It needs to start with training and discipline. The best security in the world is worthless and easily thwarted and/or bypassed if the user simply opens the door and invites the bad guy in. So users need to be trained to recognize, or at least be very wary of and disciplined enough to avoid being "click-happy" on unsolicited links.
True... Like the DNC chairman in 2016 who used "password" as his actual password and got hacked; his emails ended up on Wiki-leaks.
And finally, and most importantly, those IT and security managers must be held accountable - to include being held accountable for criminal negligence - when they fail to do their jobs.
I am not big on criminal liability. If criminal charges are brought for a mistake or even negligence, it opens up the door for criminal charges in other industries - like the airline industry. Only in extremely very rare cases of passenger "heavy" jet crashes that I'm familiar with would I want to see the pilots, co-pilots, flight engineers (if these 3 survive a crash), Air Traffic Control, etc... prosecuted criminally and imprisoned post-crash like Argentina and some other countries do.
However, if one in such a position has lied on their job application, makes false or misleading statements - then yes.
The bad guys exploited an already known vulnerability! How? Because the IT and security managers responsible failed to apply the available patch. The program developers had previously identified, developed and distributed to Equifax, the critical update to fix and secure that vulnerability - months prior to the breach! They had the "critical" patch for months!!! But sat on it.
Even this I would not want to see people going to prison for years. The problem in private corporations is that all serve at the pleasure of the Board of Directors who very well could have piled work on them thus leaving no time for implementing the patch. It happened at E. I. DuPont de Nemours & Co., and Hertz Rent-A-Car all the time.
Imagine getting a sales/use tax increase letter from New Jersey stating effective the 1st of next month, the tax rate is increasing from 6% to 7% and tax division holds on to it because of instructions from a VP and member of the board, never passing/informing tax systems division of it to change it in the then hard-coded system code. Tax continues to be collected at 6%. Whose fault is it?
Mine, of course! I was the head of both tax law and tax systems divisions. But I'm not going to prison over this BS!! So, adjustments were made and 'we'll worry about the audits later, if ever'.
Government and regulators need to do more to deal with these kinds of things in the aftermath.
I would change that to "
BEFORE the aftermath" at the end!
Prevention is what is needed, IMHO.
Yeah, well, sadly, and why I don't know, but protecting private citizens from wrong doings is a hot-button political issue with one side of the aisle opposed to any regulations on the banking industry, despite history showing us over and over again that they are incapable of regulating themselves. But as noted above, that is for a different discussion.
[Save yourself an hour of drama and skip to the next one!
).... OR. . . .
Banks need some regulations.
Remember the days in the 1980s where banks were "state" and not "federal"? You COULD NOT use you new ATM CARD (introduced in mid-late 1970s...?) that you got in one state in another state -- even if the bank name was the same.
I worked for E. I. DuPont during the early-mid-1980s on "co-op" (a 6-month work/study program instituted by Drexel University, Philadelphia, Pennsylvania) 3x.
I had bank accounts with Girard Bank, PHL, later bought by
Mellon Bank (you can look up where they were & now after 100 mergers! - now they are "Bank of New York Mellon). Mellon had banks all over in many states. For me - New Jersey, Pennsylvania, Delaware. I had accounts in each state at Mellon.
DuPont did not offer us lowly co-ops direct deposit in 1982/3/4. So, back then, if I deposited my MONTHLY DuPont payroll check drawn on WSFS (Wilmington Saving Fund Society) or Bank of Delaware -- both in Wilmington, Delaware, into my Mellon PA account, it would take 5-7 business days to clear (usually 10 full days). For argument purposes, assume the payroll check amount was $8,000 NET payroll for the
MONTH. Getting paid while in college working 40+ hours per week (and commuting 60 miles round-trip per day - with gas nearly at $2.00/gallon), rent, etc... no way could I wait until the 10th of the month to
start paying bills BY CHECK and MAILING them. I'd be late every month on most items. (I know.... save up a month, then you'll never be behind! - IMPOSSIBLE!)
So... I would go into Mellon Bank, Wilmington, DE, and with the utmost drama by bank officials EVERY SINGLE MONTH telling me that Mellon Bank, DE, is not the same bank - or even affiliated with (BS, BS, BS), Mellon Bank, PA., they would eventually always cash the check "this time only", but they ended up doing so for all 18 total months over 3 years that I worked for DuPont as a co-op, then full-time after graduating Drexel University and attending
I would then take the $8,000, drive up north on I-95 (today, I'd be stopped on I-95 and police would seize the cash under CAF - Civil Asset Forfeiture!), get off local exits and make my way home, stopping at Mellon Bank, PA, and (please don't scream and curse at me as I cannot believe that I was ever this stupid and naive either!) deposit the $8,000 in hundred dollar bills into the ATM.
Does anyone care to guess what happened to the $8,000 cash one of those times?
A few weeks later, I got a bill from my checking account credit line saying that I owed about $7,500 on the credit line. I called Mellon PA's automated bank number and found that my checking account had $8.37 balance.
I went to Mellon PA the next morning with my ATM and deposit slip receipt and asked for a bank statement and/or a 30-day daily transaction report. My $8,000 cash deposit was nowhere to be found, of course.
The bank manager said there was no way for them to know whether I did the ATM transactions for an $8,000 cash deposit and/or whether there was anything in the sealed envelope containing the cash and the ATM receipt#1 was placed into the ATM or if I just placed an empty envelope into the ATM.
The bank manager and the lady then stood there over me smiling. I asked to use the phone; they said they were busy.
I went outside to my car, which contained a pre-cell, hard-wired actual mobile phone and I called the police. My grandparents had lived in this town (grandmother still alive) since 1939 and she knew all of the cops. I knew most of them from my car detailing business that I did on the side. (I drove the police's personal vehicles and marked police units to my grandmother's house to work on them). They came to the bank right away.
The bank manager was NOT pleased at all saying that "WE could have amicably worked this out, officer". I think not. Police called in fraud detectives and upon their arrival, they demanded all of my Mellon bank records going back to the opening of the accounts in 1979, ATM video - external and internal (where the armored car guards processed cash in a small room), the names and personnel files of all armored car guards and anyone else that would have handled money from that particular ATM as well as anyone else that had access to the ATM in any way, cops dusted the ATM for fingerprints after putting up the neon-yellow crime scene tape, and just about anything else you can think of. I had called DuPont telling them I'd be ~2 hours late, but now - probably 4 or 5 hours late.
They took us all, including bank tellers who were in the bank the day after I made the deposit (which was around 11-midnight) to the police station in separate cars and seated a few of us in those tiny rooms with video and audio and 1-by-1 took our statements. They took me back to the bank (ATM drive-through) to do a re-enactment with a blank envelope that they marked beforehand.
By 2 pm, the police were done with me and the Chief of Police himself drove me the 1-2 miles back to the bank simply saying not to worry, that if in fact, I did deposit $8,000 in cash, they will get to the bottom of this matter quickly. He went on to ask me about my grandmother, work, and school.
A full week goes by; I get a call from the police asking me if I can come in at 9 am the next day. I had to clear it with DuPont first; DuPont said OK; I told police "see you at 9 am at police station".
9 am - police building is rather crowded. They took us in a conference room and pointed out seats for me and the bank people across from me. There were piles of 8.5x11 pics, very large sheets of paper with diagrams, etc...
A police Colonel or Major (??) began. They showed us/put up on the board -
- pic of me in Mellon bank, DE, cashing the check
- pic of Mellon bank DE teller handing me the envelope w/money
- pic of teller verification that the check and cash were both for $8,000
- pic of the back and front of the canceled DuPont payroll check clearly showing the amount and the date cashed
- still pic from a video showing me/my car entering I-95 North at ? time
- still pic from a video showing me exiting I-95 onto surface streets (I went back to look for this camera - could never find it!)
- the last 2 pics had timestamps on them showing, based on time and mileage, that I made no stops or detours
- a few more still pics w/timestamps of me in car
- pics from ATM at the drive-through Mellon-PA bank
--- police created a summary sheet showing distance from Bank in PA to DuPont in DE
- police actually did several drives at the same time I did to obtain an average drive time using the same roads that I did (there are at least 4 or 5 different I-95 exits you can take and snake your way through many different surface streets at that time. Today, I-476 cuts all of that out and I-476 runs from I-95 to an exit within 1-2 miles of my grandmother's old home. I-476 was held up for ~40 years due to birds or turtles or something like that. A FED judge one day said "ENOUGH... BUILD IT".
- Anyway, my arrival time at ATM was within the average drive-time from my Delaware office to the Bank ATM drive through; no stops or detours anywhere
- pics at/from ATM along with transaction info from the ATM show me in my car obtaining the 1st ATM receipt after I punched in
8000.00 into the keypad
- pics show a large amount of cash and a bulging envelope (could see "100" partially on a few bills)
- pics show me placing ATM receipt #1 into envelope; licking it shut
- ATM pics continue to show me with a sealed bulging envelope placing it into the ATM
- ATM transactions show receipt of the envelope and [internal bank docs] show the weight of the envelope (I never knew banks did this)
- the weight of my envelope was consistent with the weight of an envelope + 80 $100 bills + ATM deposit receipt (this was done by the FBI the records showed)
- the handwritten ATM log -- 2 employees there, 1 writes down "empty envelope with $8,000 deposit ATM receipt"
Well.... wouldn't you think that whoever was the supervisor or manager at the bank in that township or in Philadelphia where all of this ended up at would have called or written to me saying "you attempted to deposit $8,000, but the cash or negotiable instrument(s) were missing"?? Or something like that??
I mean how often does that happen? We're now going on around 3+ weeks since deposit.
Other bank records/reports from the bank ATM employees said "24 envelopes expected; only 23 found" - or similar.
So which was it? The bank people were still adamant at this point that I had committed fraud and demanded the police to arrest me because they were pressing charges. The top-cop was like "hold on a second". Which part did you not understand here? We went back to January 1982. Mr. Griffith leaves work in Delaware around 5 pm as he goes to a second job at 6:30 pm. He 'overshoots' that 2nd job by 6.8 miles on the last working day of the month, which is pay-day at DuPont. Other nights, he goes directly to that 2nd job's store, but not on these nights -
- they put up a list of 1982,3, [maybe]1984 which shows the date and time of my cash ATM deposits. ALL are within 10-15 minutes of each other and all are on DuPont payroll day.
- Bank then says "sue us then" looking at me
- the Chief of Police gets up and says to the bank people "you're here this morning as representatives of the bank?"
- bank mgr - "I am the branch manager of [***] location
bank - other - I am the (??) manager and report to Mr. *** [bank mgr]
- Chief: "So you are then
acting as officers of the bank?"
- bank mgr - "Yes"
- Chief - reads off their names, hands them arrest warrants; "you are under arrest"
- bank "FOR WHAT?"
Chief - "Fraud to start with. This young man works hard for his money to pay for school, etc... We have extensively investigated him/background. Every month he goes through this routine with your bank in Wilmington, Delaware, who tell him every single month that they are not affiliated with you, which I can prove otherwise and they always initially refuse to cash his payroll check. We've talked to everyone at Mellon Wilmington DE branch."
It went on and on with the bank people calling their bosses who authorized the return of my money.
They asked "how do you want it [the cash]"
I said to deposit it in my checking account, pay off the credit line
after deleting all of the interest (prime rate was 20-22% then remember); then I should have a p[positive balance in the account.
The next month - I deposited the DuPont check into my PA account. It took 11 days to clear, which is awful.
I borrowed $$ from my grandmother and promptly paid her off when my check cleared.
DO NOT EVER DEPOSIT CASH INTO AN ATM!!
First, I 100% agree with your sentiment. I too hate scammers and crooks who prey on the innocent. Especially those who prey on the downtrodden - like disaster victims or the elderly who are barely scraping by and depend on their savings.
I honestly do not understand at all how anyone can fall for some of these scams.
When I was in Palm Springs, CA, in 2007 at my step-dad & mom's house, the phone rang at 2 am one night. It was my step-sister a few towns over. She's all excited, can hardly talk, but does manage to say "get my dad, there are guys with guns here".
So, I knock on the master BR door, my step-dad opens it, I said "V**** [his daughter] is on the phone (he immediately starts to slowly close the door....) and she said there are guys with guns......"
My step-dad said "wonderful, John. This sh** goes on every night with her and the b******** she's married to. Tell her to call the police. That will shut her up."
So, I do - and it did [shut her up]
She said "OK, tell him I'll be by tomorrow".
I do not know her voice as I only met her 2 or 3 times in 25 years. I wondered if it was a scam or not. She came by the next day though.
John
