Have we in the technology field, law enforcement and banking oversight really been addressing malware in business banking like a four-year-old?
Continuing our series on FinCEN reporting anomalies, I thought pictures of several state-related data would help to draw the larger picture. There are 22 different FinCEN SAR categories, I pare them down to four or five in most images for an easier growth comparison.
My search for answers would have been helped tremendously had the FDIC and the FinCEN reporting simply come up with a category detailing "account hijacking." Instead, the gray area makes the data significantly harder to unwrap.
Delaware: More corporations than residents?
Delaware is a small state, but the presence it has in the business world is considerably larger than some might realize. Delaware is well-known for its positive, business-friendly corporation laws and is a hub for businesses across the country.
As in my previous article, when analysis showed a massive ninefold spike in Delaware's FinCEN SAR 'Other' category beginning in 2006, it caught my interest.
While the 'Other' category has skyrocketed in Delaware, it should also be noted that the identity theft cases have also increased. As I've stated previously, on massive spikes like this, scalability often comes from software. In this case, my suspicions are that the scalability comes from specialized criminal software known as 'malware' and further hypothesis is that the malware is targeting corporations.
Let's compare Delaware's identity theft cases with California's 10-year statistics:
Identity theft is an important category because my investigative research revealed that in 2004 the FDIC's report listed 'Identity Theft' in their analysis of the computer-based threat found within: Putting an End to Account-Hijacking Identity Theft. An excerpt ties their definition into this research:
The term 'identity theft' is generally defined as the use of personal identifying information to commit some form of fraud. Although the range of consumer frauds and criminal acts coming under that definition is quite broad, this study focuses on the subset of identity theft that is of particular concern to financial institutions insured by the FDIC and to the institutions' customers: unauthorized access to and misuse of existing financial institution asset accounts primarily through phishing and hacking.
This form of identity theft is referred to here as 'account hijacking.'"
Let's look at one more state which, at first glance, seems more likely to be accurate in the Wire Transfer Fraud statistics: Virginia.
From 2007 onward, Wire Transfer Fraud explodes year after year, from 103 cases in 2006 to over 20 times that amount in 2007, a 50 percent increase again in 2008.
What looks like a potential use of 'Other' begins in 2008 when about a thousand extra 'Other' cases show compared to only 600 additional Wire Transfer Fraud reports.
My key conclusion is that all of this bears looking into by another agency. I mentioned the GAO, but even state attorneys general could access the actual SAR write-ups and clarify the threat their state banks may be under-representing.
Personally, I checked the state I do most of my consumer banking out of and it looked more legit than most others. I suggest you do the same and seriously consider who you're banking with and why.
The rest of us can download the FinCEN Suspicious Activity Reports in Excel format here: http://www.fincen.gov/news_room/rp/sar_by_number.html (within the PDF click the .xls link)
I would love to know what others think of this data. Ideas about how to solicit government or private sector help to unwrap these statistics are more than welcome in the comments.