Blind Sentinels: All FIAU analysts shared one password

For several months at least, the computer system of the Financial Intelligence Analysis Unit relied on a simple login/password system for its security. Given the sensitivity of the money laundering investigations this Unit is responsible for, that is staggering in itself. What is more amazing is that all staff shared a single password to log in to the system, a password less complex to crack than an expired bag of Twistees: “12:00”.

Notes on ongoing investigations into suspicious transactions, including a famous million dollar transfer into Pilatus Bank, and another transfer from the LNG tanker manufacturer to a famous Dubai company, were accessible to people who had nothing to do with the investigations. This was so even when the investigations had not yet been completed and signed off.

They were also accessible to people who had an interest in the investigations not reaching a conclusion.

Now it is impossible to boil down the mad single-password strategy to lack of awareness of basic information security needs. Even someone managing a small car rental business will want to know who logged in and out, and when, and to have an audit trail of any manipulations of the data retained by the system.

The government is especially aware of cyber-security issues, as well it should be. The 2016 MITA strategy on cyber-security does not make especially gripping reading but in its way it is evidence government agencies are aware of the risks of operating entirely exposed to cyber-crime.

And the FIAU is not your average paper-piling bureaucracy. It’s a clear and present target to sophisticated criminals who are keen to cover their tracks or destroy evidence against them.

Some of those suspected criminals are prominent officers of the state: senior government officials investigated for laundering of money from illicit sources – briberies and kick-backs.

If using an office-wide shared password cannot be reduced to banal incompetence, you have to suspect intent.

One: a shared password creates doubt in the soundness of an investigation and is a card retained for anyone worried about where those investigations might lead, to argue in a court of law that the findings may have been tampered with;

Two: a shared password environment creates uncertainty and suspicion, allowing for the attribution of collective guilt if there are leaks or even collusion with suspects. Why would anyone want to allow that? Go back to one.

There has been spectacular turnover of employees at the FIAU at every level, from the director down to lowly analysts. There has rarely been much explanation of what causes this unusual turnover. But it can be safely assumed that FIAU officers enjoy little confidence that they can fulfil their mission of policing money laundering without interference from people who may very well be acting on behalf of the suspects they are, or should be, investigating.

It would be reassuring to know whether the FIAU has now adopted an individual signing-on procedure in place of the mess they had when Keith Schembri and Konrad Mizzi, among others, were in their staff’s sights.

  • Frans Cassar

    What shall we call it? Collective compliance!

  • The FIAU seems to have devolved into nothing but another biased and amateur organisation trying to wear big-boy’s shoes and parade about pretending to be qualified for the role; quite a common occurrence during the recent years.

    In truth, to anyone with an acceptable IQ, the FIAU has long since lost its credibility in the post Galdes era, and with that in mind, it is hard for anything to be surprising at this point.

    But then, the average IQ in Malta stands at 97, so I would not really expect anything to change before the harm would have already been done, since the general populace lacks the strategic vision and ability to forecast what might hurt them in the future, and only then will they start making noise like a bunch of angry chimps who have just exhausted their supply of bananas.

  • David M Grech

    A user specific login / password standard controls access to the systems. Access to specific (case related) data to specific users on a need to know basis requires a further level of access control to the directories / folders that contain that data. Just saying.

    • Emanuel Delia

      How is that useful when everyone shares the same password?

      • David M Grech

        It’s not! – My point is that even if different users had different login names and passwords, access to the agency’s data should be further restricted to certain users on a need to know basis. Adopting a unique user login/password regime still allows ALL users unrestricted access to ALL data on the server. – Just saying.

    • The acceptance of sharing the initial password encourages a culture leading to the acceptance of sharing any subsequent password in a ‘that’s what we do here’ fashion.

      From my experience (10+ years) working in investment banks, such as Credit Suisse and Citi, sharing of any password, even merely sending the password to yourself over email, is grounds for immediate dismissal.
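The distinction David M Grech draws above (per-user credentials, plus need-to-know restrictions on individual case files) together with the audit trail the post says any small business would expect, as an added Python sketch that is not from the post or from any FIAU system; the analyst names, case id and passphrases are constructed sample data:

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    # Slow, salted hash: a copied user table does not hand over the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class CaseSystem:
    def __init__(self):
        self.users = {}  # login -> (salt, pw_hash)
        self.acl = {}    # case_id -> set of logins allowed to read that case file
        self.audit = []  # (login, action, case_id, allowed)

    def add_user(self, login, password):
        salt = secrets.token_bytes(16)
        self.users[login] = (salt, _hash(password, salt))

    def login(self, login, password):
        rec = self.users.get(login)
        ok = rec is not None and hmac.compare_digest(_hash(password, rec[0]), rec[1])
        self.audit.append((login, "login", None, ok))
        return ok

    def grant(self, case_id, login):  # need-to-know: only assigned analysts may read
        self.acl.setdefault(case_id, set()).add(login)

    def open_case(self, login, case_id):
        ok = login in self.acl.get(case_id, set())
        self.audit.append((login, "open_case", case_id, ok))  # denials are logged too
        return ok

    def who_opened(self, case_id):  # what the trail lets an investigator reconstruct
        return {l for l, a, c, ok in self.audit if a == "open_case" and c == case_id and ok}

def scenario(shared):
    # Constructed sample data: three analysts each open CASE-001; only analyst_a is assigned.
    # shared=True models the post's arrangement: everyone logs in as "fiau" with "12:00".
    s = CaseSystem()
    people = ["analyst_a", "analyst_b", "analyst_c"]
    creds = {p: ("fiau", "12:00") if shared else (p, p + " own passphrase") for p in people}
    for login, pw in set(creds.values()):
        s.add_user(login, pw)
    s.grant("CASE-001", "fiau" if shared else "analyst_a")
    for p in people:
        login, pw = creds[p]
        s.login(login, pw)
        s.open_case(login, "CASE-001")
    return s
```

With per-user accounts the trail names who read the file and records the two refused attempts; with the shared account every entry reads "fiau", so the trail cannot say which of the three people opened the case.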