

Honor Roll: This Week's Top Banking Blogs (Feb. 28-Mar. 6)

Posted on March 05, 2010

Our favorite banking technology-related blog posts from around the Web (February 28-March 6, 2010):

Open Identity Exchange (OIX): The Next Big Thing, or The Next "What was that Initiative Called Again?"

James Van Dyke of Javelin Strategy & Research delves into the recently announced Open Identity Exchange. "We can now wonder if we're finally ready for the inevitable industry identity (III?) standard for how identity records are created, maintained, verified and accepted," he writes.
---

The Thriving Fee-based Economy – Unless You're a Bank

Thanks to recent legislation, limits have been placed on banks' abilities to implement fees. In other industries though, fees are alive and well, writes Celent's Bob Meara. "In light of the moral high ground claimed by some supporters of the proposed legislation, one would think that banks stand alone in an otherwise ocean of fairness and serenity. But, this is hardly the case," he suggests.
---

McDonald's Showcases Glocal Strategy

Forrester's Bruce Temkin discusses how companies like McDonald's work to grow their business by introducing products tailored to specific parts of the world, but under a global brand. "These efforts are not isolated, but represent a move to a strategy called Glocalisation," Temkin explains.




Banks' Struggle to Achieve Document Security

Posted on February 02, 2010

By Adi Ruppin, Confidela

Keeping electronic documents secure is a challenge in any industry, but banks have extra considerations. Checks, loan applications and monthly statements need to be accessible online. The same applies to sensitive internal bank documents that need to be shared among employees, branches, auditors and others. And industry regulations such as Sarbanes-Oxley require banks to maintain an audit trail of all these documents. There are three conditions in many banks that make document security particularly hard: phishing attacks, remote workers and customer communications.

1. Phishing and privacy. Probably the toughest data security problem for banks to address is the issue of phishing. Phishing employs ‘social engineering’ and ‘technical subterfuge’ to steal consumers’ identities and account credentials. Social engineering uses spoofed e-mails that appear to be sent from legitimate businesses to lead consumers to counterfeit Web sites designed to trick them into divulging personal data such as their user names and passwords. Technical-subterfuge schemes plant Trojan horses or other types of malware on consumers’ PCs to steal their data or credentials. Phishing incidents are on the rise and are plaguing customers of major companies, such as Citi (which is currently used in 54 percent of phishing messages, according to the Anti-Phishing Working Group), AOL, Amazon.com, eBay and PayPal.

What makes phishing so hard to deal with is the human factor. It requires a lot of consumer education to raise awareness of phishing techniques and to offer ways of preventing or detecting them. As long as it’s up to the end user, phishing is here to stay.

So what can be done about it? New technologies make it possible for banks to deal with the issue without imposing unreasonable burdens on the consumer. Deploying two-factor authentication or using new virtualization products aimed at providing the consumer with a truly protected transaction environment can curb the effects of malware and most forms of social engineering.

2. Dealing with remote workers. Bank staff work from many different places: a remote branch, on the road or from home. Take, for example, members of a bank’s management team. These members need to access highly sensitive information from multiple locations. This means this information can easily leak in different ways. Common examples include the person’s laptop being lost or stolen, Trojan horse software eavesdropping, accidentally sending sensitive information to the wrong party and more.

There is no single solution for all these problems. Obviously, there’s a great need for full hard drive encryption or an ‘anti-theft’ service. Additionally, the data needs to be encrypted when it travels and protected at all times from being copied, printed or forwarded to an unauthorized party. This can be accomplished via digital rights management software, a document control system, and/or possibly a data loss prevention system.

3. Customer communications. Whether you're corresponding with private wealth management customers or just sending statements to retail customers, protecting these transactions is vital and also required by different regulations.

Some key elements need to be addressed. First, messages must be encrypted while en route to the customer. Second, the bank must verify the identity of the customer. Third, it is sometimes crucial to be able to track and prove delivery. Last but not least, all this needs to be accomplished without imposing impossible burdens on the typically non-tech-savvy customers.

Encryption is a partial solution, as it only addresses one or two of the issues raised above. It is also typically a pretty significant hassle for the end user. Banks need to put in place more seamless document control and solutions that ideally do not involve much (or any) software installation, do not rely on passwords, and secure the data at all times.

The risky Internet ecosystem and recent regulation, combined with consumers who are under-informed and typically not tech-savvy, call for new technologies to solve issues that are not addressed today, or not addressed well. These technologies also must be simple enough to be deployed and used by the consumer. The good news is that vendors are coming up with such solutions that will change the way electronic banking is conducted, for the better.

Adi Ruppin is vice president of marketing for Confidela.




Heartland Shares Lessons Learned from Its Data Breach

Posted on January 28, 2010

Heartland Payment Systems has gone from data breach victim to card data security expert. Although the card payment processor suffered a data breach in late 2008, lost 50 percent of its market cap shortly thereafter, and spent more than $32 million in legal fees, forensic costs, reserves for potential card brand fines and other related settlement costs, it has since designed and implemented an end-to-end encryption system that puts it ahead of many of its peers in terms of data security. Details about the breach and Heartland's data security efforts since then are described in a paper the Federal Reserve Bank of Philadelphia released this week on lessons learned from the Heartland data breach. (At Bank Systems & Technology's Executive Summit last year, Kris Herrin, CTO of Heartland Payment Systems, did a video interview about his company's security efforts that can be viewed here.)

According to the paper, the method used to compromise Heartland’s data was SQL injection. "Code written eight years ago for a web form allowed access to Heartland’s corporate network," the report states. "This code had a vulnerability that (1) was not identified through annual internal and external audits of Heartland’s systems or through continuous internal system-monitoring procedures, and (2) provided a means to extend the compromise from the corporate network to the separate payment processing network. Although the vulnerability existed for several years, SQL injection didn’t occur until late 2007. After compromising Heartland’s corporate network, the intruders spent almost six months and many hours hiding their activities while attempting to access the processing network, bypassing different anti-virus packages used by Heartland. After accessing the corporate network, the fraudsters installed sniffer software that was able to capture payment card data, including card numbers, card expiration dates, and, in some cases, cardholder names as the data moved within Heartland’s processing system. The fraudsters’ focus on compromising data as they moved within Heartland’s network – data in transit – rather than when they were stored in consumer databases — or, in other words, when data were at rest — was a relatively new phenomenon." A similar data-in-transit breach occurred earlier in 2008 at Hannaford Brothers, the paper notes.

Heartland's response to this intrusion has run along two lines: efforts to promote better information sharing among companies that perform PCI audits and that act as response investigators, and technologies to improve data security.

Heartland considered three types of data security — end-to-end encryption, tokenization and chip technology — and in the end settled on end-to-end encryption as the best method. The payments company has helped design a tamper-resistant security module that fits in a merchant's POS terminal and encrypts PIN numbers as they're entered. It costs merchants $300 to $500. Data is decrypted only after it's been received into Heartland's hardware security modules and when required by the card brands to enter their authorization networks.




Three Ways to Deter Cyber Crime

Posted on January 25, 2010

By Joe Spatarella, Online Banking Solutions

Ironically, as businesses move from risky paper check payments to a safer means of electronic B2B payments, the online banking systems through which payments are originated have become an attractive fraud target. Although businesses are using payment fraud control devices such as ACH Positive Pay and ACH Debit Filter, they only mitigate fraud after it occurs. There are at least five fresh reasons to step up the security investment.

1. The browser is the weak point. Trojans and other malware that mount man-in-the-browser attacks, which are difficult to detect, hijack the transaction inside the browser session and subsequently attack the application and database on the server. According to FinServ Strategies, most of the top 100 banks have experienced similar incidents. Man-in-the-browser attacks are becoming mainstream, RSA reports in its whitepaper, “Business Success in a Dark Market: An Inside Look at How the Fraud Underground Operates,” especially in the U.S. and Europe where two-factor authentication is already densely deployed.

2. The customer is the endpoint. Banks deliver services to business customers through the browser; however, they aren’t in control of the business’s computing environment. Businesses are legally responsible for their transaction banking environment, but 20 million U.S. small businesses are particularly vulnerable to cyber fraud as they don’t have the experience or resources to combat fraud, yet they initiate high-risk payment transactions (e.g., ACH, wires). Many banks provision online services to small businesses on consumer systems with inadequate security for business activity.

3. Tweet this - multichannel banking is here. The cyber threat environment is growing more complex, especially as Web banking expands from Web and file transfer to mobile/smart phone and social channels and as the workforce grows younger. An integrated multichannel approach to information, transactions and fraud is necessary to lower costs and increase effectiveness.

4. Single sign-on lags business banking. Banks are seeking new corporate/business portal solutions or independent SSO applications to solve the security usability problem. If the bank looks for an SSO solution in an existing packaged online banking offering, it may not get the integrated authentication and entitlements it needs. “Most solutions secure the session,” says Nick Owen of WiKID Systems. As malware is now attacking at the application level, transaction authentication needs to be cryptographically distinct from the session.

5. Fuhgettaboudit - cyber crime is organized crime. According to RSA, Internet fraudsters have created an end-to-end supply chain to advance malware attacks and the online vector used to efficiently deploy them. While the security technology market is creating security-as-a-service solutions, criminals are creating fraud-as-a-service, and fraud has moved from the consumer to businesses that initiate payments and bank online.

But new approaches are emerging to tackle 21st century online banking problems. Among them are the secure browser and integrated single sign on. Banks are taking three positive steps in the right direction:

Organizing to combat fraud. Business fraud incidents are significant (albeit underreported), as related by major security companies and members of industry entities such as the Financial Services-Information Sharing and Analysis Center. Formed by presidential directive in 1999, FS-ISAC now has 4,100 members from the institution, brokerage and insurance sectors. “Members successfully share threat vulnerabilities through a network of trust that guarantees anonymity, while reporting important threat information to financial industry, government and other industry sectors,” says FS-ISAC president William B. Nelson.

Implementing secure browsers. The secure browser solves the openness problem of the Internet without plunging the world back into private networks. Much like a dedicated business-to-bank connection, the secure browser uses only the rendering portion of the browser and restricts URL destinations to a bank- and company-controlled list through entitlements, and self-tests for changes indicating malware such as Trojans. This creates a secure connection akin to a virtual private network, but without the technical requirements and cost overhead. Like a regular browser, the secure browser performs site authentication, but it shuts the user down if a site is not authenticated, rather than asking the normal user to decide whether it is okay to continue during an abnormal event.

Using integrated single sign-on. Independent integrated SSO solutions are appearing to fill the security gaps of online business banking and cash management solutions, which were never intended as portal or SSO solutions. The new integrated SSO combines user credential management for entity Web sites with browser validation and a multi-layered security approach, including strong authentication, software-based keyboards to thwart keyloggers, one-time perishable passcode generation and utilization, and strong authentication of destination Web sites to prevent DNS poisoning and pharming.

The global economic costs of cyber crime are estimated at more than one trillion dollars and costs to the U.S. at about $8 billion. The banking industry is moving to shared fraud analytics to detect cyber crime in flight, but it should also be prevented at the outset. Financial products with built-in security are absolutely essential. Industry groups, banks and technology companies are emerging to fill the gaps and build the online experience with the proper foundation to mitigate threats that have moved beyond network perimeters to applications and data.


Joe Spatarella is vice president of sales and marketing for Online Banking Solutions.




Time for a Holistic Fraud Prevention Effort

Posted on January 22, 2010

By Mike Ressel, vice president of business development, Fiserv

Despite continuing effort and investment by banks to mitigate financial crime risk, fraud is evidently still a growing problem.

So what’s going wrong?

Fighting Fraud 2010

Platforms and opportunities for fraud and malfeasance are continually opening up in the form of mobile banking and through different technologies, regulations and time zones. The resourcefulness of financial criminals can be taken as given, and is not going to change. What can and must change are industry tactics for countering these attacks. Transaction monitoring, one of today’s most widely accepted tactics for mitigating fraud risk, has reached a point of diminishing return.

By its very definition, transaction monitoring focuses on detecting fraudulent transactions after they have occurred. While this reactive approach certainly helps identify and assist affected customers (and can potentially lead to the conviction of fraudsters) it does little, if anything, to address increasing fraud rates.

One area which has spiked in growth due to the economic downturn is internal fraud. For example, the Société Générale rogue trader who hid fraudulent transactions using varied and sophisticated techniques cost the bank over three billion pounds. The UK’s Fraud Prevention Service, CIFAS, reports that dishonest actions by staff to obtain benefits by theft and deception increased by 69 percent in the first half of 2009 compared with the last half of 2008. CIFAS also comments that two in five frauds were identified through internal processes and audit procedures, demonstrating the continued importance of having robust checks and processes in place.

In another, more recent event, a woman stole nearly 20 million Australian dollars from electrical retailer Clive Peeters, in Australia. After getting payments approved, she allegedly changed the account details so the money was siphoned into her own accounts. The fraud was detected through routine end-of-year ledger reconciliation, but the company had to substantially restructure to accommodate the cost to their bottom line.

Recognizing the increase in fraud, some banks have implemented real-time detection solutions. The problem is that the solution often falls short because proactive, real-time detection requires a greater commitment of infrastructure and operational resources to interact with the system and to decide exceptions in real time. It’s also only feasible for specific transaction types (e.g., wire transfers, credit card) that are inherently real-time. Like transaction monitoring, real-time detection solutions cannot address the more insidious forms of financial crime such as identity theft, phishing and malware attacks, and complex legal entity and time-zone exploitation fraud. Transaction monitoring, batch and real-time, still has its place. It just needs to be seen as part of the solution, not the full answer.

Rather than continuing to implement and then attempt to tune individually siloed fraud risk management solutions for ‘better’ performance, banks need to take a more holistic approach to financial crime risk mitigation and prevention. They need to ‘de-risk’ each and every transaction throughout the transaction lifecycle. This includes not just point of transaction initiation and following clearance and settlement, but also the point where users access banks’ systems, and when customers first establish their relationship with a bank.

While valuable point solutions do exist for each of these transaction lifecycle ‘stages’, the key to fighting today’s financial crime is the integration of these traditionally siloed solutions into a common framework. This means relevant information could be shared from one transaction lifecycle solution to the next, offering customers the ability to identify, manage and ‘de-risk’ suspect transactions and banking activities. It creates a seamless, integrated and highly effective multi-layered ‘deep defense’ fraud mitigation strategy to counter increasingly complex and inventive fraud scenarios.

Fraud is more complex and faster than it has ever been, yet, fraud, anti-money laundering and compliance systems remain focused at the individual or group level of transactions. The monitoring solution then often doesn’t calibrate, resulting in a fraud and compliance solution that offers at best poor ROI and, at worst, an expensive false sense of security.

The ultimate goal is to ‘de-risk’ a transaction from before the point of execution. This requires a revolutionary and highly creative approach to increasing the transparency into fraud and compliance risk which uses existing investments and substantially cuts operational costs. Combining the defensive layers, including real time, batch, complex, simple, cross product, cross enterprise (which by themselves bring value) - into a common framework magnifies the efficacy. With a common, fully integrated workflow, alert investigation dashboard and case management user interface, revolutionary preventative capabilities can be realized, as well as earlier and more proactive detection and enterprise uniformity in the investigation and management of exposure.

The result is a much more robust fraud and compliance environment offering higher prevention rates with increased opportunity earlier in the transaction lifecycle to identify and mitigate exposure. In an era of increasing mobility in financial crime, such an approach will offer customers an operationally more efficient, productive and cost-effective solution as well as a several-fold improvement in exposure transparency. Placing the correct tool, focused on a specific exposure, within the transaction process would also drastically reduce the expensive investigation of false positives.

In such an environment, transaction monitoring – the traditional answer to the challenge - becomes an exception processing solution and not the vanguard against financial crime. In other words, the transaction monitoring system can focus on what it was designed for - to reduce the risk of false positives and spot key risks.

It all comes down to those who recognize the need to cover the whole transaction lifecycle. Banks that recognize this need to ensure tighter integration of financial crime risk management solutions will be among the first to beat back the seemingly inexorable rise in financial crime rates.

Mike Ressel currently serves as vice president of business development at Fiserv. Mike has over 16 years experience in the banking, electronic payments, and commercial software industries, including specialization in cash management, capital markets, retail payments and risk management systems. Prior to joining Fiserv, Mike held various internal audit and security roles at Banc One Corporation.




Three Approaches to Combatting Enterprise Fraud


By David Nussenbaum, vice president, ACI Worldwide

Fraud is on the rise and it’s expected to accelerate in the wake of the global financial crisis, with not just cards but other bank products and channels being targets for criminals. Urban gangs like the Crips and the Bloods have been known to collect more than 10,000 credit card numbers a night. Right now, a gang member is likely approaching a waiter as he starts his shift. The crook simply offers the waiter a card skimmer, which is smaller than a deck of cards, and he tells him that all he has to do is swipe cards through the skimmer during his shift, and in return he’ll get paid $25 per swipe. Unfortunately people need money for gas and rent, especially in this economy, so they tell themselves they aren’t doing any harm and they go ahead and swipe the cards of unsuspecting diners.

Fighting Fraud 2010

ATM skimming is another popular form of card fraud. In fact, according to the U.S. Secret Service, it’s one of the financial industry's fastest-growing electronic crimes, now costing institutions and consumers $8 billion annually. This scam involves hiding a skimming device and camera within an ATM. When people slide their cards through the skimming device it reads all of the account information stored electronically on the magnetic stripes, and a small camera that is fitted to that ATM records their personal identification numbers (PINs) as they punch them in on the ATM keypad. The criminals download this sensitive data and sell it to counterfeiters.

Card related scams have been around for years. As countermeasures to fight card fraud get erected, enterprising fraudsters hedge their risks of getting caught by expanding into other sorts of attacks. Internet banking, ACH and wire transfer products are also being compromised via schemes ranging from the use of high tech malware to simple social engineering.

If that’s not enough to keep bank CROs awake at night, all they have to do is start thinking about a mass data breach. When a retailer or financial institution stores card or identity information it is at risk of getting hacked. A mass data compromise can result in the theft of millions of valuable records, which in turn are brokered over the Internet, resulting in compromised identity and card information. Fraudsters then rack up millions of dollars in merchandise using the fake credit cards to make purchases at stores, online and over the phone. Others open up new account relationships at banks and draw down on available credit. Detective Bob Watts, Newport Beach police department, explains how criminals make counterfeit cards in the Wired Magazine video below. It’s scarily easy.

To successfully combat payments fraud, bank risk managers need to look at payments fraud holistically and overcome the following three challenges:

1. Accurate quantification and timely reporting of fraud. Fraud definitions and the labeling of reported payment fraud differ widely throughout the industry, from region to region and even from institution to institution. The most typically reported and accepted quantification of card fraud is the annual losses reported by card issuers – Visa, MasterCard, American Express, and Discover. However, these estimates do not reveal the whole picture. Unreported and undetected fraud at card issuers is significant, and it often ends up classified as a credit loss, which means these losses end up in the collections file, making fraud losses difficult to separate from bad debt write-offs. The losses from individual merchants and consumers are accepted to be even greater, yet these losses are incredibly disparate and go largely unreported and unmeasured. Furthermore, the fraud levels that are quantified are reported in aggregate, and by the time these reports reach the strategists who are combating fraudsters, the information is out of date and watered down.

Inadequate quantification and reporting is an industry problem that needs to be addressed in order to help financial institutions stay one step ahead of criminals. Without detailed information, experts within banks can’t properly assess current fraud schemes and apply appropriate countermeasure techniques. With this in mind, banks need to implement strategies and technologies for real-time fraud detection.

2. Current processes do not detect fraud quickly enough. Today, much bank fraud detection happens only after the fraud has occurred. But the end game is real-time fraud detection, which is the ability to quickly detect a fraudulent transaction while it’s being authorized and before the transaction is actually consummated. It’s a double-edged sword because banks don’t want to err on the side of too many false positives, which means declining legitimate transactions that appear to be fraud. For example, banks don’t want a VIP customer who is traveling to Hong Kong to be denied a hotel room because the system sees the transaction as unusual.

It comes down to the accuracy of the analytics deployed. Real-time and what we call “near-real-time” fraud detection, which is essentially doing the analysis within milliseconds after the transaction is consummated, is a demanding science. Proactive banks are using predictive and dynamic analytics for real-time fraud detection. For instance, ACI has been working with one bank in North America to implement real-time blocking capability for ATM and POS usage of its debit cards. The bank has achieved $2.4 million in savings a month, while keeping a remarkably low false positive ratio.

Quality models are built by teams of expert mathematicians and may be combined with dynamic rules, capable of reacting to ever-changing environmental shifts. For example, if there have been recent attacks on an ATM, fraud analysts can quickly respond and adjust rules to account for the current fraud scheme. Or, if a customer advises that there was a false alarm and a transaction was legitimate, the rules may be dynamically changed to minimize any disruptions to the customer going forward.

3. Fraud departments remain in silos. Banking payments and administrative systems can be a confusing mix of different technologies. This approach is mirrored within fraud management departments, where different teams and systems deal with different types of fraud. Even debit and credit card fraud management may be handled by different teams at some banks, using different systems and ‘best’ practices.

This makes it difficult to gain a comprehensive overview of customers’ payment patterns or to identify fraud that crosses payment types or channels. In a case of account takeover as a result of phishing, a fraudster who goes online and changes the account address and then requests a new card to use for fraudulent purchases may not be picked up within a siloed system. The address change may be viewed by one team and the card transaction by another team. In isolation, this may appear to be normal activity, but when combined, it’s flagged as abnormal activity and investigated for fraud.

Banks can benefit from consolidating to one strategic financial crimes detection and case management platform, while at the same time having the knowledge and capabilities to address all types of threats, including card fraud. They need a holistic view of the account, the customer, and the risk type that cuts across product, channel or geography.

Debit card fraud has a dual nature. Many of the scams around debit cards are similar to other card frauds, however the debit card is also linked to the consumer’s checking account. Therefore, if the area of the bank that has been managing debit card fraud extends its system and processes to include transactional data from other lines of business such as wire transfers, ACH, internet banking, and check processing, it can monitor and protect other cash movements that are tied to the debit card. With a holistic view of the account, the bank experts that are managing debit card fraud are now positioned to examine the other debits and credits that are hitting the account.

When it comes to breaking down the silos, banks are in different phases of evolution. Even the more sophisticated fraud managers are just getting their hands around a thorough monitoring of demand deposit accounts. Consolidating other fraud silos on the asset side of the bank balance sheet, including credit card, mortgage, auto loan and student lending will follow. The ultimate vision is where banks can see fraud across silos and connect the dots to better detect and prevent fraud. It’s easy to talk about enterprise fraud, but to be effective banks need to understand the individual dynamics of how transactions are processed within each silo – card processing, wire transfers and Internet banking – and the way that translates into constructing rules and scenarios that are specific to those particular silos. For example, a rule for an anomalous wire transaction may be completely different than a rule to look for an anomalous credit card transaction.
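The account-takeover scenario above (address change in the online-banking silo, card reissue and purchases in the card silo) makes the case for correlation concrete. The following is an added example, not ACI's or the author's code: it runs the kind of single-silo rule each team would have, then joins both feeds on the account to find the chain within a window. The event fields, the seven-day window and the sample feeds are all constructed assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One record as exported by a siloed system (field names are assumed)."""
    silo: str        # system that saw it: "online" (Internet banking) or "cards"
    account: str
    kind: str        # "address_change", "card_reissue" or "purchase"
    ts: datetime
    amount: float = 0.0


# Constructed sample feeds. Viewed inside its own silo, nothing here stands out.
ONLINE_EVENTS = [
    Event("online", "ACC-1001", "address_change", datetime(2010, 1, 4, 9, 12)),
    Event("online", "ACC-2002", "address_change", datetime(2010, 1, 4, 10, 40)),  # genuine move
]
CARD_EVENTS = [
    Event("cards", "ACC-1001", "card_reissue", datetime(2010, 1, 4, 9, 30)),
    Event("cards", "ACC-1001", "purchase", datetime(2010, 1, 7, 18, 5), amount=420.0),
    Event("cards", "ACC-1001", "purchase", datetime(2010, 1, 7, 18, 20), amount=380.0),
    Event("cards", "ACC-3003", "purchase", datetime(2010, 1, 5, 12, 0), amount=55.0),
    Event("cards", "ACC-2002", "purchase", datetime(2010, 1, 9, 8, 0), amount=30.0),
]


def siloed_card_rule(events, high_value=1000.0):
    """What a card-only team can do: flag single purchases over a threshold."""
    return [e for e in events
            if e.silo == "cards" and e.kind == "purchase" and e.amount >= high_value]


def siloed_online_rule(events):
    """An online-banking-only team has no basis to alert on an address change."""
    return []


def correlate_takeover(events, window=timedelta(days=7)):
    """Holistic view: merge every silo's feed, group by account, and look for
    address_change -> card_reissue -> purchase, all within `window` of the
    address change. Returns one alert dict per matched account."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e.account].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            if start.kind != "address_change":
                continue
            deadline = start.ts + window
            chain = [start]
            wanted = ["card_reissue", "purchase"]   # expected order after the change
            for follow in evs[i + 1:]:
                if follow.ts > deadline:
                    break
                if wanted and follow.kind == wanted[0]:
                    chain.append(follow)
                    wanted.pop(0)
                if not wanted:
                    break
            if wanted:
                continue  # chain incomplete inside the window: no alert
            reissue_ts = chain[1].ts
            spend = sum(e.amount for e in evs
                        if e.kind == "purchase" and reissue_ts <= e.ts <= deadline)
            alerts.append({
                "account": account,
                "silos": sorted({e.silo for e in chain}),
                "chain": [(e.kind, e.ts.isoformat(timespec="minutes")) for e in chain],
                "spend_after_reissue": spend,
            })
            break  # one case per account is enough for an investigator
    return alerts


if __name__ == "__main__":
    print("card silo alone:", siloed_card_rule(CARD_EVENTS))
    print("online silo alone:", siloed_online_rule(ONLINE_EVENTS))
    for alert in correlate_takeover(ONLINE_EVENTS + CARD_EVENTS):
        print("cross-silo alert:", alert)
```

Shrinking the window to minutes shows the other half of the page's point: the same data with a rule that ignores time context produces nothing, so the correlation rule, not just the feed, has to be built for the silo it spans.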

Criminals innovate and continually avail themselves of new technologies and techniques for robbing banks electronically, so there is an ongoing need for banks to break down the silos and implement real-time fraud detection solutions. To stop fraud in its tracks, bank CROs must also realize the importance of combining powerful mathematics with a dynamic and agile financial crimes software platform and best operational practices that can be responsive to sudden changes in the environment.

David Nussenbaum is product line manager for ACI’s Risk Management solutions. He began his career working in the cash management group of today’s JPMC. He has specialized in fraud management at HNC-FICO, TransUnion and FML.




It's Time to Unite Money Laundering and Fraud Prevention Efforts

Posted on January 21, 2010

By Karen Van Ness, Oracle Financial Services Software

In the last year, the financial services industry received a rousing reminder of the profound damage that increasingly complex financial schemes and fraud can inflict on its reputation and bottom line. Analysts estimate that financial crime costs industry organizations approximately $20 billion in losses annually. At the same time, banks are grappling with expanding anti-money laundering (AML), fraud prevention and risk management regulatory requirements, and spiraling compliance costs associated with those initiatives. In this environment, many organizations are reevaluating their compliance and fraud prevention programs and increasingly pursuing an integrated approach to achieve the operational and cost efficiencies critical to maintaining profitability.

Fighting Fraud 2010
By consolidating AML compliance and fraud prevention efforts, financial institutions stand to gain a vital holistic view of enterprise data across lines of business, channels and products, resulting in a better understanding of the full impact of financial crime on the institution, as well as improved return on investment for risk and compliance initiatives. For example, by improving coordination between compliance and fraud analytical teams, organizations can leverage strategic operational synergies to gain cost savings and efficiencies for transaction monitoring programs. From a customer management perspective, an integrated approach to AML compliance and fraud prevention can support customer retention in an era in which it is most vital. Security and trust remain paramount in the minds of today’s consumer, so a reputation for strong compliance, security and risk management can go a long way toward cultivating customer trust and confidence, which, in turn, bolsters client retention.

Centralizing AML and fraud prevention also enables financial institutions to expand reporting capabilities to increase the efficiency and accuracy of monitoring efforts. A consolidated approach can help to cut the number of defensive filings of suspicious activity reports (SARs) and yield higher quality reports for law enforcement.

While these benefits are attractive, many banks face hurdles – primarily related to their legacy IT and organizational structures – that prevent them from capitalizing on the potential benefits of a consolidated approach. Historically, many financial institutions have installed point solutions for AML and fraud prevention supported by siloed data marts, with limited data visibility across teams. Also, in many institutions, the AML compliance and fraud mitigation teams are separate entities that each develop, maintain and leverage their own watch lists. Collaboration across these teams generally occurs on an ad-hoc basis, with each department sharing information across teams infrequently and informally. To begin the process of breaking down silos, organizations must first make a commitment to, at the very least, improving and establishing ongoing, formalized communication across AML and fraud prevention teams.

Organizations can then begin to address the IT infrastructure issues, starting with the creation of a single, common data repository for AML and fraud-related information. There is a high correlation of data used for both AML compliance and fraud prevention efforts. Both programs often consider the same products, transaction types and channels as high-risk items that require close monitoring. A consolidated approach enables organizations to easily access a more unified view of fraud and AML risks and eliminates duplicate monitoring efforts for high-risk elements.

Financial institutions can further increase operational efficiency by re-using scenarios and detection models for both AML compliance and fraud detection, as AML scenarios may also be indicative of fraudulent behaviors, and vice versa. Organizations can repurpose AML scenarios for fraud detection by adding fraud-specific parameters for detection and risk scoring to leverage common data requirements and reduce the costs and time previously spent to on-board new scenarios. A consolidated approach also enables financial institutions to intelligently and quickly aggregate and correlate related entities and alerts. By centralizing data access, organizations have the power to generate more targeted and actionable fraud and AML alerts, as well as manage and investigate alerts and cases in a more efficient manner.

By taking these steps, institutions will also benefit from more flexible workflows to facilitate easier hand off of alerts, cases and investigations, as well as greater sharing of leads and information between AML and fraud teams. A centralized monitoring approach also supports load balancing across teams to meet changing business and regulatory needs and mitigate the risk of inadequate coverage.

Banks that approach AML compliance and fraud mitigation operations in tandem can rapidly realize the benefits of a consolidated approach. For example, a leading U.S. financial institution recently implemented a centralized case management solution that enabled its AML and fraud departments to share information across a single system. After its initial deployment, the institution quickly realized increased efficiencies in its AML and fraud prevention operations by minimizing the workload associated with alert notifications, decreasing alert decisioning time and reducing duplicate case activities. The centralized system also enabled the bank to take a more holistic approach to its client relationships by providing its AML and fraud departments with access to the full history for each customer, and improved collaboration across the AML and fraud teams by facilitating discussion of common information within the system. The bank plans to extend the value of its investment by leveraging the case system to enable pattern detection and link analysis that will help the bank’s fraud team identify new types of risk and strengthen its overall efforts to combat financial crime.

In the coming year, financial institutions will almost certainly continue to face a host of new AML and fraud threats as well as new levels of regulatory complexity. An integrated approach to financial crime and compliance management will empower institutions with the visibility and flexibility they need to efficiently mitigate known and emerging criminal threats and support critical efforts to ensure public trust and confidence.
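The three steps the post lays out (a common repository, an AML scenario repurposed for fraud by adding fraud-specific parameters, and alerts from both disciplines correlated into one case per customer), as an added example that is not code from the post or from Oracle Mantas; the scenario thresholds, customer records and transactions are constructed:

```python
"""One detection scenario, two parameter sets, one case.

Added example, not code from the post or from Oracle Mantas. Runs the
same core "rapid movement of funds" logic once with AML parameters and
once with fraud-specific parameters, then consolidates the alerts into
a single case per customer. All thresholds and data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Txn:
    customer: str
    when: date
    direction: str      # "in" (credit) or "out" (debit)
    amount: float
    new_payee: bool = False


@dataclass
class Scenario:
    name: str
    discipline: str                 # "AML" or "Fraud"
    window_days: int
    min_total_in: float
    min_out_ratio: float            # share of the credits moved out within the window
    max_account_age_days: Optional[int] = None   # fraud-specific parameter
    require_new_payee: bool = False              # fraud-specific parameter


# Same core logic for both teams; only the parameters differ.
AML_RAPID = Scenario("Rapid movement of funds", "AML", 5, 10_000.0, 0.8)
FRAUD_RAPID = Scenario("Rapid movement, new account to new payee", "Fraud",
                       5, 2_000.0, 0.8, max_account_age_days=90,
                       require_new_payee=True)

# Constructed shared repository (not real data).
OPEN_DATES = {"C1": date(2009, 12, 20), "C2": date(2005, 3, 1)}
REPOSITORY = [
    Txn("C1", date(2010, 1, 11), "in", 12_000.0),
    Txn("C1", date(2010, 1, 12), "out", 5_500.0, new_payee=True),
    Txn("C1", date(2010, 1, 13), "out", 5_900.0, new_payee=True),
    Txn("C2", date(2010, 1, 5), "in", 15_000.0),
    Txn("C2", date(2010, 1, 7), "out", 14_000.0),   # long-standing payee
]


def rapid_movement(txns, open_dates, s):
    """Credits followed by debits that move most of the money back out
    within s.window_days; the optional fraud parameters narrow the hit."""
    by_cust = defaultdict(list)
    for t in txns:
        by_cust[t.customer].append(t)
    alerts = []
    for cust, ts in by_cust.items():
        ts.sort(key=lambda t: t.when)
        for anchor in (t for t in ts if t.direction == "in"):
            span = [t for t in ts
                    if timedelta(0) <= t.when - anchor.when <= timedelta(days=s.window_days)]
            total_in = sum(t.amount for t in span if t.direction == "in")
            total_out = sum(t.amount for t in span if t.direction == "out")
            if total_in < s.min_total_in or total_out < s.min_out_ratio * total_in:
                continue
            age = (anchor.when - open_dates[cust]).days
            if s.max_account_age_days is not None and age > s.max_account_age_days:
                continue
            if s.require_new_payee and not any(t.new_payee for t in span if t.direction == "out"):
                continue
            alerts.append({"customer": cust, "scenario": s.name,
                           "discipline": s.discipline, "in": total_in, "out": total_out})
            break   # one alert per customer per scenario
    return alerts


def consolidate(alerts):
    """Group alerts by customer so AML and fraud work one case, not two,
    and see at a glance which disciplines were triggered."""
    cases = defaultdict(list)
    for a in alerts:
        cases[a["customer"]].append(a)
    return {cust: {"disciplines": sorted({a["discipline"] for a in hits}), "alerts": hits}
            for cust, hits in cases.items()}


def run():
    alerts = (rapid_movement(REPOSITORY, OPEN_DATES, AML_RAPID)
              + rapid_movement(REPOSITORY, OPEN_DATES, FRAUD_RAPID))
    return consolidate(alerts)


if __name__ == "__main__":
    for cust, case in run().items():
        print(cust, case["disciplines"], [a["scenario"] for a in case["alerts"]])
```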

Karen Van Ness is senior manager for product management at Oracle Mantas, part of Oracle Financial Services Software. She has 20 years of experience in the information technology and financial services industries. At Mantas, she has helped bring to market Mantas solutions targeted at AML and fraud, and supported implementations at top-tier banking and brokerage firms in the US and internationally.




How to Protect Online Business Banking

Posted on January 20, 2010

By Craig Priess, Guardian Analytics

Online business banking is under attack.

While much ink has been spilled detailing consumer banking fraud and its victims, business accounts are no less susceptible to cybercrime – and in many ways are more at risk. Small business banking is particularly vulnerable, especially in the current economic climate. Why? One reason is that Regulation E of the Federal Electronic Funds Transfer Act requires banks to reimburse consumer victims within ten days of a reported fraud, but it does not protect businesses in a similar fashion. Another is the fact that these companies are often too small to have large information technology staffs on duty around the clock. Not to mention the fact that some small businesses have started to sue their bankers if not made whole to their satisfaction – an alarming but not unexpected outcome.

Those of us in the cybersecurity industry have noticed an alarming sophistication in the schemes and methods employed by fraudsters to extract both data and dollars from online business accounts. Business banking is being targeted more frequently because criminals know that these transactions typically involve larger dollar transfers from larger balances than from individual accounts. The thieves steal in amounts under $10,000 to avoid triggering traditional transaction alerts. The malware is sometimes so well written that the connection comes from an authorized and authenticated computer – a legitimate computer and session that has been hijacked, circumventing even token-based authentication. The money is then transferred to “money mules” recruited over Internet job boards who unwittingly think they work for a legitimate company. One of Guardian Analytics’ customers recently intercepted an attempted Automated Clearing House (ACH) transfer of $800,000 for a business banking customer in a scheme involving more than 80 smaller transactions all set up to be sent to unwitting mules.

The Washington Post reported that recent victims include a school district near Pittsburgh that lost $700,000, an electronics testing firm in Baton Rouge that lost $100,000, and a Texas manufacturing firm that lost $1.2 million. Thankfully, there has been significant recognition of how truly vulnerable businesses are when they bank online. Consider that in a single month this past August, no less than the FDIC, NACHA, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and IT advisory firm Gartner Inc. all published alerts about rising Internet threats to business banking. The following month, the Senate Committee on Homeland Security and Governmental Affairs held a special hearing to discuss cybercriminals targeting small- and medium-sized businesses. New protective cybersecurity legislation could arrive soon.

Meanwhile, it’s getting ugly out there. The Washington Post also reported in September about a construction firm in Maine that is suing its local bank after cyber thieves stole more than $500,000 from the customer in a sophisticated online bank heist. The lawsuit alleges that the bank didn’t do enough to prevent the series of transfers to dozens of co-conspirators over an eight-day period in a single month. The construction firm's attorney maintains that the contract his client signed with the bank does not absolve the institution of its responsibility to protect customers from fraud under the Uniform Commercial Code.

Aggressive and adaptable cyber criminals have elevated online fraud into a significant risk to business customers from revenue, legal and public relations perspectives. For institutions, the threat of lost customers or worse – business victims that have filed suit against their banks – should give banking executives pause to reexamine their fraud strategy.

Here are some tips for online business banking fraud prevention:

Educate management and employees on the threat. Distribute the latest fraud attack reports cross-functionally beyond the fraud team, so more stakeholders can become educated about questionable transactions as well as understand the risks to the institution should a business customer fall victim.

Be proactive. Don’t let your institution wait for the law to catch up with it. At worst, avoid being sued. Meet with legal counsel to discuss procedures following a business banking fraud discovery. Know your rights should a customer ever decide to sue. At best, avoid losing lucrative customers by ensuring you have the most effective fraud prevention solutions in place.

Strengthen your online fraud defenses. Would your current fraud system recognize online fraud like the schemes detailed above? If not, it’s time to bolster your security before it’s too late. Security should be commensurate with the risks, which is the essence of the FFIEC authentication guidance.

Educate customers on the threat. Initiate programs to educate financial managers within small business customer organizations – forwarding the latest fraud advisories and stressing distribution to heavy online users such as the CEO, CFO and Accounting. Aim to increase general customer awareness of optional security features of your online banking platform such as dual control of transfers, and advocate use of the latest anti-malware software and security firewalls.

Review customer policies. Terms of use for Automated Clearing House transactions in particular should be reviewed to ensure bank and customer obligations are clear and consistent with security policies as well as legal and regulatory requirements.

Assume that customer machines have been compromised and react accordingly. Forward-looking banks already do this by implementing sophisticated back-end fraud prevention solutions (going beyond multi-factor authentication) that look for anomalies in individual customer behavior that reveal account compromises. Don’t be one of the ones still lagging behind.
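The last tip, a back-end check on the customer's own behavior rather than on the session's authentication, as an added example that is not code from the post or from Guardian Analytics; the payroll history, the suspect batch and the scoring thresholds are constructed, and the $10,000 figure is the transaction-alert threshold the post mentions:

```python
"""Behavioral anomaly scoring for a business customer's ACH batch.

Added example, not code from the post or from Guardian Analytics. The
payroll history, the suspect batch and the thresholds are constructed.
The check looks only at the batch against the customer's own baseline,
so it still fires when the session came from an authenticated machine.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class AchItem:
    payee: str
    amount: float


@dataclass
class AchBatch:
    submitted: datetime
    items: list


class BusinessProfile:
    """Baseline learned from the customer's own past batches."""

    def __init__(self, history):
        items = [i for b in history for i in b.items]
        self.payees = {i.payee for i in items}
        amounts = [i.amount for i in items]
        self.amount_mean, self.amount_sd = mean(amounts), pstdev(amounts)
        self.max_size = max(len(b.items) for b in history)
        self.hours = {b.submitted.hour for b in history}

    def assess(self, batch, alert_threshold=10_000.0):
        """Return the behavioral indicators a batch trips and whether to hold it."""
        n = len(batch.items)
        indicators = []
        new = [i for i in batch.items if i.payee not in self.payees]
        if len(new) > n / 2:
            indicators.append(f"{len(new)} of {n} payees never paid before")
        if batch.submitted.hour not in self.hours:
            indicators.append(f"submitted at {batch.submitted:%H:%M}, outside usual hours")
        if n > 1.5 * self.max_size:
            indicators.append(f"{n} items vs. a previous maximum of {self.max_size}")
        ceiling = self.amount_mean + 3 * self.amount_sd
        if sum(i.amount > ceiling for i in batch.items) > n / 2:
            indicators.append(f"most items exceed this customer's usual range (> {ceiling:,.0f})")
        if sum(0.8 * alert_threshold <= i.amount < alert_threshold for i in batch.items) > n / 2:
            indicators.append(f"most items sit just under the {alert_threshold:,.0f} alert threshold")
        total = sum(i.amount for i in batch.items)
        return {"total": total, "indicators": indicators, "hold": len(indicators) >= 2}


# Constructed history: three normal payroll runs, ten employees each,
# submitted on weekday mornings.
HISTORY = [
    AchBatch(datetime(2009, 12, 4 + 7 * k, 9 + k % 2, 30),
             [AchItem(f"Emp{i:02d}", 2000.0 + 150 * i + 50 * k) for i in range(1, 11)])
    for k in range(3)
]
# Constructed suspect batch: 20 never-seen payees, every item under the
# threshold, submitted at 03:15. Constructed normal batch for comparison.
SUSPECT = AchBatch(datetime(2010, 1, 14, 3, 15),
                   [AchItem(f"Payee{i:02d}", 8400.0 + 70 * i) for i in range(1, 21)])
NORMAL = AchBatch(datetime(2010, 1, 15, 9, 30),
                  [AchItem(f"Emp{i:02d}", 2000.0 + 150 * i) for i in range(1, 11)])


if __name__ == "__main__":
    profile = BusinessProfile(HISTORY)
    for name, batch in (("normal", NORMAL), ("suspect", SUSPECT)):
        verdict = profile.assess(batch)
        print(name, f"{verdict['total']:,.0f}", "HOLD" if verdict["hold"] else "release")
        for line in verdict["indicators"]:
            print("  -", line)
```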


Craig Priess is founder and VP of Products and Business Development at Guardian Analytics.




The Case for Data Mapping

Posted on January 19, 2010

A, um, wise man once said, "There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don't know. But there are also unknown unknowns. These are things we do not know we don't know."

A similar sentiment (albeit one that can be more simply stated) holds true when it comes to fighting fraud and, in particular, defending enterprise systems and applications from fraudulent attempts to access sensitive data. It is one thing for a bank to protect the data it knows it has stored on its various systems, but it is another to go about protecting the data that exists in the dark, uncharted corners of its IT environment.

Referring to a 2008 survey from Verizon (here's a link to the 2009 version of the report), Jill Frisby says that 66 percent of data breaches involve data that the victim didn't know was on the system. "It's a telltale sign of some of the problems with data protection," says Frisby, a senior manager in Crowe Horwath LLP's risk consulting group. "We don't do a good job of mapping where our data is and understanding our data universe and we don't have the type of monitoring controls in place to even know when we have been breached."

In many ways, it's a disconnect that exists along the line between structured and unstructured data. Most companies have a centralized database or system for key data, Frisby suggests. "They're probably aware of these major systems. Where we tend to see more problems is with copies of data and unstructured data, where they have backup tapes or development environments or other channels that they are not aware of," Frisby relates.

As a result, Frisby says that data mapping has become an indispensable tool when assisting clients with data privacy and protection issues. Essentially, data mapping allows an institution like a bank or insurance company to follow the path of data as it moves throughout the enterprise. "It's very useful to start at the beginning -- at the point of data collection -- and trace that data through the organization and see where it sits and where it is most at risk," Frisby explains. "Often, the places that it is most at risk are the places they don't think about."
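Data mapping as Frisby describes it, starting at the point of collection and tracing the element to every place it comes to rest, as an added example that is not code from the post or from Crowe Horwath; the system inventory, the flows and the scoring weights are constructed for a hypothetical bank:

```python
"""Data mapping: trace one sensitive element from its point of collection
to every place a copy comes to rest, then rank those resting places.

Added example, not code from the post or from Crowe Horwath. The system
inventory, flows and scoring weights are constructed; in practice they
come from interviews, data-discovery scans and integration documentation.
"""
from collections import deque

# Constructed map for one element (customer SSN). "inventoried" means the
# data-protection team already knows this copy exists.
SYSTEMS = {
    "web_app_form":   {"kind": "structured",   "encrypted": True,  "monitored": True,  "inventoried": True},
    "core_banking":   {"kind": "structured",   "encrypted": True,  "monitored": True,  "inventoried": True},
    "data_warehouse": {"kind": "structured",   "encrypted": True,  "monitored": True,  "inventoried": True},
    "backup_tapes":   {"kind": "unstructured", "encrypted": False, "monitored": False, "inventoried": True},
    "dev_refresh":    {"kind": "structured",   "encrypted": False, "monitored": False, "inventoried": False},
    "ops_reports":    {"kind": "unstructured", "encrypted": False, "monitored": False, "inventoried": False},
    "email":          {"kind": "unstructured", "encrypted": False, "monitored": False, "inventoried": False},
}
FLOWS = [  # (source, destination): a feed or copy of the element
    ("web_app_form", "core_banking"),
    ("core_banking", "data_warehouse"),
    ("core_banking", "backup_tapes"),
    ("data_warehouse", "dev_refresh"),
    ("data_warehouse", "ops_reports"),
    ("ops_reports", "email"),
]


def trace(start, flows):
    """Breadth-first walk from the collection point. Returns, for every
    system the element reaches, the path it took to get there."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in flows:
            if src == node and dst not in paths:
                paths[dst] = paths[node] + [dst]
                queue.append(dst)
    return paths


def risk_rank(paths, systems):
    """Score each resting place: a copy nobody inventoried weighs most,
    then unstructured storage, then missing encryption and monitoring."""
    ranked = []
    for node, path in paths.items():
        s = systems[node]
        score = (2 * (not s["inventoried"]) + (s["kind"] == "unstructured")
                 + (not s["encrypted"]) + (not s["monitored"]))
        ranked.append({"system": node, "score": score, "path": " -> ".join(path)})
    return sorted(ranked, key=lambda r: (-r["score"], r["system"]))


def unknown_unknowns(paths, systems):
    """Copies the element reaches that the inventory does not list:
    the places, in Frisby's words, that nobody thinks about."""
    return sorted(n for n in paths if not systems[n]["inventoried"])


if __name__ == "__main__":
    reach = trace("web_app_form", FLOWS)
    for r in risk_rank(reach, SYSTEMS):
        print(f"{r['score']}  {r['system']:<15} {r['path']}")
    print("not in inventory:", unknown_unknowns(reach, SYSTEMS))
```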




What Banks Need to Do to Combat Card Fraud

Posted on January 15, 2010

The Aite Group reported last week that card fraud costs the U.S. card payments industry $8.6 billion per year. Although this is just 0.4% of the $2.1 trillion in U.S. card volume per year, the analyst group noted it's still a number card providers would like to reduce. There are measures banks and others in the card processing chain can take to deter card fraud experts from their dastardly work; however, many of them are costly and hard to execute.

There are three main forms of U.S. third-party fraud, according to Aite's researchers, each of which accounts for about 15% of cases. They are: card-not-present fraud, in which a criminal steals card details and uses them to make purchases over the internet, by phone or by mail order; counterfeiting, where criminals create fake cards using data from real cards and then use the cards anywhere, even to withdraw cash from ATMs; and lost-and-stolen fraud, referring to any use of a card that's been reported lost or stolen. ID theft, in which a criminal uses a fraudulently obtained card or card details to open or take over a card account in the name of a legitimate user, and non-receipt card fraud, where legitimate cards are intercepted while in transit from the issuer to the cardholder (this is why so many issuers require cardholders to activate new cards by phone), account for only 1.5% and 0.3% of card fraud respectively.

Another common type of card fraud that is not often tracked but causes an estimated 7% to 10% of overall issuer charge-offs, according to Aite Group, is first-party fraud, where cardholders intentionally max out their credit cards without intending to repay them. "That's perpetrated by either legitimate card holders who decide for whatever reason that they're not going to pay off their balance, they're just going to become bad debtors, or by criminals, maybe using a manufactured ID, running up to the credit limit on cards pretending they're a legitimate cardholder when in fact they're just taking the money and running," said senior analyst at Aite and report author Nick Holland in a recent interview.

In a chilling note in the report, Holland writes that "carding" sites, where cybercriminals sell the card information they've stolen, have gotten more sophisticated over time. "Initial offerings were mostly 'dumps' — information copied from magnetic stripe cards revealing track-one and track-two data. Market demands have increased, however, with carding sites now offering 'fulls' — a complete package of data relative to a victim, such as Social Security number, address, mother’s maiden name, credit history, commonly used passwords and other individual-specific information."

From a technology point of view, the easiest type of card to rip off, Holland asserts, is the magnetic stripe card because it is easy to replicate. Yet while an apparently obvious solution would be for the U.S. to migrate from magnetic stripe to computer chip cards the way many other countries have, this won't happen for a long time, he says. "There are a variety of reasons why the U.S. isn't moving to the next type of point of sale infrastructure or the next level of cards," Holland says. "The main one is cost." More than a billion magnetic-stripe debit and credit cards are currently in circulation in the U.S.; it would cost about $12 billion to replace them all with chip cards. (When you refer back to that total fraud cost estimate of $8.6 billion, it's easy to see that the ideal of reducing fraud won't drive a movement toward chip cards.)

But there are ways to make magnetic stripe cards more secure, Holland says, such as asking the cardholder to provide his address or the card security code (the three-digit number on the back of most credit cards) at the point of purchase. End-to-end encryption is another approach, but it requires merchants and acquirers to make expensive software and hardware upgrades. Where encryption is most needed, Holland says, is to protect transmission between the merchant (such as, in one famous data security breach case, TJ Maxx) and the card processor. "That's where the big data breaches are happening; it's probably the weakest link," he says. "There have been big leaps in terms of fraudsters hacking into networks and getting data en route, rather than while it's in a static database." (Databases containing customers' personally identifiable information by law must be encrypted and protected from unauthorized access.) Networks between issuers, banks, acquirers and processors, on the other hand, tend to have robust security, he says.

So what should banks be doing to alleviate the problem of card fraud? For one thing, "it's up to the industry as a whole to push for better standard encryption," Holland says.

Out-of-band, two-factor authentication would also help. "Given the short life span of out-of-band codes and the requirement that fraudsters have a second item (either the cardholder’s token or their cellular phone) to commit card fraud, we estimate that three-quarters of card-not-present, counterfeit and lost and stolen card fraud could be eliminated with the implementation of such a system — more than 35% of total U.S. card fraud," the Aite report states. Holland notes, however, that these technologies are cumbersome to put in place and expensive. For card and payment providers throughout the U.S. to deploy two-factor authentication using text messaging would cost about $400 million, the Aite Group estimates. A physical token-based system would cost about $950 million, the group says.

Requiring customer signatures is not that helpful, Holland says, because retailers rarely check them and those that do are usually not handwriting experts. PINs, though more reliable, are not infallible. "A lot of people write their PINs down on Post-It notes, or on the card itself," Holland notes.

"The biggest thing banks need to do is encryption and making sure the card data isn't exposed at any point," he says.




Google Reconsiders China Strategy After Hack

Posted on January 13, 2010

Google is rethinking its involvement in the Chinese market, after uncovering a serious hacking attempt against the company and many others that originated in China.

According to various news reports, Google and other companies like Adobe were the target of the recent hacks, which sought source code and access to the e-mail accounts of human rights activists in China.

From Wired.com:

A hack attack that targeted Google in December also hit 33 other companies, including financial institutions and defense contractors, and was aimed at stealing source code from the companies, say security researchers at iDefense.

The hackers used a zero-day vulnerability in Adobe Reader to deliver malware to the companies and were in many cases successful at siphoning the source code they sought, according to a statement distributed Tuesday by iDefense, a division of VeriSign. The attack was similar to one that targeted other companies last July, the company said.

In a blog post, Google’s SVP of corporate development and chief legal officer David Drummond wrote that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. The attacks, combined with the limits that the country places upon free speech, have led Google to rethink its place in the Chinese market, Drummond said in the post.

From the Official Google Blog:

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.



Consumers Are Ready to Protect Their Accounts, But Will Bankers Let Them?

Posted on December 09, 2009

By James Van Dyke, Javelin Strategy & Research

A popular misconception about consumers’ willingness to be involved in fraud protection is holding back retail bankers’ profitability. New Javelin factual research debunks the mistaken belief that consumers won’t sacrifice convenience in order to increase security. By analyzing rigorous data comparing latest behaviors and preferences toward banking security, Javelin identifies steps bankers can take to not only lower their fraud mitigation costs but to launch marketing efforts to strengthen customer relationships. On top of decreased losses, the customer value proposition of security partnering can be translated into profitable opportunities such as: increased online shopping, retaining customer revenue, gaining new customers, creating a top-of-wallet card, and garnering income from identity protection offerings.

Consumers are already participating in identity theft programs outside financial institutions, applying many different ways to protect themselves against criminals. Over half of consumers use anti-virus protection, and one in four subscribes to services that offer credit monitoring, fraud alerts, and/or transaction alerts, even though these activities require additional efforts. Javelin makes it clear that bank customers not only seek opportunities to get involved in their banks’ security efforts, they actually prefer providers that give them the chance to do so.

Identity monitoring companies such as Affinion and Intersections and credit bureaus Equifax, Experian and TransUnion provide co-branded opportunities for FIs. Wins for security-partnering for merchants, financial institutions, and card issuers include increased online shopping, card choice as “top of wallet,” and opportunities for banks to partner with security and identity protection companies to attract consumers and increase fee income. While Wells Fargo, Bank of America, Chase, and Citi all currently offer ID protection services to their customers, there are still many opportunities to address customer needs.

By understanding consumer preferences, financial companies can redirect their security approach to optimize consumer involvement. Specific methods for sharing account security responsibility preferred by consumers include better authentication, alerts, user-defined limits and prohibitions (UDLAPs), Extended Verification SSL, and discounted third party services such as PC protection software, credit monitoring and fraud prevention services. By using self-detection methods such as monitoring accounts, consumers can discover fraud sooner than they would through external notification. Partnering reduces the time of the abuse and therefore lowers the mean dollar value of the fraud losses for consumers, thereby reducing the total expenses for all parties involved.

With half of fraudulent activity first detected by consumers, it is not only helpful for institutions and customers to work together in the fight against I.D. fraud, but in both parties’ best bottom-line interest. Nearly four in ten consumers turn off paper statements out of concern that someone will steal their personal information. Friendly frauds are among the most pernicious, requiring 50 hours for resolution compared with the average of 30 hours, resulting in higher consumer costs. In addition, victims may be reluctant to press charges against friends or family, resulting in average consumer costs twice as high. Not surprisingly, research shows that consumers are willing and able to share the responsibility for fraud protection with their financial institution, with the most enthusiastic response from those who bank electronically.

Safety spurs action to create more profitable relationships, and presents new marketing challenges for banks and card issuers to promote a ‘secure’ image. When consumers are either selecting a new credit card company or one of the several existing payment cards for their next transaction, they rank security against identity fraud as their paramount concern, overtaking interest rates, rewards, customer service, and other costly offerings. Increased security and privacy protection not only make a consumer spend more online, but credit cards that are perceived as more secure will generate more transaction income for the issuer as well and will win over competition that is perceived as less secure.

With consumers seeking greater participation in their security, banks, issuers, merchants, and vendors can take advantage of the tremendous growth opportunities in the financial security sector. Security professionals can improve their ability to fund strategic investments in customer-partnered security methods, using factual research data to bolster business cases with benefits such as increased customer acquisition, cross-selling, loyalty, and increased preference at point of purchase. This is both an exciting and innovative time for industry professionals to shape their practices to offer services and products that increase security, thus increasing profits for financial institutions, merchants, and credit card companies.

James Van Dyke is the founder of Pleasanton, Calif.-based Javelin Strategy & Research.




Drama at BAI—Security Vs. Convenience

Posted on November 03, 2009

If you were staying at the Renaissance Boston Waterfront Hotel and were in your room last night at around 8:15 like I was (starting to come down with a bad cold), you were startled out of your perusing of e-mail by the fire alarm.

My entire floor had to evacuate as two engines from the Boston Fire Dept. came roaring to the hotel. Fortunately, the drama didn’t last much more than a half hour, if that. Turns out there was a leak—a water leak (at least that’s what the girl at the front desk told me). Well, it’s good to know they take something like that so seriously. But a water leak? OK, I am not at all familiar with engineering and plumbing, so you’ll have to forgive my ignorance. What would warrant such an urgent response related to water? Maybe there was a leak in the sprinkler system. I guess that wouldn’t be a good thing. Still, if you were feeling as lousy as I was last night, it was quite unwanted.

That said, to the uninitiated like me, this would seem like an overreaction, an inconvenience to evacuate over a water leak that was fixed in less than 10 minutes (but I’m not complaining about their looking after their guests’ well being!). Still, it reminds me of some security measures in certain operating systems or in some banks’ customer facing systems. Security versus convenience. It’s a tricky thing to master. Personally, I think deep down people ultimately care more about the safety of their money than the extra step or two required to log in to pay a bill or check a balance. Would I have liked to have stayed in my nice, warm room uninterrupted? Yes. But it’s good to know someone’s looking out for us.




Heartland Calls for End-to-End Encryption, Cooperation to Prevent Data Breaches [VIDEO]

Posted on October 19, 2009

After falling victim to one of the biggest data breaches in history last year, Heartland Payment Systems chose to talk, not hide. Fritz Nelson, executive producer, Techweb TV, caught up with Kris Herrin, Heartland’s CTO, while at the Bank Systems & Technology Executive Summit in Pasadena. Kris was one of the featured speakers at the show. In this video, he discusses the sophisticated nature of the attack on Heartland and what the company is doing to keep it and other organizations from becoming victims once again.




For Online Business Banking, Shun Windows?

Posted on October 13, 2009

As if Microsoft wasn’t getting hammered enough in technology circles over security flaws in Windows, now comes this article from The Washington Post saying small and midsize businesses should not use Windows for online banking.

Specifically, the writer noted that all the victims of the recent rash of cyber thefts directed at banks’ commercial customers (and local governments) used Windows machines. To prevent such crimes, the author was quite blunt in his assessment:

“The simplest, most cost-effective answer I know of? Don’t use Microsoft Windows when accessing your bank account online.”

The reason is that Windows is just too vulnerable to malware attacks that will let thieves take over businesses’ online banking accounts. The malicious software is outsmarting most of the major security measures banks take, such as dual-factor authentication. Yes, they’re even able to circumvent hardware-based security tokens, according to the report.

In the end, the writer suggested businesses access their online banking via Live CDs running a Linux-based operating system on a stand-alone computer that does not have web access.

Or, they can all just switch to Macs! However, the writer offered the Live CD as a less expensive alternative to buying pricey Apple computers. Of course, and this is just my opinion, the more popular Macs become, the more tempting targets they’ll be for cyber thieves. I know the Mac OS is built on a Unix-type kernel, which makes it very unlikely that malware can be built for Macs. I find some solace in that. However, one of the speakers at the BS&T Executive Summit last week said that cyber criminal gangs are becoming so sophisticated now that they’re outsourcing their malware development to India. That speaker was Heartland Payment Systems’ CTO Kris Herrin.

Based on all the conversations I’ve had with bankers, analysts and vendors, I think in the world of computer security, one should never say never.




Like the FBI Director, I’m Extremely Cautious of Cybercrime


Where we (FBI Director Robert Mueller and I) part company, however, is in the fact that I never enrolled in online banking. So it’s quite easy for me to ignore phishing e-mails, even fictitious ones from my own bank, let alone all the fake wannabes. My reason for not putting my monetary transactions on the Internet is simple—I know too much about technology and its user friendliness, even as it applies to intruders. For every new hurdle the hopeful protectors set up, it takes only 18 hours for the intruders to undo. In truth, the intruders are smarter than the protectors. I’m sorry, Director Mueller, but you of all people should never trust anyone or anything, and you almost did.

Putting my money and its related data on a public facility is equivalent to leaving the vault door of a bank unlocked, and posting a sign on the front door of a public street showing the location of the vault for every passerby to see.

The best safety measure the world has today, is that a very large majority of citizens has no desire whatsoever to commit a crime. You won’t believe what I’m saying because the press covers the crooks not the good guys. Even if the bad guys amount to less than one-tenth of one percent of the world population, that’s 7 million possible intruders. I’d still be concerned if the number were only 100, because unlike Bonnie and Clyde, the electronic masterminds don’t need a fast Ford, guns, brute force, and a branch to get the dough. They can do it from a PC connected to a public network in the privacy of their cave anywhere in the world.

Unlike the risk management systems that banks used to calculate exposure for packaged loans and investments, my risk management system allows no tolerance. If it’s theoretically possible to encounter loss, I don’t do it. That’s why I use 12 out of the 13 modes of consumer and business banking, and I’m quite pleased with them. And my tongue isn’t complaining because I use a little sponge to seal the envelope and all stamps are now self-adhesive. At this point Bill Gates would call me a dinosaur like he did with bankers a few years ago. That’s OK.

I want to relate a couple of stories regarding online security from my client work in bank technology. Fifteen years ago, I was hired by a large defense contractor who wanted to get into the bank tech business. For me, it was easy and done. I called 30 large bank CIOs who I knew personally and asked for a meeting. They all said yes except one, but limited the meeting to 60 minutes. They weren’t honoring me; they knew the name and reputation of the defense contractor. The reason Citibank declined is that the CIO had already hired them. Citi has not always been the “so-big-it-almost-failed” of the banking industry. In years past, Citi did things right. In this case the bank was securing its IT in preparation for Internet banking and [then Citi CIO] Colin Crook knew where to go to implement the right protection. The contractor related enough experiences regarding esoteric work it had performed for the spook agencies and military operations, that seven CIOs asked for a proposal, after only the 60 minute casual conversation.

I was teaching a class at Stonier School of Banking in the early days of Internet banking where half the class was composed of bank examiners. As a test of online banking usage, for which the researchers were claiming 10 percent penetration, I asked this class how many were using online banking—18 percent raised their hands. First I was surprised, but later I realized these are the same guys who perform walk-in-the-park audits of banks and rubber stamp them “passed.” The “banking cops” are very trusting people.

It is reported that about 43 percent of U.S. households are now using online banking. I don’t think the Muellers will influence a decline since they stopped using online banking. And certainly one bank tech consultant won’t have an impact. I don’t know how researchers count things like households that use online banking, but if the number is correct, it must be a pretty good thing. Once, even subprime mortgages were a good thing, until holders stopped making their payments. Be careful, it’s a jungle out there and the animals are hungry.




Fast Action, Good Communication Key to Data Breach Prevention

Posted on October 12, 2009

By Nick Buri, Deluxe Corp.

A data breach can have a serious impact on your business, costing an organization $4.1 million on average (Javelin Strategy & Research). Investing in data breach preparation up front will determine how and if a financial institution recovers after one occurs.

While traditional data breach threats like insider fraud and lost laptops remain, new breach threats like web application attacks and keylogging trojans are rising. As new techniques continue to emerge, no financial institution is immune. According to a recent Ponemon Institute U.S. Cost of a Data Breach Study, approximately 85 percent of businesses have experienced a data breach.

Preventing and detecting
The methods for preventing and mitigating the impact of a breach continue to improve. There’s no better time than the present to: 1) assess your financial institution’s vulnerability to a breach and 2) incorporate steps into your response plan that fill in the gaps.

When reviewing your institution’s current data breach response plan, first consider how well it prevents and detects a breach. To help streamline the process updates, leverage your institution’s recent Red Flags Rules compliance work.

Business and technical controls should be clearly established, with an emphasis on prevention. A comprehensive, well-documented security policy is a necessity, but it is only as good as its implementation. It is not enough for operations to know proper procedures. Thoroughly communicate departmental security roles and responsibilities to employees and outline employee communication methods in the plan.

Risk assessments should happen regularly. A breach drill can be a quick way to assess breach risk and can serve as a big wake-up call. Additionally, dedicate resources in each area of the business to monitor and research how your institution is protecting sensitive information. Encourage employees to give feedback on potential risks and make reporting easy.

Don’t underestimate the effectiveness of accountholder fraud protection services like new-applicant screening tools and identity theft prevention services. They provide technical controls for detection and provide added-value service options for accountholders.

Mitigating impact
As your institution improves its breach response plan, add measures that help increase the speed of the response and minimize the business impact.

Begin by establishing a method for surveying the impact of a data breach. Gather facts to determine the scope of the breach. Consider who is affected, what information was involved, how the breach occurred and whether the data was encrypted.

Next, an incident response team should review the data breach facts. The team should be a designated, cross-functional team that is created before a data breach occurs. Based on the situation, determine who will lead the response team and assign other key areas of responsibility.

Drawing from the initial fact gathering and new information discovered, the response team should document all events related to the breach as soon as possible. Once events are documented, the response team leader should work with other team members to develop effective strategies for addressing key issues like:
• Restoring data security and repairing affected systems
• Preserving the financial institution’s good name
• Minimizing impact on accountholders and employees
• Preventing additional data breaches

Sometimes the best way to learn is by making a mistake. Although a thorough, well-documented plan will help minimize the impact of data breach, there is always room for improvement. The plan should outline a post-breach process for reviewing lessons learned and deadlines for implementing improvements. This will help increase future confidence in your institution’s data breach prevention plan and reduce time spent assessing risks.

Increasing loyalty
While managing the operational side of a data breach, don’t lose sight of accountholder impact. Sixty-five percent of the cost of a data breach is due to lost business (Javelin). Accountholders, along with law enforcement, the SEC and other stakeholders, should hear the news of a data breach from their financial institution first, not from the Internet or a social media outlet.

Proactively alerting accountholders to the steps their financial institution is taking to ensure wellbeing can create a lasting effect. A McKinsey and Co. study on customer loyalty commissioned by Deluxe found that while 72 percent of accountholders left their institution due to a negative experience, 87 percent of accountholders gave more money to their institution as a result of a positive experience.

An accountholder data security breach notification template can be prepared in advance of a breach. It should cover specifics surrounding the breach and the immediate actions being taken to minimize the impact on operations. It is also an opportunity to highlight the operational controls your institution is activating to ease accountholders’ concerns, such as offering a period of free credit monitoring or investigation and recovery services.

With crime rates historically rising during a recession and data breaches up 47 percent in 2008 (Identity Theft Resource Center), now is the time to help your institution be more prepared.

Nick Buri is senior product manager for Shoreview, Minn.-based Deluxe Corp.’s fraud and protection team.




FBI Director’s Brush with Phishing

Posted on October 09, 2009

In yet another illustration of how cybercrime is an equal opportunity venture, FBI director Robert Mueller revealed that he had a close call with phishers.

According to The Washington Post, Mueller was addressing the Commonwealth Club of California and said that he was tricked into clicking on an email that appeared to be from his bank. However, as he was filling out the “form” with his personal information, something told him he should probably stop what he was doing and step away from the computer.

He told attendees that the email seemed “perfectly legitimate” and was fortunate enough to have stopped what he was doing just in time. Mueller was ready to chalk it up as being a learning experience, but his wife would have none of that. At her behest, the Mueller family no longer banks online to safeguard their money.

For the rest of the article, see Phishing Scam Spooked FBI Director Off E-Banking.




Is PCI DSS a Safe Investment?

Posted on September 10, 2009

By Robert Vamosi, Javelin Strategy & Research

Should merchants continue to invest in Payment Card Industry Data Security Standards (PCI DSS) in a down economy? Yes. The losses—not just in fines and litigation, but also reputational damage—associated with the consequences of a data breach are astronomical when compared with the annual burden of maintaining compliance. PCI is an excellent baseline for cardholder security, but should PCI be made law? On this, there is plenty of room for debate.

Back in 2006, when PCI DSS was first mandated, there was a flurry of activity with 13 states considering legislation modeled after the standards. In the end, only Minnesota passed a law that reflected only portions of the 12 requirements spelled out in PCI DSS. In 2009, Nevada passed a second law, and did so wisely. Rather than burden the merchants with another layer of bureaucracy (with requirements which may or may not conflict), the Nevada legislature told them to follow the latest version of PCI DSS.

Given that the threat and fraud landscape is constantly evolving, Nevada handed off the ongoing maintenance of PCI to those who know it best: the card brands, acquirers and merchants that make up the PCI Security Council. Politicians, on the other hand, aren’t handling card data themselves, don’t understand all the technical points, and often don’t react fast enough (consider the current healthcare debate).

Should other states adopt PCI as law? As a baseline security standard, it couldn’t hurt to have more states follow Nevada’s example. Authoring a new standard (some merchant groups are talking about resurrecting the X9 standard) would be a wasteful exercise and unnecessary.

That said, could PCI DSS be better? Yes. The original standards evolved out of individual brand requirements. Unfortunately, in crafting one unified standard, the original parties didn’t include enough feedback from the merchant community, a community that is now quite vocal at times about changes they’d like to see made. For example, there needs to be clarification around retention of cardholder data for charge backs.

Fortunately, the PCI Security Council has signaled it is receptive to change. Going forward the council is soliciting the merchant community for feedback before its next iterative release of the PCI DSS standard. Additionally, PCI has released guidance around wireless. It is the result of the council’s Special Interest Group (SIG), which is also preparing detailed guidance around scoping, virtualization and pre-authorization.

Furthermore, the council is also conducting a comprehensive study around alternatives to current technology. One promising area is tokenization. Here, merchants send the Personal Account Number (PAN) data to a trusted third party who then takes the responsibility for storage out of the hands of the merchant. In place, the trusted third party sends back a number or a token that the merchant can use for future reference if there is a dispute or need for a chargeback.

Another area is end-to-end encryption. Here the PAN is encrypted at the POS terminal and that encryption is maintained all the way to the acquirer and card issuer. This would, of course, require an agreement among several bodies around the encryption standard to be used. One processor, Heartland Payment Systems, has proposed the use of 256-AES using Format Protected Encryption (FPR), which means the final result will keep the record the same length for storage (as opposed to the hashes of MD5, which expands the record significantly as it obfuscates the PAN data).
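The tokenization model described two paragraphs above, as an added example that is not part of Vamosi’s post and not any provider’s scheme: a minimal token vault in which the merchant hands the PAN to the trusted third party, keeps only the returned token, and presents that token later for a chargeback. The token keeps the PAN’s length and all-digit format (the storage property the post attributes to format-preserving encryption, although a vault token is a lookup reference, not ciphertext); the choices that the token keeps the last four digits and is deliberately made to fail the Luhn check so it cannot be mistaken for a real card number are illustrative assumptions.

```python
"""Added example (not from the original post): a toy tokenization vault.

Assumptions for illustration only: tokens are random digits of the same
length as the PAN, keep the last four digits for receipts, and are forced
to fail the Luhn check so a token can never pass as a real card number.
"""
import secrets

DIGITS = "0123456789"


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check that real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The trusted third party. It alone holds the token -> PAN mapping."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Accept a PAN from the merchant and return a same-format token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        if pan in self._token_by_pan:
            # Same card -> same token, so the merchant can link repeat sales
            # without ever seeing the PAN again.
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that would pass Luhn (could be confused with a
            # real PAN) or that are already issued to another card.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only the vault can do this, e.g. for a chargeback."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: the stored record contains the token, never the PAN.

    The token field is the same length as the PAN, so it fits the storage
    column that previously held the card number.
    """
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def chargeback_pan(vault: TokenVault, sale: dict) -> str:
    """Merchant side: resolve a disputed sale back to the PAN via the vault."""
    return vault.detokenize(sale["token"])
```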

A final technology under consideration is the domestic use of EMV technology, also known as Chip and PIN. While EMV is used extensively outside the U.S. (and PCI, by the way, is now global), Javelin thinks the U.S. will continue to do without EMV technology.

Despite these changes, some merchant organizations have assailed the PCI Security Council for catering only to the interests of the major card brands and cite the mounting costs for merchants in providing on-site assessments or improvements to hardware. But delaying implementation of new rules, as one merchant group asks, only forestalls the inevitable: the potential for more data breaches. The strong pushback from these more vocal merchants will only be effective if they find a more constructive way to work with the existing council members.

PCI DSS isn’t perfect, but it is adaptable to the ever-changing threat landscape. It should never be seen as an end point, only a baseline. And in a bad economy, it can be insurance against fraud.

Robert Vamosi is an analyst at Javelin Strategy & Research covering Security, Risk, and Fraud.




The Lighter Side: It's a Virus!

Posted on September 04, 2009

Computer viruses and hack attacks do still receive coverage these days in the news, provided they're big and scary enough (e.g., Conficker or the alleged hacking by certain foreign governments). But it's still fun to see how we thought about such tech problems 20 years ago. This video portrays coverage of a relatively harmless bug discovered by "MIT nerds" -- the video poster's words, not mine!

Still, as quaint as the story is, the so-called nerds still provided a sobering message that this particular virus was just a "warning" of what was to come. How right they were.





Ben Bernanke’s Brush With ID Theft a Lesson for Everyone

Posted on August 28, 2009

When experts say no one is immune to identity theft, they aren’t kidding. The latest victim to come forward couldn’t be more high profile (or ironic)—Federal Reserve chairman Ben Bernanke.

According to The Wall Street Journal, Bernanke’s wife was in a Starbucks last August when her purse was stolen. The bag contained a treasure trove of information for anyone bent on committing fraud and besmirching someone else’s good name.

A few days later, says the Journal, someone named George Lee Reid allegedly walked into a Bank of America branch in Hyattsville, Md., and deposited a $900 check under the names of Mr. and Mrs. Bernanke into a third person’s account and then withdrew $9,000 from that person’s account, using other stolen identities.

Following his own advice to Americans to act fast when they think they’ve been the victims of ID theft, Bernanke immediately called his bank and credit card companies when he noticed suspicious activity in his financial accounts.

The full article can be found here.




Bill of Rights for ID Theft Victims Gains Steam

Posted on August 24, 2009

Just this morning, I heard on the radio that New York’s senior Senator Chuck Schumer plans to push legislation around creating an airline passengers “bill of rights.” I, for one, don’t particularly like being trapped on the tarmac for hours on end, so kudos to Sen. Schumer.

But that’s not the only “bill of rights” that should make headlines. The Identity Crime Victims Bill of Rights also seems to be gaining steam as well.

Congress met this past Friday with the vendor council of The Santa Fe Group, the security consultancy run by former BITS CEO Catherine Allen. This follows June meetings where Allen and other identity theft experts testified before the Congressional Committee on Oversight and Government Reform’s Subcommittee on Information Policy, Census, and National Archives.

This most recent meeting was meant to hammer out legislative language to advance the rights of ID crime victims. According to a release from The Santa Fe Group, the recommendations were drafted by members of the Legislative Subcommittee of The Santa Fe Group Vendor Council’s Victims’ Rights Working Group. Five main tenets form the core of their suggestions:

1. Funding to encourage state and local law enforcement to use Federal Trade Commission tools for documenting and reporting identity crimes.
2. Amendments to the Health Insurance Portability and Accountability Act (HIPAA) to define medical identity crime, clarify the rights of victims, and assist victims in recovering.
3. Research on the efficacy of documents, such as identity theft passports, that distinguish criminal identity theft victims from perpetrators.
4. A requirement that the Internal Revenue Service flag files of victims and verify any new entries to those files.
5. New regulations, enacted within the next 12 months, to enforce these recommendations.

Rep. William Lacy Clay (D-Mo.) supports these recommendations and says they will use them as Congress crafts legislation around an ID theft victims’ rights bill that “ensures victims of identity crime are treated fairly under the law.”

According to The Santa Fe Group, this “bill of rights” calls for consistent processes for handling identity crime incidents in addition to amendments to privacy legislation and regulation so victims can more easily access and correct their personal information records. The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records.

The Santa Fe Group is providing the Bill of Rights draft white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, on its website. The company is also looking for participants for its working groups on ID theft awareness and education; legislative affairs around ID theft; and a best practices group for promoting resources for victims.

Fighting ID theft is in everyone’s best interests. Maybe this bill of rights isn’t the be all and end all, but it’s a good step in the right direction. The victim should not be treated like the criminal. Never mind the financial implications of ID theft, but there’s also a psychological element to it as well. Helping victims rebuild their lives is the right thing to do.

Still, much more could be done on the prevention side. I’m still steamed at how much our social security numbers are used almost haphazardly by utilities companies and other businesses—and if you refuse to give it to them, you don’t get served. And there are always delays when such legislation is passed. Look at what’s happening with the Massachusetts data privacy law. Originally due to take effect this May, it is now being delayed until March of 2010.

Also, it may not even be a matter of there being dishonest people at these companies that house your SSN and other personal information—it’s the lax data security you have to worry about. And good old fashioned dumpster diving, of course. We can only hope use of shredders is increasing.




Banker Is Hero of Afghan Culture

Posted on August 12, 2009

Funny how you can (eventually) put two and two together in very unrelated circumstances.

I visited the Metropolitan Museum of Art in New York this weekend. We probably didn’t quite plan out the trip too carefully because it was packed when we arrived. Still, we persevered.

As we were nearing the end of our visit, I suggested going to the Afghanistan exhibit. We were kind of tired and the crowds were wearing on us. But still, I couldn’t help but be struck by the beauty of the artifacts that were on display (but still too weary to read the descriptions). It wasn’t until I ran across an article in The Wall Street Journal that I realized exactly what it was I had seen—the Bactrian Gold.

Ameruddin Askarzai was a central banker in Afghanistan who oversaw the vault in the presidential palace. Through his efforts, the Taliban were kept from stealing the centuries-old treasures. It wasn’t an elaborate, high-tech plan that kept the Taliban from the gold—it was this quick-thinking banker and a broken key. And now, Askarzai is about to get his due, says the Journal.

The Bactrian Gold is an ancient treasure trove of crowns and jewels discovered in 1978 by a Soviet archaeologist. The gold was housed in the Kabul National Museum until the early 80s, when war broke out with the Soviet Union. To ensure its safety, the gold was transferred to a secure vault in the presidential palace, which was controlled by Askarzai.

Askarzai’s determination to keep these national treasures safe from Taliban hands was put to the test in late 2001 when a “delegation” of the warlords demanded access to the vaults. They absconded with the country’s foreign reserve of gold and silver but were kept from an inner vault containing the Bactrian Gold, having been led by Askarzai to believe it contained ceramic pots. For good measure, however, the banker later broke the vault key in the lock to make sure the Taliban would never access the treasure—or at least make it more difficult for them.

Askarzai has been in hiding, says the Journal, in fear of Taliban retribution. Now, he is due to receive a medal from Pres. Hamid Karzai for his efforts and has emerged from the shadows.

It’s a fascinating story of determination and selflessness as Askarzai put the hopes and history of the Afghan people ahead of his own safety.

Different situation, but it still reminds me of the stories of how some bankers risked their lives during Hurricane Katrina (see here and here) to keep the money flowing and help their stricken towns to return to some semblance of normalcy amidst the chaos.

Sometimes the industry can use a little positive PR.




Using Covenants to Protect Trade Secrets and Other Intellectual Property

Posted on August 03, 2009

By Jennifer J. Spencer, Esq., Spencer Crain Cubbage Healy & McNamara

In the current financial market, almost no industry, including banking, is immune to employee layoffs, reductions in force or terminations. Employees who are laid off can possess, or be privy to, numerous types of confidential or trade secret information. They may have information about your bank’s finances, mergers and acquisitions, future plans, technology and other sensitive data. What is to stop those employees from going to work for a competing bank and using the confidential information that your bank worked hard to develop? The answer is a covenant (or agreement) not to compete.

In a covenant not to compete or a confidentiality agreement, the employee agrees not to disclose confidential information he receives on the job. The agreement can and should also limit the time, scope or geographical boundaries of his employment after he no longer works for you.

What Is a Trade Secret?
In Texas, trade secrets are protected under the common law, rather than pursuant to a codified uniform act, like in most other states. Examples of trade secrets include: software, and information including formulas, patterns, compilations, programs, devices, methods, techniques or processes that would be detrimental to a company’s business if disclosed to a competitor. A customer list may or may not constitute a trade secret, depending upon the circumstances.

Texas courts weigh the following criteria to determine whether information merits trade secret protection: (1) the extent to which the information is known outside the employer’s business; (2) the extent to which it is known by employees and others involved in the employer’s business; (3) the measures the employer has taken to guard the secrecy of the information; (4) the value of the information to the employer and its competitors; (5) the amount of effort, time or money expended by the employer in developing the information; and (6) the ease or difficulty with which others can properly acquire or duplicate the information.

Trade Secrets and Covenants Not to Compete
Banks can protect their trade secret/proprietary information by using non-compete agreements. Mann Frankfort Stein & Lipp Advisors, Inc. v. Fielding is the most recent Texas Supreme Court case on the use of covenants not to compete to protect confidential information. No. 07-0490, 2009 WL 1028051, *1 (April 17, 2009). The Mann court found that a non-compete agreement need not explicitly state that the employer agrees to provide the employee with the confidential information.

In Mann, the employee was a tax accountant. Although the agreement contained an explicit promise by the employee not to disclose confidential information, there was no corresponding promise from the employer to provide confidential information. The court ruled that the agreement was nonetheless enforceable. When the nature of the employee’s work will require the employer to provide him with confidential information—such as tax accounting—the employer implicitly promises to provide the confidential information.

The Mann court also noted that the other requirements of covenants not to compete, including limitations as to scope of geography, time and activity, must be satisfied. The Texas Covenants Not to Compete Act states that the restraints the employer puts on the employee must not be greater than is necessary to protect the employer’s “goodwill or other business interests”: Tex. Bus. & Comm. Code, § 15.50 (Vernon Supp. 2002).

The current law on non-competes has evolved over time. A prior Texas Supreme Court case stated that the employer was required to promise to provide the confidential information to the employee at the time the agreement is made (Light v. Centel Cellular Co. of Tex.). In fact, an earlier case from Austin stated that a non-compete agreement was unenforceable because of a four hour gap between the time that the employee signed the non-compete and the time that the employer gave the employee trade secrets. The court reasoned that because the employer could have fired the employee during that four hour time period, the mere promise to convey confidential information was illusory.

However, in 2006, the Texas Supreme Court ruled that the moment the employee receives the confidential information (or when the employer performs whatever promise it made in exchange for the covenant), the agreement becomes enforceable: Alex Sheshunoff Mgmt. Servs. v. Johnson, et al.

With the Mann decision, the Texas Supreme Court has now eliminated the requirement that the information be given at the time the employer and employee enter into the agreement. It has also changed earlier cases that required the employer to promise explicitly in the agreement to provide confidential information.

Texas courts’ palpable shift in favor of enforcing covenants not to compete is good news for employers. Nevertheless, wise employers will continue to have counsel review their non-compete agreements to ensure compliance with Texas laws. In the future, courts will likely review non-compete agreements to determine reasonableness of scope and to determine whether the information conveyed is actually worthy of protection. They will also likely examine the harm which an employer will suffer if the subject information is disclosed and any difficulty the employee will have finding new employment if the agreement is enforced.

A company that takes these additional preventive steps will best minimize the chances that one of its employees will misappropriate its trade secrets:

1. Have all employees and independent contractors sign a confidentiality agreement at the outset of their employment that defines a trade secret, limits how employees can use confidential information and explains damages the company will receive upon a breach of the agreement;
2. Schedule periodic meetings/training concerning the type of information the company considers confidential. Make it clear that trade secret information is the property of the company;
3. Designate confidential information as such by stamping the face of all copies as “confidential and proprietary” or “trade secret”;
4. Limit employee access to confidential information by placing it in a locked file cabinet and requiring password-protected access. Maintain computer security by limiting access to confidential information. Establish a policy for shredding documents. Require employees to maintain control over their workstations. Install “AUTHORIZED PERSONNEL ONLY” signs in sensitive areas of the plant or company. Enforce those signs;
5. Ask new hires whether they are bound to their former employer by confidentiality agreements. Abiding by these agreements promotes awareness and a commitment to confidentiality;
6. Revise company handbooks to establish policies about confidential and proprietary information and trade secrets. Distribute copies of the policies to all employees. Maintain oversight policies to prevent the disclosure of trade secrets in public speaking engagements, written publications, trade shows and seminars outside of the company;
7. If necessary, require vendors who have access to confidential information to sign non-disclosure agreements;
8. Separate components of a trade secret among several departments, if possible, so that each section has only a “piece of the puzzle”;
9. When an employee leaves the company, hold an exit interview and instruct the employee to return all confidential information, and re-emphasize company policies concerning trade secrets.

Jennifer Spencer is an attorney in the field of commercial and products liability litigation with Dallas-based Spencer Crain Cubbage Healy & McNamara. She represents national banks, mortgage companies, technology and pharmaceutical companies and industrial manufacturers in all types of financial issues and trade secret cases. Spencer can be reached at jspencer@spencercrain.com.


Comments


ATM Fraud Scheme Comes Crashing Down

Posted on July 29, 2009

Only in New York. And New Jersey. And Pennsylvania. A foursome of so-called “financial whizzes” apparently worked together on a multi-year ATM scheme which, according to reports by the New York Post, bilked banks in these states of up to $1 million.

They were all college buds who had stayed in touch since their days at New York University.

Believing that “simple is better,” the crooks didn’t employ ATM skimming devices. Nor did they produce counterfeit ATM cards. Rather, they would set up bank accounts, then disguise themselves on their trips to the ATMs to withdraw money, later claiming they were victims of ATM theft. They would then call the banks and make a stink about wanting their money back. One of the perps (a lawyer) was particularly brazen in his hounding of the victimized banks, according to the article.

Authorities believe approximately 50 banks were targeted in the scam. According to the Post, law enforcement caught on after a former Brooklyn homicide detective working as a bank investigator called another bank for video footage of the ATMs and they compared notes.

Just goes to show that low-tech fraud is alive and well.


Comments


Dot-Matrix Printers and the Sound of Security Risk

Posted on June 30, 2009

Sometimes I just run across something that makes me go, “Hmm.” In this case, it was the editor’s note from a sister brand’s e-mail newsletter, Dr. Dobbs Update, which is produced by the makers of technology resource Dr. Dobbs.

In it, editorial director Jonathan Erickson discusses the state of dot-matrix printers in today’s technology world. According to a study he cited, the loud, “old fashioned” printers are still alive and kicking—especially in banking, with 30 percent of banks surveyed admitting to using the devices.

However, researchers from Saarland University caution that financial institutions and others who use these printers should be aware of a security risk unique to this kind of output device. In the paper "How Printers Can Breach Our Privacy: Acoustic Side-Channel Attacks On Printers," the team concluded that clever criminals can discern very sensitive information while it is being printed (account numbers, medical information and the like) by paying attention to the sounds coming from the printer.

According to Erickson:
What the researchers discovered is that by capturing (recording) the ratta-tat-tat of dot-matrix printers, then applying feature extraction from speech-recognition (Hidden Markov Models) and music processing, you can extract valuable, private data from dot-matrix printers.

The researchers say that although dot-matrix printers are outdated for private use, they “continue to play a surprisingly prominent role in businesses where confidential information is processed, in particular in banks (for printing account statements, transcripts of transactions, etc.) and doctor’s practices (for printing the patients’ health records and medical prescriptions).”

Why the continued love affair with such outdated printers? The Saarland team claims there are several reasons the printers are still present in businesses, including robustness, cheap deployment, incompatibility of modern printers with old hardware, and, overall, the lack of a compelling business case for modernizing such hardware. On the medical front, they also note that several European countries, such as Germany, Switzerland and Austria, have laws on the books mandating the use of dot-matrix (carbon-copy) printers for printing prescriptions of narcotic substances.

The study is a pretty interesting read from what I saw. But it just amazes me that this kind of acoustic exploit exists out there. However, after additional follow-up with my colleague at Dr. Dobbs, it turns out the acoustic exploit is well known. Erickson says there actually is a special "Tempest" certification for equipment that reduces, eliminates or obfuscates the inadvertent "signals" produced by printers. These are in use by government and military facilities, for instance.

By the way, of the 30 percent of banks that said they use dot-matrix printers, only 8.3 percent said they planned to replace them with more modern equipment. But, I suppose the industry can take heart in the fact that doctors’ offices are even more guilty of using the noisy devices—58.4 percent of those surveyed, to be precise. Furthermore, fewer of them (4.7 percent) plan on upgrading any time soon.


Comments


Your Card Data MAY have been Compromised

Posted on May 27, 2009

Well, I guess there's a first time for everything. I was just informed by my very large credit card company that my card data MAY have been compromised.

I received an email from them saying they were shipping me a new card. That was pretty much all they said. I found this rather peculiar since my card doesn't expire until months from now. So I decided to call. After navigating the usual IVR tangle, I got hold of a person. I explained what happened and she (quite cheerily) said that one of the merchants the card company deals with experienced a data breach and that my card data may have been compromised. She said that doesn't necessarily mean my information was truly at risk, but that the card company was issuing me a new card as a precaution--same number, different security code.

OK. I appreciate the proactive nature of what they did. But, really, should I not have been informed in that email of the true reason I was getting this new card? I guess they don't want people to panic and count on their customers not caring or being an editor on a banking publication!

Still, this was the first time I ever experienced it. I have to say, it's kind of a creepy feeling (even though the rep assured me it might not have been my own data at risk). Then again, this is the first incident I am AWARE of. Who knows what kind of characters have my data as part of some huge database they acquired through nefarious means.

Never was able to get the name of the merchant out of the CSR. I knew she wouldn't give it to me, but it was worth a shot. It makes me wonder if the mystery merchant was up to date on its PCI compliance. PCI isn't bulletproof, as recent breaches have shown, but it's a good first step.

Still, according to the Identity Theft Resource Center, 93 businesses in the U.S. were breached as of May 19, 2009 and at least 192,407 records were reported to be compromised. How much longer are consumers (and businesses) going to have to tolerate such news? What's the next step after PCI compliance? It can't come soon enough as far as I'm concerned.


Comments


The Regulatory Burden Continues to Grow

Posted on January 15, 2009

I attended a teleconference hosted by law firm Goodwin Procter on the impending data security regulations being imposed by the Commonwealth of Massachusetts. The laws are meant to give consumers greater protection beyond the usual post data breach notification that we’re used to hearing about. For more information please see Massachusetts Gets Tough on Data Security.

In the wake of the massive data thefts witnessed over the past two years, Massachusetts decided to take matters into its own hands in keeping its residents’ information safe. And some expect such incidents to only increase as the financial crisis lingers. But the depth to which the Massachusetts rules go to protect peoples’ personal information is stunning.

Businesses will be required to follow a prescribed regimen of procedures designed by legislators and the Office of Consumer Affairs in that state around data storage, encryption, transmission and usage. It even applies to the third party service providers of these entities!

As a consumer, I think what Massachusetts is doing is great. If I were a banker, or an executive at any company that deals with consumers, I’m not sure how thrilled I’d be. Do the Massachusetts regulations go too far? Are they, as one of the attorneys said during the teleconference, too “invasive” from companies’ points of view? Are they too much for many companies to handle? Banks are already heavily regulated. With the credit crisis, they expect the regulatory hammer to come down on them harder on the federal side. Now these almost draconian laws must be obeyed by any company dealing with the personal data of a Massachusetts resident—regardless of whether that company has an office in that state.

On the other hand, if a bank already has a compliance-focused culture and a strong data security and vendor management policy in place, it might just be a matter of checking for overlap and adding something new here and there. Massachusetts is definitely raising the bar on consumer data protection. The Bay State’s efforts will no doubt be followed very closely by other states and the federal government.


Comments


CheckFree Sites Hijacked Due to Vendor Vulnerability

Posted on December 05, 2008

It’s so important to keep tabs on your service providers—especially around security procedures.

CheckFree is at the center of the latest example of security due diligence gone bad. Cybercriminals pulled off a bold stunt by hijacking two websites run by Fiserv’s CheckFree online bill payment service. According to a report in the Washington Post, an unknown number of CheckFree users were redirected to a phony website that tried to install malware on their computers.

According to the Post, the attack occurred in the early morning hours of Dec. 2 when CheckFree's homepage and customer login page were redirected to a server in Ukraine. A CheckFree spokesperson said users would have been directed to a blank page. However, the company says it regained control of the site at 5 a.m. that very same day. CheckFree continues to analyze the nature of the malware.

One expert believes it to be a new strain of Trojan designed to steal user names and passwords. And so far, all evidence indicates that the attackers were able to execute this hack by snagging the user name and password to Network Solutions, CheckFree’s domain registrar.

This is yet another example of how careful companies have to be when dealing with their business partners. CheckFree might have one of the most rigorous online security regimens, but if the same standard is not applied to its service providers, then their efforts are for naught. So it’s not just banks that have to keep tabs on their vendors, but the vendors have to keep tabs on their vendors as well! No one is immune.


Comments


Swedish Banker Unplugs Fraudsters

Posted on January 30, 2008

Wow. Talk about catching something in the nick of time. According to an AP report, a gang of fraudsters in Sweden were just seconds from pulling off a heist worth millions when an alert bank employee literally yanked the plug on the activity.

Apparently, the audacious criminals left sophisticated electronic equipment under the banker's desk that allowed them to remotely take control of the worker's computer. The banker only discovered the device when he noticed a transfer for millions was suddenly being made to an account outside the bank. With fast thinking and common sense, the banker yanked his computer's plug from the outlet.

Exactly how the device was planted hasn't been explained, but it's probably safe to say that the bank (which hasn't been named) is seriously re-evaluating its security procedures—and this time it seems like physical security is coming into focus as well.

It is important not to lose sight of the physical when it comes to keeping things safe at banks. Sometimes this very basic tenet of safety is overlooked in favor of flashier, more trendy IT security. The two actually are very interconnected, and only by keeping both types of security in mind can banks ever truly have an all-encompassing security policy. That and having some quick-thinking employees helps a bit too!


Comments


Were People or Technology to Blame for Multibillion Dollar Societe Generale Fraud?

Posted on January 24, 2008

Societe Generale is in big trouble—about $7 billion worth of trouble. Today, it was revealed that the French banking giant suffered this staggering fraud loss at the hands of trader Jerome Kerviel. The bank said it will seek emergency funds as a result, according to a Reuters report. The implications of this huge oversight are many.

How can a bank of SocGen's size (and reputation) have missed what was occurring? Such sizeable fraud doesn't usually occur overnight. This fraud was the result of either people or technology. After what I've been hearing with regard to the subprime mess, I'm inclined to say that it was most likely a people problem. Someone at SocGen dropped the ball and let this trader get away with financial murder. Surely there were clues along the path to destruction that indicated something was amiss—that's what risk management and fraud prevention software is designed to do. But people are the ones who ultimately have to analyze the readouts produced by the software. Then again, I could be wrong. What if the technology in place was inadequate? What happens to the vendor?

Well, according to newly emerging reports, SocGen might actually have been turning a blind eye to such activities. Also, it looks like fraud runs in Kerviel's family. The UK's Daily Mail revealed that his brother Olivier was fired from a bank job for "trying to get rich off the back of his clients."

But perhaps the most dramatic development is that Kerviel, although not completely exonerated of all charges, pretty much gets off with a slap on the wrist (relatively speaking) as the most serious charge of attempted fraud was dropped against him (pending further investigation, of course). In fact, Kerviel is playing the scapegoat card, saying he was only doing his job, did not profit from the activities personally and was simply trying to advance his career.

Well, I guess in some twisted sort of way, the news is a refreshing change of pace from all the subprime mortgage fallout we've been hearing about lately! Although at least one analyst thinks it was for this very reason that SocGen missed what was happening on the trading side—it was focused too much on its own subprime losses.

But what do you think went wrong at SocGen? Feel free to leave your comments below.

And for more on the hows and whys behind the SocGen mess, read How Did the Societe Generale Fraud Happen? by Melanie Rodier from our sister publication Wall Street & Technology.


Comments


Companies are Thinking of Information Security as a Strategic Asset

Posted on December 13, 2007

Well, it looks like it's finally getting through to the world's corporations. Information security IS about more than just staying out of trouble. Ernst & Young issued findings from its tenth Global Information Security Survey and concluded that a growing number of firms recognize the other fringe benefits of keeping data safe.

E&Y polled about 1,300 senior executives in over 50 countries and found that although compliance is still a big driver of info sec initiatives, almost half of respondents (45 percent) said that meeting business objectives was among their top three drivers of information security.

I think this trend can also be examined from the angle of compliance with PCI standards—the payment card industry data security standards (PCI DSS). There has been a huge about-face among large and midsize merchants in this country and their attitudes toward PCI DSS. I actually explore this topic a bit more in the upcoming January issue. PCI DSS is a set of data security standards for keeping customers' card information safe. As we all know, many of these retailers have been, shall we say, negligent in this respect. I wonder how much longer their flouting of the PCI rules would have continued had the ridiculous number of data breaches not occurred in 2007. But they got caught. Visa certainly didn't like this behavior and was at the forefront of levying fines against offending merchants for not passing their PCI audits. And Visa and the other card brands are finding further backing courtesy of the PCI Security Standards Council (of which all are members). The council is adopting more stringent standards and requirements around keeping card data safe for all those involved in the payments chain—banks included.

It's encouraging to see that information security is taking on greater importance at organizations, even beyond compliance requirements. Getting back to the E&Y study, the firm found that companies are better integrating their information security and risk management initiatives (82 percent of respondents). More than two-thirds (69 percent) of respondents felt that information security improves IT and operational efficiencies. This finding sharply contrasts to previous years, according to the firm, when information security was viewed as a barrier to IT and operational efficiency.

Of course, the report wasn't all rosy. Other findings showed that info sec is still too isolated from management and the strategic decision-making process. Nearly a third of respondents said they never meet with their board or audit committee. Things are improving on this front, but at a slow pace, according to E&Y.

Another problem is the lack of experienced security experts at companies as info sec programs expand. This was cited by more than half of respondents. Related to this, 60 percent of them said they are outsourcing certain elements of information security. That in itself can present some problems. On the other hand, why not let the experts handle these things?

Although E&Y didn't specify the kinds of companies involved in the study, it's not too difficult to draw parallels to the financial services industry. And many banks out there can probably relate to the findings. It's encouraging to see that at least things are getting better. Data safety is always a good thing.


Comments


Live from BS&T Executive Summit: Is Online Security Hopeless?

Posted on September 25, 2007

Should banks and others bother to continue playing catch up with cyber criminals and their constantly evolving techniques? This was the question FBI special agent Timothy O'Brien set out to answer during his session titled Is Online Security a Lost Cause? O'Brien is with the Bureau's computer crimes squad and tracks criminals' activities on the Web.

He emphasized that crooks are no longer motivated by the bragging rights traditionally associated with hacking into an important corporate or government network. "Profit motive is powering cyber crime today," O'Brien said. These people are usually a loose affiliation of disconnected, highly specialized individuals looking to make the most money on stolen information in their underground economy.

Of course, not all network break-ins are deliberate or from the outside. O'Brien said it's important to remember that it's often a "trusted user" who either becomes disgruntled or is simply ignorant of what he downloads onto a company computer.

I think what was most interesting were the reactions of the bankers in the audience as agent O'Brien's presentation unfolded. The segment with perhaps the greatest impact involved a detailed screenshot of a website used by cyber crooks to buy stolen card information. It was set up like a legitimate business site! There was all the account information available to prospective crooks, including type of credit card, Social Security numbers, account number, mother's maiden name, and more. All this was priced accordingly, depending on the detail of the account data. There were even discounts available to certain "customers"! It was really frightening when presented in such a manner. There were many incredulous laughs from the audience, including yours truly.

One of the bankers commented to me, noting how prominent PayPal's name was on this shady e-commerce site, "PayPal isn't even regulated for Know Your Customer." It only drove home the growing presence of nonbanks in the financial transaction space and perhaps the need for them to play by the same rules as traditional banks.


Comments


Live From BS&T Executive Summit: Can Security Be a Differentiator for Banks?


"Sixteen years ago, if you asked me if I was going to be dealing with the kinds of things I'm dealing with today, I would have said no," said Dick Harp, SVP and director of corporate security for Huntington National Bank.

Following 9/11, Harp was forced to buy an anthrax pathogen tester for his banks, an entirely different type of security element than the traditional cameras and vaults.

Making security a value proposition and balancing security expense to make the bank grow and add value are problems that Harp is faced with daily, he said during yesterday's security session at the Bank Systems & Technology Executive Summit in Phoenix, Ariz.

As a direct bank, with no branches, MetLife Bank has its own unique set of security challenges, said Mark LaPenta, CTO and COO for the $7 billion bank. Preserving the bank's reputation and increasing customers' trust in online banking are two of LaPenta's top priorities.

Among the growing threats is ACH exploitation. LaPenta says the ACH rules require updating. Data proliferation also creates its own challenges, he says. Knowing how and where to integrate risk data into future data initiatives is a challenge.


Comments


Phishing for Bank Accounts Reels in Big Bucks

Posted on September 17, 2007

By Nancy Feig

Today, Symantec revealed findings about the rewards phishers are reeling in for personal information phished from consumers.

According to the security vendor, bank account details bait the biggest rewards, at up to $400. IDG News Service also reported that:

Credit card details sell for between 50 cents and $5, e-mail passwords for $1 to $350 each, and e-mail addresses from $2 to $4 per megabyte.

The report points to the commercialization and even "professionalism" of today's cyber criminals. Phishing toolkits, which can be purchased to aid these criminals, accounted for 42 percent of all phishing attacks during the first six months of 2007.

These phishers continue to capitalize on vulnerabilities in Web sites trusted most by consumers, including banks, social networking sites and job search engines. The criminals use the "scripts" provided in the toolkits to set up phishing Web sites that mimic legitimate Web sites, according to Symantec.

These social networking sites are particularly vulnerable to phishing because users tend to highly trust the sites and their security measures.

I have to tell you, I honestly used to wonder how people could fall for phishing scams, but I can tell you first hand that they are getting harder to detect. Almost everyone I know has been a victim of phishing on Myspace, the most popular social networking site. It amazes me that Myspace has not found a way to prevent these attacks or at least sent out some type of alert to its users.

A quick Google search yields plenty of instructional sites on how to hack into a Myspace account. There's even a YouTube video with instructions. I wonder where all of those stolen passwords are going. One organization hacked their way into the Web sites of several HSBC employees to steal their passwords, which are likely their work passwords as well. This is some scary stuff.

Banks need to be aware of the many channels criminals are using to steal people's identity and money. Open dialogue with the social networking sites might be one place to start.


Comments


Cookie-based Security Creates False Sense of Online Banking Security

Posted on August 13, 2007

By John De Santis, CEO, TriCipher

Throughout 2006, a series of high-profile incidents occurred that very painfully and very publicly highlighted how flimsy usernames and passwords are in protecting a person's online identity. Phishing and various other forms of online fraud sent the e-business community--particularly in financial services, which bore the brunt of these attacks--into a tailspin. In a bold move, one of the world's largest banks aggressively promoted its deployment of multi-factor authentication as a free, required service to all of its online banking customers.

Subsequently, many banks have followed suit, adopting technology designed to verify that the bank's Website was really the bank's Website, and that users were who they said they were. Generally, the enrollment process required people to choose an image to use as a unique identifier, write a brief phrase and select three challenge questions. The Website then dropped a cookie on the user's machine that was passed back and forth between the user's computer and the bank to confirm each other's identities. This process made customers feel safer, and demonstrated that banks were stepping up to the plate to protect their customers online. But where the cyber-rubber hits the road, they're relying on HTTP cookies for authentication--a method which is at best weak, and at worst, completely useless.

As a quick refresher, the term "HTTP cookie" derives from "magic cookie," defined in Wikipedia as a packet of data a program receives but only uses for sending it again, unchanged. Already used in computing, magic cookies were "webified" by Netscape programmers while developing an e-commerce solution for one of Netscape's customers to implement a virtual shopping cart.

From their inception, cookies have been fraught with both security and privacy issues. Cookies are easily hacked, often deleted by users (requiring frequent answering of security questions to view their accounts), and useless against Man-in-the-Middle (MITM) and Man-in-the-Browser (MITB) phishing attacks, which are occurring with increasing frequency.

To be fair, cookies, passwords and images are more secure than passwords alone, but not by much. In a nutshell, they raise the bar from nothing to...almost nothing. As a consumer of online services, I can appreciate the initiative to ensure my safety without any major inconvenience--but if it's not buying me a safer experience, then what's the point? When the cookie crumbles, then what?
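To make the argument concrete, here is an added toy model of the enrollment-and-image flow described above (image chosen at enrollment, device cookie dropped, image shown back when the cookie returns). It is constructed illustration code, not TriCipher's or any bank's implementation, and all user names, images and cookie values are made up; its point is that the bank's records of a login from the user's own browser and of one relayed through a man-in-the-middle are identical, so the cookie gives the bank nothing to detect on.

```python
# Toy model of the cookie-plus-image "site authentication" scheme the post
# describes, and of why a relaying man-in-the-middle is indistinguishable from
# the user's own browser. Added illustration, not any vendor's or bank's code;
# every name and value below is constructed.
import secrets


class BankSite:
    """Minimal bank site: enrollment drops a device cookie; login shows the
    user's chosen image when that cookie comes back, then checks the password."""

    def __init__(self):
        self.users = {}           # username -> (password, chosen image)
        self.device_cookies = {}  # cookie value -> username it was issued to
        self.login_log = []       # what the bank records per login: (user, cookie)

    def enroll(self, user, password, image):
        self.users[user] = (password, image)
        cookie = secrets.token_hex(16)  # unguessable, but a pure bearer value
        self.device_cookies[cookie] = user
        return cookie

    def show_image(self, user, cookie):
        """Return the user's secret image if the request carries a cookie issued
        to that user; None means 'fall back to the challenge questions'.
        Nothing here tells the bank which machine is presenting the cookie."""
        if self.device_cookies.get(cookie) == user:
            return self.users[user][1]
        return None

    def login(self, user, password, cookie):
        if self.device_cookies.get(cookie) != user:
            return None  # unrecognised device: would prompt challenge questions
        if self.users[user][0] != password:
            return None
        self.login_log.append((user, cookie))
        return "session-" + user  # opaque session handle, constructed


class RelayingProxy:
    """Sits between browser and bank and forwards each request unchanged. It
    exposes the same two calls as BankSite, so browser code cannot tell it
    apart. Modelled only to show what the bank sees in that situation."""

    def __init__(self, bank):
        self.bank = bank

    def show_image(self, user, cookie):
        # Forwarding the user's cookie makes the bank return the real image,
        # so the user's "is this really my bank?" check passes through a relay.
        return self.bank.show_image(user, cookie)

    def login(self, user, password, cookie):
        return self.bank.login(user, password, cookie)


def browser_login(site, user, password, cookie, expected_image):
    """What the user's browser does: fetch the image, verify it, then send the
    password. Refuses to send the password if the image is wrong or missing."""
    if site.show_image(user, cookie) != expected_image:
        return None
    return site.login(user, password, cookie)


def compare_direct_and_relayed():
    """Enroll once, log in directly and then through a relay, and return what
    each path produced together with the bank's own log of both logins."""
    bank = BankSite()
    cookie = bank.enroll("alice", "correct horse", "blue-sailboat.png")
    direct = browser_login(bank, "alice", "correct horse", cookie, "blue-sailboat.png")
    relayed = browser_login(RelayingProxy(bank), "alice", "correct horse",
                            cookie, "blue-sailboat.png")
    return {
        "direct_session": direct,
        "relayed_session": relayed,
        "bank_log": bank.login_log,  # two entries, identical to the bank
    }


if __name__ == "__main__":
    for key, value in compare_direct_and_relayed().items():
        print(key, "->", value)
```

A browser without the cookie (or with the wrong one) gets no image and never sends the password, which is the one case the scheme does handle; the test below checks both outcomes.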

The justification for using cookies for consumer authentication is that it’s a step up from what’s currently being used (usernames and passwords) and doesn’t interfere with the online experience. It all boils down to the classic battle between security and convenience--more security means more complexity, and if it becomes too much of a hassle to bank online no one’s going to do it. So the big nut the banks, the FFIEC, the auditors, security vendors, analysts and market researchers are all trying to crack is what is “good enough” security--meaning, secure enough to actually protect people, without making the user experience so complicated that it drives them offline. It’s not an easy question to answer.

Gartner analyst Avivah Litan wrote a report highlighting the security flaws of cookie technology, stating that such a solution “… fosters consumer confidence but cannot be wholly relied on to effectively reduce fraud.” She went on to say, “Online consumer service providers need a bifurcated strategy… one piece to build consumer confidence and another piece to keep the crooks out.”

Unfortunately, the Gartner report came out after many banks had already followed suit in order to meet the tight window imposed by the December 2006 FFIEC deadline.

The irony of the FFIEC guidance is that, while it intends to ensure that banks do the right thing to protect online customers, it leaves more than enough rope for banks to hang themselves on security. Given the short timeframe banks had to comply and the wide variety of choices they had to sift through, it’s conceivable that banks would lean towards cookie-based technologies. They’re an improvement over what they had and cookies provide them with an FFIEC checkmark.

However, at the risk of raising the already nauseating level of fear-mongering that’s par for the course in the security industry, I encourage you not to throw the baby out with the bathwater. Last year MITM attacks were widely perceived as a strictly theoretical threat. In 2006, these “theoretical threats” crippled a bank in Europe and compromised a major U.S. bank (despite its use of tokens) along with several brokerages in Canada. Cookies, and even tokens, would have been useless in stopping these attacks.

People are noticing. An August 2006 Gartner survey revealed that almost nine million US adults have stopped using online banking, while another estimated 23.7 million won’t even start because of fears over security. How many more users would defect if they knew they were being scammed by the very people promising to protect them? It certainly blurs the line between the good guys and the bad guys, doesn’t it?

When the cookie crumbles, everyone loses. So why let it happen?


Comments