Insider fraud a growing IT problem: Financial Mail
A staggering US$2.6 trillion was lost to businesses and government departments worldwide last year through insider fraud using employee passwords and personal information numbers.
And in the cases reported in SA this year alone, at least R1bn has been lost.
Some experts say that’s only the tip of the iceberg. In a global study carried out by the Association of Certified Fraud Examiners — the largest research project of its kind — it was found that almost 90% of insider cases involved billing, fraudulent payments, payroll, expenses and asset misappropriation. In nearly a quarter of the cases, the employer lost at least $1m.
Because password abuse, identity theft and flaws in the personal identification number (pin) system have been detected, businesses, information security companies and government departments handling sensitive information are now looking outside the standard systems for protection.
One solution for IT-based insider fraud is to replace passwords with a biometric sign-on system. Experts say this option is fast gaining ground. According to Mark Eardley of SuperVision Biometric Systems in SA, most research shows fingerprints are the most stable security mechanism, and are already used by a number of law enforcement agencies around the world. “All the big money and research has focused on fingerprinting, which is the most advanced and widely used biometric system so far,” says Eardley.
SA is among the world leaders in its application of biometrics. Eardley estimates there are more than 50000 fingerprint readers controlling workplace access for some 2m employees across SA — at least 20% of the work force.
There are other forms of biometric protection — voice and face recognition, key-stroke mannerism and palm prints — but these are largely peripheral to fingerprinting. Eardley says some of the technology on the market can even distinguish between a real finger and a latex mould.
Previously, large companies and government departments shied away from biometric security because it lacked software programming which could be used within diverse IT applications. But new software called SuperSign, which Eardley’s company uses, has filled this gap.
SA achieved one of the largest conversions to the biometric system when the department of home affairs transferred the information of almost 40m people on the population register onto the system. The last such migration on this scale took place when the Federal Bureau of Investigation in the US transferred more than 8m records and fingerprints from its database onto a biometric system.
Home affairs is now introducing the system in the handling of identity and travel documents and by April this year, more than 3800 department employees had been enrolled on it. The system is also being used in the department of social welfare to control the payment of social and disability grants and reduce fraudulent payouts. The department of agriculture, forestry & fisheries is moving to biometric applications as well.
Gary Jones, MD of Ideco Biometrics Security Solutions, based in the US, says SA is several years ahead of most countries in adopting the system. Jones says that in the US, the use of biometrics was limited mostly to law enforcement agencies and it was only after the September 11 terrorism attacks in New York that the government began exploring its use in other areas of security.
Now, Jones estimates that more than 450 government agencies in over 100 countries — including the FBI, Interpol and the UN — use the biometrics system, which manages more than 2,5bn fingerprints worldwide. It is in use in more than 50% of US state and local systems. Businesses looking to introduce the system at workplaces are usually put off by the initial cost, which depends on the programme or application. “When considering the capital layout, you have to look at the return on investment, which is measurable in the amount you are saving from fraud and insider threat to corporate intellectual property, as well as ‘time in attendance’ of employees,” says Jones. “Biometrics is the best way to sort out these problems.”
Eardley says it costs the equivalent of “a good cup of cappuccino” per employee per day to maintain the system.
One of the world’s top academic researchers to have studied the security of passwords and pins in smart cards is Cambridge University’s Steven Murdoch, whose most recent study uncovered a significant flaw in what is known as the EMV protocol. This is the dominant protocol — which draws its name from Europay, MasterCard and Visa — used by almost 730m bank cards in circulation in Europe and being introduced in the US and Canada this year.
Murdoch’s research found that, despite banks’ insistence to the contrary, stolen bank cards can be used to make fraudulent purchases using the wrong pin.
He says that while biometrics is an important element of information security, it shouldn’t be seen as a panacea. “What it doesn’t solve is the overall system security, of which biometrics is a small aspect,” says Murdoch. While the fingerprint system is effective in showing that a person is physically present, it doesn’t always solve problems of the trustworthiness of the devices used or the fact that the line of communication can be tampered with.
“We have found that a lot of banking fraud is carried out through malicious software in computers and this can also hamper biometrics,” says Murdoch. “The way to improve the system is to make the security simpler.”

