Tuesday 30 March 2010

TJX and internal monitoring

Albert Gonzalez gets 20 years for the identity thefts he perpetrated with accomplices. They are being convicted of what is being branded as the biggest cybercrime identity theft targeting credit card data thus far. The attacks occurred over a 17-month period from 2005 to 2006, and saw the team break into the networks of a number of US retailers.

There is a lot to learn from this case. The attack was a classic security process failure: the attackers were able to war drive and break in through weaknesses in the wireless infrastructure, there was a lack of internal monitoring and controls, and so on. These are facts and issues that will be picked over for some time.

Technical interest aside, the motivation of the tech guys who helped write some of the software is what interests me. Three of them have recently been sentenced: Stephen Watt gets 2 years, Christopher Scott gets 7 years, and Humza Zaman gets 4 years. It turns out that Watt and Zaman both had highly paid jobs and a promising future in front of them. Zaman, in particular, is of interest as he worked for Barclays bank as a network security manager, and sent Gonzalez ATM system logs. Watt was a programmer at Morgan Stanley, yet it doesn't appear that he revealed or stole anything from that organisation. These facts are very interesting, as Zaman represents the classic insider threat. In this instance he got caught, but only because this was such a high-level case.

There's some salacious stuff in the press at the moment about the motivation of these individuals, and the reasons why they would involve themselves, and it is pretty hard to tell whether this is the absolute truth, or whether it has been overblown to a certain degree. However, the factors that motivate well paid, intelligent and successful people to commit such crimes are of interest to the internal risk teams. Drugs and sex form a large part of the allegations, yet from preliminary reading, it seems that these were merely the results of their success, and the motivation was linked to comradeship, a sense of being, and identity.

I went to a financial crime conference in December of 2009, and the head of risk of a large bank gave an overview of the internal monitoring and controls the bank implements to detect the probability that an employee might steal. Risk indicators include changes in personality, addiction, changes in personal relationships, and so on. It would be interesting to understand whether strong social links such as these (the members were part of a local chapter of 2600) are included in this analysis. Large banks, such as Barclays and Morgan Stanley, do conduct this type of analysis on their employees, and it's likely that better internal monitoring of both technical (by TJX and the businesses attacked) and human (by the banks) resources could have averted these crimes.
