Criminal infiltration of financial institutions: a penetration test case study
| DOI | https://doi.org/10.1108/13685201011010218 |
| Date | 05 January 2010 |
| Published date | 05 January 2010 |
| Pages | 55-65 |
| Author | Jerry Hart |
| Subject Matter | Accounting & finance |
Criminal infiltration of financial
institutions: a penetration
test case study
Jerry Hart
i2 Ltd, Cambridge, UK
Abstract
Purpose – The purpose of this paper is to discuss the findings of a security research project
commissioned by a financial institution to identify security breaches that could facilitate illicit access
to confidential information.
Design/methodology/approach – Using penetration and social engineering techniques to generate
opportunities to steal confidential data, the project simulates a possible criminal attack.
Findings – The findings expose a vulnerability to attack by professional criminals or others
prepared to use kidnap, blackmail and intimidation.
Social implications – They also raise challenging questions about reconciling the human rights of
both employees and clients, and the needs and responsibilities of financial institutions as employers,
service providers and custodians of confidential information.
Originality/value – The paper is unique as it tackles the phenomenon of social networking sites
from the risk perspective of any employer that needs to safeguard its assets by managing internal
threats and protecting against criminal infiltration.
Keywords Financial institutions, Crimes, Datasecurity, Human rights, Social networks
Paper type Case study
Introduction
This case study is extracted from a series of projects the author undertook in late
2005, while working as a private security consultant specialising in testing the
integrity of security procedures, policy and strategy for both public and private sector
organisations. The client for this particular study was a private bank that specialised
managing the personal finances of high net-worth individuals. Based in the capital city
of a European country, its customers included celebritie s, politicians, sports
personalities and numerous high-profile business people engaged in interna tional
commerce. For reasons of confidentiality, the bank’s name and those of its empl oyees
are totally anonymized in this paper, as is their location.
The paper will begin by explaining the rationale for the project. This will explain its
mission and aims and provide an overview of the necessary constraints. It will go on to
outline the methodology, which consisted almost entirely of desktop research – the
remoteness of which is a significant factor for those seeking to understand the nature of
the threats the project explored. It will then present the research findings, which raise
some important and challenging questions about a delicate triangular balance – if such
The current issue and full text archive of this journal is available at
www.emeraldinsight.com/1368-5201.htm
This paper was presented at the 27th Cambridge International Symposium on Economic Crime
in a session entitled “Terrorist infiltration of financial institutions”. While this paper focussed on
criminal infiltration, the tactics and techniques discussed could be used regardless of the
motivation of the offenders.
Infiltration
of financial
institutions
55
Journal of Money Laundering Control
Vol. 13 No. 1, 2010
pp. 55-65
qEmerald Group Publishing Limited
1368-5201
DOI 10.1108/13685201011010218
To continue reading
Request your trial