Banks to blacklist rogue workers in fraud fight

Database could help banks avoid hiring financial services employees sacked for leaking consumer data or knowingly causing losses.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Major U.S. financial institutions are working to set up a new defense against insider fraud: a database of employees who are known to be scam risks.

Banks and similar organizations already run reference and background checks on new employees, but an extra security measure is needed, according to BITS, a consortium of 100 of the largest U.S. financial institutions, including JPMorgan Chase and Wachovia. The new database, announced Wednesday, will list information on employees at financial institutions who were fired because they compromised customer data or knowingly caused financial losses, the group said.

"There is a phenomenon of people being able to literally walk down the street to another financial institution and get hired," said Cheryl Charles, a senior director at BITS. In one case, the same scammer was hired by three institutions, she said. "This new database is going to help prevent that kind of thing."

Reports of insiders attacking financial services systems are on the increase. In a 2004 Deloitte survey of IT security in the industry, 35 percent of companies said they had come under an attack from an internal source. That's up from 14 percent in 2003.

That trend has been reflected in high-profile security breaches at banks. In one example in April, police in Hackensack, N.J., arrested nine individuals who were allegedly involved in selling the personal information of just under 700,000 people. Eight of the suspects were bank employees, and Bank of America and Wachovia were among the big companies that had to notify customers that their account information had been stolen.

The compilation of information on insider risks is meant to help prevent such breaches, Charles said.

"Unfortunately, there is not a good way today to track who these people are. So we're putting them in a database--of course, consistent with the law and making sure nobody's privacy is violated," she said. The database is currently under development and should be ready by mid-2006, BITS said.

The blacklist is one of the ways financial institutions are fighting fraud. Banks are also increasingly protecting their online services and putting up shields against phishing attacks.

The Federal Financial Institutions Examination Council recommended earlier this month that banks introduce multiple-factor authentication by the end of 2006.