The real challenge for the banking system is how to protect their firewalls from attack by hacktivists, goverworms and cybercriminals and, conversely, how to deliver easy access to online banking for their clients and customers.
It’s a real dilemma.
On the one hand, everyone wants mobile access to his or her account balances and to make payments; on the other, no-one wants to consider the issue of haemorrhaging losses if they don’t protect their account properly.
This is also a challenge in terms of building business as, for example, many people do not use mobile banking for exactly this reason: they worry about haemorrhaging losses.
So there are two distinct focal points here for information security within a bank:
- protecting the banks information from attack; and
- allowing the bank’s customers to access the information they need when they need it.
Looking at the first part, hacktivists are not really the issue here.
A massive Distributed Denial of Service (DDoS) attack from the anonymous collective is concerning, but bringing down a website does not bring down the system.
MasterCard and Visa made this clear when they were attacked last year, and so it's an inconvenience rather than a concern.
However, a targeted hack is a concern, and there are many instances of banks failing to deal with this properly. Last year, for example, hackers got access to some of Citibank’s customer data, with at least $2.7 million lost by 3,400 customers. That’s small beans and is manageable, but shows the vulnerability.
The insider threat is even greater, with employees who can gain millions by selling access to bank data. An instance of this was also seen last year, with Bank of America losing over $10 million thanks to a staffer giving away account details to an identity theft ring.
Again, it’s small beans but when there’s a crack in the firewall, it can soon grown into a fissure, chasm or canyon.
That was well illustrated by Sumitomo Bank who lost almost $350 million in a keylogger scam.
You would think that this bank would therefore have gotten its act together after such a near fatal disaster. No. This is the very same banking operation that was fined £3.5 million by the Financial Services Authority in May for serious IT governance failings.
Regardless, as I keep saying, banks are data guardians, information providers and knowledge developers. Or they should be.
This means that the way in which you guard against data failings from external attack is by having the obvious data protections: firewalls, secure sign-on, dual authentication with triangulation of access, real-time business events monitoring and so on.
What I mean by this is that banks should be moving towards much improved real-time tracking and business intelligence about their information flows, and this will alert them to any security breach.
After all, most banks know that they will be breached. In fact, they know they cannot stop a breach. It will happen. The real question then is how you deal with it and how fast.
That’s the key.
This is why complex event monitoring of business intelligence flows with real-time alerts is a key focal point. The ability for a bank to keep its finger on the pulse of every transaction across its global operations will be the key to protecting against internal and external threats.
And if real-time business monitoring can solve the first issue, an external or internal security breach, what do you do about the second area: ensuring ease-of-access securely.
Again, it seems simple and yet so many fail.
I was astounded to read a report for example, that stated the mobile banking apps from world leading banks like Wells Fargo, PayPal, Chase and others were failing the viaForensics security tests. At the time, August 2011, a quarter of all mobile bank apps failed basic security tests.
According to Neil O’Farrell, executive director of the Identity Theft Council: “There were more breached records last year than U.S. population than U.S. residents last year and more cases of identity theft than just about all other crimes combined”. He went on to say that: “Eight out of ten mobile banking apps have security flaws, but Apple and the banks don’t want you to know that.”
Whether true of not, there are obvious flaws in mobile security right now, and yet there shouldn’t be. As Business Week points out, mobile banking is more secure than online banking … or it should be, when done right.
As most users always know where there mobile is and have it with them, unlike their wallet or credit card, it means that they are far more likely to know when it is lost or stolen.
Equally, as mentioned, triangulation or more secure techniques mean that you can use the mobile telephone number and the geolocation proximity of the phone, text messages and apps, alongside a card and PIN, to make sure that the person who says they are trying to access the account is actually the person who should access the account.
The bottom-line of securing banking is that banks will never be able to keep ahead of the criminal. That’s the criminal’s job: to continually test and try to break the security of the bank.
This means that the bank must therefore always be one step behind those who want to create cracks in their firewalls.
That means continual renewal of information security policies, systems and infrastructures, and making sure that the bank keeps up with the best practices in securing their customer’s data.
Some banks do this brilliantly.
Just make sure you’re with the ones that do.
This is the last entry in a series about Hacktivism: