Thursday, October 04, 2007

How was Mayor Bloomberg's BofA account jacked?

Here is a clear case, which shows that just about anyone can have their financial identity compromised. In this case, the victim is none other than the mayor of New York City, Michael R. Bloomberg.

This story is getting a lot of coverage, but no one is saying (if they know) how Mayor Bloomberg's financial information was compromised.

The New York Times (Sewell Chan) reported:

One man, Odalis Bostic, was indicted for trying to steal $420,000 from the mayor. According to prosecutors, Mr. Bostic created the Laderman Development Company in Elizabeth, N.J., and set up accounts in the company’s name at two banks, PNC and Sovereign Bank.

In early June, Mr. Bostic deposited a $190,000 forged check into the Sovereign account and a $230,000 forged check into PNC account, according to prosecutors. Both of the forged checks were drawn on Mr. Bloomberg’s personal account at the Bank of America and were issued in the name of the mayor’s financial manager, Geller & Company.

Mr Bostic was probably hoping the bank would release the funds, at which time, he would have drained the accounts.

During the course of the investigation another fraud was discovered, where Mayor Bloomberg was the victim:

A second man, Charles Nelson, has been charged with stealing $10,000 from one of the mayor’s financial accounts on May 11. In an online transaction, Mr. Nelson transferred $10,000 from the mayor’s Bank of America account to an E*Trade account the defendant had set up, prosecutors said. They said he later used a debit card for cash advances and to make purchases from the E*Trade account.

The next question is how did Charles Nelson get Mayor Bloomberg's log on credentials to his Bank of America account? Getting a copy of a check and counterfeiting it is one thing, but online transactions normally require a log on ID and password.

I checked the press release from the Manhattan DA and it doesn't disclose how this happened, either.

None of the stories indicate that Bostic and Nelson knew each other. In fact, Robert Morgenthau, the DA was quoted as saying they were unrelated in the NY Times story. The DA's press release doesn't stipulate whether they knew each other, or not.

Mr. Nelson was arrested in New Jersey and is being charged with grand larceny and identity theft.

There are a lot of ways an account can be compromised (jacked). Phishing, where account owners are tricked into giving up their details and data breaches happen at an alarming rate these days. The sad thing is that there is so much of this going on, it's pretty hard to determine the original point-of-compromise.

Another sad thing is that, according to most statistics, over 99 percent of the criminals doing this are never brought to justice. In fact, most of the time, a victim can do little more than file a report, which never gets investigated.

This story is a testament to making sure you review your accounts on a regular basis. As long as unauthorized withdrawals are reported in a timely fashion, the owner of the account normally can't be held liable.

New York Times story, here.

Manhattan DA press release on this, here.

1 comment:

JC said...

One thing I remember while working in security at a large credit union was that crooks would actually set up the user ID and password on online accounts that hadn't been set up yet. The crooks could set the security questions then switch to online statements to keep the customers from getting them.