By Kevin Doyle, CISSP, CISA, CISM, ISSMP, Security Audit and Assessment Manager
A few years ago, I wrote an article for my employer’s web site when “phishing” was the latest threat in the banking world. The article was mainly about each party’s responsibilities and expectations. To me, the lines were pretty clear at the time.
Financial institutions were responsible for securing their online banking application and systems, for monitoring and responding to the social engineering attacks that threatened their users, and for educating users about their own responsibilities. The users (whether businesses or consumers) were responsible for securing their environment and monitoring for threats on their end.
But “lit” happens (as in litigation). The recent lawsuits and countersuits by financial institutions against their customers, and by customers against their financial institutions, have blurred those lines. To some degree, as in most litigation, both parties have legitimate points, and mistakes have been made on both sides. What follows are what seem to be the biggest ones.
1. Financial Institutions Burying Customer Security Responsibilities in the Agreements
Most online banking agreements state that the bank is responsible only for compromises within its own control (its database servers are hacked, its encryption keys are compromised, and so on). The same agreements usually state that the customer is responsible if the customer’s login credentials are compromised (whether because the customer disclosed them to an unauthorized party or because they were stolen by a virus, Trojan horse program, or other malicious code) and that compromise results in unauthorized transfers out of the account. Putting those terms only in boilerplate agreement language, however, is proving to be a point of contention between financial institutions and their customers. Financial institutions are heavily regulated and must have their security “ducks in a row”; many of their users do not fall under that kind of scrutiny. While every business should perform due diligence, managing risk and implementing controls is often a product (or a victim) of the budget and the economy. Unfortunately, in some of these cases the unauthorized transfers were economically devastating, especially to small and medium sized businesses. If financial institutions are not more diligent in telling users what their responsibilities are, the users can come back and say that they were never adequately informed.
2. Financial Institutions Not Investing Enough in Risk Management
The FFIEC guidelines require financial institutions to be diligent in assessing risks to the information that is critical to the institution. In several of these cases, better layered controls could have prevented the loss even though the institution had already been required to implement two-factor authentication. Attacks such as man-in-the-middle and social engineering can be stopped by institution-side controls such as out-of-band authentication, callbacks, geo-location checks, and token authentication.
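The following is an added example of how those controls combine on the bank’s side; it is not code from the author or from any bank’s system. It does two things the paragraph only names: it scores an outbound transfer against what the institution already knows about the customer (known payees, typical amounts, login geo-location, recognised devices) and escalates from a plain allow through token, out-of-band confirmation and finally a callback hold; and it shows why the out-of-band or token code must be bound to the payee and amount rather than be a bare login OTP, because a code that covers only the login is relayed unchanged by a man-in-the-middle or man-in-the-browser Trojan. Every threshold, field name, token seed and sample transfer is an assumption chosen for illustration.

```python
"""Layered controls for an outbound transfer: risk-based step-up plus a
transaction-bound confirmation code. Added example; not the author's or any
bank's code. All thresholds, names and sample data are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

ALLOW = "allow"
REQUIRE_TOKEN = "require_token"                   # one-time code from the customer's token
REQUIRE_OOB = "require_out_of_band_confirmation"  # code delivered by phone/SMS/app with the details
HOLD_FOR_CALLBACK = "hold_for_callback"           # bank staff phone the customer before release

HARD_OOB_LIMIT_CENTS = 1_000_000  # assumption: $10,000 and up always needs out-of-band confirmation


@dataclass(frozen=True)
class Transfer:
    payee_account: str
    amount_cents: int
    destination_country: str


@dataclass(frozen=True)
class Customer:
    home_countries: frozenset     # countries the customer normally logs in from / pays to
    known_payees: frozenset       # payee accounts previously confirmed by the customer
    typical_amount_cents: int     # e.g. the customer's median transfer over the last year


@dataclass(frozen=True)
class Session:
    auth_level: str    # "password" (credentials only) or "token" (OTP already presented)
    ip_country: str    # geo-location of the login address
    device_known: bool # device fingerprint seen on earlier logins


def risk_factors(customer, session, transfer):
    """Return the anomaly indicators a fraud reviewer would want listed."""
    factors = []
    if transfer.payee_account not in customer.known_payees:
        factors.append("new payee")
    if transfer.amount_cents > 3 * customer.typical_amount_cents:
        factors.append("amount exceeds 3x customer's typical transfer")
    if session.ip_country not in customer.home_countries:
        factors.append(f"login geo-located to {session.ip_country}")
    if transfer.destination_country not in customer.home_countries:
        factors.append("cross-border destination")
    if not session.device_known:
        factors.append("unrecognised device")
    return factors


def decide(customer, session, transfer):
    """Pick the cheapest control that still stops the attack the factors suggest."""
    factors = risk_factors(customer, session, transfer)
    if len(factors) >= 4:                      # looks like stolen credentials: talk to a human
        return HOLD_FOR_CALLBACK, factors
    if ("new payee" in factors or len(factors) >= 2
            or transfer.amount_cents >= HARD_OOB_LIMIT_CENTS):
        return REQUIRE_OOB, factors            # confirm the details on a second channel
    if factors and session.auth_level != "token":
        return REQUIRE_TOKEN, factors          # mildly odd and only a password so far
    return ALLOW, factors


def transaction_code(transfer, token_seed):
    """Six-digit code computed over the transfer details themselves (assumed scheme).

    The customer's token, or the out-of-band channel that displays payee and
    amount next to the code, derives this from what the customer intends to
    send; the bank recomputes it from what it actually received. Any change to
    the payee or amount in transit changes the code, so a relayed or
    man-in-the-browser-modified transfer fails verification."""
    canonical = f"{transfer.payee_account}|{transfer.amount_cents}|{transfer.destination_country}"
    digest = hmac.new(token_seed, canonical.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify_transaction_code(transfer_received, code_entered, token_seed):
    """Bank-side check against the transfer as the bank sees it, in constant time."""
    return hmac.compare_digest(transaction_code(transfer_received, token_seed), code_entered)


if __name__ == "__main__":
    # Constructed sample customer and sessions.
    acme = Customer(frozenset({"US"}), frozenset({"111-222"}), 250_000)
    routine = decide(acme, Session("token", "US", True), Transfer("111-222", 200_000, "US"))
    stolen = decide(acme, Session("password", "UA", False), Transfer("999-000", 4_800_000, "LV"))
    print("routine payment:", routine[0])
    print("stolen credentials, new foreign payee:", stolen[0], stolen[1])

    seed = b"per-customer token seed (assumed)"
    intended = Transfer("111-222", 200_000, "US")
    code = transaction_code(intended, seed)        # what the customer approves
    tampered = Transfer("999-000", 200_000, "US")  # Trojan swaps the payee after approval
    print("bank accepts intended:", verify_transaction_code(intended, code, seed))
    print("bank accepts tampered:", verify_transaction_code(tampered, code, seed))
```

The factor weights and the “four factors means a callback” rule are deliberately simple; a real engine would learn the customer’s baseline and weight factors differently. The part that matters for the man-in-the-middle case is `transaction_code`: the confirmation must cover the payee and amount, and the out-of-band message must show them, so that the customer is approving the transfer the bank received rather than the one the Trojan displayed.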
3. Customers Not Reading the User Agreements Adequately
Ouch! This is an error I am guilty of myself. I admit that I do not read every software end user license agreement that pops up on my computers, and I do not read everything that I sign, much to the chagrin of my spouse. However, even in our rush to activate the online service that makes our lives more convenient, the Internet carries inherent risks. There has been far too much publicity about fraud and identity theft incidents for a business to simply skim through an agreement and sign it. Ultimately, not knowing enough about a risk to your business, especially one as widely publicized as this, is a failure of stewardship.
4. Small to Medium Sized Businesses Are Accepting/Ignoring Way Too Much Risk
Small to medium sized business owners have been playing the lack-of-resources card for too long. You would have to have your head buried in the sand not to have at least heard about incidents such as TJ Maxx, Heartland, etc. Identity theft is consistently publicized, and protections against it are heavily advertised. A small marketing firm in New York recently declared bankruptcy because of losses from fraudulent wires: a Trojan horse program spoofed the bank’s web site and let criminals clean out the firm’s accounts with fraudulent wire transfers. Security is not cheap, but it can be justified, and it can be affordable for those who shop around. If you choose to ignore security risks, or if you performed a risk assessment and decided to accept the risks rather than implement simple controls such as awareness training for staff, keeping antivirus protection current, and applying security updates and patches, the results can be devastating.
5. Not Educating Enough
Finally, financial institutions started down the road of making security a market differentiator with some of the identity theft commercials and advertisements of a few years ago. By reaching out to their communities and showing that they care, financial institutions can demonstrate leadership on security for their communities and their users. Talk to your business customers about the controls that banks know they themselves must have: a dedicated computer for banking that is kept off the general office network; routers, firewalls, and physical and logical access controls to protect that computer; and so on. Every incident is also an opportunity to improve, and to apply some of the lessons learned to consumer online banking offerings as well.