
10:51 AM
Art Gillis

Leaks, Freaks, Sneaks, Tweaks and Geeks -- What Do They Mean For Online Banking?

Nothing good is the short answer. Now let's look at the long answer.

First, it's time to get philosophical. Did the banking industry fall apart just because John Dillinger, Pretty Boy Floyd, Machine Gun Kelly, Willie Sutton, Bonnie and Clyde, and Baby Face Nelson were robbing banks in the thirties? Answer: No. Are bank robberies still a crime du jour? Answer: Yes. Did banks fail during the recent banking crunch? Answer: Yes, 316 in the past three years. Conclusion: I don't believe online interceptors will be the biggest threat in the banking industry, but they certainly cannot be ignored. I do believe that wildcat lending and ego-influenced acquisitions, as demonstrated by the events of the past three years, pose a far greater threat. Since I know nothing about lending to deadbeats and acquiring sick banks, I'll pontificate on the threats facing online banking.

Here's my take on what we can do to protect our own interests regarding our dependency on the internet, and if this sounds like a guy who doesn't trust the institutional protectors, you're starting off with your first right answer. Your own actions as a business and/or consumer will be your best protection against internet abuse.

Leaks -- If you tell, then consider it public. Computer-based privacy disappeared in 1980 when the personal computer was born. Up until that time, getting anything out of a mainframe, centrally-located, enterprise computer was like the roach motel ad, "data check in but they don't check out." The internet continues to destroy any idea of privacy. Add to that the growing feeling that you're nobody unless people know your junk, and you've got a huge natural case of info exposure labeled, "Just look at me now." If the secure agencies of the federal government and the defense department can't protect their information assets, how likely is it that banks will? Score one big threat for online banking.

Freaks -- There was an expression going around a few years back that seemed to explain questionable behavior. "Why do some people climb a mountain?" The answer, "Because it's there." The same kind of thing occurs with many hackers who break into systems just so they can say they did it. The days of innocence ended during the fifties. Now the information intruders could be our next door neighbors, or guys with a laptop in a country whose name we can't even pronounce. We know which government agencies are working to mitigate the operations of al-Qaeda, the Taliban, and nuclear arsenal builders. They appear on our TV screens every night. But which government agency is tracking the transparent weirdo who should be in Bellevue but is holed up in a 42nd Street flop house planning a bomb attack at a pizza joint, or planting a worm at www.anyone' Precautions such as aggressive pat downs at airports, for some reason, don't make me feel any safer after I fasten my seat belt. Likewise, firewalls, two passwords, "secure" sites, and mother's maiden name remind me of the three-dollar padlock I used to lock my bike the last time it was stolen.

Sneaks -- Do you trust your bank? In most cases the answer is yes. Do you trust every employee at every bank? Never. Banks have all the right stuff to take you to the cleaners. You couldn't get a loan or deposit account if you didn't disclose. So what makes you so comfortable that the ever popular advice of not disclosing SSN, account numbers and passwords to strangers on the phone is any kind of protection? An employee at your bank could be that "stranger" who just received her pink slip. When Security Pacific Bank lost $11 million because of fraudulent wire transfers, the perpetrator was a consultant with the Federal Reserve who had access to everything he needed, because he was a "trusted resource." When a mid-size bank in New Orleans lost over $700k from customer withdrawals from a CD account, the bookkeepers said, "Oh, don't pay no mind to them reports. The CD system is in beta test." It wasn't beta, or alpha or gamma; it was real. And the customer thought it was a Mardi Gras gift after multiple withdrawals and no objections from the bank. Even customers can't be trusted.

Tweaks -- Beware of new software releases that are designed to improve "old" systems. For reasons that go back to Day One in the business of software development (think 1958), new releases of software are like a double-edged sword. They deliver lots of changes to nearly-satisfied users, but also many changes that destroy previously enjoyed warm and fuzzy good stuff. In other words, users complain about a paltry net gain at the cost of nice things they got accustomed to using. I'm sure that the 28 core system vendors in Automation in Banking - 2010 will accuse me of heresy when I say, "Ease up on change, deliver optimization, but GUARANTEE RELIABILITY." Too much tweaking of online banking systems will have a deleterious effect on consumers, especially those who were reluctant to give up their visits to the branch. Familiarity is one of the strongest attributes of online banking that can secure a consumer for life. Constant change is a destroyer.

Geeks -- By my count as an attendee at internet birthday parties, the internet is 19 years old as a commercially viable service. It is 16 years old as a banking tool. That should have been enough time for the designers and the coders to hug and make up. They haven't. To prove my point with just one tiny recent experience, I'll use the bank that gets more kudos for their Web-based systems than any other bank -- Wells Fargo. I use WF as a merchant, not a consumer. To get my transactions and statement online I was referred to a website. I entered everything carefully, correctly, and in the spirit of the season, checking it twice. After several pages, I was delighted to see the "submit" button which I clicked and then experienced cyber-orbit, no error message, just orbit. After calling customer service, I was informed I was not using the approved browser, Explorer. Duh, shouldn't that have been declared at the beginning of the process?

We're not out of the woods yet, folks, when it comes to protection in the use of online anything. The rush to market got us there only three years after the internet was born. The reach for optimization is still a work in progress, and during that progress, we should exercise a lot more judgment than the use of a "three-dollar padlock."
