[HN Gopher] Hackers threatening to publish a stolen sanctions an...
___________________________________________________________________
Hackers threatening to publish a stolen sanctions and financial
crimes watchlist
Author : coloneltcb
Score : 73 points
Date : 2024-04-18 17:09 UTC (5 hours ago)
(HTM) web link (techcrunch.com)
(TXT) w3m dump (techcrunch.com)
| ghostpepper wrote:
| It's an interesting perspective for the LSEG to say
| (paraphrasing) "we maintain a sensitive database that we gave to
| a third party (presumably with some amount of vetting, since the
| data is sensitive) and that third party did not adequately secure
| it, therefore this is not a security lapse on our part"
|
| I'm not sure if I buy it.
| lazide wrote:
| Pass-the-buck is the oldest game in the book.
| meragrin_ wrote:
| If the hackers phished the customers of the third-party and
| used their accounts to scrape the information in some way,
| would you consider that a security lapse on LSEG's part?
| Havoc wrote:
| Bit of a nothingburger.
|
| The whole point of world-check as a service is that you can
| access it. This is not exactly info locked away in a vault.
|
| Sucks for them as a business and perhaps some interesting
| connections/stats can be gleaned from having the whole thing as a
| unit for analysis...but meh.
| pseingatl wrote:
| Is there some reason why these records should not be public?
| Making them public would lead both to greater accuracy and their
| more widespread use keeps criminals out of the financial systems.
| kube-system wrote:
| This is a list made up of other lists, and some of those lists,
| like sanctions lists, are public.
|
| e.g.: https://ofac.treasury.gov/specially-designated-nationals-
| and...
|
| > their more widespread use keeps criminals out of the
| financial systems.
|
| Governments already have solved this by _requiring_ banks to
| use lists like these (or similar subsets of these) where
| desired.
| psychlops wrote:
| I'm not seeing a problem with them going public either. The
| article even states that there are innocent people on the list.
| It would be nice to know so they can contest and clear their
| data off the list.
| kube-system wrote:
| > It would be nice to know so they can contest and clear
| their data off the list.
|
| That can be done here:
|
| https://www.lseg.com/en/risk-intelligence/screening-
| solution...
| lazide wrote:
| Only if you know you're on it and why though, right?
| kube-system wrote:
| That's the case whether or not it's public.
| mrangle wrote:
| Why is the identity of a wrongly accused person, formerly
| kept private, your business?
| cedws wrote:
| As I understand, in the finance world lists like this are
| considered classified because knowing you're on one, or the
| circumstances that put you on one could help you/others
| circumvent the measures. Fraud detection works like this - if
| you're under investigation, you won't know about it, you'll
| have some vague issue with your bank account.
| mb5 wrote:
| This is where the article is insufficiently clear. Lists of
| people who are under investigation for fraud are definitely
| something banks keep quiet, for the reason you mentioned. But
| as a sibling comment says, sanctions lists are public, as are
| records of people convicted of relevant crimes in most (all?)
| jurisdictions. So what kind of lists are these? Because the
| article's line about "individuals who were sanctioned as
| recently as this year" is hardly exciting - the UK sanctions
| list has people sanctioned today, 18 April.
|
| https://www.gov.uk/government/publications/the-uk-
| sanctions-...
| PeterStuer wrote:
| These are hundreds of lists from all over the world updated
| a few times a day. They are very diverse ranging from known
| terrorist fronts to things as benign as a locally elected
| politician. Assuming everyone mentioned in the DB was
| somehow involved in fraud or criminal activity would be a
| gross misrepresentation. Financial institutions and other
| businesses use them in KYC/AML, but also for flagging
| accounts that might need some white glove / red carpet
| treatment as mistakes made on those could lead to bad
| press.
| somelamer567 wrote:
| Fairly sure that anything super sensitive like that won't
| make it into the World-Check datafile. The records in there
| are mostly already public information if you know where to
| look.
| nradov wrote:
| This is private commercial data distributed under license. It
| isn't classified as Secret by the UK or US government.
| mrangle wrote:
| Because the people in question aren't necessarily criminals.
| You should be careful of how easily you may be hypnotized
| by language, including but not exclusive to accusations.
| johnmaguire wrote:
| I think there are a lot of non-criminals who would LOVE to
| know they are on the list.
| fullspectrumdev wrote:
| As I said in another comment: they respond to GDPR
| requests.
|
| I found out I'm on their list, as have a few other friends.
| somelamer567 wrote:
| PEPs -- Politically Exposed Persons, like family of
| politicians. Businesses with KYC screening requirements
| beyond sanctions and criminal convictions might care about
| it, because they fear bad media coverage, for example.
| PeterStuer wrote:
| Worldcheck is an aggregator of lists for politically sensitive
| persons and anti-money-laundering. Many of the lists they
| aggregate are public.
| nradov wrote:
| LSEG is a data vendor. They don't want to make their data
| public because they charge for it. Much of the original raw
| data that they aggregate is already public.
| somelamer567 wrote:
| They're charging for the effort of collecting and curating it
| all.
| TacticalCoder wrote:
| > Making them public would lead both to greater accuracy and
| their more widespread use keeps criminals out of the financial
| systems.
|
| What about arresting criminals for their actual crimes instead
| of having a gigantic, worldwide, army of bureaucrats inventing
| sick and sicker KYC/AML rules which do nothing but cost
| business and honest people time and money?
|
| Estimated worldwide KYC/AML compliance costs: $180bn. For
| absolutely nothing: nothing of value is produced. Pure Brazil
| (the movie) style red tape, pointless documents, processes, code,
| etc. To freeze (not seize: just freeze, some of it shall be
| unfrozen after more pointless public servants shall waste time
| producing nothing of value)... $12 bn. 15x less than the
| estimated cost.
|
| That's totalitarianism for you: pure insanity created by sick
| minds and admired by sicker minds.
| kube-system wrote:
| That is because money can cross lines on political maps but
| police jurisdictions often do not.
|
| Also, criminals can hide, but bank accounts are always
| maintained at the bank.
| somelamer567 wrote:
| Much of the data is indeed public. LSEG have analysts going
| around all the websites of major government entities publishing
| sanctions lists to update their database. If you're politically
| exposed or get mentioned in the media for being convicted of
| fraud and it's public knowledge, it'll get pulled in too.
|
| LSEG get sued by people all the time, so they document and
| justify everything that goes into the file. There are very good
| legal reasons to do so.
| mrangle wrote:
| "Hackers" want to publicly snitch on those with supposed "links"
| to financial crime and sanctions. Not convictions nor actual
| sanctions, but links. Like the same brand of hacker that is all
| in on bitcoin, anarchy, etc? Hackers are shaming agents in
| service of the State Department now? Sell us another one.
|
| People should not be de-personed because a bank thinks that they
| are risky. The population, in general, needs to stop pretending
| that anonymous "hackers" are legitimate justice advocates instead
| of the likely state actors that they are. Unless they want
| anything of the sort to be co-opted and then utilized against
| them.
| nradov wrote:
| Hackers come in many different flavors. It's entirely possible
| that this group is state sponsored. Would that really change
| anything?
|
| I don't see anyone seriously claiming that leaking this data
| would deliver any sort of legitimate justice.
| mrangle wrote:
| My point was that it should change public support for their
| intended data release.
|
| Because no one should be ok with the State anonymously
| doxxing uncharged targets, let alone people who are merely on
| lists as being known to have "links".
|
| I assume that such an action would be to create both leverage
| and punishment, outside of what legal constraints would
| otherwise allow.
|
| The nature of democracy is such that the government can't
| punish individual citizens via stealth practices, and the
| citizenry can't be ok with it.
|
| Generally speaking, this type of thing would have been vetted
| by a journalist. Who would have acted as the final release
| valve, after verifying that the source was legitimate and
| not, for example, the government itself. While keeping the
| source confidential, and vetting the information for the
| ethics and justification for its release.
|
| But today it would be foolish to trust most journalists with
| that process. And so the public are left with the judgement
| as to the possible motivations, identities, and probable
| legitimacy of the actions of anonymous sources who, for
| whatever reason, aren't first releasing to journalists.
| Backstops removed, such an action represents a lot of social
| risk and begs questions.
| nimbius wrote:
| These are KYC checks so the information is very interesting if
| you're the average joe.
|
| The US Bank Secrecy Act prohibits you from ever knowing the
| details of a SAR, or suspicious activity report. There are
| _criminal_ punishments if a bank were to tell you a SAR had
| even been filed against you.
| https://en.wikipedia.org/wiki/Suspicious_activity_report
|
| If this agency does not capitulate to the demands of hackers,
| then 5.3 million people would suddenly know their SAR/KYC
| status. It would do quantifiable harm to the prosecution of
| financial crimes globally.
| johnmaguire wrote:
| From your link:
|
| > A 2020 Bank Policy Institute study found that American SARs
| elicited a response from law enforcement in a median of 4% of
| reports, and that a tiny subset of those responses resulted
| in arrest and conviction, suggesting that 90% to 95% of SARs
| reports were false positives of unlawful activity.[5]
|
| Anecdotally, I've heard of many people having issues with
| this system.
|
| I find the claim that "it would do quantifiable harm to the
| prosecution of financial crimes globally" technically true
| (it is quantifiable), but to be overall exaggerated as to its
| actual harm.
| kube-system wrote:
| That's not surprising. There are plenty of suspicious
| things that aren't illegal. Moving $10k in cash around can
| often be legal, but could trigger a SAR. SARs aren't just
| supposed to catch illegal things. They catch suspicious
| things, and illegal things will be a small subset of those.
| FireBeyond wrote:
| Is it just cash? I was doing some freelancing and as I
| invoiced each month, I'd often generate a cashier's check
| from my business checking account to my personal
| checking, that varied between 9-12K a month. I was
| "warned" by my credit union about this and that there
| could be flags raised, but my response was, "what am I
| meant to do? That number is derived from my consulting
| hourly rate and the work I put in each month."
| kube-system wrote:
| No, I just picked one example; there are a lot of things
| that could trigger it.
| reaperman wrote:
| I believe the way to avoid SAR here is to file for an
| LLC, then create a business account, then pay yourself
| whatever wage via direct deposit for 1099/W-2/capital
| divestment payments. I'm not saying that you _should_
| have to do that, but I believe it's the best way to
| avoid SAR.
| FireBeyond wrote:
| KYC checks have in the past resulted in me being unable to
| open a bank account due to a "discrepancy" between my SSN and
| my DOB (due to me being an immigrant).
|
| The flip side of your comment is that 1 in 60 (including
| minors) people in the USA are on a watch list for financial
| crime.
|
| I think what is more worrying as a society is not the risk to
| prosecution of financial crimes (this list being uncovered
| does not erase evidence of previous or current financial
| crimes in progress) but how those 1 in 60 people got to be on
| such a list in the first place.
| kube-system wrote:
| That doesn't really sound like a lot, in the scheme of
| things. Almost 1 in 3 Americans (adults) have been arrested
| for a felony crime. (edit: _have a criminal record_ )
| marcosdumay wrote:
| > Almost 1 in 3 Americans (adults) have been arrested for
| a felony crime.
|
| That one is absurd. How do your governments (on all
| spheres) keep up? Do they even know who is arrested?
| kube-system wrote:
| They... keep records? It's not like they have to memorize
| it lol
| marcosdumay wrote:
| They keep searchable records so that criminals get to see
| a judge when their sentence finishes?
|
| Or they keep local records that nobody looks at or knows
| if they are correct?
|
| Because if it's the first one, kudos for whoever created
| that system. Plenty of countries fail with way less
| prisoners/inhabitant.
| Retric wrote:
| I think you're misremembering that statistic. 1/3 of
| Americans have some form of criminal record, but not all
| crimes are felonies, anyone with a traffic ticket counts.
|
| https://www.ncsl.org/civil-and-criminal-justice/criminal-
| rec...
| kube-system wrote:
| The 1/3 number I'm citing counts arrests without
| convictions.
|
| https://www.politifact.com/factchecks/2017/aug/18/andrew-
| cuo...
|
| But on a second reading of that page, I think you're
| right, "criminal record" is more accurate. My point is
| the same, either way -- it's a lot of people.
| recursivecaveat wrote:
| Wow, I found this hard to believe. I still couldn't find
| the figure of % arrested for a felony, but I found a
| reliable looking source that 8% of adults have been
| convicted of one in 2010, so I find it very believable
| now.
| https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5996985/
| mistrial9 wrote:
| that is false information
| krunck wrote:
| If I was incorrectly "linked" to some financial crimes I'd like
| to know about it. If others make decisions based on this data
| that affect me personally then I'd like to know about it. I
| have to pay to know about it. But any powerful/wealthy person
| who has done things that could get them on the list probably
| has the means to see the list for themselves.
| fullspectrumdev wrote:
| Send a data access request (under GDPR if you are in the EU).
|
| I did so a few years ago and found I'm on their shit list :)
| redavni wrote:
| I'd be wondering if sending the request was enough to get
| you on the list.
| Terr_ wrote:
| I'm confused, is this a restatement of "call the bad ones
| crackers not hackers" debates of a couple decades ago?
| PeterStuer wrote:
| A Worldcheck sub gives you access to all the lists. How is this
| "hacking"?
| kube-system wrote:
| This part:
|
| > illegally obtained from the third party's system
| pc86 wrote:
| That makes it theft but doesn't make it hacking.
| kube-system wrote:
| Legally speaking, in many/most places, taking any data
| you're not supposed to take from a computer system is
| 'hacking'. This is a story about a hacking group that took
| data they're not supposed to have. I don't see many
| scenarios in which it wouldn't qualify.
| PeterStuer wrote:
| I've integrated worldcheck for AML in financial service
| companies. Just like any other consultant doing this type of
| work, I could have walked out the door with a full copy of
| the DB on my laptop or a USB stick any time I wanted. Doing
| that might have made me a 'pirate' or a thief, but rest
| assured no 'hacking' would have been involved.
| kube-system wrote:
| The data was stolen by a hacking group, not employees.
| somelamer567 wrote:
| The data goes stale after a while. The real value of
| World-Check is that it's constantly updated, and if you're using
| LSEG's KYC screening platform, you get notified in real time as
| soon as anybody you've screened gets a new hit or update in the
| datafile. That covers you when good customers turn bad.
| PeterStuer wrote:
| True in theory, but compliance is not a real-time business
| process. In my days, as I remember, we got updates 3 times a
| day, which was more than enough (many if not most
| risk/compliance processes either run once every 24 hours
| overnight, or are triggered at events such as customer
| onboarding.)
| Rickasaurus wrote:
| We used WorldCheck data at my last startup; it was the best in
| the business at the time. High quality groomed data, well tagged,
| with an actual timeline for each entity that explains why they're
| in there. Absolute top notch.
| pc86 wrote:
| Yeah if you don't care about the false positives I'm sure it
| was great.
| somelamer567 wrote:
| To use the World-Check datafile, you need decent tooling to
| go with it. You can either build your own, or use theirs.
| That said, it's only as good as the analysts using the tools
| as well as the consultants configuring it. It's a hard
| problem.
|
| Source: worked as a developer on World-Check One for ten
| years.
| fullspectrumdev wrote:
| From reviewing my own record there - it contained some factual
| errors.
|
| Friends reported the same.
| faserx wrote:
| So what's the big deal? (barely) every bank in the world has
| access to the world check database and there is no "secret data"
| in it. Just a collection of public records...
| dcan wrote:
| I wouldn't consider passport, social security, or bank account
| numbers "public records".
| faserx wrote:
| Unless it is a different subscription, I've never seen such
| information in the worldcheck database.
| fullspectrumdev wrote:
| Oh, I'm in that database!
|
| You might be also - if you are EU based, send them a request
| under GDPR.
| BeFlatXIII wrote:
| > financially motivated criminal hacking group
|
| Sad! This information should be published because it's in the
| public's interest, not because someone didn't pay up.
| barfbagginus wrote:
| Publish the list! I wanna show people I'm on it!
|
| You're not paranoid if they're actually after ya!
___________________________________________________________________
(page generated 2024-04-18 23:01 UTC)