Archive for the ‘Security’ Category

Making Mobile More Secure

Security concerns about mobile banking have apparently been part of the reason for the slowing of growth in the channel. Fortunately, some very smart people are working on solutions that will help ease those fears.

Apple will be releasing facial recognition technology in their iOS 5 update.  This means that mobile banking apps for Apple products will be able to implement a new layer of security.  I can imagine that developers will jump all over this feature.  One can only hope that vendors will be aggressive with implementing this also.

You can read more about the update over on ReadWriteWeb.

Security Questions Are The Devil

Sign up for your bank or credit union’s online banking and you’ll most likely be asked to select some security questions and answers. This is one of the safeguards used to cut down on fraudulent access to customer accounts. This is also the security feature that I hate the most.

Well, let me amend that.  I hate the current, typical implementation of security questions.  The problem is, all the questions are easy to figure out if you know the targeted customer.  Lately, what I’ve seen is instead of selecting from ten questions, you now have twenty to choose from.  All this means is someone I met after I finished college may not know the answers, but a childhood friend might.

There have already been plenty of high-profile examples of celebrity online accounts being hacked through security questions. The generic choices given aren’t that hard to figure out. A quick search on Facebook (which uses security questions in typical fashion) will answer a majority of them. All you have to do is dig through a person’s wall posts and their profile.

A simple solution to all this is to let the user come up with their own questions.  There could even be a list of generic questions to use as a guide.  But it’s a lot better if the user types “What is your favorite cartoon episode” instead of selecting “What was your high school’s mascot”.

Help Us Help You

February 1, 2010 1 comment

Lately I’ve seen quite a few articles about small businesses being targeted through online banking. Small businesses are facing the same challenges that their banks and credit unions are: they aren’t able to have staff dedicated to watching this threat. What’s being reported, however, is that each side is casting blame.

Now, working for a bank, I can understand their point of view. Being a customer, I can also see the businesses’ point of view. From the bank side, if they are offering as secure a website as possible, they’re doing their part. This does include using SSL and having security features such as multi-factor authentication, IP address logging and secure tokens.

Businesses also need to do their part.  Some experts have suggested that businesses use only one specific computer for online banking to help minimize their risk.  I think it’s deeper than that.  Small businesses need to start making computer security a higher priority.  I understand that they may not have an IT person on staff.  I also understand that bringing in a consultant can be expensive.  But it only takes one hour of their time to Google information about firewalls, anti-virus software and spam blockers.

If you are going to trust your financial institution to handle your money for you online, you also need to accept your part in the relationship. Here in 2010, anyone using a computer should have heard that computer viruses are a bad thing. Taking simple precautions, such as having up-to-date anti-virus software and using a firewall, is a must. Also, checking your accounts daily can help discover theft quickly. Remember, banks may not have the staff and/or systems in place. But a company should check their accounts more than twice a month, when paychecks are sent.

When both parties in the relationship fail to hold up their part, you end up with a situation like a bank suing their customer over cybertheft. In this particular situation, the bank was said to have weak authentication measures. However, as the theft happened over a two or three day period, that means no one at the business checked the accounts daily.

If there were alerts set up, they may not have been triggered. I did test drive commercial online banking at PlainsCapital and must admit that the alert offerings are pretty lacking. For instance, there is no way for a business to easily set up a daily balance alert. But this is the online banking vendor’s fault, not PlainsCapital’s.

To keep situations like this from happening in the future, here are some things that banks can do:

  1. When adding users, the requests should only come from designated points of contact.  No “employee” should be able to just ask for access to online banking.
  2. When users are added or changed, or passwords are changed, an email should be sent to the company administrators.
  3. Either the company administrators should set user access and privileges, or the bank should set them according to the administrators’ instructions.

For the businesses:

  1. Make sure all firewall, spam blocker and anti-virus software is up to date.
  2. Make sure anyone with access to online banking understands the basics of recognizing spam and understands that they, of all people, should not just click on links that “friends” send to them.
  3. If your bank/credit union offers alerts, set them as a safety precaution.
  4. If the password you use is on this list, CHANGE IT IMMEDIATELY

Photo by AhhYeah

Categories: Online Banking, Security

Pay Now Or Pay Later

September 6, 2009 Leave a comment


A court has allowed a suit to be brought against a bank for lax security with their online banking. I guess one could say it was only a matter of time. As financial institutions keep encouraging their customers to use electronic channels, security has to be a top priority. There have been more than enough security breaches in the credit card industry to serve as a warning. Software glitches, such as the one suffered by Rudder, haven’t helped either.

Customers want to feel that their money is safe, which is a primary reason that people use banks. With online banking, bill pay and PFM usage growing, lax security is not something the financial industry needs. In some cases I’ve read, lower levels of security seem to be a choice because of the associated costs. Everything sounds expensive until you have that first major breach.

With Citizens Financial, I don’t know whether their online banking vendor didn’t have a more secure option, or they chose not to add a more secure service. If they chose a less secure option because of cost, I bet that choice looks a lot less expensive now. If their vendor didn’t offer a more secure option, I imagine that will come to light very quickly.

Hopefully, FIs have come to the conclusion that security is just included in the cost of doing business. If they decide to roll the dice and take a chance, the odds are some hacker will find out about it. This is even more so for smaller FIs because they don’t have the resources.

With mobile payments on the horizon, security is something that can’t be skimped on.  A little more customer confidence in the industry wouldn’t hurt either.

Picture from The Lockhorns

Protecting your PIN

April 10, 2008 4 comments

The Copenhagen Post reports that four business students won an international competition for their invention, which protects the use of PINs on ATMs. The girls, students at Arhus Business College, got the inspiration for the idea after hearing about an elderly woman whose account was cleaned out when a thief gained access to her PIN.

Their invention uses a graphically innovative screen that changes the positions of the numbers between 1 and 9 after each number is pressed. This way, a “nosy” person can’t determine your PIN just by looking at your finger positions. Also, the screen has a blur feature that obscures it when viewed from the side.

Personally, I know I’m wary of using my PIN in public because of curious onlookers. I hope they hurry up and get this much needed upgrade in the States. It would be nice if all ten numbers were randomized though.
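The re-scrambling keypad described above, sketched as an added example (this is not the students' implementation). It assumes a ten-key pad on which "0" stays on a fixed key when only 1 to 9 move; `ScrambledPinPad`, `observe_entry` and the sample PINs are illustrative names and constructed values.

```python
import secrets

def new_layout(scramble_zero=False):
    """Return 10 key labels; list index = physical key position on the screen."""
    movable = list("0123456789" if scramble_zero else "123456789")
    for i in range(len(movable) - 1, 0, -1):   # Fisher-Yates with the OS CSPRNG
        j = secrets.randbelow(i + 1)
        movable[i], movable[j] = movable[j], movable[i]
    # Assumption: when only 1-9 move, "0" stays on the last key (position 9).
    return movable if scramble_zero else movable + ["0"]

class ScrambledPinPad:
    def __init__(self, scramble_zero=False):
        self.scramble_zero = scramble_zero
        self.layout = new_layout(scramble_zero)
        self._digits = []

    def press(self, position):
        """Record the digit under the touched key, then reshuffle the screen."""
        if not 0 <= position < len(self.layout):
            raise ValueError("touch outside the keypad")
        self._digits.append(self.layout[position])
        self.layout = new_layout(self.scramble_zero)

    def entered_pin(self):
        return "".join(self._digits)

def observe_entry(pin, scramble_zero=False):
    """Simulate a customer typing `pin`; return (PIN the ATM got, positions an onlooker saw)."""
    pad = ScrambledPinPad(scramble_zero)
    seen = []
    for digit in pin:
        position = pad.layout.index(digit)   # customer reads the screen to find the key
        seen.append(position)
        pad.press(position)
    return pad.entered_pin(), seen

def distinct_position_traces(pin, trials=500, scramble_zero=False):
    """Count how many different finger-position sequences the same PIN produces."""
    return len({tuple(observe_entry(pin, scramble_zero)[1]) for _ in range(trials)})

if __name__ == "__main__":
    got, seen = observe_entry("4821")   # constructed sample PIN
    print("ATM received:", got, "| onlooker saw key positions:", seen)
    print("traces for 4821:", distinct_position_traces("4821"))
    print("traces for 0000, 1-9 scrambled:", distinct_position_traces("0000"))
    print("traces for 0000, all ten scrambled:",
          distinct_position_traces("0000", scramble_zero=True))
```

A PIN made of zeros always produces the same finger positions when only 1 to 9 are shuffled, which is the gap that randomizing all ten numbers closes.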

Categories: ATMs, Innovation, Security

What Keeps You Up At Night?

February 22, 2008 1 comment

CIO has posted the Nine Consumer Technologies CIOs Fear:

1. Portable Storage Devices
2. Consumer E-Mail
3. Instant Messaging
4. Social Networks
5. Smartphones
6. Remote Storage
7. Digital Cameras
8. Web-Based Productivity Applications
9. VoIP Clients

The article goes into more detail about each of the technologies. I was glad to see iPods mentioned in the portable storage devices part. As I’ve said before, those little things could carry all of your financial data in the palm of a hand.

Categories: CIO, iPods, Security

Your Customers’ Information In The Palm Of Your Hand

September 10, 2007 1 comment

People are pretty excited with the news from Apple about the new iPod Touch and the $100 refund for those that bought the iPhone. However, I haven’t seen that many people mention the updates to the classic iPods. In case you didn’t know, you can now buy an iPod that can store up to 160 GB. I’ll let that sink in for a moment…

Ok. Are any of you security-minded people worried? If my job involved data security, I’d be a little concerned. I’ve mentioned the dangers of portable music players before. Unfortunately, most security articles, such as here and here, mainly talk about USB drives. I did come across one that mentioned iPods as a risk. Like some of the people quoted in this particular article, I agree that blocking USB drives isn’t really practical. Informing your fellow employees of acceptable use is the direction I would go in. But hopefully, we won’t be reading about a lost iPod containing databases of customer information. Losing a laptop or backup tapes is bad enough.

Categories: iPods, Security

iPods Are USB Drives Too

July 16, 2007 1 comment

There is an article about the potential danger of USB drives in the July 2007 issue of Bank Systems & Technology. While they discuss the lack of security precautions that are taken by companies on this issue, I couldn’t help but notice that iPods and other MP3 players were not mentioned. Personally, I take my iPod to work every day and listen to music. I know there are other employees at my bank that bring in their iPods also. In case you didn’t know, the newer iPods can have up to 80 gigs of memory. I don’t know about your financial institution, but that is more than most of the drives on our servers. A typical USB thumb drive holds from 2 to 8 gigs of data.

I know of more employees at my bank that have iPods than those that have thumb drives. Granted, there are tools that can secure your computers from iPods, but this may cause an uproar. I know I don’t want to tell a VP that they can’t listen to their iPod through iTunes on their computer because of security issues. However, the security staff and upper management need to understand the potential risk that music players pose to their systems. Especially when that music player can take a few databases right out your front door.

Categories: iPods, Security