Shostack + Friends Blog Archive

The FDIC's Cyber Fraud Report

The FDIC’s Division of Supervision and Consumer Protection didn’t release a report titled “Cyber Fraud and Financial Crime” on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in “Banks: Losses From Computer Intrusions Up in 2007” and “The FDIC Computer Intrusion Report.”

One of the great things about having the full report is that we don’t need to rely on Brian to interpret it for us. I love having data, and hate how rare it is for people who work in information security to have anything but summaries.

I found a couple of things interesting. At first they seem unrelated:

  • The largest category is mortgage fraud, costing roughly $600MM in the 2nd quarter of 2007, and up 15% from Q1.
  • The second largest is check fraud. Check fraud is up, according to the FDIC (page 9), because the “Check21” [link to http://www.federalreserve.gov/paymentsystems/truncation/ no longer works] program, which transmits images rather than physical checks, does not capture enough detail to show watermarks or the chemical alteration indicators built into the paper.

Both are really about risk tradeoffs, and it seems that as employment increasingly becomes a short-term deal, organizations become more focused on the short term. [Updated: clarified that sentence a little.]

An example is the “zippy” memo, where JPMorgan Chase employees traded information about how to fool the computer into approving loans. (See “How to Get an ‘Iffy’ loan approved at JPM Chase,” or “Chase mortgage memo pushes ‘Cheats & Tricks.’” [link to http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/120658650589950.xml&coll=7 no longer works] Chase fired at least one person for distributing it.)

The advice included:

  1. Lump all of an applicant’s compensation as the applicant’s base income, rather than breaking out commissions, bonuses and tips.
  2. Do not disclose use of gifts for down payments.
  3. If all else fails, simply inflate the applicant’s income. “Inch it up $500 to see if you can get the findings you want. Do the same for assets.”

Now, any security professional worth their salt can come up, post facto, with fixes for each of these behaviors that prevent or detect them. But the real problem is that the commission isn’t paid over the life of the loan; it’s paid up front. Of course people are going to find ways to get the loans approved and not worry about what happens next. Your community banker didn’t actually get bonuses over the life of the loan, but did expect to be with the bank when a problem happened.

As long as (as Martin Wolff says) “no industry has a comparable talent for privatising gains and socialising losses,” we should expect to be unpleasantly surprised by reading about bank fraud. (A bit more context on the Wolff quote can be found in this excerpt [link to http://paul.kedrosky.com/archives/2008/01/15/are_banks_bad_f.html no longer works].)