Showing posts with label ethics. Show all posts

Tuesday, July 21, 2015

A New Proactive Responsibility For Bankers in the Face of Cross Border Frauds

Let's face it - no one (whether an individual, a government or an organization) is immune to or safe from a breach, an attack, a scam, a rootkit or a virus / APT or whatever you may call it.
A crack is a crack is a crack is a crack (calling it a hack is sacrilege) 
And this is a global problem which is growing (exponentially) by the day, by the hour, minute, second and even nanosecond. Everyone has to face the threat, directly or indirectly, and no one ever knows when he/she will fall victim to an attack or an incident, and it really does not matter whether you are hyper intelligent or live inside Fort Knox.
We do not have to go too far back in history to see institutions like OPM, SONY and the White House, or global security organizations like RSA, The Hacking Team, HB Gary, NSA etc. - the list is really big and includes banks too.
In this global cybersecurity threat and crime maelstrom the Law Enforcement Agencies (LEA), Intelligence and Defense Agencies are first and foremost affected. They have a responsibility to investigate cybercrimes perpetrated across international borders, using sophisticated attack techniques or compromising insiders into malicious acts, voluntarily or involuntarily. Invariably, while following cross-border leads, the LEA meets with insurmountable challenges and lengthy procedures (or red tape, even non-cooperation). And, if the request is to an unfriendly nation, the case might as well be closed and filed away!
Example challenges faced by LEA are (1) following a money trail, (2) getting source IP information, (3) getting the user's name and address, etc.
We will only look at "following the money trail" - in this case the victim may know the name of the bank to which the funds were fraudulently transferred. However, when the bank is advised of the fraud, it may not take any action until it receives an order to that effect in compliance with its locally applicable laws and regulations.
However it is time for these officials, across the world, to raise a red flag at their end when they receive a communication directly from the victim (or victim country LEA).
Imagine if a bank manager gets a mail from a victim who informs him/her about a fraud which has been perpetrated and where the funds have been transferred to that particular branch of the bank. The branch manager may not be able to stop the account from operating, but he/she can inform the local LEA about the suspect transaction. In addition, he/she can proactively guide the foreign victim and LEA about the quickest procedure to get the legally appropriate instructions for necessary action.
The only (simple) reason why this bank manager in a foreign country should stand up and raise a red flag on the account, on the account holder and on the transaction(s) is this: it can happen to him/her too.
Yes, there is no guarantee that this bank branch, anyplace in the world, will not fall victim to a fraud, or that a bank client will not fall victim - and then this manager will be jumping through the same hoops as the victim / LEA who had reached out earlier.
This is not a call to disclose information, neither a call to work against the law or invade the account holder's privacy. It is not an aggressive look into transactions which is done through Risk Management and AML practices. In these changing times, it is an acceptance of responsibility by the banking professionals to set up a simple deterrent control. Criminals will slow down on using accounts in foreign lands once they are aware that ANY transaction can be notified to LEA proactively. 

Tuesday, February 14, 2012

You are ethical ... and Information Security is a blind alley...!

Ethics is a much used word, and we know that EVERYONE in security is ethical, trustworthy, with a high level of integrity, and will keep all my corporate secrets deep in his/her heart until death do us part (or until I do not pay the bill!)


Well, a number of times I have asked some friends how they can say that they are ethical hackers! I mean, you are certifying your own honesty. Simply speaking, if you walk around Mumbai or Gurgaon wearing your white hat for less than half an hour it will become dirty ... lo and behold, you are a gray hat. And, if you accidentally bump your car or cycle into someone, you will morph into a black hat :)


Earlier I had been thinking only about individuals, because you do not mistrust the security majors. And then this happens....
Trustwave admits issuing man-in-the-middle digital certificate; Mozilla debates punishment
http://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment
The evolution of the internet, technology and mankind is a fact. So is the fact that the concepts of privacy, democracy, freedom, human rights, commerce, economics, crime, war et al. are being re-written. Symantec keeps quiet for five years after being hacked, the Arab Spring helped overthrow despots, WikiLeaks has shaken the most powerful nation so badly that they want to get to him anyhow, and state and non-state players are not distinguishable.


So who can we trust? And how is trust proven? Can the company we trust in turn trust the thousands of persons who contributed to the millions of lines of code, or to that small widget that was embedded in my cellphone, or pacemaker!


Sinister thoughts in a dark world where we are all walking blind and talking like we know it all. I mean I feel clueless / helpless and what-have-you when I read about Symantec, RSA, Microsoft, Verisign, Diginotar (the CA that was hacked), SONY, Heartland, TJ Maxx, Citibank etc. etc. - and other bastions of security that were felled.


Then you read about the suspicion that malware or spyware is embedded in hardware coming out of China, or that Apple and others installed tracking software from Carrier IQ. 


What is ethical, what is not; where do we draw the line? In a zillion lines of code, how does anyone know if there is that one line that is keeping tabs on you (and maybe the developer company does not know about it either)?