‘Fraud buster’ series – Divulging the golden code

Would you randomly hand out the key to your home? Or maybe the user ID to your personal laptop or bank account? The answer is a definitive no. Then why do individuals not pay heed to maintaining the confidentiality of access credentials at their workplace?

It is a well-known fact in this digital era that information technology is vastly relied upon by most companies. But, it seldom occurs to an average user to realize the innumerable fraud risks that could potentially arise on account of sharing the access credentials. One of the continuous challenges organizations face is evaluating whether the confidentiality of passwords and user credentials is being safeguarded by their employees.

In this digital age, every employee needs to take responsibility to thwart intruders and not enable them to violate proprietary access granted by the company. This could be as simple as protecting storage devices, mailbox, companies’ master data-base, restricted modules of the companies’ enterprise resource planning (ERP) system, official or personal folders etc.

Password sharing in a business environment is conveniently used to justify the unhampered conduct of various operations.

Here are some common instances where employees share passwords and user credentials:

  • An employee, who is unable to login with their own credentials (either due to failure to remember the credentials, expiry of access details, loss of OTP generators etc.) would borrow the access details from their colleague, until it is resolved
  • Password of superiors shared with their subordinates to enable higher level approvals to release requisitions, purchase orders, invoices, payments etc. on an ‘urgent’ basis
  • Mangers maintain the password list of their subordinates to access their mails, files and folders in the employee’s absence (due to personal leave, working from remote locations etc.)
  • Inter-departmental sharing of access controls to ratify / regularize differences in the value or quantity for the requisition notes, purchase orders, goods receipt notes, invoices etc.
  • Usage of the access details of team-mates to circumvent the restrictions on the number of transactions that could be initiated with a particular user ID

Employees should consider the implications of password sharing in terms of its impact on confidentiality, integrity and availability of data. User names and password sharing can give rise to significant threats or breaches around information security to any organization. They can lead to situations resulting in:

  • Gaining unauthorized access to sensitive information
  • Executing fraudulent transactions with the credentials of another employee, thereby creating a fake audit trail resulting in identity theft
  • Possible leakage of sensitive information to the competitors
  • Unauthorized approvals and initiations

To explain this with an example…

Insurance company fraud

So what can companies do to detect and mitigate fraud risks arising out of password sharing practices among its employees?

An appropriate approach would be to establish some ground rules and drive the right message within the company. This includes,

  • Establishing company policies that restricts/prohibits password sharing, and educate the employees on the potential consequences of sharing user credentials
  • Encouraging the employees to preserve their credentials appropriately
  • Conducting periodical review of e-mails, chats conversations etc. to identify sharing of user details
  • Undertaking analysis of access logs to identify multi-users of a single access detail
  • Adopting single sign-in solutions
  • Devising systems to make the password expire on a frequent basis, thereby necessitating regular change of passwords
  • Limiting the use of certain sensitive accounts to the IP of the workstation that will be logged into regularly
  • Implementing biometric login access for sensitive roles

Can the organization be assured that the implementation of the above strategies would ensure a radical change in employees’ conduct? To be realistic: not entirely. But it is of utmost importance to know that to enhance the effectiveness of encryption, fire wall and other security measures; the keys to your door should be guarded.

(The above is fourth in the series of blogposts which will deal with different fraud scenarios and highlight measures that could be used as ‘fraud busters’)

Follow @EY_India and track #EYForensic for regular updates

2 thoughts on “‘Fraud buster’ series – Divulging the golden code