Loading ...
Amidst the resignation of Eliot Spitzer, there is one primary lesson to be learned from the scandal (as it relates to our field). For those who do not know, as Attorney General of NYS on of Spitzer’s roles was to prosecute prostitution rings. It is most likely the case that he knew how the government conducts its surveillance and the government’s internal procedures, at the state and federal level. According to CNN,
According to two sources, Spitzer hit the federal radar when a bank reported to the Internal Revenue Service that a significant amount of money had been suspiciously transferred from one account to another.
I will make a conjecture that he believed that as an insider he would be able to avoid the controls that would ultimately lead to his capture.
And, that’s the lesson: even if one knows the controls in place, given enough time one will generally be caught. Given enough time, one will not be able to avoid the checks instituted.
5 Comments
I suspect there is a certain amount of automation in the process. A computer program doesn’t care if a person is a politician or a fast-food worker. It notices a large amount of money being moved and sends a notice to someone, either at the bank or the IRS.
I think banks are required to have anti money laundering checks in place, and moving large amounts of money is one sign of that.
A little knowledge about how banks are required to track potential money laundering answers the question easily. He knew the legal parameters — what the law requires banks to report. He did what every money launderer of any size or stripe tries to do. He broke the transfers down into amounts that were not immediately reportable. Doing that to avoid reporting is in itself illegal.
All banks are required to have software in place that datamines for suspicious activity. Just like antivirus software, some brands are more successful or more sophisticated than others.
The banks have some discretion over reporting what the software spits out. Most banks err on the side of inclusion.
This is where things get a little grey. There is something like a six month to one year back log for reviewing and responding to Suspicious Activity Reports. The amounts were not large by money laundering standards. That they were associated with a major public figure may well have gotten the report bumped to the front of the line. Whether that was politically motivated, time and investigation may tell — or not.
It seems to me that irregularities will ultimately be discovered: SocGen is another primary example. While it may not be the case that it was from an internal control, it was from an irregularity.
“And, that’s the [Primary] lesson [for Information Security Professionals]: even if one knows the controls in place, given enough time one will generally be caught.”
Are you sure you want to word it like that? It sounds like what you are saying is “Hey, Information Security Professionals, don’t use your inside knowledge of security controls to try and bypass the controls because you will get caught eventually.” I had to re-read your article a couple times to find an alternate interpretation of the lesson.
Given the relative simplicity of the controls it would appear to be nothing more than hubris. I don’t know that he thought that “as an insider” he would somehow be excluded from passing through the same control environment - we kept hearing what a bright guy he was/is - the evidence does not point to that.