Recently I had a client contact me wanting my help in resolving some identity theft problems and the resulting losses his business had incurred. It seems that two of his bank accounts had been accessed and over $30,000 was taken through fraudulent transfers.
Of course he was surprised when he contacted his bank and found that the bank would make good on none of the losses. It seemed that my constant reminding him that commercial accounts don't receive the same protection that private accounts do had fallen on deaf ears. (That will be the topic of another article.)
But as expected he was really mad and was just certain that he knew the person responsible for the theft and wanted me to help him prove it.
It seems that he had recently fired a young man that had been with his company for about two years and this young man had be involved in both handling tech and maintenance on his computers. So this young man would have had the knowledge and the ability to access the bank accounts in question and he felt he must be the one who had done the crime.
As in most cases of forensic accounting and security investigation a good rule is to never jump to conclusions. Far to often it's not the one we suspect that is the guilty party.
So the first thing that I did was to look at the records and then begin to study the security and protection in place for the companies computers. Of course what I found was both a surprise and an embarrassment to my client.
For the truth of the matter was that in the end I discovered that both he and his office manager often met at a local club for breakfast and to go over issues that they wished to discuss out side of the office. They just loved this place because, you guessed it, they had Wi-Fi and free Wi-Fi at that.
Well after some careful investigation it seems that one of the young people that worked at the restaurant in question had left his job. He had left to go back to college in another state. The police are still investigating but it seems almost certain that this young man was the thief. I'm not certain that he will ever be charged (Computer crimes are very often never solved or if solved no one is charged due to their complex nature.) but with everything we know he's the guilty party.
So what's to be learned from this?
1. Wi-Fi isn't secure. Everything that you do, send, or have on your computer is at risk while you are on a Wi-Fi network. And that risk extends to paid Wi-Fi as well. The only part of paid Wi-Fi that is encrypted all the way to the ISP is the sign on screen. So while paid Wi-Fi is more available it's not safer. There are a couple of easy answers to this problem. First is to use a VPN secured gateway to access a Wi-Fi network any time you use one. And Second is to go with a wireless ISP, which is much different, over using Wi-Fi. Providers like AT&T, Version, Sprint, T-Mobil, and the other big wireless providers protect your connection and make sure it's private from your computer to their computer.
2. That not having important data encrypted on your computer means that this data can be accessed by others even when you aren't using it. It seems that up on checking credit cards and other company assets were compromised as well and all were items of information contained on the owners laptop in clearly visible files. So the owners computer had been accessed not just the data that was transmitted over the Wi-Fi network.
3. That everyone in a company needs to be aware and trained in security issues. Bosses and others at the top are often the worst offenders since they don't usually answer to anyone. That's part of the $30,000 lesson my client learned in this case. He can be a security risk just like everyone else.
4. That not paying for and implementing security and the proper training of your personal may well be much more expensive in the end. Security is a constantly changing and increasingly important part of your companies operations. It's not something to be left to chance or circumstance.
So a word to the wise DON'T USE PUBLIC WI-FI WITHOUT VPN PROTECTION and use encryption on files that contain important data or risk losing that data.
As a point of information the client involved in this issue knows of this article and approved it's content. He allowed it's publication with the hope that it could prevent others from leaning these lessons the hard way as he did.