
SA loses R150bn to insider fraud

By Admire Moyo, ITWeb's news editor.
Johannesburg, 17 Sept 2010

Corporate SA is losing an estimated R150 billion annually to insider fraud, according to Steven Powell, head of forensics at law firm Edward Nathan Sonnenbergs.

Speaking at the recently ended Identity Indaba in Fourways, Powell said the majority of fraud cases are perpetrated through the abuse of IT passwords.

“Insider fraud is now one of the major risks faced by SA. A dozen or so local cases during 2009/10 saw insiders steal almost R1 billion in EFT fraud alone,” he said.

He added that EFT fraud has assumed near-epidemic proportions over the past year. “In most of the cases we have examined, the EFT fraud was committed over many months and even years before the fraudster became greedy or careless, which resulted in detection.”

Powell said the majority of cases examined found that finance staff had shared their passwords with fellow team members. “This means that any one of the two or three employees empowered to process transactions is able to transact while the other colleague is out of the office.”

“Once an insider knows the user login code and password of a suitably authorised colleague, they can modify an existing supplier's bank details or create new vendors. Having made the changes, which on the face of it appear legitimate, the insider can divert hundreds of thousands of rands to their destinations of choice as payments are processed.”
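Both patterns Powell describes, one account in use by two people at the same time and a change to a supplier's bank details followed by a payment to that supplier, leave traces in an ordinary finance-system audit log, whatever authentication technology is in front of it. The script below is an added example and is not code from the article or from any firm it quotes. It assumes a hypothetical line-oriented audit log of space-separated key=value fields (the event names, user IDs and vendor codes are invented), and the sample lines it runs over are constructed for illustration.

```python
"""Detect two insider-fraud patterns over constructed audit-log lines.

Added example, not from the article. Assumes a hypothetical log format:
  <ISO timestamp> event=<NAME> key=value ...
Event names LOGIN/LOGOUT/VENDOR_BANK_CHANGE/PAYMENT are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log (not real data): one account used from two
# workstations at once, then a payment to a vendor whose bank details
# that account changed three days earlier.
SAMPLE_LOG = """\
2010-08-02T08:55:00 event=LOGIN user=thandi host=WS-114
2010-08-02T09:10:00 event=LOGIN user=thandi host=WS-207
2010-08-02T09:14:00 event=VENDOR_BANK_CHANGE user=thandi vendor=V1022 account=62012345678
2010-08-02T09:30:00 event=LOGOUT user=thandi host=WS-207
2010-08-02T17:01:00 event=LOGOUT user=thandi host=WS-114
2010-08-05T10:00:00 event=LOGIN user=pieter host=WS-115
2010-08-05T10:05:00 event=PAYMENT user=pieter vendor=V1022 amount=864000
2010-08-05T10:06:00 event=PAYMENT user=pieter vendor=V0400 amount=12500
2010-08-05T16:30:00 event=LOGOUT user=pieter host=WS-115
"""


def parse_log(text):
    """Turn each 'ts key=value ...' line into a dict; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def shared_credential_sessions(events):
    """Flag one user ID logged in on two different hosts at the same time.

    A shared password shows up as overlapping sessions for a single account.
    Returns tuples (user, existing_host, new_host, time_of_second_login).
    """
    open_sessions = {}  # (user, host) -> login time
    findings = []
    for ev in events:
        if ev["event"] == "LOGIN":
            key = (ev["user"], ev["host"])
            for (u, h) in open_sessions:
                if u == ev["user"] and h != ev["host"]:
                    findings.append((u, h, ev["host"], ev["ts"]))
            open_sessions[key] = ev["ts"]
        elif ev["event"] == "LOGOUT":
            open_sessions.pop((ev["user"], ev["host"]), None)
    return findings


def payments_after_bank_change(events, window=timedelta(days=30)):
    """Flag payments to a vendor whose bank details changed within `window`.

    Records who made the change and who released the payment, so a reviewer
    can see whether one (possibly shared) account did both.
    """
    changes = {}  # vendor -> list of (change time, user who changed it)
    findings = []
    for ev in events:
        if ev["event"] == "VENDOR_BANK_CHANGE":
            changes.setdefault(ev["vendor"], []).append((ev["ts"], ev["user"]))
        elif ev["event"] == "PAYMENT":
            for change_ts, changer in changes.get(ev["vendor"], []):
                if timedelta(0) <= ev["ts"] - change_ts <= window:
                    findings.append({
                        "vendor": ev["vendor"],
                        "amount": int(ev["amount"]),
                        "paid_by": ev["user"],
                        "changed_by": changer,
                        "days_since_change": (ev["ts"] - change_ts).days,
                    })
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in shared_credential_sessions(evs):
        print("possible shared credential:", f)
    for f in payments_after_bank_change(evs):
        print("payment shortly after bank-detail change:", f)
```

On the sample data the first check reports thandi's account active on WS-114 and WS-207 simultaneously, and the second reports the R864 000 payment to V1022 three days after that account altered the vendor's bank details. The thirty-day window is a starting point; in practice it should be widened to match the payment run cadence, and any hit where `changed_by` equals `paid_by` should be treated as a segregation-of-duties failure.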

PricewaterhouseCoopers, in its 2009 Global Economic Crime Survey, said: “Economic crime is pervasive, persistent and pernicious. No organisation is immune from the threat of fraud.” The survey found 62% of economic crimes in SA businesses were committed by insiders.

Similarly, Ernst & Young, in its 2009 Global Information Security Survey, said authorised users and employees pose the greatest security threat to an organisation.

The 2010 SAPS crime statistics show that 84 842 white-collar crime cases were reported in the 2009/10 reporting year (April 2009 to March 2010), a 56% increase on 2006.

The weakest link

Mark Eardley, head of marketing at SuperVision Biometric Systems, says: “The sheer number of passwords amplifies the problem. The average 'knowledge worker' may have to use six or more passwords in the course of a normal day, for Windows log-on, data encryption, remote access, WiFi access, e-mail, Web-based applications or portals, and back-office applications.”

Eardley cites an assessment by security company Imperva of how users select passwords, which analysed the strength of passwords as an IT security measure and identified the most common passwords and how many users chose each.

The report found that '123456' was the most common password, used by 290 731 users. The other most popular passwords were '12345', 'Password', 'iloveyou' and 'abc123'.

According to Imperva's CTO, Amichai Shulman, "Employees using the same passwords on Facebook as they also use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like 123456. The problem has changed very little over the past 20 years. It's time for everyone to take password security seriously; it's an important first step in data security.”

Password cracking

Richard Boyd of the Georgia Tech Research Institute says the growing use of graphics cards as surrogate supercomputers could spell trouble for users of short passwords. He adds that GPUs will soon make it trivial to crack short passwords, and that a password of seven characters or fewer will soon be "hopelessly inadequate".

Charlie Stewart of SuperVision puts forward fingerprint sign-on as a way to secure IT systems: “We have been replacing cards, passwords and PINs with biometrics for several years within physical access control systems. In a wide diversity of workplaces, fingerprint biometrics is an accepted part of security and payroll management solutions.

“SA is a world-leader in its applications of biometrics for workplace security: some 50 000 fingerprint readers now control physical access for some 2 million employees across SA.”

EFT fraud cases reported 2009/2010

Blue IQ: CEO linked to R450 000 in fraudulent payments, claims password stolen. September 2009. Auditors find that the CEO's password was used to make fraudulent EFTs.

Vodacom: R8 million insider fraud, stolen passwords, diverted funds. August 2009. A syndicate stole from clients of First National Bank, Standard Bank, Absa, Nedbank and Capitec. A Vodacom employee intercepted text messages to obtain banking PINs and passwords. Money was diverted to 155 accounts held by the syndicate.

Mpumalanga Education Department: R5.5 million stolen via insider password fraud. October 2009. Suspected hackers in Gauteng, with the help of login names and passwords from department staff, accessed the Basic Accounting System. Bank details were changed on the system and payments channelled to seven accounts in August and September 2009. Amounts ranged from R864 000 to R989 000.

R769 million stolen: KwaZulu-Natal probes insider fraud. April 2010. Government investigates 25 insider fraud cases involving R768 827 043 in the 2009/10 financial year, according to finance MEC Ina Cronje.

Teazers: insider diverted R162 000 to personal account. June 2010. Financial manager arrested on fraud charges involving R162 000. Allegedly channelled funds from Teazers into his own account.

Social Security Agency: insiders steal passwords and divert funds to personal accounts. March 2010. Three arrested for social grant fraud in Esikhawini, KZN. They were "found in possession of a spyware device that is used to steal user identities and passwords that Sassa officials use to register social grants," said Sassa spokesperson Mbizeni Mdlalose.

Department of Environmental Affairs: stolen funds diverted by insiders to private account. March 2010. Three officials in the marine and coastal management branch suspended for allegedly diverting donor funds into a private account.

Omnia Holdings: R23 million stolen by insider. May 2009. Former salaries accountant accused of stealing R23 million over a period of eight years. She allegedly used her own accounts and those of her family to deposit the stolen funds.

SA Institute of Electrical Engineers: R703 452 stolen by insider. March 2010. Employee stole R703 452 through fraudulent transactions. A forensic audit has been conducted but not yet completed. Another R234 320 has been identified as lost through suspicious transactions.

State pension fund: insider syndicate steals R1 million via modified banking details. July 2010. Nine insiders at the Government Employees Pension Fund are believed to have colluded with bank employees, lawyers and members of communities to make fraudulent payments into altered bank accounts. Another unauthorised R412 585 was paid to authentic beneficiaries.

Mpumalanga Agriculture Department: R1.9 million stolen by insiders. July 2010. Two former top officials and a clerk have been accused of defrauding the department through allegedly fraudulent payments.

Facts provided by SuperVision Biometric Systems
