Guest Blogger: In Banking It’s a Matter of Trust
Trust is paramount in the banking industry. It is the cornerstone upon which the banking industry was founded. Think about it. Customers rely on us to safeguard the means that will fuel their livelihoods and survival. It is the deepest trust that one can put into an organization.
That is why it is our duty to ensure that this trust is never shattered. And in today’s economic climate, along with the rise of online banking strategies over the past 15 years, it is getting more challenging than ever to safeguard that trust. But, we must rise to these challenges at all costs.
It is no secret that bad guys are trying their best to steal personal and financial information from our customers. The reality is that they are smart and often one step ahead. That is why we work tirelessly, round the clock, to make sure that our customers’ financial data is always protected.
At U.S. Bank, we have enacted very strict policies and procedures to ensure that customer account information is kept confidential. For example, only authorized signers can access account information. We also never request a customer’s personal password. We also use state-of-the-art tools and monitoring systems for account verification and monitoring, fraud detection, and quick communication when suspicious activity occurs.
While having all of these policies and safeguards in place is a good thing, we need to continue innovating to find new protection strategies. We must embrace new technologies, policies and procedures that include: fraud detection, fraud alerts, ID theft insurance and tools for helping customers restore their financial standings and good name if they become victimized.
It is healthy to remember that hardworking, good people are entrusting us with their livelihood, and in today’s economy, it could be their survival. We must always return that trust with a level of safety and protection that is unbreakable.
About the Author: Jeannie Fichtel is the Executive Vice President, Consumer Banking, U.S. Bancorp and is a member of the Identity Theft Assistance Center board.

Well said, Jeannie! Your service on the ITAC board of directors and U.S. Bancorp’s support of the Identity Theft Assistance Center help ITAC achieve its mission of helping consumers and preserving their trust.
From Linked-In:
We live in a really interesting time, where there are two potentially disparate forces on a business. One is the need for increased transparency – to share a great deal of information with consumers about internal processes that in reality, may have little to nothing to do with the good or service that consumer is seeking. Second is the need for greater security, to protect data and sensitive information. Traditionally, businesses wait for a competitor to suffer before communicating that they are trustworthy – think of all of the peanut butter ads touting inspection practices which came out AFTER the recent product recalls. But to truly get into a proactive position (which is admittedly rare in marketing), businesses, especially banks, mortgage companies, and others on the front lines of the economic crisis, must understand that consumers already expect the worst, and that the only way to build trust is to acknowledge that incidents may happen in today’s day and age by sharing strong, clearly written information security policy. I actually recently wrote a white paper about this topic, which is free to download by checking out idBUSINESS.com. Thanks for the question!
From Linked-In:
There are rumours that some banks that outsource data / service fulfillment / software to offshore companies may protect customer data well in the homeland, yet it is out of their hands when overseas. Thus call centers may access it to answer queries, and, if rumour is to be believed, some unscrupulous operators may sell it on for a small fee. [Albeit a large percentage of their low salary.]
Not a model I would encourage.
From Linked-In:
To be clear. Yes!
The situation is so clear that it is even possible to compute the business savings a bank can realize by instituting the right plans.
From Linked-In:
I used to have to evaluate bank security and after spending time w/ the banks my first thought was to w/draw all of my money and bury it in my backyard! Seriously, a big fat YES, however, I think we might be missing something here. Banks don’t really care about the individual account holder. They care first, second and third about profits. They do have a perceived “cost of doing business” and if security mechanisms cut into the profits they are not implemented. If the loss from a security breach is less than the “cost of doing business” that’s life. So if losing someone’s account, even if we’re talking about the maximum FDIC insured amount, is less than the cost of doing business, then don’t expect your bank to increase security. If we want banks to increase security we need to convince them that security is a good investment for their bottom line, and it must be done w/ hard numbers.
From Linked-In:
One of our focuses is auditing financial institutions. I would wholeheartedly agree. It is amazing how many banks just don’t get it. When there is a data breach they are required to report it (that assumes they are even secure enough to detect it). When a bank’s whole business relies on trust and security you would think cyber security would be on the top of their list.
I have walked into banks and seen a $400,000 bank vault, and then they are protecting their corporate network with a Linksys firewall. I just shake my head…
But in fairness there are banks that do get it. And one thing we always tell our clients is use it in their marketing, let people know that you are proactive in protecting your customers’ assets.
Just my 2 cents
From Linked-In:
Certainly, banks or any institution that use information systems can and should be proactive in protecting their vital information. Information assurance is not limited to simply maintaining a static posture while waiting for the worst, a perception more akin to buying an insurance policy. Information assurance requires risk management, dynamic responses to new threats, practice in business resumption, and strategic planning. In today’s rapidly changing business cycle, information is vital to keeping a competitive advantage: the process and systems to keep that information intact and available are just as important as the information it protects.
Agreed. Also many of the simple things still go unaddressed. Like top performers having too much access to bank systems and procedural noncompliance like disposing of banking records improperly. Even in the simple things we can get careless.
Trust is necessary in banking, but I’m not sure how informed Bank Management is on the implications of specific technology. How well are the governance processes working, how well are staff trained on AML (anti-money laundering) and do they have data loss prevention processes in place? Are these on-line “training” sessions that are completed within 15 minutes on an annual basis or are these issues discussed on a weekly, monthly or quarterly basis?
Just because the policies and procedures are in place, is management aware of what is actually going on in the trenches? Is 123-456-7890 a telephone number or a thinly disguised SSN (drop the zero)? Just having the technologies, policies, or procedures in place does no good if they are not backed up by good management and monitoring.
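The “drop the zero” remark above is exactly the kind of evasion a format-only data loss prevention rule misses. The following is an added example (not code from the commenter or from any product mentioned on this page) of a scanner that flags both plainly formatted SSNs and phone-formatted strings whose first nine digits form a structurally plausible SSN once a trailing zero is dropped; the SSA structural rules (area not 000, 666 or 900–999, group not 00, serial not 0000) are real, while the sample text lines are constructed and the trailing-zero heuristic is an assumption that will produce some false positives, which is why the output carries a kind label rather than a verdict.

```python
import re

# Plain SSN layout: 123-45-6789
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# North American phone layout: 123-456-7890, 123.456.7890, 123 456 7890
PHONE_RE = re.compile(r"\b(\d{3})[-.\s]?(\d{3})[-.\s]?(\d{4})\b")


def is_plausible_ssn(digits9: str) -> bool:
    """Structural SSA rules only; this does not prove a number was issued."""
    if len(digits9) != 9 or not digits9.isdigit():
        return False
    area, group, serial = digits9[:3], digits9[3:5], digits9[5:]
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text: str) -> list:
    """Return (kind, matched_text) pairs for SSN-like data in a text record."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn("".join(m.groups())):
            hits.append(("ssn", m.group(0)))
    for m in PHONE_RE.finditer(text):
        digits = "".join(m.groups())
        # Assumed evasion heuristic from the comment: an SSN padded with a
        # trailing zero looks like a 10-digit phone number.
        if digits.endswith("0") and is_plausible_ssn(digits[:9]):
            hits.append(("disguised_ssn", m.group(0)))
    return hits


# Constructed sample records, not real customer data.
SAMPLE_RECORDS = [
    "Customer callback number: 123-456-7890",   # SSN 123-45-6789 plus a zero
    "Support line 612-555-0148",                # ordinary phone number
    "Application lists SSN 123-45-6789",        # plainly formatted SSN
    "Branch fax 666-123-4560",                  # area 666 is never issued
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(record, "->", find_sensitive(record))
```

Feeding the constructed records through the scanner flags the first as a disguised SSN, the third as a plain SSN, and leaves the ordinary phone number and the 666-area string alone.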
We have had some banks that realize they can do more than just educate their customers about identity theft. They are partnering with us to provide a tangible solution on their website to provide monitoring and restoration from all five types of identity theft, not just financial. They are also finding opportunities to provide identity theft lunch-and-learns for their business customers to help learn more about the Red Flag Rules and other federal laws.
From Linked-In:
Positive comments in the article.
However, most of the ideas mentioned are reactive – they come after the data/funds have been stolen. Fraud detection, fraud alerts, ID theft insurance and tools to restore standings are all reactive solutions. Once the data/funds have been stolen, confidence has been lost.
A lot more can be done. Banks can go a lot further and protect customers’ data from being stolen in the first place. Highly effective solutions are available that can substantially reduce the likelihood of data being stolen when it is input by end users, and significantly prevent phishing, key logging, screen capture attacks, pharming and MITM attacks.
From Linked-In:
Well, not to be negative, but until corporate America reshapes and the current wave of poor administrators, who are only interested in looking good during their term and have no care in the world about how the business will be in the future, gets resolved….
Not only banks, but almost every organization could be doing better.
As for marketing, I think that is often one under explored area. One must however advance with caution. Spreading the good news that you NOW have encrypted laptops for example, is a bad idea when your corporate policy is to not have files stored locally. This simply contradicts and encourages folks to keep tons of stuff on their laptops…
We can only make them better one at a time… if they are willing!
From Linked-In:
Yes I agree, funding is very often an issue in the banking sector nowadays. However, some organizations are coming up with creative solutions to funding this protection. Some AV companies offer free limited functionality to end users through their banks, in the hope of upgrading the customer later. At SentryBay our solutions can be tailored to protect a specific bank site, and we are examining ways of providing this to the bank’s customers at nominal charge to the bank, and then encouraging the end user to upgrade so that s/he can enjoy the protection for all internet activity. With the bank sharing in the upgrade revenue, it turns it into a revenue gathering exercise for the bank.
Jeannie,
After years of research into why online frauds happen, our team at Uniken, which includes Dr. Pat Shankar (Advisor to US DOD), has come out with a potentially safe solution – RMAP based mutual authentication. The real problem in today’s technologies is that our customers are asked to enter their credentials on an unauthenticated channel – only after they enter their credentials does a bank application allow them access. Bad guys use man in the middle and man in the browser attacks, apart from several others, to steal identity credentials.
We must build in mutual authentication. One way to do this is to mutually authenticate the bank and the customer, without transmitting the real identity of either side. Once this is done, we have a trusted connection between the two parties. RMAP is the only known technique, that I am aware of, which does simultaneous mutual authentication, and there is no change in the user behaviour.
Cheers!
Shaillender
I also found out about this article via one of the Linked In Security Groups.
There should be easier ways for customers to opt out of stuff THEY think is Risky.
I had a US Bank Account, moved out of town, tried to close some stuff … nope you have to come into the specific office of the bank near where I used to live. Something signed, notarized, do at some other bank won’t cut it.
Security Rating … customers don’t need to know details on what you are working on fixing or improving … but it would be nice to know that you get inspected by some outside cyber security auditor, at what time interval, what kind of rating you got, and how fast you fixed any minor problems.
We hear about ATMs at gas stations, convenience stores, shopping centers, all over creation, that some skimmer got inserted in, which stole people’s magnetic card info, pin #, other info, leading to counterfeit debit cards. Customers might like to know how often ATMs, with YOUR brand name on them, get cyber security inspected, to make sure no skimmer in there.
There was also a story about an ATM manufacturer in another nation that got broken into, and hardware modified. Crook goes to ATM, looks like he is inquiring about the balance in his account, but is really getting on receipt statements a list of all PIN#s & other info from people who had used this ATM since the last time this was downloaded. Because a Manchurian chip is in the ATM machine, inspections for skimmers don’t find any problems.
Customers would like to know what you are doing to protect us against this.
From Linked-In:
Even when banks use single-sided SSL, the connection remains untrusted, if only for the fact that, on the user side, the bank doesn’t know if the client’s machine is secure, and even when it is there might be a Man-in-the-Middle.
To get a trusted connection mutual authentication is required, but again would need to take place in such a way that it is Man-in-the-Middle proof. Preferably not just mutual authentication but also some acceptable level of assurance that the client machine is safe.
Implementing such a solution will however impact the marketing side of things for the bank. I sat several times with banks whose marketing department wants online banking any time anywhere, but the security officer wants proper restrictions.
Some banks already solved this problem, by making their customers aware that banking anytime anywhere is not really feasible security-wise. So their customers can, at an acceptable risk, see their account details and sometimes perform minor transactions anytime anywhere, but larger transactions can only be done from machines which run client-side banking software.
The client banking software allows for verifying the user’s computer on availability of updated anti-malware, verification of the connection to the bank server, verifying the bank server SSL certificate, and authenticating the user (PIN, OTP, biometrics and/or user hardware fingerprint).
To protect against identity theft, some banks have chosen to keep a record of their customers’ computer fingerprints. So even when the customer loses his authentication details, any login attempt will fail due to the fact that it comes from unknown user hardware (not IP or MAC-address based).
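The tiered policy the commenter describes (view from anywhere, small transfers with PIN and OTP, large transfers only from an enrolled machine, plus a check of the bank server’s certificate) can be expressed as a single authorization decision. What follows is an added example written for this page, not code from the commenter or from any bank’s client software. The HOTP/TOTP routine follows RFC 4226/6238 and uses the RFC 4226 test secret; the customer record, the device attributes hashed into the fingerprint, the 1000 transfer threshold and the pinned certificate bytes are all constructed assumptions, and a real deployment would add rate limiting, replay protection of used OTPs and a server-side session binding that this sketch omits.

```python
import hashlib
import hmac
import struct

# ---- Constructed sample data (not real customers, secrets or hardware) ----
CREDENTIALS = {
    "alice": {"pin": "4821", "otp_secret": b"12345678901234567890"},  # RFC 4226 test secret
}
LARGE_TRANSFER = 1000  # assumed threshold above which an enrolled device is required


def device_fingerprint(attrs: dict) -> str:
    """Hash of stable client attributes (which attributes to use is an assumption).
    The value never depends on IP or MAC address, matching the comment."""
    canonical = ";".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


ENROLLED_DEVICE = {"os": "Windows 7", "cpu_id": "BFEBFBFF000206A7",
                   "disk_serial": "WD-WCC4E1234567"}          # constructed
KNOWN_DEVICES = {"alice": {device_fingerprint(ENROLLED_DEVICE)}}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step, digits)


def otp_valid(secret: bytes, otp: str, now: int, step: int = 30) -> bool:
    # Accept the current and the previous time step to tolerate small clock drift.
    return any(hmac.compare_digest(totp(secret, now - k * step, step), otp)
               for k in (0, 1))


def server_cert_pinned(cert_der: bytes, pinned_sha256_hex: str) -> bool:
    """Client-side check of the bank server certificate against a pinned hash."""
    return hmac.compare_digest(hashlib.sha256(cert_der).hexdigest(), pinned_sha256_hex)


def authorize(user: str, pin: str, otp, device_attrs: dict,
              action: str, amount: int, now: int):
    """Return (allowed, reason) for a banking action under the tiered policy."""
    cred = CREDENTIALS.get(user)
    if cred is None or not hmac.compare_digest(cred["pin"], pin):
        return False, "bad credentials"
    if action == "view":
        return True, "view allowed from any device"
    if action != "transfer":
        return False, "unknown action"
    if otp is None or not otp_valid(cred["otp_secret"], otp, now):
        return False, "valid OTP required for transfers"
    if amount >= LARGE_TRANSFER:
        if device_fingerprint(device_attrs) not in KNOWN_DEVICES.get(user, set()):
            # Right PIN and OTP are not enough: unknown hardware blocks the transfer.
            return False, "large transfer requires an enrolled device"
        return True, "large transfer allowed from enrolled device"
    return True, "small transfer allowed"


if __name__ == "__main__":
    now = 59  # RFC 6238 reference instant: counter 1
    code = totp(CREDENTIALS["alice"]["otp_secret"], now)
    cafe = {"os": "Windows XP", "cpu_id": "unknown", "disk_serial": "unknown"}
    print(authorize("alice", "4821", None, cafe, "view", 0, now))
    print(authorize("alice", "4821", code, cafe, "transfer", 50, now))
    print(authorize("alice", "4821", code, cafe, "transfer", 5000, now))
    print(authorize("alice", "4821", code, ENROLLED_DEVICE, "transfer", 5000, now))
```

The point the commenter makes is visible in the third and fourth calls: identical, correct credentials are refused for a large transfer from an unknown machine and accepted from the enrolled one, so a stolen PIN and OTP alone are not sufficient for the high-risk action.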