News

01:33 PM
Connect Directly
RSS
E-Mail
50%
50%

Epsilon Data Breach Emphasizes Need to Proactively Create Security Awareness

Though it's not clear whether an attack is on the horizon, both bank and customer awareness can mitigate risk.

The Epsilon data breach that saw names and email addresses of millions of Americans become exposed by unauthorized access to the company's system might or might not present a threat financial institutions such as Citigroup, Capital One and JPMorgan Chase, who are clients of the online marketer.

In the near term, if that information is out there and available, it could mean more spam emails and phishing attempts.

"In reality that’s all it is," says Paul Schaus, president of CCG Catalyst consulting group. "So from a bank’s perspective you’re worried about customers getting spam emails or getting phishing emails. Those are the two big issues. It’s not a confidentiality issue."

But if those email addresses and names get out there in lists that can let fraudsters make a correlation between an individual and the place they bank, then it could lead to some well-aimed phishing attacks.

"That’s the big concern," Schaus says. "That’s the area of risk."

However, it takes some work to get there. As Schaus explains, it's two parts: first the customer has to be unaware of the breach and secondly the email has to look so authentic they don't think about it.

"I think from a business perspective, those who are in charge to protect accounts clearly have to do a more vigilant job because they can expect a wave of attack," says Ori Eisen, CEO and founder of fraud prevention and detection provider The 41st Parameter.

Eisen believes that if a bank is doing due diligence to protect from fraud, it'll minimize risk.

"People say the sky is falling," Eisen adds. "However if you do the monitoring day in and day out, regardless of the breach, you should have your risks managed."

Eisen added the Epsilon breach, if it is only names and email addresses, isn't as bad as some of the other recent events, such as the RSA security breach in mid-March. But names and emails correlated with a financial institution could have other, less-direct effects.

"You can do some other things with it as well," he says. "If I know your email, I know a couple of things. In this case I know your name and email and I know you are a customer at a particular bank. I can also try to break into your email."

Shaus qualifies that, with the amount of information readily available, the Epsilon breach -- if it's only names and email addresses that were accessed -- doesn't add much new to the online security scene.

"You’ve got to put this all in perspective," Shaus says. "How many people put their email addresses out there in blogs, or in comments or emails or reviews on Amazon?"

There's a lot of data already on the web.

Eisen warns that the Epsilon breach should, if nothing else, emphasize the importance of proactive account takeover detection.

"You don’t know when an attack will happen," he says. "It could be today, it could be a month from now."

In its email following the breach, Chase made several recommendations to its customers, including:

  • Don't give your Chase Online user ID or password in email
  • Don't respond to emails that require you to enter personal information directly into the email
  • Don't respond to emails threatening to close your account if you do not take the immediate action of providing personal information
  • Don't reply to emails asking you to send personal information
  • Don't use your email address as a login ID or password
  • There's no harm in reminding customers about safe practices online.

    "I see a direct correlation between the frequency of security awareness training and the success rate of these email attacks," says Brendan McGowan, director of Consulting Services for Safe Systems. "The most effective countermeasure to phishing emails is user awareness."

    Comment  | 
    Print  | 
    More Insights
    Register for Bank Systems & Technology Newsletters
    White Papers
    Current Issue
    Bank Systems & Technology Oct. 14, 2014
    Bank Systems & Technology's new Must Reads is a compendium of our best recent coverage of customer analytics. Learn what big data means for banks, meet Wells Fargo CDO Charles Thomas, find out how to connect with your Gen Y customers, and more.
    Slideshows
    Video
    Bank Systems & Technology Radio
    Archived Audio Interviews
    Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.