Slashdot Mirror
Over Half a Million Bank Accounts Breached
Gone Phishing writes "CNN is reporting that about 676,000 bank accounts in at least four banks (Bank of America, Wachovia, Commerce Bancorp, and PNC Financial Services) have had personal information "illegally sold". Over 60,000 customers have been notified so far."
This is why I switched to a local credit union a few years ago. Seems like the bigger the bank, the bigger the security breach. Worse... they nickel-and-dime you on everything else.
Customer account numbers and balances were allegedly sold to a man who then sold the information to collection agencies, the Hackensack police department said in a statement. Reuters reports that the information has not been found to have been used in any identity theft schemes.
/snip/
The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency.
Hmmm... working for a bank and a "collection agency". Sounds like a conflict of interest banks might want to look out for and possibly stipulate that working for a collection agency is not permitted while working for a financial institution.
The closest the US has is the DCMA, which prohibits the reverse-engineering of encrypted data for the purpose of copying it, which essentially makes it a crime to steal encrypted personal data, but I've yet to hear of anyone actually prosecuted this way and it is extremely unlikely to ever happen.
Largely because commercial companies often don't encrypt personal data for customers.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...do the police intend to track down the information to and "reclaim" it from the collection agencies, advertisers, etc.?
My bank offers:
1. Higher interest rates
2. Interest-bearing checking accounts
3. No fees ever
4. Free online billpay
5. ATM fee refunds (since they don't have their own ATMs)
6. Postage paid envelopes for deposits
7. 24/7 Customer Service with almost 0 hold time
8. No BS
I switched to an internet bank a long time ago and I'll never look back. But I'm not going to tell you what the bank is because I don't want it to turn into a "big bank". Go find your own.
[figz@figz figz]$ kill -9 `ps -ef | awk '$1=="figz" { print $2 }'`
Everyone involved in this should be in jail Now! Ten years apiece is a good start.
And I don't mean Club Fed either.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Probably because the larger banks have more of a presence in the towns people live in. I hate getting charged a fee to get to money that is mine from ATM's. Here there are Bank of America machines everywhere. No atm fees, no having to request atm fees reversed.
I've NEVER paid a fee with my BoA account. I don't know how so many people have problems. Free bill pay, free online banking, free bank transfers, overdraft protection, free checking. Hell I even get free checks, not that I write checks anymore though. Only thing I don't like is the horrible interest rate, but thats why I've got a ING account in addition to my BoA accounts.
I've noticed with the small banks (and yes I've looked into them) the online banking sucks, bill pay is a pain in the ass to use and the tellers aren't too bright.
A while back I got a call at around 4:30 P.M. from a credit card company requesting that I verify I had applied for a Home Depot card via one of those "just sign the line below" forms. I hadn't, so I immediately began the tedious process of requesting credit reports and contacting my bank to check up on unusual activity.
Later, at about 7:00 P.M. the same night, I got an pre-recorded call requesting that I call an 800 number and reference a specific "case code". I wrote down the telephone number and the code, and the next day spent a few minutes on Google shagging down the number. Turns out it was for a law firm in Utah that specialises in handling collection cases (unfortunately, I cannot remember their name). I remember thinking, a) "I don't owe anyone any money" and b) "how in the hell did they get my number?".
Now, I guess I know.
The story ended well for me - there were attempts to steal my identity, but they were all apparently stopped. I never did call the collection firm, so I have no idea what they may have wanted to chat about - seems to me if it was important, they would have used a human instead of a tape. The links I followed from Google were mostly to blogs and forum entries relating to how other folks had recieved similar calls from this agency, and upon returning them had been informed by the collection agency that they owed some form of money to an bank/credit card company they were representing. The kicker was that they also tried to add an additional fee (some as high as $275 US), payable to the collection agency alone. Other links mentioned how this same company had been banned from business in a lot of states for trying to add this extra fee, and, in essence, refusing to clear the original debt until their extra fee had been paid.
I'm not tense. I'm just terribly, terribly, alert.
Exactly. It's in place. Everybody who has had data stolen should sue their banks. A bank that I just got a mortgage through sold my information, even though I explicity told them not to. Hence, I'm suing them. It's very simple, actually.
I don't respond to AC's.
My old bank fired me for reporting that all daily loan applications including first and last names, social security for borrower and co-borrower and full addresses were wide open on an unsecured windows fileshare with everyone/full control access. All 50,000+ bank employees plus contractors with any windows domain login had full access to view all daily loan applications. These poor people weren't even our customers yet. I knew my manager would do nothing about it, so I started with a standard IT helpdesk call. At least then my report would be logged. Nothing happened. I then tried several other channels and after a few days, I found the "dept in charge of keeping us off CNN". They immediately secured it and were very thankful of my report. Since I had also noticed many other unsecure servers in my time there like daily intra-bank mortgage trade activity and others, I proceeded to report over 15 servers to this group. They fixed everything I reported and were thankful. They advised me not to scan their network because that would be considered hacking, but if I came across unsecured servers over the course of my normal work, I should report it. All was fine until some other managers got back to my manager asking who was the busy-body in his department causing them this extra security work? At bonus review time, my manager all of a sudden gave me poor ratings, disqualifying me from my $6000 bonus. He had given me an out-of-cycle raise just 5 months earlier for good performance. Go figure. After no raise and no bonus, I was pretty ticked and started escalating the issue with his manager and the nice security group. No response. I then put in for a transfer. My manager then writes me up for a written performance issue, listing security as one of the issues, and made my transfer ineligible for 90 more days. I continued to escalate but a few weeks later, he fired me for not addressing the "performance" issues. I've thought about finding a lawyer, but I'm much happier with my new employer now and try to just let it go. Ray
Nope. It shouldn't be that hard to have every employee's access to every account logged.
I worked at a large financial institution (life insurance, in a branch of a bank. Hell what I'm saying is 100% accurate so let me say that I'm talking about RBC Insurance - Life, whose offices are in Mississauga, Ontario) a while back, and had full access to hundreds of thousands of customer's data, including specially separated "high net worth" clients. I looked around and realized that on any of the developer PCs (where the user was admin. Actually these morons set DOMAIN\Users as admins, which meant that there was no PC to PC security and any hack could occur by co-opting a coworker) a USB key or PDA could siphon off everything.
Realizes how insanely loose the controls were, I proposed initiative after initiative to tighten up the system, and to add some sort of read logging, but I learned firsthand that financial institutions, presuming this one was par for the course, are 95% politics, and 5% actual concern about customers. The only way any sort of checks and balances were going to be implemented is if it properly gave a handjob to every useless mid-level manager planning their next Machiavellian maneuver (and successfully ensured that I didn't look good out of it, as a shop like RBC is configured in such a way that only the mediocre persist. If you look good, the next time a management churn occurs some clueless twit will purge the clueful). It really was eye opening, and the status quo was maintained and everyone acted like nothing was wrong.
Of course you really have to work in a place like that to fully appreciate how terribly incompetent such organizations are, and to maek it more fun they churn their management around with no logic or thought. Remarkable stuff.
The reason we don't have systems like that is because there isn't any financial incentive to implement them.
The reason we don't have this is because, in the USA, the crooks are writing our laws.
Avoid Missing Ball for High Score
The way I see it, many of the companies that collect personal information, (banks, radioshack, etc) see little or no value in the information they are protecting, it's only their value of reselling it (e.g., like a pawn shop). As a old tired example, why does radioshack need a phone number when you buy a battery?
IMHO, the goal should be to make economics work for us. The cost of them collecting and securing it should balance the value the get from selling it. Then if the expected return on investment is zero, why would they even bother to collect it? It's just because right now it costs them little to collect it and they can resell it for more is why they do it right now.
One way to get this to assign big penalties to losing control of the info so that the expected cost is high. Another way is to just bill them up front (e.g., tax companies for collecting the information). I'm guessing that in the end, some combination of things would be optimal.
Another thing to look at is to licence people (not companies) to handle information. For example, it takes a registered notary public (not a flunky that the bank assigns) to witness signatures on major business transactions. Why can a company assign some skript kitty to process social security numbers? Why should a bank VP have any access at all? Getting notary public certification is trivial for anyone with a 1/2 a brain, but they make it very clear that your butt is on the line, not the company's butt, so most of them take it pretty seriously. Something about a few hours studying for a test and a name on a license and some personal responsibility makes most folks take their jobs less like a joke (although you occasionally get the rougue CPA or notary, it isn't very common)... Maybe it's time for a certified public information collection certificate or something like that...
Anyhow, that's just food for thought...
I can't understand the "Group Think" that is going on. The same people who want to unleash the FBI on kiddies who download mp3's seem to never hold businesses accountable for anything.
We are so ripe for authoritarian rule. We want to leave control of our lives to others, and all we expect of security is to punish someone who doesn't cross every t and dot every i when they report on the failures.
The fact that Wachovia has my money and social security number and can demand many things of me without proof (such as fees and late charges), means that conversely, they should be responsible and compensate me for any damages resulting from their failure to live up to this trust. I think I need to pull my money out this week.
I thoroughly expect the news service to retract and fire anyone who reported this, but might have gotten the date wrong.
>>"ad space available -- low rates!!!"