Royal Bank of Scotland call centre theft

This isn't the first, and certainly won't be the last, example of security breaches from staff.

There's been a lot of recent focus on the risks of external attack and how biometrics can help deal with this but the internal threat has been neglected. I've posted on the external attack on Barclays ("Security, Call Centres and Fraud"), when fraudsters stole the identity of their chairman for a credit card application, and there's been some good posts on Finextra (see "Biometrics - what's that all about then?" by Dave Griffiths and "Who's in your Wallet?" by Jarvis Kandik both last month).

In fact, inside threats are perhaps as serious as the risk of external attack. In 2006 HSBC lost £233,000 after it's Indian call centre suffered inside attack (here for the BBC report). Last year the BBC also reported how HSBC and HBoS had been targeted by an organised gang which both penetrated the banks and laundered the proceeds of their crimes.

An internal threat is nothing new - fraud from dishonest employees is something that banks have had to deal with almost from the start of banking. What is new is the level of the threat and its organisation. As an example, Strathclyde Police (who cover the west of Scotland where many call centres are located) believe that organised gangs have infiltrated perhaps one in ten of the call centres there (full report here).

In the end, as I've argued with biometrics, the criminals will be beaten by process, not technology point solutions. If the defences against external attack are strong, then criminals will seek to get on the inside. The correct response is not to strengthen the exterior with biometrics (though I'm not sure biometrics do strengthen it), but instead to make sure that staff are vetted, exceptions or unusual activity is identified and monitored and good management is in place.

Process is not terribly exciting, but it will be the element that determines whether technology defeats criminals or not.