Don't learn the hard way about what a disgruntled employee is capable of doing.
Fannie Mae waited to remove root access from a terminated employee and almost suffered dire consequences. Managers need to think about procedures and practices to limit their company's exposure when letting employees go, especially those in payments or fraud departments.
Press Release: Layoffs? Watch Out
Red Bank, Feb. 2, 2009 /The FraudBlog Newsletter/ - Layoffs are not easy to do, and most managers find them uncomfortable to perform, but don't let your discomfort be the cause of a potential hack or malware attack from a disgruntled employee.
As ZDNet's Larry Dignan reported, Fannie Mae almost learned the hard way what a disgruntled employee could do to a company. In this case a contractor who had root access to their servers was let go recently, but his root-level access was not removed. This individual planted malware that would have shut down all of their systems. The impact would have been enormous.
The following is not intended to be a complete list. It is a starting point for managers to begin thinking about protecting their company's exposure in the sensitive area of payments and fraud. If you are letting people go who work in your payments and fraud departments, you should consider:
Prior to them being notified - perform an access assessment of the individual:
- What access did they have to sensitive data?
- How much do they know about your fraud settings and controls?
- Are they aware of weak spots in your systems?
When you notify them - perform a formal notification:
- Remind them of confidentiality agreements and their obligations.
- Have them sign off on the access assessment.
- Shut off their access to any corporate systems that have sensitive data or are a part of payment processing.
After they have left - perform audits:
- Look at anything they may have accessed in the weeks leading up to their departure for signs of abuse, misuse or unauthorized access.
- In the event of a hack, malware attack or complaint of credit card data breach, you should perform a cursory review of these personnel as part of your investigation.
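The audit step above, turned into something a fraud or security team could actually run against its logs, as an added example that is not code from the newsletter or from The Fraud Practice. It assumes a constructed log format of "timestamp user system action" per line, a hypothetical terminated user "jdoe" with a termination date, and a constructed set of sensitive payment and fraud systems; it flags two things the checklist asks for: any access by a departed user after their termination date (access that should have been shut off but wasn't, the Fannie Mae failure mode) and access to sensitive systems in the weeks leading up to departure, with exports and modifications called out for priority review.

```python
"""
Offboarding audit for departed payments/fraud staff.

Added example; not the newsletter's or The Fraud Practice's code.
Log format (constructed assumption): "ISO-timestamp user system action".
"""
from datetime import datetime, timedelta

# Constructed sample data, not real records. Keys are user IDs, values are
# the date the person was notified and let go (hypothetical).
TERMINATED = {
    "jdoe": datetime(2009, 1, 15),
}

# Systems the checklist calls sensitive: payment processing and fraud controls.
SENSITIVE_SYSTEMS = {"payments-db", "fraud-rules", "card-vault"}

# Actions that deserve a closer look than a plain read or login.
HIGH_RISK_ACTIONS = {"export", "modify", "delete"}

# Constructed access log covering the weeks around jdoe's departure.
SAMPLE_LOG = """\
2009-01-02T09:14:00 jdoe payments-db read
2009-01-09T22:40:00 jdoe card-vault export
2009-01-12T08:00:00 asmith fraud-rules read
2009-01-14T23:55:00 jdoe fraud-rules modify
2009-01-20T03:10:00 jdoe payments-db login
2009-01-21T10:00:00 asmith payments-db read
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "system": system,
            "action": action,
        })
    return events


def audit_departed(events, terminated, sensitive, lookback_days=21):
    """
    Return two buckets of events for departed users:
      post_termination: any access at or after the termination date
                        (access revocation failed or was never done)
      pre_departure_sensitive: access to sensitive systems within
                        lookback_days before termination, for review
    """
    findings = {"post_termination": [], "pre_departure_sensitive": []}
    for e in events:
        term_date = terminated.get(e["user"])
        if term_date is None:
            continue
        if e["ts"] >= term_date:
            findings["post_termination"].append(e)
        elif e["system"] in sensitive and e["ts"] >= term_date - timedelta(days=lookback_days):
            findings["pre_departure_sensitive"].append(e)
    return findings


def high_risk(findings):
    """Pull out pre-departure sensitive-system events with risky actions."""
    return [e for e in findings["pre_departure_sensitive"]
            if e["action"] in HIGH_RISK_ACTIONS]


if __name__ == "__main__":
    f = audit_departed(parse_log(SAMPLE_LOG), TERMINATED, SENSITIVE_SYSTEMS)
    for e in f["post_termination"]:
        print("ACCESS NOT REVOKED:", e["ts"], e["user"], e["system"], e["action"])
    for e in high_risk(f):
        print("REVIEW PRE-DEPARTURE:", e["ts"], e["user"], e["system"], e["action"])
```

Running it on the constructed log reports one login by jdoe five days after termination, which is exactly the gap the Fannie Mae case exposed, and two pre-departure events (a card-vault export and a fraud-rules modification) worth a manager's attention. In practice the terminated-user list comes from HR at notification time, and the post_termination bucket should be empty every day after that; anything in it is an access-shutoff failure to fix immediately, not just a finding to log.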
About The Fraud Practice
The Fraud Practice, http://www.fraudpractice.com, is a privately held US LLC based in Sarasota, Florida. The Fraud Practice provides consulting services on eCommerce payments, fraud prevention and credit granting, as well as prepared research and online training for payment and fraud professionals. Businesses throughout the world rely on The Fraud Practice to help them build and manage their payment, fraud and risk prevention strategies. Utilizing best practices and leveraging key partnerships, our team of industry and technical experts offers customers a single source for learning how to design, deploy, review and integrate fraud prevention practices in their business processes and solutions.
When the Fraudster is someone you trust.
If you are like most fraud managers, your focus has been on stopping the fraudster from coming in the door, not on the fraudster lurking inside. It can be easy to overlook how effortless it is for employees to copy down customer credit card information or to help a friend exploit a weakness in the company's systems.
Introduction to Ecommerce Fraud Fundamentals.
Provides participants with foundation-level knowledge about the theories, best practices and terminology surrounding electronic payment fraud. Presented in a standard format covering the history of eCommerce fraud, consumer fraud, merchant fraud, fraudster motivation, fraud trends, identity verification and phishing.
Ecommerce Fraud Moving from Tools to Solutions.
This session covers what constitutes a fraud solution and categorizes the many types of third party fraud tools. The course outlines the common terminology of fraud solutions and describes the capabilities needed to implement a fraud solution.
- Fannie Mae IT Contractor Indicted for Planting Malware - By: Larry Dignan for ZDNet