Banks’ Big Security Threats? Tellers With Too Much Data

With all the talk about cybersecurity, technology investments and what threats banks must worry about, one key aspect may be getting overlooked: humans.

Specifically, bank tellers, who have quick access to cash and sensitive account information, pose a potentially big threat to the financial services security equation. As profiled in The New York Times, this subset of bank employees has the potential to wreak havoc on a bank’s security.

As banks focus on keeping hackers out, The Times’ article focuses on what role tellers and bank managers have in the overall ecosystem. And with staffs getting slimmer, and more focus on digitizing the overall banking experience, one thing is becoming very evident: less value is being placed on those once-trusted people standing behind the counter and assisting customers.

This has led prosecutors, government officials and security experts to warn about the potential threat those people pose to banks, particularly as the individuals’ skill sets get lower, pay gets cut and less credible people fill the positions. Diminishing their importance, those officials say, could pose criminal threats to banks.

A letter Attorney General Eric Schneiderman sent to the big banks, like JPMC, BoA and Wells Fargo, last summer addressed this very issue. He wrote about how new tellers had “unlimited access to financial institution customers’ account data.”

That means potential increases in practices such as wire fraud theft, making fake debit cards, withdrawing money from ATMs, or selling off personal financial information to make an extra few bucks. Officials have pointed to things like direct deposits of government-related funds as one particular problem.

Prosecutors suggest that the rich and elderly are particularly at risk for being targeted. The Times cites a case from White Plains, New York, last year in which a teller was sentenced for participating in an ID theft ring that skimmed $850,000 from bank accounts. And there have been a number of cases just like it since.

“It’s a rampant problem,” Brenda Fischer, chief of the Cybercrime and Identity Theft Bureau for the Manhattan district attorney’s office, told The Times, which noted that her office brings in close to a case a month against a teller.

Prosecutors suggest evaluating which employees get access to what financial details, saying that many low-level employees have too much access to customers’ personal financial information. That was the case when two ex-JPMC bankers took $400,000 from accounts using fake ATM cards opened in people’s names — some of whom had even passed away.

For over two years, those employees are accused of maintaining personal access to 15 high-balance accounts in elderly citizens’ names, using forged documents to create ATM cards which accomplices used to withdraw about $400,000 in total. Although the accounts in question were dormant (prosecutors believe that the majority, if not the entirety, of them belonged to deceased citizens), they continued to receive deposits from the Social Security Administration as a result of outdated reporting, and hence were targeted by the alleged fraudsters.

This may come back to security controls at banks, which some experts in the security space believe have started to lag. While customers are monitored heavily for suspicious activity, following laws passed after Sept. 11, those same security checkpoints aren’t necessarily enacted for bank employees.

“The banks are still too trusting of the individuals they employ,” Kevin Streff, managing partner at Secure Banking Solutions, a security consulting firm, told The Times.

“There is a reluctance to provide real oversight, rigor or even security training, because it costs time and money,” he noted in the interview.

And once that personal information gets breached — even internally by bank employees — and possibly sold on the Dark Web, there’s no pulling it back.

“All of your personal information is suddenly in the wild,” Fischer said.