This is a classic case of trusted insider threat, as reported by yesterday’s morning paper, “Israel Today” (I assume that this has been under investigation for a while, so the actual event may have happened over a year ago…).
The arrest sheet in the Tel Aviv district court depicts collusion between an information security employee and outsiders.
An employee in the information security department of the First International Bank in Tel Aviv has been charged as an accessory in a theft of over 100,000 shekels from bank customers. The employee, Dan Tirspolski, exploited access to confidential information to identify foreign resident customers of the bank and their online user names and passwords. The foreign residents, not being physically present in Israel, use the Internet to occasionally access their accounts. He then transferred this information to accomplices outside the bank, who used their Internet access to withdraw money from the accounts.
The case reveals a direct link between data loss, fraud and money theft. The trusted insider did not exploit a vulnerability of weak passwords. In cases like this, trusted insiders are insider threats that exploit a minimum of two vulnerabilities in the bank’s software applications, and both vulnerabilities are a violation of the principle of separation of duties:
- One application may disclose clear text versions of the username and password relating to a particular account number.
- Another application may disclose account details such as the address and the fact that the bank customer is a foreign resident and not physically present in Israel, enabling the crime where a malicious insider collaborated with malicious outsiders.
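Where both applications keep an access audit trail, the overlap described above can be monitored. The following is an added example, not code from the original post or from the bank: it flags any employee who viewed both the login credentials and the foreign-resident profile of the same accounts. The log format, employee IDs, account numbers and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (hypothetical format): time, employee, account
CREDENTIAL_LOOKUPS = [
    ("2024-03-01T09:02", "emp17", "ACC-1001"),
    ("2024-03-01T09:05", "emp17", "ACC-1002"),
    ("2024-03-01T09:09", "emp17", "ACC-1003"),
    ("2024-03-01T10:30", "emp22", "ACC-2001"),
]
# Constructed: time, employee, account, residency shown on the profile screen
PROFILE_VIEWS = [
    ("2024-03-01T08:55", "emp17", "ACC-1001", "foreign"),
    ("2024-03-01T09:04", "emp17", "ACC-1002", "foreign"),
    ("2024-03-01T09:20", "emp17", "ACC-1003", "foreign"),
    ("2024-03-01T11:00", "emp22", "ACC-2001", "domestic"),
    ("2024-03-04T11:00", "emp31", "ACC-1001", "foreign"),
]

def toxic_combinations(lookups, views, window=timedelta(hours=24)):
    """Map employee -> sorted accounts where that one person saw both the
    login credentials and the foreign-resident profile within `window`."""
    seen = defaultdict(list)  # (employee, account) -> profile view times
    for ts, emp, acct, residency in views:
        if residency == "foreign":
            seen[(emp, acct)].append(datetime.fromisoformat(ts))
    hits = defaultdict(set)
    for ts, emp, acct in lookups:
        t = datetime.fromisoformat(ts)
        if any(abs(t - v) <= window for v in seen.get((emp, acct), [])):
            hits[emp].add(acct)
    return {emp: sorted(accts) for emp, accts in hits.items()}

def alerts(lookups, views, min_accounts=2):
    """Employees whose overlap covers at least `min_accounts` accounts."""
    combos = toxic_combinations(lookups, views)
    return {e: a for e, a in combos.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    for emp, accts in alerts(CREDENTIAL_LOOKUPS, PROFILE_VIEWS).items():
        print(f"{emp}: credentials + foreign-resident profile for {accts}")
```

An alert like this is a review trigger, not proof of wrongdoing; the stronger control is to ensure no single role can read both data sets at all.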