Some Facts About Data Breach at Global Payments

Last Friday, the press began reporting about a major data breach at Global Payments, a large US card processor. As always in the early stages of such events, there were plenty of rumours and speculation with various sources reporting stolen card numbers to be as low as 50,000 or as high as 10 million. This morning, as I write this, Global Payments is holding a conference call to provide us all with more information. So, this is what we have directly from the company:
  • Up to 1.5m card records “may” have been affected;
  • The incident is contained to North America only;
  • Only Track 2 data has been taken (not Track 1 data and not customer name, address, etc.);
  • Visa removed Global Payments from a PCI compliance list;
  • The incident does not involve any merchants, ISOs or customers and occurred on some “local servers” at Global Payments;
  • Due to the ongoing federal investigation, the company can’t be specific about timelines, but did confirm that “about 3 weeks ago” it discovered that some card data “may have been taken” and immediately contacted federal law enforcement agencies and the schemes;
  • Customers are “encouraged to be vigilant”. Also, the company is setting up an information site for consumers which should be operational later today:
The trading of Global Payments shares was suspended on Friday, and the full impact on the company remains difficult to estimate at this stage. However, the executives on the call remained positive and stressed that the company:
  • Continues to process all card transactions, including Visa;
  • Is working with the schemes and other parties to address the situation; “~100 people are working on this”;
  • Intends to get its ROC (Record of Compliance) back “as soon as it is humanly possible”;
  • Will continue with its planned investments in other areas, but also will “spend even more on security” going forward;
  • Expects to come out stronger and more experienced as a result, and believes that their customers will recognise this.
Data breaches are unpleasant, dangerous and costly. They are also a fact of life. In our most recent payment trends report, we called out retail payments security as an important focus area for 2012. As the commerce environment gets more complex (online, offline, mobile, etc.) and as access points to payments proliferate, security issues are only getting more complex. What are your thoughts on how best to ensure payments security in the digital age?

Chase Website – Down Again

Just about one year ago, the Chase website suffered a major outage. Today, it is down again, this time with a revoked security certificate:


This is a major issue, as no bank wants its customers to be presented with the message, “you may be communicating with an attacker.” This is how the browser (Google Chrome) explains the message:

“When you connect to a secure website, the server hosting that site presents your browser with something called a “certificate” to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party trusted by your computer. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website that you intended and not a third party (such as an attacker on your network). In this case, the certificate presented to your browser has been revoked by its issuer. This usually means that the integrity of this certificate has been compromised and that the certificate should not be trusted. You absolutely should not proceed past this point.”

It’s unclear at this stage what exactly has caused the problem. This is a major concern to customers who use Chase online banking to pay bills and transfer funds. If Chase doesn’t resolve the issue shortly, it could cost them a pretty penny – they would have to reimburse late fees incurred by customers unable to access online bill pay.

The last time the site went down, Chase told customers that the site was down for “scheduled maintenance” when in fact it was revealed much later that the problem was a software error caused by a third party. Twitter was ablaze with irate customers wanting answers. It was a PR nightmare, one that hopefully will not happen this time around. Hopefully Chase will provide some information shortly and notify customers about what is going on.

UPDATE 1:10 pm: It appears the site is back up.

Hey FFIEC, Is This Really Guidance?

Last week the FFIEC issued the long awaited Supplement to Authentication in an Internet Banking Environment. I read through the 12 page report (it’s actually 8 pages with a 4 page appendix), and kept reminding myself that I should try to look at this in a cup half full manner. Yes, I can be a cup half empty kind of a guy; however, I must say that this document doesn’t say much that most banks don’t already know. The wording is vague, open to interpretation, and unclear. It’s a great read for someone who is new to the space and wants to get a high level overview of some of the challenges banks are facing. I know that banks are going to be placing a lot of energy into analyzing this document and making sure they can follow the so-called guidance. The first problem is the title – Supplement to AUTHENTICATION. Authentication was definitely a big deal back in 2005 when the first iteration of this document was released. At this stage of the game, it really doesn’t mean much. Sure, all banks should have it, and yes, they should pay attention to new solutions that can enhance authentication. Today, with current threats and attacks, authentication is about as useful as a security guard placed in front of a bank building. The guard can scare people off and provide the appearance of security. If criminals or terrorists want in, we all know that the guard is nothing more than a useless sentry. So sure, let’s keep on forcing customers to use the familiar image/phrase/challenge question routine for online banking. But let’s accept the fact that multifactor authentication, even using hard tokens, is pretty useless. The document keeps referring to layered security – that’s a good thing. But how long have we been hearing that for? Great that it’s down on paper given that it’s so critical. It’s the most important step a financial institution can take, but a lot more detail and guidance is required here.
There was quite a buzz regarding the fact that the document doesn’t discuss mobile banking security. That ties back to the vagueness of the document. Personally, that doesn’t bother me as much. The info in this doc has to be consumed with the understanding that consumers and businesses are using a range of electronic devices – PCs, mobile phones, tablets, etc. Yes, there are going to be security issues that are device category specific. It would have been nice to see things laid out a little more clearly, or at least recognition of this trend. On page 3, the document goes over high risk transactions. The overly structured section misses a key point – as features migrate out of the branch for cheaper self service alternatives (think consumer wire transfers online) the risks increase. Financial institutions need to plan for these changes now and understand that the online channel is already handling higher risk consumer transactions. In my opinion, the most important section of this document should have been customer awareness and education. It takes up approximately half a page. Banks do a very poor job of educating customers, and there are tons of examples to prove it. Since the consumer is the weakest link in the equation, this clearly requires a lot more attention. Can I be a curmudgeon? Absolutely. Is it warranted in this case (objectively speaking of course)? Without a doubt.

BAI Retail Delivery 2010 Roundup

The BAI Retail Delivery conference is just coming to a close, and I attended along with my colleagues in the Celent banking team. Attendance definitely appeared to be up over last year. The 2009 event was depressing from an attendance perspective, and I was happy to see the ramp up. The Las Vegas venue is certainly a draw, but based on conversations, there also seems to be more flexibility over last year with regards to travel budgets. With that said, the keynote sessions had tons of empty seats, indicating that either the “Vegas effect” is in play, and/or that there is still plenty of room for attendance to grow. I spent most of my time at the event in productive meetings with clients and prospects. I gathered a ton of information for research. A few key trends emerged from the conference, none of them all that surprising. They do, however, point to what folks are thinking about and prioritizing for 2011.
  • Alternative revenue sources. There is lots of scrambling going on given regulatory shifts and the need to grow revenues in the retail banking sector. Many of my discussions were about how banks can grow using the online and mobile channels. There were lots of questions regarding merchant funded rewards and how they can be integrated into online banking using vendors like Cardlytics or BillShrink.
  • Analytics. This is a subject that everyone always seems to be talking about but isn’t doing all that much with. Banks are sitting on tons of data, sitting being the key word. A number of discussions centered around how to leverage this data to build more complete customer views and cross-sell other products.
  • Online banking platform upgrades and PFM. This is now trickling down to the retail front, following a ton of activity in the corporate banking space. Banks are realizing that their online banking offerings are stale, and don’t provide the experience that customers are looking for. This will be a slow moving boat, but the exploration phase has certainly started. Much of this is being fueled by interest in PFM and the desire to integrate it with online banking.
  • Mobile initiatives. Mobile is still a raging topic and was the focus of many discussions. A few key questions came up. Are mobile devices replacing the PC? What role do tablets play? Both these questions were also tied to the biggest dilemma – should I prioritize investment in the mobile channel, online channel, or both? My colleague Red Gillen will address these questions in more detail in a blog entry next week.

A couple of things surprised me:

  • Lack of emphasis on social media. This has been a huge topic lately, and I found that the conference had little emphasis on this. Yes, the founder of Twitter was a keynote speaker, and there were other sessions on this topic, but I didn’t find that banks at the event had that many questions here. Many banks are still clueless when it comes to social media. I actually had one banker tell me that he doesn’t believe that social media will affect his customers. There is obviously a lot of learning for banks to do here in order to grow into the shifts that have already taken place in the online world.
  • Limited concerns and discussions about online banking security and threats. All kinds of fraud have hit the business banking sector this past year. There is a lot that banks can learn from this, and additional safeguards need to be put into place for consumers.

For some further reading, Jim Bruene at NetBanker has compiled his Best of BAI Retail Delivery 2010.

I welcome all comments and thoughts. I also encourage those of you who were in attendance to share your experiences.

Business Online Banking Risks – Banks Need to Proactively Educate Customers

I just returned from the Digital Insight National Client Conference in San Antonio. I was invited to speak on social media for banking, and I also took some time to attend several of the sessions. One of the sessions I attended was a panel discussion with a group of four commercial businesses. These middle market firms discussed various cash management and online banking issues and described how they run their businesses. Eventually the discussion turned to security and the moderator asked the firms about their security best practices. Each firm described their setup and one of the businesses described a fraudulent incident where a keystroke logger was installed on a computer used for online banking. Three out of the four panelists were unaware of the rash of business online banking fraud that has hit the market (see my blog entries on this here and here). I asked the panel if their financial institution had contacted them recently to make them aware of some of the risks, or if their financial institution had implemented new policies or solutions that they would be required to adopt. The answer of all four businesses – a flat out no. Their banks had not contacted them recently about anything related to security. Needless to say I was not entirely surprised, but I was frustrated by the situation. Business banking is very much about relationships. Banks should be investing in these relationships and at the very least should be providing educational tools and support to their customers. Given what is going on in the market, security education isn’t an option but a strict requirement. Even with the various warnings and advisories that have come out it appears that banks aren’t doing enough to proactively educate their customers. There is a lot at stake and just this week several agencies have issued an ACH and wire fraud advisory. I agree with most of the points of the advisory. 
However, there is nothing mentioned regarding security education in the section called “Actions for Financial Institutions.” Additionally, the recommended best practice for businesses is to use a dedicated computer for online banking. This is completely unrealistic and counterproductive. Before you know it we will all need to have separate computers to log in to Facebook, another to send email – you get the picture. This scare tactic also has the potential to reduce business online banking adoption. Proactive and ongoing security education and smart practices (e.g. setting dual approval, limits), coupled with multiple layers of security solutions, can solve a good chunk of this problem.

Business Swindled Online – Who is to Blame?

I recently blogged about why Businesses Require Better Protection Online. The writeup was based on a warning from the FDIC that was aimed at businesses who bank online. Last week, a firm called Genlabs Corp. had $437,000 fly out of their account. Username, password, and token were compromised as fraudsters gained access to the account. Yesterday evening, Brian Krebs from the Washington Post blogged about the story and provided some additional updates. Turns out a Genlabs computer became infected with a trojan horse that, “allowed the attackers to re-write the bank’s login screen as displayed on the employee’s computer, so that the credentials were intercepted before they could be sent on to the bank’s actual Web site.” A forensics expert who examined the computer determined that standard Windows-based scanning tools were unable to detect the infection. This raises some interesting questions about who is responsible for this mishap. The fraudsters are obviously the criminals, but catching them and recovering the funds is another story. In the meantime, who is responsible for the loss of funds?
  • If Genlabs had software protection (that did not spot the infection) should they be held responsible? Would it matter if their software was up-to-date?
  • Should the anti-virus/malware software company be responsible if their tool was unable to detect the infection, but a competing software tool could (hypothetical)?
  • Should the bank be held responsible since their online security had been compromised?

It’s an interesting discussion topic, and I invite you all to express your thoughts.

Businesses Require Better Protection Online

Banks have taken many steps to protect customers online. Multifactor authentication (MFA), policies for online banking, and consumer education are among the sentries in place. The FDIC, however, issued a warning last week specifically aimed at the business online banking / cash management space. The alert relates to financial institutions that provide payment services online, and indicates that over the past year there has been an increase in the number of reports and losses related to online EFTs. The alert specifically mentions, “malicious software, including trojan horse programs, key loggers, and other spoofing techniques, designed to circumvent online authentication methods.” This is of particular concern as more banks are attempting to increase usage of the online channel for payments. For example, Celent is seeing a trend towards banks offering small businesses the ability to send wires online. Even consumers in some instances are being offered the ability to send wires online (see the NetBanker blog, “Bank of America to Eliminate Wire Transfers from Branches, Moving Volume to Online Banking.”). In Celent’s opinion, small businesses and consumers are quite vulnerable since they do not have a corporate IT department that can update virus protection or teach them what to watch out for. Additionally, most small businesses have not been issued the appropriate MFA solutions required to send a wire or other payment online. Relying on the familiar image/phrase and/or challenge questions won’t cut it. I’m not saying that MFA is perfect – it too can be bypassed. However, Celent does believe in the use of tokens (hard or soft), or out of band authentication when dealing with high value payments. There are several steps banks should take:
  • Banks should implement a transaction monitoring solution (if they have not done so already)
  • Banks should adopt out of band authentication solutions (e.g. replace traditional token by sending a one-time password to a mobile phone via SMS)
  • Banks should consider offering mobile soft tokens (e.g. an application on an iPhone or Blackberry that provides a one-time password). For more details see the following Celent blog entry, “Move Over Token, My iPhone Can do The Trick”
  • Banks should revise certain policies and procedures (e.g. require a token, more frequent password resets)
  • Banks should emphasize new customer education tools (e.g. training videos / blogs / podcasts on online risks, importance of virus protection, etc.)
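The transaction monitoring and policy controls recommended above (and the dual approval and limits mentioned in the previous post) are easier to reason about in code than in prose. The following Python is an added illustration, not code from Celent, the FDIC advisory, or any bank: it screens a constructed batch of outgoing payments against a per-customer policy of a daily release limit, a dual approval threshold, and a list of previously used payee accounts. Every value (policy numbers, account ids, user names) is made up for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Payment:
    payment_id: str
    originator: str          # user who keyed the payment
    payee_account: str
    amount: float
    approvers: list = field(default_factory=list)  # users who approved it


@dataclass
class CustomerPolicy:
    daily_limit: float               # total that may be released per day
    dual_approval_threshold: float   # payments at or above this need a second user
    known_payees: set                # accounts this customer has paid before


def evaluate_payment(p: Payment, policy: CustomerPolicy, released_today: float):
    """Return ("release" | "hold", reasons) for one payment.

    released_today is the sum already released for this customer today; the
    caller advances it only when a payment is actually released."""
    reasons = []
    if p.amount + released_today > policy.daily_limit:
        reasons.append("daily limit exceeded")
    if p.payee_account not in policy.known_payees:
        # A first-ever payment to an unseen account is the classic indicator
        # of an account takeover, so it is held for out-of-band confirmation.
        reasons.append("new payee")
    if p.amount >= policy.dual_approval_threshold:
        # Dual approval only counts if the approver is a different user than
        # the originator; otherwise one compromised login satisfies both roles.
        if not any(a != p.originator for a in p.approvers):
            reasons.append("dual approval required")
    return ("hold" if reasons else "release", reasons)


def screen_batch(payments, policy: CustomerPolicy):
    """Screen payments in submission order, keeping a running released total."""
    released_today = 0.0
    decisions = {}
    for p in payments:
        decision, reasons = evaluate_payment(p, policy, released_today)
        if decision == "release":
            released_today += p.amount
        decisions[p.payment_id] = (decision, reasons)
    return decisions


# Constructed sample policy and payments for one hypothetical business customer.
SAMPLE_POLICY = CustomerPolicy(
    daily_limit=50_000.0,
    dual_approval_threshold=10_000.0,
    known_payees={"ACCT-100", "ACCT-200"},
)
SAMPLE_PAYMENTS = [
    Payment("P1", "alice", "ACCT-100", 5_000.0),
    Payment("P2", "alice", "ACCT-100", 25_000.0, approvers=["alice"]),  # self-approved
    Payment("P3", "alice", "ACCT-100", 25_000.0, approvers=["bob"]),
    Payment("P4", "alice", "ACCT-999", 30_000.0, approvers=["bob"]),    # unseen payee
]


if __name__ == "__main__":
    for pid, (decision, reasons) in screen_batch(SAMPLE_PAYMENTS, SAMPLE_POLICY).items():
        print(pid, decision, ", ".join(reasons))
```

In the sample run P1 and P3 are released, P2 is held because the only approver is the originator, and P4 is held both for breaching the daily limit and for going to a payee the customer has never paid. A real deployment would add velocity and device checks and route holds to an out-of-band confirmation step rather than simply rejecting them.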

Move Over Token! My Phone Can do The Trick.

Banks have been issuing tokens to their business and corporate customers for some time. These multifactor authentication devices typically generate a one-time password that the user is required to provide upon login or to confirm a specific activity (e.g. the release of a wire transfer). Customers with multiple banking relationships end up lugging around a bunch of different tokens. They are easily misplaced, and the cost of these devices can also add up quickly (whether they are being paid for by the bank or the customer). Is there an alternative to the good old token? The mobile phone could be a great alternative in the form of out of band authentication (typically a text message sent to the phone containing the one-time password) or a one-time password generating application that resides on the phone. Out of band authentication hasn’t caught on too quickly in the North American marketplace, but Celent predicts that adoption will gather speed as business users rely more on their mobile devices. The password generating application holds a lot of promise as well. Yesterday, Verisign announced the availability of a one-time password generating iPhone application (dubbed VIP Access) that would be a great alternative to a token. The app will be available for other devices as well (Blackberry, etc.). It can currently be used on select consumer sites (PayPal, EBay, AOL, etc.) and a handful of Australian credit unions (click here for list of supported sites). It will be interesting to see which US bank is the first to use this app for online banking MFA. I doubt US banks will be too keen on integrating this into consumer online banking as the bother factor is too high. Consumers are finicky and can get thrown off by too much technical change and interruption. It’s a great small business banking idea however and could have ramifications in the corporate space, particularly if it’s available for Blackberry models.
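To make concrete what a phone-resident one-time password generator and the bank-side check actually compute (this post and the soft token recommendation in the previous one), here is an added Python example. It is not VeriSign's VIP Access code or any bank's implementation; it implements the open HOTP algorithm (RFC 4226) that such apps are built on, plus the time-based TOTP variant (RFC 6238) that replaces the counter with a 30-second time step. The secret is the RFC 4226 test vector secret, and the `OtpVerifier` class, its look-ahead window size and the user handling are assumptions of the example, not a standard.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 Appendix D test key (ASCII "12345678901234567890").
# A real deployment provisions a random per-user secret at enrolment and never reuses it.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Bank-side state for one user's counter-based token (assumed design, not a standard).

    A code is accepted only if its counter is strictly greater than the last one
    accepted, so a code captured by a keystroke logger cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.last_counter = -1
        self.look_ahead = look_ahead  # how far the phone may run ahead of the server

    def verify(self, submitted: str) -> bool:
        # The phone may have generated codes the user never submitted, so search a
        # small window ahead of the last accepted counter and resynchronise on a hit.
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c  # every earlier code is now burned
                return True
        return False


if __name__ == "__main__":
    # Phone side: generate codes for counters 0..3; bank side: verify them.
    phone_codes = [hotp(DEMO_SECRET, c) for c in range(4)]
    bank = OtpVerifier(DEMO_SECRET)
    print("first code accepted:", bank.verify(phone_codes[0]))
    print("same code replayed:", bank.verify(phone_codes[0]))
    print("skipped ahead to counter 2:", bank.verify(phone_codes[2]))
    print("stale counter 1 after resync:", bank.verify(phone_codes[1]))
```

The replay and resynchronisation behaviour is the part that matters for the fraud scenarios discussed on this blog: a stolen static password works forever, while a stolen one-time code is worthless once the legitimate user has submitted it or any later code. Note that a malware-rewritten login page that relays the code to the bank in real time still defeats both hard and soft tokens, which is why the earlier post pairs them with transaction monitoring and out-of-band confirmation.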

Do Tough Times = A Rise in Employee Fraud?

Tough times bring about some pretty unfortunate acts. Disgruntled employees are a huge risk as they can do quite a number on bank assets and customer information. There is no doubt that the number of internal fraud incidents we are hearing about these days is on the rise. It’s unfortunate but true. However, internal fraud is not a new challenge – it is a problem even in the best of times. We just don’t hear about it as often when times are good. Insider fraud accounts for approximately 60% of bank fraud cases where a data breach or theft of funds has occurred. That is a staggering figure. No bank is immune to the risks presented by disgruntled employees and professional criminals. There are, however, multiple steps that banks can take to better protect themselves and stay a step ahead of fraudsters. Given how serious the consequences of fraud can be, banks have to be quite particular about the policies and procedures they put in place. The breadth and depth of fraud solutions are of the essence, as banks must protect their physical and logical assets. In order to block and prevent potential internal fraud, banks should limit the use and display of social security numbers. They should also set policies regarding the use of personal digital storage (e.g. MP3 players, digital cameras, etc.) at the workplace, in addition to developing and adhering to a sound and timely notification process, and requiring ongoing security awareness and training. I have spent a fair amount of time researching this subject, and as you may imagine, have heard some pretty wild stories about insider fraud at banks (confidential of course). I invite you to read my report “Internal Fraud: Big Brother Needs New Glasses” if you would like to learn more about this subject and what banks can do to protect themselves.