By Andrew Hurst, European Banking Correspondent
Banks are pouring money into building formidable defenses against computer hackers but are only just waking up to what may be a bigger threat -- the physical theft of client information by criminals in the office.
"You can have a fortress-like security system, but if you are not terribly discriminating with consultants and temporary employees, that is a terrible vulnerability," said Carmen Oveissi Field, a New York-based consultant on computer crime.
"If people can get physical access (to a bank's systems), the game is over," said Oveissi Field, managing director of Daylight Forensic & Advisory, a security consultancy.
Banks, especially in Europe and the United States, are investing vast sums to make computer systems impregnable and have been warning customers of the dangers of being duped into giving away confidential information about their accounts.
Under one of the most widely used methods known as "phishing," a spoof e-mail is sent out, leading recipients to a bogus bank Web site where they may be fooled into keying in account usernames and passwords.
The information can then be used by criminals to ransack bank accounts over the Internet.
Many banks have placed written warnings about phishing on their electronic banking Web sites and are encouraging clients to forward suspicious e-mails to them so they can then identify the phony Web sites and have them closed down.
"It's like hosing down spray paint from vandalized walls," said Ken Allan, an information technology expert based in Ernst and Young's Glasgow office.
If phishing attacks go unchecked, they could undermine public confidence in Internet banking, which is far less costly than branch banking, and drive customers back to their local branches for even the most simple banking operations.
DATA "WALKING OUT OF THE DOOR"
"Surveys show customer concerns about security are one of the biggest obstacles to increased Internet use by the general public," said Chris Potter, a partner at PWC in London who advises financial institutions on technical risks.
Banks should be far more active in informing their customers against the dangers of Internet crime, said Oveissi Field.
Warnings on bank Web sites are "the moral equivalent of sending your grandmother down a dark alley with instructions on how not to get mugged," she said.
While banks are confident they can deal with phishing attacks by constantly warning customers of the dangers, they are now getting increasingly concerned about the physical theft of confidential client data by insiders or impostors.
"Identity theft can happen through hacking into a bank system or internally with someone walking out of the door, and that worries me more than phishing," said a security officer at a major European bank who asked not to be identified.
Widespread outsourcing of data management and other services has exposed some weaknesses and made it harder to prevent identity theft by insiders.
"There are lots of weak links," said Oveissi Field. Back-up tapes are being sent to offsite storage sites or being mailed and getting into the wrong hands or are lost through carelessness."
In what many regard as the biggest wake-up call in recent memory for financial institutions, thieves disguised as cleaning staff last year narrowly failed to steal the equivalent of more than $400 million from the London branch of Sumitomo Mitsui.
They installed programs to record keystrokes on computers that were used to handle international wire transfers of money.
After analyzing user identifications and passwords recorded by the keylogging programs, they used the information to make a huge money transfer to an Israeli bank but were foiled at the last minute when police were tipped off.
"What banks worry about is that they may have a combination of weaknesses such as staff vetting and physical security, which when put together can let a sophisticated attacker get at their real crown jewels," said Potter.
Banks are starting to respond to the threat by combining teams working on physical and information technology security, which have traditionally been separate functions, said Potter.
Copyright 2006 Reuters Limited.
NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at