March 17, 2010
I just returned from the Digital Insight National Client Conference in San Antonio. I was invited to speak on social media for banking, and I also took some time to attend several of the sessions. One of the sessions I attended was a panel discussion with a group of four commercial businesses. These middle-market firms discussed various cash management and online banking issues and described how they run their businesses. Eventually the discussion turned to security, and the moderator asked the firms about their security best practices. Each firm described its setup, and one of the businesses described a fraudulent incident in which a keystroke logger was installed on a computer used for online banking. Three out of the four panelists were unaware of the rash of business online banking fraud that has hit the market (see my blog entries on this here and here). I asked the panel if their financial institution had contacted them recently to make them aware of some of the risks, or if their financial institution had implemented new policies or solutions that they would be required to adopt. The answer from all four businesses – a flat-out no. Their banks had not contacted them recently about anything related to security.

Needless to say, I was not entirely surprised, but I was frustrated by the situation. Business banking is very much about relationships. Banks should be investing in these relationships and at the very least should be providing educational tools and support to their customers. Given what is going on in the market, security education isn’t an option but a strict requirement. Even with the various warnings and advisories that have come out, it appears that banks aren’t doing enough to proactively educate their customers. There is a lot at stake, and just this week several agencies have issued an ACH and wire fraud advisory. I agree with most of the points of the advisory.

However, there is nothing mentioned regarding security education in the section called “Actions for Financial Institutions.” Additionally, the recommended best practice for businesses is to use a dedicated computer for online banking. This is completely unrealistic and counterproductive. Before you know it we will all need a separate computer to log in to Facebook and another to send email – you get the picture. This scare tactic also has the potential to reduce business online banking adoption. Proactive and ongoing security education and smart practices (e.g. setting dual approval and limits), coupled with multiple layers of security solutions, can solve a good chunk of this problem.
March 10, 2010
Last Friday I got a call from the fraud department of my credit card company asking me about several transactions. None of them were made by me, and I declared them to be fraudulent. We went through the usual motions – card cancelled, new card to be sent in the mail, I am not responsible for the fraudulent transactions. I didn’t think much of it all, but I did wonder where the fraud originated, since this is a card that I rarely use. Yesterday I saw a tweet from @Monoprice talking about an investigation they were conducting due to customer complaints about credit card fraud. Interestingly enough, I had made a couple of recent transactions at Monoprice (I am a total gadget guy, and this is the best place to get HDMI cables) and started to wonder if this could be the source of the fraud on this occasionally used card.

What interested me about this situation was how the web was being used for status updates and how this can make or break the reputation of a business. When I got the call from the credit card fraud department, I had no idea where the fraud originated. I happen to follow Monoprice on Twitter and noticed the update. They have a large following on Facebook as well and decided to use these sites to keep their customers informed. Should Monoprice have contacted me directly to inform me that I may have fraudulent transactions on my account, or relied on mass communication channels like Twitter and Facebook? Or should the fraud departments of the credit card companies be taking care of customer communication? My take is that it’s good business for merchants to use channels like Facebook and Twitter to communicate with the public. I am also very thankful that the credit card fraud department picked this up. At this point, Monoprice has yet to confirm that there was a breach of some sort. In fact, their preliminary investigation shows that no credit card information has been stolen from them (see the message on Monoprice.com).

The fact is, however, that exposing the possibility of a breach to the public yielded a slew of people who experienced credit card fraud after shopping at Monoprice (see the posts on Facebook). This is likely not a coincidence. It will be interesting to see how this plays out and whether the public will ever find out if an actual breach took place. However, now that all the dirty laundry is out hanging on Facebook, it will be hard for this merchant to balance the merits of the social web with the damage to its reputation.
October 21, 2009
I recently blogged about why Businesses Require Better Protection Online. The write-up was based on a warning from the FDIC that was aimed at businesses that bank online. Last week, a firm called Genlabs Corp. had $437,000 fly out of its account. Username, password, and token were compromised as fraudsters gained access to the account. Yesterday evening, Brian Krebs from the Washington Post blogged about the story and provided some additional updates. It turns out a Genlabs computer became infected with a trojan horse that “allowed the attackers to re-write the bank’s login screen as displayed on the employee’s computer, so that the credentials were intercepted before they could be sent on to the bank’s actual Web site.” A forensics expert who examined the computer determined that standard Windows-based scanning tools were unable to detect the infection. This raises some interesting questions about who is responsible for this mishap. The fraudsters are obviously the criminals, but catching them and recovering the funds is another story. In the meantime, who is responsible for the loss of funds?
- If Genlabs had software protection (that did not spot the infection) should they be held responsible? Would it matter if their software was up-to-date?
- Should the anti-virus/malware software company be responsible if their tool was unable to detect the infection, but a competing software tool could (hypothetical)?
- Should the bank be held responsible since their online security had been compromised?
It’s an interesting discussion topic, and I invite you all to express your thoughts.
March 11, 2009
Tough times bring about some pretty unfortunate acts. Disgruntled employees are a huge risk, as they can do quite a number on bank assets and customer information. There is no doubt that the number of internal fraud incidents we are hearing about these days is on the rise. It’s unfortunate but true. However, internal fraud is not a new challenge – it is a problem even in the best of times. We just don’t hear about it as often when times are good. Insider fraud accounts for approximately 60% of bank fraud cases where a data breach or theft of funds has occurred. That is a staggering figure. No bank is immune to the risks presented by disgruntled employees and professional criminals. There are, however, multiple steps that banks can take to better protect themselves and stay a step ahead of fraudsters.

Given how serious the consequences of fraud can be, banks have to be quite particular about the policies and procedures they put in place. The breadth and depth of fraud solutions are of the essence, as banks must protect both their physical and logical assets. In order to block and prevent potential internal fraud, banks should limit the use and display of social security numbers. They should also set policies regarding the use of personal digital storage (e.g. MP3 players, digital cameras, etc.) at the workplace, in addition to developing and adhering to a sound and timely notification process and requiring ongoing security awareness and training. I have spent a fair amount of time researching this subject and, as you may imagine, have heard some pretty wild stories about insider fraud at banks (confidential, of course). I invite you to read my report “Internal Fraud: Big Brother Needs New Glasses” if you would like to learn more about this subject and what banks can do to protect themselves.