the payments chain," he says.
  One of the best internal fraud detectors is other employees.
  According to the Association of Certified Fraud Examiners, 34.2% of fraudulent actions by insiders are detected because of anonymous tips, more than by any other means of discovery, including discovery by accident, internal or external audits, internal controls or notification by police. For crimes perpetrated by company owners and executives, the share discovered through reports to anonymous-tip lines is even higher, at 48%, the study found.
  Urban suggests companies hire third parties to provide employees with whistleblower hotlines manned 24 hours a day, seven days a week. "That's important because you never know when someone might feel ready to talk," he says.
  Companies should implement procedures and policies to protect the anonymity of whistleblowers and to protect those accused but not yet proven guilty, Urban adds.
  Another good practice is monitoring networks for suspicious patterns. "For example, if someone at a customer call center did an inordinate number of address changes in a day, that should raise a red flag," Nussenbaum says. Such changes can signal that the employee is changing addresses without customer approval, which could help delay customers finding out about fraudulent charges on their accounts.
  Most network-monitoring software is home-grown, sources tell Cards&Payments. But Urban says Fair Isaac is developing a variation of its consumer payment fraud prevention software to monitor access to and use of computer networks by employees and other insiders. He says the product does not yet have a name or projected release date.
  WHAT TO NOTICE
  Sartin says his breach investigations often uncover obviously suspicious network activities.
  For example, during one month there may be a large number of "trouble tickets," which indicate problems with the network that require outside attention. Or there may be suspicious network connections to an outside location at the same time late at night on multiple nights.
  "It's almost uniform how the unaccounted-for transactions occur at the same time every day," Cybertrust investigator Andrew Valentine says.
  Any unidentified outgoing network connections should make security managers suspicious, especially if they occur at the same wee-hour time each night, Sartin says. Such recurring activities can indicate malicious code programmed into payment systems to deliver data to crooks, Valentine says.
  Companies also should be wary any time employees install and run software that is outside normal company use and keep careful watch on any outgoing traffic on a data network, he says.
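The two patterns described above, the call-center agent who makes an inordinate number of address changes in a day and the outbound connection that recurs at the same late-night hour on several nights, can both be checked with a small home-grown script of the kind the sources mention. The following is an added example written for this article, not code from Cybertrust, Fair Isaac, TransUnion or any product named here. The log formats, the sample lines, the internal network range, the vendor allowlist and the thresholds (an absolute floor of five changes, three times the peer median, three nights inside a midnight-to-5 a.m. window) are all constructed assumptions; a real deployment would take them from its own audit and firewall logs.

```python
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed call-center audit-log sample (hypothetical format: ISO timestamp, then key=value fields).
CALL_CENTER_LOG = """\
2007-03-12T09:02:11 agent=amy action=address_change account=****1001
2007-03-12T09:40:53 agent=amy action=balance_inquiry account=****1002
2007-03-12T10:15:02 agent=bob action=address_change account=****2001
2007-03-12T10:16:40 agent=bob action=address_change account=****2002
2007-03-12T10:18:05 agent=bob action=address_change account=****2003
2007-03-12T10:19:30 agent=bob action=address_change account=****2004
2007-03-12T10:21:12 agent=bob action=address_change account=****2005
2007-03-12T11:05:19 agent=cara action=address_change account=****3001
2007-03-12T11:30:44 agent=cara action=address_change account=****3002
2007-03-12T14:12:07 agent=dan action=address_change account=****4001
"""

# Constructed egress firewall-log sample (same hypothetical format; documentation IP ranges only).
EGRESS_LOG = """\
2007-02-05T02:14:07 src=10.20.5.17 dst=203.0.113.44 dport=443 bytes=1840211
2007-02-06T02:15:12 src=10.20.5.17 dst=203.0.113.44 dport=443 bytes=1902778
2007-02-06T13:02:33 src=10.20.5.17 dst=10.20.8.5 dport=1433 bytes=5122
2007-02-07T02:14:49 src=10.20.5.17 dst=203.0.113.44 dport=443 bytes=1776502
2007-02-07T02:40:10 src=10.20.5.22 dst=198.51.100.9 dport=443 bytes=3100
2007-02-08T02:16:01 src=10.20.5.17 dst=203.0.113.44 dport=443 bytes=1813390
2007-02-08T23:55:31 src=10.20.5.22 dst=198.51.100.9 dport=443 bytes=2900
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]                  # assumed internal address space
KNOWN_VENDOR_DESTINATIONS = {"198.51.100.9"}                # hypothetical allowlist of expected vendor endpoints


def parse_line(line, required=()):
    """Parse 'ISO-timestamp key=value ...' into a dict with a datetime under 'ts'.
    Returns None for blank, malformed or incomplete lines so bad input is skipped, not crashed on."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")}
    except ValueError:
        return None
    for field in parts[1:]:
        if "=" in field:
            key, value = field.split("=", 1)
            rec[key] = value
    return rec if set(required) <= rec.keys() else None


def flag_address_change_outliers(log_text, floor=5, factor=3.0):
    """Return [(date, agent, count)] for agents whose address changes on a day reach `floor`
    and exceed `factor` times the median of their peers' counts that same day
    (an agent working alone is judged against the absolute floor only)."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line, required=("agent", "action"))
        if rec and rec["action"] == "address_change":
            per_day[rec["ts"].date()][rec["agent"]] += 1
    flags = []
    for day in sorted(per_day):
        counts = per_day[day]
        for agent, n in sorted(counts.items()):
            peers = [c for a, c in counts.items() if a != agent]
            baseline = median(peers) if peers else 0
            if n >= floor and n > factor * baseline:
                flags.append((day.isoformat(), agent, n))
    return flags


def recurring_offhours_egress(log_text, start_hour=0, end_hour=5, min_nights=3):
    """Return findings for (src, dst, dport, hour) tuples to external hosts seen on at least
    `min_nights` distinct dates inside the [start_hour, end_hour) window, with bytes summed."""
    nights = defaultdict(set)
    volume = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line, required=("src", "dst", "dport", "bytes"))
        if rec is None or any(ip_address(rec["dst"]) in net for net in INTERNAL_NETS):
            continue  # unparseable lines and internal traffic are out of scope for this check
        hour = rec["ts"].hour
        if not start_hour <= hour < end_hour:
            continue
        key = (rec["src"], rec["dst"], int(rec["dport"]), hour)
        nights[key].add(rec["ts"].date())
        volume[key] += int(rec["bytes"])
    findings = []
    for key, dates in nights.items():
        if len(dates) >= min_nights:
            src, dst, dport, hour = key
            findings.append({"src": src, "dst": dst, "dport": dport, "hour": hour,
                             "nights": len(dates), "bytes": volume[key],
                             "known_vendor": dst in KNOWN_VENDOR_DESTINATIONS})
    return sorted(findings, key=lambda f: (-f["nights"], f["dst"]))


if __name__ == "__main__":
    for day, agent, n in flag_address_change_outliers(CALL_CENTER_LOG):
        print(f"{day}: agent {agent} made {n} address changes, far above peers")
    for f in recurring_offhours_egress(EGRESS_LOG):
        tag = "known vendor" if f["known_vendor"] else "UNKNOWN destination"
        print(f"{f['src']} -> {f['dst']}:{f['dport']} at {f['hour']:02d}:xx on "
              f"{f['nights']} nights, {f['bytes']} bytes ({tag})")
```

On the constructed logs the first check flags only agent `bob` (five changes against a peer median of one), and the second reports one host that reached `203.0.113.44:443` at the 02:xx hour on four consecutive nights, moving several megabytes each time, to a destination not on the vendor allowlist. Comparing against peers on the same day rather than a fixed number keeps a busy day for the whole floor from flagging everyone, and keying the egress check on hour of day is what makes the "same time every night" pattern the investigators describe stand out from ordinary daytime vendor traffic.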
  Besides screening their own employees, payment companies and merchants should ask tough questions about vendor employee-screening processes and about each software and hardware component being installed. "For each piece, ask the vendor, 'What are they there for, and what do they do?'" Valentine says.
  Sartin says companies also can protect themselves by complying with industry security rules such as the Payment Card Industry Data Security Standard (PCI DSS). Besides avoiding storage of unencrypted cardholder data and requiring individual network user names and passwords for each employee, companies should conduct quarterly scans of networks for newly installed suspicious programs and security vulnerabilities, he says.
  IN THE OPEN
  Urban suggests companies let employees know about security vulnerabilities, whether they are waiting to be resolved or involve sensitive information that will need to be accessible, so everyone is watchful.
  Nussenbaum agrees. "Some people might wonder why you would want to teach your staff about all the bad things that could be done, but I think there's a way to do it right," he says.
  Whatever methods payment companies use to prevent insider data breaches, they should create and communicate clear security policies, such as what access and sharing activities are considered appropriate or may be suspect for various employees, Urban says.
  Such practices let both honest and scheming insiders know the company is watching its networks and the data they hold. "Show that there are processes and procedures in place and that you are aware of what's going on," Urban says. "It's less likely that criminals will be able to put people in your organization."
  (c) 2007 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com
