According to numerous media outlets, including The Wall Street Journal, one of Citigroup's own employees has been moving pennies from the penny tray:
A former Citigroup Inc. employee was arrested and charged with allegedly embezzling more than $19 million from the bank in "the ultimate inside job," federal prosecutors said on Monday.
The case shows how management of increasingly complex derivatives transactions may create more illicit opportunities for staffers involved in their administration. Robert Jossen, a partner in the white-collar securities litigation practice at Dechert LLP, said such transactions involve "increasing use of sophisticated computer programs, electronic access and speed, none of which involves face-to-face interaction. This combination of factors may increase the temptation to seek personal gain."
Mr. Foster allegedly put a phony contract or deal numbers in the reference lines for his wire transfers to make them look like they were for legitimate contracts.Yet another (and another) inside job. While not exactly an attack, it remains an example of a company with poor security monitoring. Citigroup is lucky Mr. Foster just took money, and that they didn't lose face and valuable market capitalization, as well. This should be a cakewalk for Citigroup, compared to their previous mishaps; it's not that they have no experience with these things...
There is a solution to this, of course, to prevent future incidents. We've recommended strong two-factor authentication before, utilizing challenge-response and transaction data signing, for user-side transaction authentication. The same technology can be used on both ends, and authenticate employees and transactions internally at companies. This is important for non-repudiation purposes.
(Stapler not included)