
Insider Identity Theft Can Be Most Damaging

Earlier this week, an IT employee was indicted for stealing the identities of 150 of his coworkers at Bank of New York Mellon, to the tune of 1.1 million bucks. He bilked almost $140,000 a year over an eight-year period by compromising the online bank accounts of numerous employees and wiring money to fraudulent accounts outside the bank.

This is a classic case of the fox watching the hen house. This guy was an insider terrorist, looking his colleagues straight in the eye and lying to them. I rank him with pedophiles and serial killers.

As much as 70% of all identity theft is committed by someone with inside access to organizations such as corporations, banks, or government agencies, or by someone who has an existing relationship with the victim. People with access to sensitive personal data are most likely to commit identity theft. For many, it’s just too easy not to.

An identity thief begins by acquiring a target’s personal identifying information: name, Social Security number, birth date and address, account information, etc. If the thief has regular access to a database, this data is right there for the taking. Many credit applications and online accounts request current and previous addresses. So the thief fills out the victim’s current address as “previous” and plugs in a new address, usually a P.O. box or the thief’s own address, where the new credit card or statement will be sent. I’m amazed that a lender or credit card company can be careless enough to send a new credit card to a relatively anonymous P.O. box. The lender just checks the victim’s credit and, since everything matches, no red flags pop up. The card is issued, the account is opened and the fun begins.
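A lender can raise the missing red flag by comparing the application against the address it already holds for the person. The Python sketch below is an added example, not part of the original article; the field names, flag names, review policy and sample addresses are constructed assumptions.

```python
import re

# Matches "P.O. Box", "PO Box" and "Post Office Box" (constructed pattern).
PO_BOX = re.compile(r"\b(p\.?\s*o\.?|post\s+office)\s*box\b", re.IGNORECASE)

def normalize(addr):
    """Lower-case, drop punctuation and collapse spaces so equal addresses compare equal."""
    addr = re.sub(r"[^\w\s]", "", addr.lower())
    return " ".join(addr.split())

def address_red_flags(application, file_record):
    """Return the reasons an application should not be processed automatically.

    application: {'current': str, 'previous': [str, ...]} as typed by the applicant.
    file_record: {'current': str}, the address the lender or bureau already holds.
    """
    flags = []
    on_file = normalize(file_record["current"])
    claimed = normalize(application["current"])
    previous = {normalize(a) for a in application.get("previous", [])}

    if PO_BOX.search(application["current"]):
        flags.append("mail_to_po_box")
    if claimed != on_file:
        flags.append("current_address_not_on_file")
        # The pattern from the article: the address on file is demoted to
        # "previous" and a new mailing address takes its place.
        if on_file in previous:
            flags.append("on_file_address_listed_as_previous")
    return flags

def decision(flags):
    """Hypothetical policy: a swap is confirmed by mail to the address on file
    before any card or statement goes to the new one."""
    if "on_file_address_listed_as_previous" in flags:
        return "hold_and_verify_at_address_on_file"
    return "manual_review" if flags else "proceed"

# Constructed sample data.
ON_FILE = {"current": "12 Elm St., Apt 4, Springfield"}
SWAPPED = {"current": "P.O. Box 991, Springfield",
           "previous": ["12 Elm St Apt 4, Springfield"]}
GENUINE = {"current": "12 Elm St, Apt 4, Springfield",
           "previous": ["7 Oak Ave, Shelbyville"]}

if __name__ == "__main__":
    for name, app in (("swapped", SWAPPED), ("genuine", GENUINE)):
        flags = address_red_flags(app, ON_FILE)
        print(name, flags, decision(flags))
```
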

In the Bank of New York Mellon case, investigators found dozens of bank and credit statements in the names of the victims at the thief’s home address.

Think for a moment about your house or apartment, and how you might break in if you lost your keys. If a burglar knew what you know about where you hide and store your stuff, how much damage could he do? Insiders pose the same problem. They know the ins and outs of all systems in place, and can wreak havoc on your operation as long as they are employed, and sometimes even after they are let go.

The problems begin when we are forced to trust people with complete access in order to allow them to perform their required duties. Ultimately, this is a people problem and needs to be addressed as such.

It is human nature to trust each other. We are raised to be civil towards one another and to respect those in authoritative positions. It takes a significant amount of trust in your fellow human beings to drive down the street while cars are heading toward you, separated only by a thin painted line. Without trust, we couldn’t get out of bed in the morning.

To protect your business and your data, limit sources as much as possible. Minimize the personnel with access to essential systems. Supervise the supervisors. Even your good apples can eventually go bad, so limit access, even for those who are in a trusted position. And require checks and balances, with multiple layers of authorization. If one person is always watching over another person’s shoulder, bad apples can’t hide or execute scams. Perform due diligence. In the information age, our lives are an open book. Background checks from information brokers are crucial. Failing to do background checks increases your liability. Someone who has been previously convicted of a crime just might do it again. And if a breach of trust does occur, prosecute the guilty. Make an example that others won’t forget. Public hangings are a strong deterrent.

Get a credit freeze. Go to and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.

And invest in identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.



Comments: (2)

Stephen Wilson - Lockstep Consulting - Sydney 11 November, 2009, 02:42

Robert, I don't think it's useful to label thieves, even grand larcenists, as "terrorists".  And comparing this guy to pedophiles and serial killers is disproportionate, and frankly insulting to the victims of these immeasurably more serious crimes.

Having said that, I commend you for highlighting the criticality of inside jobs in the identity crime wave.  The lesson has to be that audits and policy-based responses are of very limited use, because insiders can so easily evade them. 

Why don't we put proper security around online identifiers?  Why do we resist so energetically investing in decent preventative online security?  Imagine running a bank where the main mechanisms to protect the cash was personnel processes and audits.  Duh! We all know that insiders cannot resist multi-million dollar temptations ("it's good to trust; it's better not to"), so we put all manner of proper physical controls around cash. 

We must do the same with identity data. 

As you say Robert, the fun begins when the identity thief obtains a target’s name and address, SSN, birth date and account information.  They get away with ID fraud because it's insanely easy to replay identity data to create new accounts.  You're right that the rules around address matching should certainly be tighter, but the stark underlying problem would still remain: identity data should not be replayable.

Asymmetric cryptography, digital signatures and secure chip devices for protecting personal identifiers offer the best way to imbue original identity data with a pedigree. These are standardised building blocks, now almost ubiquitous in the personal computing and e-commerce technology stacks. Digitally signed data cannot be replayed; it's useless to thieves.  Banks, merchants and governments should use this technology.  And then, on the Internet, you really could tell if I was a dog!

Stephen Wilson, Lockstep.

Keith Appleyard - available for hire - Bromley 11 November, 2009, 13:10

What is particularly disturbing in this case is the length of time, from 1st November 2001 to 30th April, 2009, that the crimes were allegedly underway - almost 8 years – as he is described as a 27-year-old now, it means he started out when he was 19 years old – so what access rights did he enjoy under what level of supervision?

