Slashdot Mirror


Over Half a Million Bank Accounts Breached

Gone Phishing writes "CNN is reporting that about 676,000 bank accounts in at least four banks (Bank of America, Wachovia, Commerce Bancorp, and PNC Financial Services) have had personal information "illegally sold". Over 60,000 customers have been notified so far."

95 of 450 comments

  1. Stolen Account Information and Dupes by ari_j · · Score: 5, Funny

    Oftentimes, I'll complain about Slashdot dupes. Why can't this be one of those times?

    1. Re:Stolen Account Information and Dupes by NoTalentAssClown · · Score: 5, Insightful

      Great. So far this year I've received a letter from LexisNexis and Choice Point. When my identity was stolen at the beginning of the year I thought "How could this happen? I have been so careful with my information." Apparently it doesn't matter how careful *I* am when everyone else just seems to be giving it away. Something has to be done to punish these people other than sending me a letter with how to PAY someone to watch my credit and alert me to "changes".

    2. Re:Stolen Account Information and Dupes by Anonymous Coward · · Score: 2, Informative

      Since both a former employer of mine (SAIC), and a store that I made purchases at (DSW) have had recent losses of data, I am maintaining a fraud alert on my records at the credit bureaus. You can do this for free simply by calling any of the "big three" (Equifax, Experian or Trans Union) and requesting it. You only need to contact one of them, as the alert information will be forwarded to the other two. (It only lasts for 90 days, so you'll have to renew if you want it to continue.)

    3. Re:Stolen Account Information and Dupes by badasscat · · Score: 5, Insightful

      as for punishment, sure, that sounds good, but would be nearly impossible to implement in a fair manner as, in this case, lexisnexis was not responsible for the breach in any way, shape, or form. therefore to punish them for a breach not resulting from their actions would be unjust.

      How about punishing them for their inactions? If somebody walked in to a military base and stole a nuclear warhead, would you throw up your hands and say "well, it wasn't the military's fault; they're not the ones who stole it"? Of course it's their freakin' fault! Who's supposed to be guarding this stuff??

      Then of course, there's the issue of why they need to have this info in the first place. Just as you could argue if we didn't have nuclear weapons in the first place then there'd be no reason to worry about them being stolen, so you could argue that Lexis-Nexis - a company most of us have absolutely no contact with - should not have things like our social security numbers (which are for, you know, our individual social security payments, not anything else) to begin with.

      If you are going to take it upon yourself to store my information, then you had damn well better safeguard it. And if you don't, then you should be held liable, and you should be punished severely when data is stolen through your negligence. (And in this case, I define negligence as "any case where your security was lax enough to allow data to be stolen" - or in other words, every single case of a security breach.)

      If a company cannot secure this data to the point where it cannot be stolen, then they have no business holding this data to begin with.

    4. Re:Stolen Account Information and Dupes by Afrosheen · · Score: 4, Funny

      So, you're saying it's unreasonable to trust the bank with your information and your money? Well, what's the point of having a bank account then? I know a guy named Vinnie down the street that'll loan me money and hold my money for me. The only difference here is that Vinnie won't leak information and won't lose my money.

      Bank of Vinnie: Now 99% more secure than Bank of America.

    5. Re:Stolen Account Information and Dupes by Afrosheen · · Score: 2, Funny

      "...so let get some money to gether and buy a congress person or two"

      We'll let you be the spokesperson, you seem to have a strong grasp of the language.

    6. Re:Stolen Account Information and Dupes by Vitriol+Angst · · Score: 5, Interesting

      I can't understand the "Group Think" that is going on. The same people who want to unleash the FBI on kiddies who download mp3's seem to never hold businesses accountable for anything.

      We are so ripe for authoritarian rule. We want to leave control of our lives to others, and all we expect of security is to punish someone who doesn't cross every t and dot every i when they report on the failures.

      The fact that Wachovia has my money and social security number and can demand many things of me without proof (such as fees and late charges), means that conversely, they should be responsible and compensate me for any damages resulting from their failure to live up to this trust. I think I need to pull my money out this week.

      I thoroughly expect the news service to retract and fire anyone who reported this, but might have gotten the date wrong.

      --
      >>"ad space available -- low rates!!!"
    7. Re:Stolen Account Information and Dupes by Ty · · Score: 2, Funny

      Yeah that's all fine and good but you should know that Vinnie takes your dough and deposits in the bank down the street.

    8. Re:Stolen Account Information and Dupes by Karl+Cocknozzle · · Score: 4, Insightful
      sensationalists who make it seem like banks just give this stuff away.

      My beef is not with banks... They are generally pretty diligent about customer data--they've been doing this stuff for a while now. MY beef (and I believe the parent poster's beef) is a company he has never done business with acquiring, storing, and failing to secure his personal information. Certainly, we should punish the identity thieves--and severely. But the reality is that, in the case of ChoicePoint, (whom the parent poster cited as contacting him,) they simply didn't have adequate protections in place to keep somebody from pretending to be a "legitimate" buyer of personal information. (We'll leave for another day the argument that there should be no such thing as a "legitimate" sale of my personal information by anyone but me. If Choicepoint wants to PAY ME to list my personal information for their own potential profit, that is another story, of course.)

      Bottom line? If ChoicePoint wasn't in the super-sleazy, ethically dubious game of gathering and selling personal information, the data that was "accidentally sold" to these inappropriate persons would never have been divulged--because they never would have had it in the first place to be ABLE To divulge it.
      --
      Who did what now?
    9. Re:Stolen Account Information and Dupes by Croaker · · Score: 2, Interesting
      that sounds good, but would be nearly impossible to implement in a fair manner as, in this case, lexisnexis was not responsible for the breach in any way, shape, or form. therefore to punish them for a breach not resulting from their actions would be unjust.

      Um... have you thought this through? If what you believe were the law, then any company that has a legal issue, such as liability for security breach, illegal dumping of toxic waste, products that become sentient and wipe out humanity, etc. could get complete absolution if it got bought out by another company. "Oops! Sorry! You can't punish us! We got bought out by Totally Innocent Corp." And you can bet, a buyer can be made to appear at an opportune time, whether it be a real buyer or a shell company set up for the express purpose of ducking liability.

      When Company A buys Company B, Company A should not only get the assets of that company, but it also takes on the debts of that company and the responsibility under the law for any past actions of that company. And I believe that's how it works under the law.

    10. Re:Stolen Account Information and Dupes by twstdroot · · Score: 2, Insightful

      Sadly, someone from the IT group would always be able to see that info. And this information was leaked by high ranking executives! What's broken here is the people who were so easily convinced to give the data up... not the banks.

    11. Re:Stolen Account Information and Dupes by Damvan · · Score: 2, Insightful
      "It is outlandish to expect a company to do any more for you than you have contracted with them."
      But that is the whole point, we haven't contracted with any of these companies to do anything with our data. I never signed a contract with ChoicePoint, never even heard of them until this fiasco, but they still lost MY data. So I guess since I had no contract with them, they are not responsible for keeping that data secure? Then I want the ability to take MY data away from them if they are not going to protect it.
    12. Re:Stolen Account Information and Dupes by Foobar+of+Borg · · Score: 2, Insightful

      Actually, reading the article, it looks as though it was a bit of an inside job with Orazio Lembo paying off upper level bank employees. I think if everyone who banks at a bank that does a poor job of security simply takes their money out and goes with a different bank, perhaps a small, local one which often has better interest rates anyway, they would quickly change their practices. Sure, you would be giving up the convenience of tons of ATM locations. But compared with the inconvenience of having your identity and bank account owned, I think having only a few available and free ATM locations is minor.

    13. Re:Stolen Account Information and Dupes by superpulpsicle · · Score: 2, Informative

      Actual Bank Transcript... no joke.

      Operator: Hi, your account has been on the fraud list and one of the transaction is under investigation.

      Customer: What do you mean?

      Operator: There has been a debit of $15000 in a transaction last night.

      Customer: Have I been robbed?

      Operator: Sort of. Because you did not purchase our Anti-Fraud plan, we will be working in recovering the stolen amount. But you will see a permanent debit of $60.

      Customer: So I gain $15000 back, but lose $60?

      Operator: yes

      Customer: Great!

    14. Re:Stolen Account Information and Dupes by ColaMan · · Score: 2, Informative
      What's keeping someone who knows you well from getting a credit card under your name?

      I don't know about you, but in Australia, it's called "100 points of ID"

      From some random .au website:

      Please note that your current licence/registration issued by this Office is not sufficient as proof of your identity. You will still need to produce documents that add up to 100 points or more.

      Group A Each document is worth 70 points

      * A fully certified birth certificate (or copy certified by a Justice of the Peace)
      * A current passport
      * An Australian citizenship certificate.

      Group B Each document is worth 40 points

      (preferably containing a photograph of the applicant)

      * A current licence or permit issued under Australian law, eg. Driver's licence
      * Identification issued by Government authorities eg. one of the following:
      * Public Service employee identification
      * Evidence of your entitlement to financial benefits or other entitlements from the Commonwealth or a State or Territory Government
      * A student identification card issued by an Australian educational institution
      * A statement from your employer or an acceptable referee verifying your identity and certifying that they have known you by your name for at least twelve months. (Preferably with a photograph of you signed by the employer or referee).

      Group C Each document is worth 25 points

      * Official correspondence addressed to you such as a public utility account (eg. gas, water, electricity), council rates, bank statement or similar
      * Bankcard, Visa or other credit card
      * Any other document which in the opinion of the person to whom it is produced, provides similar verification of the applicant's identity.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    15. Re:Stolen Account Information and Dupes by wdmr · · Score: 2, Insightful

      This is pure garbage. We *have* contracted banks to safeguard our personal information. Banks have a host of legal obligations regarding the safeguarding of personal information. And even if they didn't, their websites and agreements are full of statements like:

      "Keeping financial and personal information about you secure and confidential is one of our most important responsibilities. Our systems are protected, so information remains secure." (Bank of America, Online Privacy and Security Policy)

      I'm sure there are similar statements in the microprint contracts we all threw away the day after opening our checking account.

      Heads *will* roll over this.

  2. US data protection act? by Colin+Smith · · Score: 4, Informative

    Isn't there a US equivalent of the Data Protection Act?

    http://www.opsi.gov.uk/acts/acts1998/19980029.htm

    A few holes, especially principle eight, but overall it does what it's supposed to.

    --
    Deleted
    1. Re:US data protection act? by jd · · Score: 4, Interesting
      Not exactly. In fact, so not exactly that Europe has repeatedly warned the US that it is technically illegal for European companies to trade personal data with the US, due to a total lack of any privacy law.

      The closest the US has is the DMCA, which prohibits the reverse-engineering of encrypted data for the purpose of copying it, which essentially makes it a crime to steal encrypted personal data, but I've yet to hear of anyone actually prosecuted this way and it is extremely unlikely to ever happen.

      Largely because commercial companies often don't encrypt personal data for customers.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re:US data protection act? by Daedala · · Score: 2, Insightful

      In a word, no.

      We have several laws that apply to personal data. There are gaps you can drive a truck through, and the industry has spent decades doing just that. (I particularly like the part about how the laws specify that they only apply to "authorized uses" of personal data--so if it's not an authorized use, you can do anything. No, I'm not kidding.)

      --
      What I say does not represent the views of my employers, my friends, my cats, or myself.
    3. Re:US data protection act? by neverkevin · · Score: 3, Informative

      I don't know if the US government has any specific policies regarding PPI and financial data, but the HHS has HIPAA http://www.hhs.gov/ocr/hipaa/ for personal medical data. The state of California has SB1386 to protect Californians' personal financial data. However, neither go far enough and I am surprised more incidents are not made public. I suspect there are many more security breaches that companies are quiet about.

    4. Re:US data protection act? by reallocate · · Score: 2, Informative

      I don't know, but this could just as easily have happened in the UK. Bank employees knowingly sold the data. The staff at your local Barclays could do the same thing, too.

      Two points to remember: 1. No law (and there are laws against this in the U.S.) will prevent crime if the criminal believes he can get away with it; 2. The only technical aspect of this crime is the way the data were stored. The same crime could have occurred in 1905, except the info would have been passed in ledger books.

      --
      -- Slashdot: When Public Access TV Says "No"
    5. Re:US data protection act? by jd · · Score: 2, Interesting

      It is, but any authored organized data is automatically copyright, which means that by creating a database entry with your name, address, SSN, ccard info, etc, in a structured and organized manner, where that structure and organization is preserved by the system, you have created a copyrighted work. Unless, by entering the data, you sign an EULA with the company that the data belongs to them. At which point, you're screwed but the company may be able to claim they have obtained the copyright from you.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    6. Re:US data protection act? by DogDude · · Score: 3, Interesting

      Exactly. It's in place. Everybody who has had data stolen should sue their banks. A bank that I just got a mortgage through sold my information, even though I explicitly told them not to. Hence, I'm suing them. It's very simple, actually.

      --
      I don't respond to AC's.
    7. Re:US data protection act? by arkanes · · Score: 3, Informative
      This is not true. In fact, it is the opposite of true. Mere aggregation of data (like phone books, famously) is *not* copyrightable. There is some wiggle room, especially if you have good lawyers - again famously, the annotations and numbers added by Lexis to court rulings are considered copyrightable, thus giving them a de facto control over large chunks of legal documents.

      Because databases are not protected, many large personal-information companies have been pressuring Congress to pass special protection laws for them, but so far none have passed.

    8. Re:US data protection act? by Optic7 · · Score: 2, Interesting

      How did you find out that they sold your information?

  3. This could get ugly by kcornia · · Score: 5, Insightful

    I'm sure the answer will be higher fees though, so in the long run the banks will be fine.

    1. Re:This could get ugly by ignorant_coward · · Score: 2, Informative

      A while back banks like Wachovia tried to tighten down on their customers, charging fees for seeing tellers, fees for ATM transactions, fees for deposits, fees for various forms, fees for breathing, etc. That didn't last long, so customers must have voted with their wallets. I know I rejoiced at being able to join credit unions at the time, because at least they don't treat their customers like an illness.

      (off topic: what do blind slashdotters think of these new "confirm you're not a script" thingies?)

  4. My account is safe. by mrcrowbar · · Score: 5, Funny

    Fortunately, my account should be safe. I got an email from Bank of America telling me about their problem, and I filled out their form to resecure my account. Such a great company to take care of their customers like that!

    1. Re:My account is safe. by shawn(at)fsu · · Score: 2, Interesting

      lol

      The sad thing is this weekend I got two of those emails from different 'banks'. I wonder how many people fall for them. I actually tried to contact the real bank of the first email but their contact us page was impossible so there wasn't anything I could do.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    2. Re:My account is safe. by Spectre · · Score: 5, Funny
      Um, are you sure it was the bank that contacted you? Sounds like a SPAM scam to me. . .

      Are you by any chance damaged in the pre-frontal lobe?

      --
      "Flame away, I wear asbestos underwear"
  5. Opting Out of 3rd Party Information Sharing by Anonymous Coward · · Score: 2, Funny

    Good thing I've opted out of having my bank share information with other parties. Opting out of information sharing is a wise thing for everyone to do.

    1. Re:Opting Out of 3rd Party Information Sharing by flynns · · Score: 2, Interesting

      I'm not quite sure you understand. It was ILLEGALLY sold. Without the permission of the account holder. Meaning that whatever you SAID you didn't want sold...doesn't matter.

      --
      'If you're flammable and have legs, you are never blocking a fire exit.'
  6. The bigger they are... by __aaclcg7560 · · Score: 5, Interesting

    This is why I switched to a local credit union a few years ago. Seems like the bigger the bank, the bigger the security breach. Worse... they nickel-and-dime you on everything else.

    1. Re:The bigger they are... by __aaclcg7560 · · Score: 2, Interesting

      Why don't you check out my credit union before jumping to conclusions. Credit union ATMs are free, I usually buy my checks from an independent check printer, my checking account is free with direct deposit and they pay interest on the balance. Oh, yeah, since this credit union is located in Silicon Valley, they do have online access. :P

    2. Re:The bigger they are... by crow · · Score: 2, Informative

      In Massachusetts, there are essentially two ATM networks, and you pay a fee if you use the wrong one.

      There's the Bank Boston/Fleet/Bank of America network, and there's the SUM network that almost everyone else has joined.

      In my case, my credit union doesn't charge fees for much of anything, and I can avoid ATM fees by avoiding the Bank of America ATMs.

    3. Re:The bigger they are... by utexaspunk · · Score: 2, Interesting

      Don't count on it. Credit Unions often outsource a lot of their operations to third-party groups to save on costs. Of course, the way the laws work, one doesn't often have to tell the customer that they are dealing with a third party.

      I used to work for a collection agency that specifically did third-party collections for credit unions across the country. We just had an 800 number for each credit union, and we'd answer with the name of the CU depending on which line rang. Same with sending out letters- just change the letterhead accordingly.

      If your CU is dealing with the kind of numbskulls I worked with, your data is probably just as insecure if not more so than if it were with a big bank.

      I've been using Washington Mutual for about a year now, and haven't been nickel-and-dimed on anything, and have been really happy with their service. Of course, I'm sure someone will now reply with their WaMu horror story...

    4. Re:The bigger they are... by eht · · Score: 2, Funny

      Actually I prefer the big guys over the one credit union I was with, never had a single problem with Citi or HSBC, but Visions Federal Credit Union (IBM's credit union based out of Endicott area) I've had no end of troubles with.

      Nickel-and-dime is all they did, right now I owe them over $40 to close my $20 account and the number just grows year after year, I get statements from them, but I just shred them.

    5. Re:The bigger they are... by Reverend528 · · Score: 5, Insightful

      Seems like the bigger the bank, the bigger the security breach.

      Well, duh. You're certainly not going to see 600,000 people's accounts stolen from a credit union with only 20,000 customers. That doesn't mean it's any more secure.

  7. Gee how informative by tofucubes · · Score: 2, Insightful

    I'm glad to know that about 1 in 10 people were notified.
    I have a feeling that most people's social security numbers have been harvested by people who shouldn't have them.

    --
    Some people believe 1-1=3 and for the sake of being politically correct, we should respect their differences
  8. Didn't matter, it was an inside job by varmittang · · Score: 2, Interesting

    "The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency."

    --
    -----BEGIN PGP SIGNATURE-----
    12345
    -----END PGP SIGNATURE-----
  9. Conflict of interest by __aaitqo8496 · · Score: 5, Interesting

    Customer account numbers and balances were allegedly sold to a man who then sold the information to collection agencies, the Hackensack police department said in a statement. Reuters reports that the information has not been found to have been used in any identity theft schemes.

    /snip/

    The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency.


    Hmmm... working for a bank and a "collection agency". Sounds like a conflict of interest banks might want to look out for and possibly stipulate that working for a collection agency is not permitted while working for a financial institution.

  10. Hackensack? by screwballicus · · Score: 5, Funny

    The data-theft ring may have perpetrated the nation's largest ever banking security breach, a Hackensack, N.J., police statement quoted a Treasury Department representative as saying.

    I only hope that Hackensack don't lack the knack to track this crack attack.

    1. Re:Hackensack? by Reorax · · Score: 2, Funny

      That is WHACK!

      --
      This sig is only here so people stop skipping the last lines of my posts.
  11. What about the agencies? Will they face charges? by stomv · · Score: 4, Insightful

    So, the people at the banks will face charges, as will Lembo, the "mastermind".

    But, what about the 40 collection agencies and law firms? Will they face civil charges? Criminal charges? Both? Surely they knew they were up to no good, and they were the ones funding the information theft in the first place -- all so that they could illegally harass debtors.

    Will the Feds follow the money?

  12. Screw identity theft... by Racter · · Score: 4, Interesting

    ...do the police intend to track down the information to and "reclaim" it from the collection agencies, advertisers, etc.?

  13. Laws are reactionary by paranode · · Score: 3, Insightful

    If an individual or group intentionally leaked or sold this information it is most certainly a crime. Laws are a punishment, not an absolute way to prevent crimes. If the perpetrator is convinced they can get away with this and profit from it, then they are not going to be worried about the fine print of the numerous laws they are breaking.

  14. after reading article by tofucubes · · Score: 4, Informative
    According to the article, at least 108,000 customers were notified; that's about a fifth.

    Bank of America (up $0.10 to $46.67, Research), the nation's No. 2 bank, has notified 60,000 customers of the problem. Wachovia (Research) has notified 48,000 customers.

    --
    Some people believe 1-1=3 and for the sake of being politically correct, we should respect their differences
  15. Wow, your country must be great. by bigtallmofo · · Score: 5, Insightful

    "Based on forensic examination of Lembo's computers, it was determined that he had employed upper-level bank employees to access and identify individual accounts in their respective banks," the police statement said.

    It doesn't matter what laws you enact. If you RTFA, you'll see that this was an inside job done by corrupt upper-level employees. Setting aside security-Utopia for a second, at some point you have to trust your own employees, especially "upper level" ones. When that trust turns out to be misplaced, there's not a lot one can do to prevent malfeasance.

    --
    I'm a big tall mofo.
    1. Re:Wow, your country must be great. by CarrionBird · · Score: 2, Insightful

      True, but you can make the companies who have the DBs liable for some of the damage they cause. (but not take away from the liability of the actual thief at all)

      --
      Free Mac Mini Yeah, it's
  16. Makes you wonder by TykeClone · · Score: 2, Insightful
    why so many people use the largest of the nation's banks. They aren't inherently more secure than smaller banks and are larger targets because of the number of customers that they have.

    There are several thousand smaller banks in the United States and many smaller banks have lower fees than those giants and a customer actually means something to those banks.

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    1. Re:Makes you wonder by LoverOfJoy · · Score: 2, Insightful

      Because their ATM machines are everywhere? I like my local credit union and they are generally good about fees but when I'm out of town and need to use an ATM I get jacked with fees from both the ATM and my credit union.

    2. Re:Makes you wonder by Zed2K · · Score: 4, Interesting

      Probably because the larger banks have more of a presence in the towns people live in. I hate getting charged a fee to get to money that is mine from ATM's. Here there are Bank of America machines everywhere. No atm fees, no having to request atm fees reversed.

      I've NEVER paid a fee with my BoA account. I don't know how so many people have problems. Free bill pay, free online banking, free bank transfers, overdraft protection, free checking. Hell I even get free checks, not that I write checks anymore though. Only thing I don't like is the horrible interest rate, but that's why I've got an ING account in addition to my BoA accounts.

      I've noticed with the small banks (and yes I've looked into them) the online banking sucks, bill pay is a pain in the ass to use and the tellers aren't too bright.

    3. Re:Makes you wonder by gcatullus · · Score: 3, Informative

      One of the biggest reasons is that these large national banks have become large national banks by buying up the smaller ones. An account that I opened about 20 years ago, has gone through 4 banks. I have never had to change account numbers or anything and I think many people just don't like change, so they stick with what they have.

    4. Re:Makes you wonder by Thurn+und+Taxis · · Score: 2, Informative

      I don't know about the rest of the country, but up in Boston I imagine it often happened something like this:

      1. Sign up for an account at Arlington Trust Co., a local bank (1987);
      2. Arlington Trust Co. merges with Shawmut (1988);
      3. Shawmut merges with Fleet (1995);
      4. Fleet merges with BankBoston (itself the result of serial mergers) to become FleetBoston (1999);
      5. FleetBoston merges with Bank of America (2004).

      In other words, these are the world's largest banks because of a series of mergers and absorptions of the world's smaller banks. And once people have their money in a particular bank, it's not always convenient to move it somewhere else. I personally have my money in a small local bank, but if they merged with a larger bank it'd take a pretty serious degradation of quality to get me to switch.

      --
      On stereophonic equipment, the monaural sound obtained through multiple channels will enhance your listening pleasure.
  17. Be thankful. by jd · · Score: 4, Informative
    It is only very recently that States - like California - require the publishing (even to victims) of this kind of information. Had this happened even a few years back, we'd be none the wiser until we'd all been ripped, and even then the banks would likely claim innocence.

    (Those from the UK may recall the curious scandal of "Phantom Withdrawals" from ATM machines, where mysterious, large withdrawals were taking place, even though nobody was apparently present to make those withdrawals. It was unimaginably difficult to prove the victim was a victim, and even then it was next to impossible to get the bank to repay the money.)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  18. check your accounts by lambent · · Score: 4, Informative

    /me scans article ... wachovia, pennsylvania ... shit.

    Wachovia says that they sent out letters to everyone they know to be affected. My mail service is spotty at times, so I gave them a call. 1-800-WACHOVIA (1-800-922-4684). Just keep pressing 0 till you get an operator. Their customer service workers were able to tell me over the phone if my account was compromised. It's not. w00t! Took them about five minutes, but I think everyone should double check.

    1. Re:check your accounts by MarkGriz · · Score: 3, Funny

      "Wachovia says that they sent out letters to everyone they know to be affected"

      Sent out letters?
      Welcome to the 21st century, Wachovia.

      My bank promptly sent me an email alerting me to the problem, and allowing me to log in (via a secure server) and check my account status immediately. Fortunately my account wasn't hacked.

      --
      Beauty is in the eye of the beerholder.
    2. Re:check your accounts by fafaforza · · Score: 2, Insightful

      And fortunately you were technologically savvy enough to check that the link they sent was a legit one, leading to Wachovia's servers. Many do not know where to even begin to do that.

      And you're right. Welcome to the 20th century, where requests to "confirm everything," to "update your personal information," or to change your ATM's PIN number because of an information breach can be sent to thousands of mailboxes in an instant, at no cost at all. Sending out a legitimate-looking letter via mail, and trying to extract information from the recipient, is much harder, takes much longer, costs much, much more, and is more easily tracked down.

  19. whew by Himring · · Score: 5, Funny

    Luckily, I don't use banks. I keep all my money in a thermos under a combination lock. I then tether the combination to a string in a mylar bag and swallow it, tying it off on a rigged bicuspid that will send a charge to the bag signaling an incendiary device which will destroy the note unless the tooth is first properly removed. But the bicuspid is fake -- threaded backwards with a one-way screw head. Of course, an anal probe might easily by-pass the oral security, but I recently had my sphincter sewn shut and I only consume nutrient drinks which, by chance, I keep in the thermos....

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
  20. Stop using big banks by Figz · · Score: 4, Interesting

    My bank offers:

    1. Higher interest rates
    2. Interest-bearing checking accounts
    3. No fees ever
    4. Free online billpay
    5. ATM fee refunds (since they don't have their own ATMs)
    6. Postage paid envelopes for deposits
    7. 24/7 Customer Service with almost 0 hold time
    8. No BS

    I switched to an internet bank a long time ago and I'll never look back. But I'm not going to tell you what the bank is because I don't want it to turn into a "big bank". Go find your own.

    --
    [figz@figz figz]$ kill -9 `ps -ef | awk '$1=="figz" { print $2 }'`
  21. 10 is a good start by Nom+du+Keyboard · · Score: 4, Interesting
    Account information on the customers was illegally sold by bank employees to a man identified as Orazio Lembo

    Everyone involved in this should be in jail Now! Ten years apiece is a good start.

    And I don't mean Club Fed either.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  22. I'm really getting sick of this... by johndierks · · Score: 2, Insightful
    I really feel that these security breaches are criminal negligence. So far it's been "All of our customer info has been stolen, we're really sorry."

    Holders of mass amounts of critical info need to learn that if they lose it, or mismanage it, they will be held liable for hundreds of millions of dollars in civil penalties, and years in prison for the most egregious cases of negligence.

  23. For Banks, we do by TykeClone · · Score: 3, Informative
    It's called the Gramm-Leach-Bliley act.

    It has two purposes - the first purpose is to have financial institutions adopt measures to protect consumer data. The second purpose is to add a great deal of paperwork and extra compliance steps that bank staff must accomplish without adding any extra safety to the information.

    I believe that in health care, HIPPA or HIPAA (whichever one it was!) accomplished much the same thing.

    --
    A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
  24. Can I sell my info before someone else does? by loggia · · Score: 4, Funny

    How much are these guys getting?

    Like, can I sell my personal information before someone else does?

    1. Re:Can I sell my info before someone else does? by Teddy_Roosevelt · · Score: 2, Insightful
      Now that you mention it...

      Sure, a lot of clear-thinking people get upset to learn their private information has been sold, but I suspect there are also a lot of people who would gladly sell their information for no more than a nominal fee.


      I'll bet at least 10% of the population would agree to your getting it all if you offered them $20.


      Of course, there's a bit of adverse selection here; the people who would agree to this deal aren't the ones the marketers really want.

  25. It will only get worse by Amoeba · · Score: 4, Insightful

    This is similar to the Choicepoint breach where account information was sold to an illegitimate company posing as a real customer. The main difference here is that there were "inside guys" who knew the selling of the data was to a bogus firm. What I find most interesting is that the main clients that the perpetrator (Orazio Lembo) sold to were.. wait for it... law firms and collection agencies! Talk about a vicious hive of scum and villainy.

    I say it will only get worse because the Sarbanes-Oxley Act is coming into effect which requires companies to put into place access controls to monitor/audit who has access to what information (among other things). The SOX, in conjunction with the Gramm-Leach-Bliley Act are forcing corporations to get their financial house in order in such a way that this type of malfeasance is getting much harder to hide. Expect to see more of the same for quite some time.

    While I think it's nice that these laws are having their desired effect I still envy those wacky europeans and their data protection laws.

    Amoeba

    --
    Do not taunt Happy-Fun Ball
  26. Glad I opened a new account by Pedrito · · Score: 2, Interesting

    I have an account with Wachovia. About 6 months ago, I started putting rather significant sums in it. Enough that were the account to get robbed, I'd be seriously upset. What concerned me at the time was that I had used my check card for online transactions, though.

    The thought that someone could wipe me out financially by cracking an online system got me worried enough that I opened a checking account at a local bank where I now keep a majority of my funds. I move enough into the Wachovia account for paying bills and stuff that are connected to it, but there's never enough in there to completely wipe me out anymore.

    And obviously, with the new bank, I won't be using the check card online. It looks like mine wasn't affected and it doesn't look like the account info was being used for robbery, but I still feel more secure with the new account.

  27. The DPA requires a proactive approach by Colin+Smith · · Score: 2, Informative

    Companies are required to put "technical and organisational measures" in place to protect data.

    If you can read legalese. The principles:
    http://www.opsi.gov.uk/acts/acts1998/80029--l.htm#sch1ptI

    Course, I'm not entirely sure how big the teeth are.

    --
    Deleted
  28. So I Log on to Wachovia's Site and See This... by judmarc · · Score: 2, Funny

    Customer Protection

    Guard yourself against fraud and identity theft. Wachovia provides the highest levels of protection and stands ready to assist you should you become a victim.

    Irony, anyone?

  29. Re:Just called BofA.... by CarrionBird · · Score: 2, Informative

    Lol, I can corroborate that BofA is feeding you a load of crap. These types don't admit anything they don't ABSOLUTELY have to.

    --
    Free Mac Mini Yeah, it's
  30. The DPA requires a proactive approach by Colin+Smith · · Score: 2, Interesting

    Actually, a lot of UK companies don't realise this yet either.

    But the DPA requires:

    "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

    --
    Deleted
  31. Re:What about the agencies? Will they face charges by 4Runner · · Score: 3, Informative

    Feds said that was part of Phase 2.

    "Lomia said the law firms that allegedly sought Lembo's services are part of "phase two" of the investigation."

  32. A simple solution by Anita+Coney · · Score: 3, Informative

    Some states allow citizens to block use of their credit report. Thus, even if someone steals your SSN, your birth certificate, and your driver's license, they're unable to obtain any new credit in your name, because no one is going to give credit without first getting a credit report.

    Sure, it doesn't solve all problems with ID theft, but it certainly helps.

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.
  33. It's not perfect, it can be made more difficult. by khasim · · Score: 4, Informative
    If you RTFA, you'll see that this was an inside job done by corrupt upper-level employees.

    Yep.

    Setting aside security-Utopia for a second, at some point you have to trust your own employees, especially "upper level" ones.

    Nope. It shouldn't be that hard to have every employee's access to every account logged.

    Then, you have those logs checked by another person, not at that location. Was there a legitimate reason for the access (withdrawal/deposit)? Was that access initiated by the customer?

    The people monitoring the logs will not have access to the personal information of the accounts.

    Now, if the logs are checked on a random basis (Joe is NOT the only person who checks all of Seattle's logs) then that activity is much easier to spot.

    When that trust turns out to be misplaced, there's not a lot one can do to prevent malfeasance.

    The key is to build a system where individuals are NOT allowed unchecked access to personal information.

    The reason we don't have systems like that is because there isn't any financial incentive to implement them.

    The US does NOT have the same privacy laws that other countries have so this kind of activity is MUCH easier to get away with.
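
    The scheme khasim sketches above, as an added example that is not part of the thread or any bank's code: every access is logged, views not tied to a customer transaction (or an employee touching unusually many accounts) are flagged, reviewers see only a keyed pseudonym of the account number, and each branch's logs go to a reviewer at another location. All names, fields, thresholds and log records are constructed for illustration.

```python
"""Access-log review with separation of duties (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import hmac
import random


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    employee: str
    branch: str
    account: str              # real account number; never shown to reviewers
    action: str               # "view", "export", "withdrawal", "deposit"
    customer_initiated: bool  # recorded while serving that customer


@dataclass(frozen=True)
class Reviewer:
    name: str
    location: str


# Constructed demo key; a real deployment would keep it in an HSM/KMS so
# that the people reading the logs cannot reverse the pseudonyms.
PSEUDONYM_KEY = b"constructed-demo-key"


def pseudonymise(account: str) -> str:
    """Keyed hash: reviewers can correlate events without learning the account."""
    return hmac.new(PSEUDONYM_KEY, account.encode(), hashlib.sha256).hexdigest()[:12]


def redact_for_review(events):
    """Reviewer view of the log: real account numbers replaced by pseudonyms."""
    return [
        {"ts": e.ts, "employee": e.employee, "branch": e.branch,
         "account": pseudonymise(e.account), "action": e.action,
         "customer_initiated": e.customer_initiated}
        for e in events
    ]


def flag_suspicious(events, bulk_threshold=5):
    """Findings for the reviewer.

    - no_customer_reason: a view/export not tied to a customer transaction
    - bulk_access: one employee touched >= bulk_threshold distinct accounts
    Findings carry the pseudonym, never the real account number.
    """
    findings = []
    accounts_per_employee = defaultdict(set)
    for e in events:
        if e.action in ("view", "export") and not e.customer_initiated:
            findings.append(("no_customer_reason", e.employee, pseudonymise(e.account)))
        accounts_per_employee[e.employee].add(e.account)
    for emp, accts in sorted(accounts_per_employee.items()):
        if len(accts) >= bulk_threshold:
            findings.append(("bulk_access", emp, len(accts)))
    return findings


def assign_reviewers(branches, reviewers, seed=0):
    """Randomly assign each branch's logs to a reviewer at a different location."""
    rng = random.Random(seed)
    assignment = {}
    for branch in branches:
        candidates = [r for r in reviewers if r.location != branch]
        if not candidates:
            raise ValueError(f"no out-of-location reviewer for {branch}")
        assignment[branch] = rng.choice(candidates)
    return assignment


def build_sample_events():
    """Constructed log: one teller serving customers, one manager browsing."""
    events = [
        AccessEvent("2005-05-23T09:01", "alice", "Seattle", "ACCT-1001", "deposit", True),
        AccessEvent("2005-05-23T09:05", "alice", "Seattle", "ACCT-1002", "withdrawal", True),
        AccessEvent("2005-05-23T09:30", "alice", "Seattle", "ACCT-1003", "view", False),
    ]
    # "bob" pulls six accounts nobody asked about: each access is flagged,
    # and the total trips the bulk threshold as well.
    for i in range(6):
        events.append(AccessEvent(f"2005-05-23T10:{i:02d}", "bob", "Seattle",
                                  f"ACCT-20{i:02d}", "view", False))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    pool = [Reviewer("joe", "Seattle"), Reviewer("maria", "Denver"), Reviewer("wen", "Boston")]
    who = assign_reviewers(["Seattle"], pool, seed=42)
    print("Seattle logs reviewed by:", who["Seattle"].name, "in", who["Seattle"].location)
    for finding in flag_suspicious(evs):
        print(finding)
```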
  34. Re:What will it take? by stlhawkeye · · Score: 5, Insightful
    Oops, I forgot Bush ruined class action lawsuits by forcing them to be in federal courts, which are more friendly to businesses.

    I don't like Bush's policies either, but let's not just make things up, ok? First, not all class action suits are "forced" to federal court, only very large suits.

    Second, they're moved to federal court not because federal courts are more business-friendly, but because of procedural differences in state court vs federal court. State courts tend to be more relaxed in due process procedures, and award ridiculous damages that are confiscated by private law firms. The ease with which a class action suit can be won in a small jurisdiction for enormous rewards has caused capitalistic law firms to seek out groups of marginally damaged people and organize them for a suit. This has caused a tenfold increase in class action lawsuits over the last decade.

    Meanwhile, plaintiffs from multiple states with complaints against the same defendant could not organize on a federal level and file in federal court, due to procedural restrictions that prevented class action suits from being moved out of state. Thus you had the dangerous situation of one state's courts determining a case that would have national precedent ramifications, and this seriously violates the principles of federalism. For a guy who bitched in his post about removing checks and balances, you're also complaining about legislation that was intended to prevent one state from determining national policy via state courts that are cherry-picked by millionaire attorneys.

    The legislation in question removed some of the roadblocks to moving large cases with multistate plaintiffs to federal court by granting original jurisdiction of a case to the District Courts instead of the state courts for large suits in which there are multistate plaintiffs.

    You then characterize all this in your tired anti-Bush ranting as some pro-business move that Bush enacted for his cronies. First, that's not how a bill becomes a law, and you ought to know that by now. Presidents do not sponsor legislation in committee, nor vote on them in congress. They sign them.

    There are a shitload of legitimate things to criticize President Bush about, but I'm tired of this hate-filled ranting that's misinformed. It's really hard to push for social evolution and progress when most of the people on your side are ignorant and more concerned with politics than anything else.

    Oops, I forgot our legislature is too busy removing checks and balances (Senate) and debating corrupt members (House) to get anything else done.

    I'm not sure what you're talking about here, so I can't really respond to you. The only major battle I know of in the Senate is over appellate court nominations, and I haven't read anything yet about changes to how nominations are handled.

    --
    "I have never won a debate with an ignorant person." -Ali ibn Abi Talib
  35. Big Bank Leach by NotQuiteReal · · Score: 2, Interesting
    I am a big bank "leach".

    I use a "big bank", but as far as I can tell, they make no money off me.

    Everything I do with them is "free" - free checking, atm use, etc.

    Whenever I have excess money in the bank, it gets swept into an online bank account that pays decent interest, or I send it off to my brokerage account where I gamble it away on bad stock picks ;-)

    I buy my checks from random cheapo check printers.

    As far as I can tell, I get the benefit of the big bank (lots of atms, grocery store locations, etc) and if anything should happen to my account, security-wise, it's their problem, not mine.

    --
    This issue is a bit more complicated than you think.
  36. Does this mean... by nightskier · · Score: 2, Funny

    that I should start responding to all those "Wachovia Bank Confidential Information" emails?

  37. Interesting Coincidence by The+Angry+Mick · · Score: 3, Interesting

    A while back I got a call at around 4:30 P.M. from a credit card company requesting that I verify I had applied for a Home Depot card via one of those "just sign the line below" forms. I hadn't, so I immediately began the tedious process of requesting credit reports and contacting my bank to check up on unusual activity.

    Later, at about 7:00 P.M. the same night, I got a pre-recorded call requesting that I call an 800 number and reference a specific "case code". I wrote down the telephone number and the code, and the next day spent a few minutes on Google shagging down the number. Turns out it was for a law firm in Utah that specialises in handling collection cases (unfortunately, I cannot remember their name). I remember thinking, a) "I don't owe anyone any money" and b) "how in the hell did they get my number?".

    Now, I guess I know.

    The story ended well for me - there were attempts to steal my identity, but they were all apparently stopped. I never did call the collection firm, so I have no idea what they may have wanted to chat about - seems to me if it was important, they would have used a human instead of a tape. The links I followed from Google were mostly to blogs and forum entries relating to how other folks had received similar calls from this agency, and upon returning them had been informed by the collection agency that they owed some form of money to a bank/credit card company they were representing. The kicker was that they also tried to add an additional fee (some as high as $275 US), payable to the collection agency alone. Other links mentioned how this same company had been banned from business in a lot of states for trying to add this extra fee, and, in essence, refusing to clear the original debt until their extra fee had been paid.

    --

    I'm not tense. I'm just terribly, terribly, alert.

  38. Re:USAA by Politburo · · Score: 2, Interesting

    One would hope that this type of thing wouldn't happen with a bank that serves the armed forces.

    In a sane world yes. However in a sane world one would also hope that our armed forces could act as prison guards without torturing and humiliating their wards.

  39. Got fired for reporting insecure loan apps... by RayMetz100 · · Score: 3, Interesting

    My old bank fired me for reporting that all daily loan applications including first and last names, social security for borrower and co-borrower and full addresses were wide open on an unsecured Windows fileshare with everyone/full control access. All 50,000+ bank employees plus contractors with any Windows domain login had full access to view all daily loan applications. These poor people weren't even our customers yet.

    I knew my manager would do nothing about it, so I started with a standard IT helpdesk call. At least then my report would be logged. Nothing happened. I then tried several other channels and after a few days, I found the "dept in charge of keeping us off CNN". They immediately secured it and were very thankful for my report. Since I had also noticed many other insecure servers in my time there, like daily intra-bank mortgage trade activity and others, I proceeded to report over 15 servers to this group. They fixed everything I reported and were thankful. They advised me not to scan their network because that would be considered hacking, but if I came across unsecured servers over the course of my normal work, I should report it.

    All was fine until some other managers got back to my manager asking who was the busy-body in his department causing them this extra security work. At bonus review time, my manager all of a sudden gave me poor ratings, disqualifying me from my $6000 bonus. He had given me an out-of-cycle raise just 5 months earlier for good performance. Go figure.

    After no raise and no bonus, I was pretty ticked and started escalating the issue with his manager and the nice security group. No response. I then put in for a transfer. My manager then writes me up for a written performance issue, listing security as one of the issues, and made my transfer ineligible for 90 more days. I continued to escalate but a few weeks later, he fired me for not addressing the "performance" issues.

    I've thought about finding a lawyer, but I'm much happier with my new employer now and try to just let it go. Ray

    1. Re:Got fired for reporting insecure loan apps... by kongjie · · Score: 2, Insightful
      There are laws to protect whistleblowers, but in order to prove that you were fired for whistleblowing and not for other reasons, you had better keep detailed records refuting any claims made by management during performance reviews and the like.

      My girlfriend has made a sexual harassment claim against her boss in the past; not only did the claim go nowhere (because said boss is worshipped by his superiors), but now that more than a year has passed, she has received a poor performance review, on the basis of dubious yet difficult-to-refute statements. She too has decided to move on to another company rather than try to fight.

  40. Sucka! by Grendel+Drago · · Score: 4, Funny

    You would trust any email with a link to go log in to your account? Man, I'm amazed you have any money left to check on!

    --grendel drago

    --
    Laws do not persuade just because they threaten. --Seneca
  41. It's deja vu all over again! by Thud457 · · Score: 4, Funny
    If this keeps up, pretty soon we'll all be using the same identity!

    Quis custodiet ipsos custodes? -- apparently a blind drunkard that's easily bribed.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  42. Re:It's not perfect, it can be made more difficult by Anonymous Coward · · Score: 5, Interesting

    Nope. It shouldn't be that hard to have every employee's access to every account logged.

    I worked at a large financial institution (life insurance, in a branch of a bank. Hell, what I'm saying is 100% accurate so let me say that I'm talking about RBC Insurance - Life, whose offices are in Mississauga, Ontario) a while back, and had full access to hundreds of thousands of customers' data, including specially separated "high net worth" clients. I looked around and realized that on any of the developer PCs (where the user was admin. Actually these morons set DOMAIN\Users as admins, which meant that there was no PC to PC security and any hack could occur by co-opting a coworker) a USB key or PDA could siphon off everything.

    Realizing how insanely loose the controls were, I proposed initiative after initiative to tighten up the system, and to add some sort of read logging, but I learned firsthand that financial institutions, presuming this one was par for the course, are 95% politics, and 5% actual concern about customers. The only way any sort of checks and balances were going to be implemented is if it properly gave a handjob to every useless mid-level manager planning their next Machiavellian maneuver (and successfully ensured that I didn't look good out of it, as a shop like RBC is configured in such a way that only the mediocre persist. If you look good, the next time a management churn occurs some clueless twit will purge the clueful). It really was eye opening, and the status quo was maintained and everyone acted like nothing was wrong.

    Of course you really have to work in a place like that to fully appreciate how terribly incompetent such organizations are, and to make it more fun they churn their management around with no logic or thought. Remarkable stuff.

  43. Re:Just called BofA.... by e · · Score: 2, Interesting

    Bank of America has separate computer systems for BoA East and BoA West. I too opened my account in CA, but filled out a credit card form with my family's MI address. The result: I had both a checking and credit card account with "BoA", but couldn't see the two in the same online account manager. -e;

  44. Re:It's not perfect, it can be made more difficult by soft_guy · · Score: 4, Interesting

    The reason we don't have systems like that is because there isn't any financial incentive to implement them.

    The reason we don't have this is because, in the USA, the crooks are writing our laws.

    --
    Avoid Missing Ball for High Score
  45. value, protection and economics by slew · · Score: 5, Interesting

    The way I see it, many of the companies that collect personal information (banks, radioshack, etc) see little or no value in the information they are protecting; it's only their value of reselling it (e.g., like a pawn shop). As an old, tired example, why does radioshack need a phone number when you buy a battery?

    IMHO, the goal should be to make economics work for us. The cost of them collecting and securing it should balance the value they get from selling it. Then if the expected return on investment is zero, why would they even bother to collect it? They do it right now only because it costs them little to collect it and they can resell it for more.

    One way to get this is to assign big penalties to losing control of the info so that the expected cost is high. Another way is to just bill them up front (e.g., tax companies for collecting the information). I'm guessing that in the end, some combination of things would be optimal.

    Another thing to look at is to licence people (not companies) to handle information. For example, it takes a registered notary public (not a flunky that the bank assigns) to witness signatures on major business transactions. Why can a company assign some skript kitty to process social security numbers? Why should a bank VP have any access at all? Getting notary public certification is trivial for anyone with 1/2 a brain, but they make it very clear that your butt is on the line, not the company's butt, so most of them take it pretty seriously. Something about a few hours studying for a test and a name on a license and some personal responsibility makes most folks take their jobs less like a joke (although you occasionally get the rogue CPA or notary, it isn't very common)... Maybe it's time for a certified public information collection certificate or something like that...

    Anyhow, that's just food for thought...

  46. If your bank notified you, would you notice? by DunbarTheInept · · Score: 2, Informative

    Allegedly the affected customers have been notified by their banks. This leads to a question I have - with phishing being so common, when anyone receives an e-mail from their bank, do they believe it's really from their bank anymore? Especially when it says it's about an alleged compromise of their account?

    One of the worst things about spammers is that they generate a "boy who cried wolf" problem for people sending legitimate e-mails.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  47. Did they promise unbreachable security? by glrotate · · Score: 2, Informative

    No, nor did they promise the bank president wouldn't take all of my money to buy coke, hookers, and a ticket to Fiji.

    In the law there are such things as due diligence, and negligence. Some of these organizations need to get hit with a massive lawsuit in order for the message to be sent loud and clear.

  48. Normally Windows, but Solaris is 3 here. by WindBourne · · Score: 2, Insightful

    Normally, the break-ins involve Windows (in fact, Windows has some 40% of https space, yet has more than 95% of the thefts). But here Windows is only 1 out of the 4. Solaris accounts for the other 3.

    That assumes that they really are on these sites. With the big break-in that occurred with Visa/MC/Discover about 1-2 years ago, it took a while, but they found a Nebraska clearing house running Windows had been broken into, not the CC sites.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  49. Re:It's not perfect, it can be made more difficult by ArghBlarg · · Score: 3, Insightful

    Have you ever considered blowing the whistle on their lax security? Really -- contact some media outlets, try to contact large stockholders etc. It's the best thing you could do for the people whose data is held there. You'd be doing a service to society at large.

    --
    ERROR 144 - REBOOT ?
  50. Deliberate misnomer this 'identity theft'. by Senor_Programmer · · Score: 4, Insightful

    It's plain old fraud and the onus should be on the merchants and lenders who fail to verify the identity of the person they are extending credit to.

    But no, this is too costly, so they try to put it back on the person whose information is used in the fraud.

    It's NOT RIGHT! If someone else borrows money in your name, it's the lender's problem, not yours. Your identity was not stolen. You are still you. The lender is at fault because he failed to exercise due diligence in a climate where fraud is rampant.

    Just think about it for a minute. You are NOT the victim of identity theft. You are still you and the other guy screwed some third party. Why should it cost you any money or any time... Instead, the idiots who carelessly or out of greed failed to verify that it was indeed you and not someone else requesting a credit report and credit should pay.

    There's a simple solution too.

    The credit reporting companies need to stop selling information to anyone other than the person who owns the information. Mainly you if it's your information. You want a loan, you request the information. Hell, if it takes a photo ID and a visit with a rep from the reporting company, then that's what it takes... But it's their problem to solve, NOT yours.

  51. Wells Fargo has BOA beat by a mile! by funk49 · · Score: 4, Informative

    Wells Fargo has *THE* worst security of all the large financial institutions.

    Last year, I received a notice that my personal info was on a system of theirs that was compromised. I called the customer support number given and inquired about what happened. Turns out, a laptop at a billing facility (yeah, i know...a laptop) was stolen along with a few others in a physical security breach.

    On that laptop was the personal info (SS numbers, addys, everything) of 300,000 account holders. Yes, that's right...300,000! Worst part is that this same scenario has occurred 3 times in the last 2 years!

    Wells Fargo's CSO and CISO should be flipping friggin' burgers instead of providing security as they are setting the standard for how bad you really can be.

    Hey Wells Fargo asshats, ever heard of getting some kind of policy and compliance audits going?

  52. Re:What will it take? by peachpuff · · Score: 2, Interesting
    "Second, they're moved to federal court not because federal courts are more business-friendly, but because of procedural differences in state court vs federal court. State courts tend to be more relaxed in due process procedures, and award ridiculous damages that are confiscated by private law firms."

    No, the point was that laws and typical awards vary from state to state. It used to be that you could just pick a state: if a company does business in five states and screws people in all five of them, you could pick any one of the five. If one of the five is friendly to plaintiffs, you'd pick that one. That doesn't mean that all states are plaintiff-friendly.

    You could say that the old way was unfair, but I think if you do business in a state you should be subject to its laws. It's certainly more fair than all these companies incorporated in Delaware, where they have no customers but lots of friendly courts.

    Also, it makes no sense to claim that the President can't be responsible for a law. I don't know how hard he pushed this particular bill, but he's the most powerful person in the country and the leader of the majority party. His support makes a huge difference in whether a bill gets passed, as he or any member of Congress will tell you.

    --
    -- . . ramblin' . . .
  53. All the way to the bank. by Doc+Ruby · · Score: 2, Insightful

    The people who stole this info were insiders, high-level employees of the bank. They committed the theft, they're responsible. The bank employed them, and was responsible for their actions. Just like if their security guards stole the money you deposited from a vault, before computers, they're responsible. Unless they found that the employees had breached the security protocols in some unpredictable way, not that the protocols were inadequate. Like relying purely on unaccountable trust of single employees without witnesses, as apparently in this case.

    When we put our money in the bank, we reasonably expect they won't leave the door unlocked. When they do, or trust someone with a key, they are responsible. It's not each customer's responsibility to audit their security: that's what we have the Treasury, many other government organizations, and professional integrity to rely on. When a bank enables damages by allowing cracks in that security apparatus, they've got to pay the cost.

    --
    make install -not war