How do banks spy on employees? Sex calendar, stealing, and the 2 PCs myth
Hello, this is Kotelov Globals. Today we’ll tell you about the DLP systems in banks, cyber insurance, and database leaks. We’ll also tell you how the data can be stolen inside banks.
This article is based on the Kotelov Digital Finance podcast episode with Dmitry Belyaev, Chief Information Security Manager in one of the Russian banks. We discussed the banking security system on the podcast: how the protection is structured, how people are controlled, and how they become managers. We got a lot of material out of it and we picked out the most important bits to write an article.
How is security ensured inside the bank? After all, the biggest gaps are often the people.
All the companies where I used to work had their DLP systems in place, and I paid special attention to this matter. We had various cases: with the DLP system set up correctly, it allowed us to discover a lot of interesting things.
💡 For instance, the DLP system allowed us to investigate a fraud that involved the deputy CEO. The CEO was off on a business trip when a message with a contract arrived from the counterparty. The deputy used the CEO’s seal to sign this contract and sent it back to the counterparty.
When the CEO was back, he was horrified, because the company had paid 3 million for some unnecessary interaction. With the help of the DLP system, we were able to identify which deputy had done this. We conducted an investigation, terminated the deputy’s employment, and in court, we proved that the contract had been signed by an illegitimate party.
💡 The DLP system allowed us to identify employees who leaked the movements of officials in high positions at organizations to various individuals. The purposes remained unclear, but such employees were fired as well.
There were interesting cases when employees were caught doing interesting things during their working hours:
- one female employee was looking for pills to increase potency during her working hours,
- another female employee was browsing toys in an online sex shop,
- yet another female employee left an app at her workplace – a sex calendar that displayed “today is a good day to have sex”.
Of course, it’s all amusing, but the main purpose of the DLP system is to detect attempts to steal personal data, trade secrets, and banking information.
In addition to the DLP system, I would also mention the PAM system, which is responsible for monitoring privileged users. With its help, we can uncover malicious actions by developers and database administrators who may have tried to transfer code or code fragments to external parties.
By the way, in some cases, the PAM system allowed us to identify failures of developers who used insecure passwords when developing software.
When employees join a company, do they know that their computers are being monitored?
There are two policies for organizations to choose from.
- Open. An employee signs an employment contract, which stipulates that they are obliged to carry out work activities during working hours, and therefore their actions are permanently recorded.
- Closed. There are no internal, regulatory documents on such monitoring. Users are not informed. This is usually done at the very beginning, at the pilot stage, in order to identify rats in the company.
Another case is also associated with the DLP: an employee wanted to steal information from the organization, but he knew about the DLP system in place, and tried to bypass it.
💡 How he did this: He created a presentation → inserted lots of text and images into it → archived the information → and hid this archive behind one image.
The anomaly was caused by the size of the presentation. And when we locked editing for the presentation, we started investigating why it was so large.
Step by step, we discovered that it was due to the actions of a less-than-honest employee.
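The follow-up check an investigator could run once the size anomaly is flagged, as an added example that is not from the podcast or the bank's tooling: it opens the presentation as a ZIP container and reports PNG media parts that carry data after the image's end marker. The function names and the sample file are constructed for illustration, and only PNG media is covered.

```python
import io, struct, zipfile, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}

def png_end(data):
    """Offset just past the IEND chunk, or None if data is not a complete PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                      # length + type + body + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def scan_presentation(pptx_bytes):
    """List (part name, trailing bytes, archive type) for PNG media with data after IEND."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as pptx:
        for info in pptx.infolist():
            if not info.filename.startswith("ppt/media/"):
                continue
            data = pptx.read(info)
            end = png_end(data)
            if end is None or end == len(data):
                continue                        # not a PNG, or nothing after the image
            kind = next((k for m, k in ARCHIVE_MAGIC.items() if data[end:].startswith(m)), "unknown")
            findings.append((info.filename, len(data) - end, kind))
    return findings

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample():
    """Constructed test input: a minimal PPTX-like ZIP with one clean and one padded PNG."""
    png = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
    extra = io.BytesIO()
    with zipfile.ZipFile(extra, "w") as z:
        z.writestr("placeholder.txt", "constructed sample content")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("ppt/media/image1.png", png)
        z.writestr("ppt/media/image2.png", png + extra.getvalue())
    return out.getvalue()

if __name__ == "__main__":
    print(scan_presentation(build_sample()))
```

A finding with a large trailing byte count on a single media part explains a presentation whose size is out of proportion to its visible slides.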
Cyber insurance: truth or myth? Working in a field where any mistake is almost impossible to reclaim
Cyber insurance is well developed abroad: even in small companies, let alone major ones.
This is less in demand in small and medium-sized businesses, and I have never met any SMB organization using this service.
| SMB stands for small and medium businesses
Is it true that bank employees have two PCs: one for browsing the web and the other for internal network?
An ordinary employee doesn’t need this. This doubles hardware and protection costs. Perhaps huge companies do this, but very few of them. Two PCs means losing a lot of business processes and time.
In most cases, the access policy is elaborated, and a matrix of access roles is created that clearly states which information systems certain employees can access. Access within the system is granted depending on the position and role.
Are most hacks initiated through social engineering?
My stats claim there are 60%+ of such attacks.
What do security professionals read to improve their skills? Is it Security Lab, Exploit Inform or something else?
I read Security Lab, Antimalware, and various Telegram channels.
Why are conferences for security professionals required if everything can be found online?
Networking is very important for people in this profession, and so is sharing experience. Articles, posts, and videos help learn new information in the field, but a dialogue with a specialist for exchanging cases is more efficient.
Are there any people in your field that you follow?
I try to take inspiration from Alexey Lukatsky and Pavel Lucik.
Actually, Pavel Lucik is a well-known figure – he’s the director of the business development department at CryptoPro. We used to work together at an integrator. He’s a highly respectable person and a true professional – I try to emulate him.
At what stage should a startup care about security?
It’s better to think about security at the very beginning. For example, you conduct a custdev, and your hypothesis is confirmed; you speak to investors, and they like your solution. When your solution is out and people start buying it, it can be easily hacked, and your startup will fail.
Why can the bank security service use leaked databases, but the cashier from the supermarket can’t?
Well, technically, there’s nothing stopping a supermarket cashier from using leaked databases. Maybe she’s also participating in hackathons?
Security team members use these data for analysis. For example, to find information about a candidate or a business partner, or to uncover secrets.
I have met people who are not security professionals but regularly search for leaked databases in order to spy on their neighbor John Doe.
There was an interesting case when they learned from a leaked Yandex.Eat database that one employee did not cook at home and always ordered delivery. He spent RUB 400,000 in six months on Yandex.Eat, and this certainly leads to some conclusions.
How do databases leak in banks?
Question: how do scammers call with the knowledge of which credit cards a person owns, what debit cards they own, as well as their balance?
Many banks are guilty of their databases leaking sooner or later: some were hacked, while in others employees took advantage of their position, even despite the role model and properly built protection. This is a common case, provided that we use services such as Gemotest, Yandex.Eat, Delivery Club, etc.
This is because we leave our personal details there, and there are some services that collect data from various leaked databases published online.
The number of such databases rocketed after February 24, 2022. This data is aggregated in a single solution like a Telegram bot, and you can make inquiries about any person.
💡 For example, I will soon be speaking at a conference on Synth and will tell in detail how I made inquiries about a person who just called me.
I found out that he was from Vladikavkaz, then lived in Moscow, rented a flat and worked for several operators, then bought a flat and took out a mortgage in one of the banks. I even knew the position and department, which clients were assigned to him. In other words, in theory, you could find out about the income of certain people if you put pressure on him.
| Synth is an open-source data tool.
Do banks leak data to other banks?
Question: “I applied for a mortgage at Sberbank and immediately started receiving calls from a variety of banks offering to open a bank account for private entrepreneurs. This is about the database leak. How does it work?”
There is a practice when banks conclude an agreement. When you visit certain websites, you need to read the user agreement: you provide your consent to data processing and collection of cookies, and then such data is sold.
For example, there was a case in 2021 when a network of data centers in the EU collected data from various websites, and then it was hacked. In simple words, we all use the Internet in browsers, and when we visit certain websites, various beacons collect information about us and our device, and this information is sold or can be intercepted.
So, if you don’t understand why you get calls from 50 other banks after submitting documents for a mortgage, then most likely you did not read the agreement attentively enough.