Study: Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
Date: August 2004

In 78% of the incidents, the insiders were authorized users with active computer accounts at the time of the incident. In 43% of the cases, the insider used his or her own username and password to carry out the incident.

Twenty-six percent of the cases involved the use of someone else’s computer account, physical use of an unattended terminal with an open user account, or social engineering (i.e. gaining access through manipulation of a person or persons who can permit or facilitate access to a system or data).

In one case, an insider who worked for a credit card point-of-sale terminal vendor used social engineering to obtain authentication information from the credit card company help staff. The insider posed as a distraught individual (with a fabricated identity) working for a particular, authorized merchant needing help with a malfunctioning terminal. He was then able to credit his own credit card by reprogramming a terminal using the information he had obtained.

In one case, an organization assigned default employee passwords that were widely known to be the employee’s office number. In other cases, passwords were explicitly shared among multiple users.

One insider employed at a credit union, who had system administrator access, was terminated and his account disabled. However, the credit union neglected to disable his remote access to the organization’s network through the firewall. Company personnel also failed to change the root password. These oversights enabled the insider to sabotage the system, making it inaccessible for three days.


PasswordResearch.com Comment:
The statements above are based only on of data from 18 of the 23 incidents. Data relevant to this subject was not available for the other 5 incidents. Percentages are modified so that 18 is equal to 100%.