Barclays Bank apparently fell victim to an internal computer fraudster who helped an international gang trick young job seekers into opening bank accounts subsequently used to launder money to Canada, said a security expert at the bank.
Patrick Romain, head of solutions in Barclays Information Security Group, discussed the insider fraud at the annual meeting of the English chapter of the Internet Society, held in London on 29 September.
When subsequently approached by Computer Weekly for further information, Patrick Romain claimed the insider fraud scenario was a hypothetical example.
But he told the Internet Society meeting he had considered the situation when preparing his talk: "I went back to an incident I was dealing with this year - end of last year, beginning of this year," he told delegates.
"Somebody internally was working with an external person who was opening Barclays accounts... in Africa, in Europe and wherever we were doing business, frankly," Romain told the meeting at the Sheraton Park Lane Hotel in London.
"They were hiring young kids. They would put out an advertisement saying, 'New start-up company needs young professionals.' This young kid would come and they would say, 'Open a Barclays account, and my business is going to transfer you money'," said Romain.
He said it was "classic money laundering".
"So then the person was transferring money to Canada, where I don't do business," he said.
"They started communicating with e-mail and SMS. And this person was travelling around the globe, communicating internally... and they were doing business across the globe."
Romain spoke about the "incredibly complex" operation Barclays had to mount to catch the crooks. He remarked on the long list of laws the bank had to follow and the worldwide network of fraud investigators it had to employ in each jurisdiction.
He said the bank had to learn the idiosyncrasies of "wiretap statutes, criminal lawyers and prosecutors" and other laws in Canada, Europe, South Africa, the US and many other countries.
"No government goes out to create a haven for computer criminals, but by not focusing on those laws you may inadvertently do that," Romain told Computer Weekly.
"Until all countries have laws on the books and move together to prosecute what are often borderless crimes, there is going to be a weak spot," he said.
Hackers bribing banks
Romain also told the Internet Society that banks were worried about a new sort of threat he called a "power threat" which involves crooks bribing bank employees.
"You can imagine [someone] coming to one of our clients or one of our executives and saying, 'I know a little bit more about you than you think. This may get you into trouble with your company or with your family. You may want to let me know your encryption codes. You may want to let me have your information'," said Romain.
"These are real threats that are starting to occur," he said. "It's important to understand that power threat is coming on."
When Computer Weekly approached Romain for further comment after the conference, he denied that he had made any reference to any real security incidents. He had only used hypothetical examples, he said.
He was reluctant to discuss the measures Barclays was taking to protect its systems, for fear of exposing potential openings to hackers.
Barclays had been rewriting its software applications so that they used encryption when communicating with one another. He told the Internet Society how he had been telling Barclays business managers that they had to go through with it, even when they were put off by the cost and inconvenience of doing so. He said later, however, that this did not represent a concerted plan to rewrite applications.
"When we do a risk analysis on our internet-facing applications, we think about issues such as application-to-application encryption," he said.
"Part of that is if it's capable [of application-to-application encryption]. In some cases, where it isn't capable, there are decisions that need to be made about other mitigating controls that can be used, whether it's okay to permit the application to continue in the way it is, or if it's reasonable to rewrite the application," said Romain.