Articles

Publication: The Colorado Banker, September/October 2011

One of the "hot topics" in financial institution security lately has been multifactor authentication. While the original guidance on the subject was published in 2005 as Authentication in an Internet Banking Environment, the landscape of online banking and software has changed greatly since then. To address the new risk and threat landscape, the Federal Financial Institutions Examination Council (FFIEC) released a supplement in June 2011. Examiners will begin formally assessing financial institutions under the supplemental guidance in January 2012.

What is Multi-Factor Authentication?

Existing authentication methodologies involve three basic "factors":

Publication: The Colorado Banker, March/April 2011

As the instantaneous success of Apple's iPad seems to confirm Steve Jobs' striking resemblance to King Midas, many banks have broached the subject of whether or not iPads could or should be introduced on their networks…and why not? Their user-friendly interface draws in even the most technologically fearful executive or Board member. Their size has found the perfect median between our current mobile devices – easier to transport than a laptop and easier to read email or browse the web on than a smartphone. There is also the environmental benefit, as pulling up documents or Board packets on an iPad saves the money and trees previously spent on printing. It can't hurt that the iPad's sleek and cutting-edge design will send the message that you too are avant-garde. But…let's be honest…the most compelling reason we want an iPad is the same reason we want most things: all the cool kids are getting one.

By: (CISA, CISSP, CRISC)
Publication: The Colorado Banker, January/February 2011

In the 1990s, we learned about the value of Internet real estate. Many banks, not foreseeing the significance of an Internet presence, did not register their domain names in time to secure an ideal one. The effects of this are still with us today. While it is debatable whether social networking sites such as Facebook or Twitter will have business value to banks, the popularity of these sites is growing at a much quicker rate than the Internet did a couple of decades ago, and social networking domains are being reserved at a staggering rate.

By: (CISA, CISSP, CRISC)
Publication: Western Independent Banker, November/December 2010

On January 26, 2010, six employees of a regional community bank received an email purporting to be about a recent wire transfer. Three of the email's recipients were suspicious of the message and reported it to their IT group. The bank's IT group verified that the email was a phishing attack and deleted it from the six employees' email accounts; however, one of the employees had already forwarded it to the bank's wire person.

The email included an attachment called "detailspdf.zip" containing a file called "detailspdf.scr." This file is a Trojan, malware used to download further files onto the attacked computer. The wire transfer employee tried to open the file (assuming it was legit since it was forwarded to her by a bank officer). Apparently, the Trojan then downloaded the additional programs the attacker needed to steal the username and password used to log in to the bank's wire transfer website. With the login information, the attacker attempted to transfer funds to accounts overseas. In this case, at least part of the attack was prevented by a requirement that different individuals initiate and approve all wire transfers. The attack appears to have originated from England.

By: (CISA, CISSP, CRISC)
Publication: Independent Community Bankers of America, October 2010

Almost half of Americans have a Facebook or MySpace account, and the number rises to three-quarters for those ages 18 to 34. Facebook boasts a staggering 400 million active users, with half of them logging on in any given day. Unique visitors to Twitter increased 1,382 percent from 475,000 unique visitors in February 2008 to 7 million in February 2009.

These statistics are staggering. It is no wonder that many marketing departments at community banks are creating business pages on various social networking sites. But what are the data security risks to community banks from these sites?

Publication: The Colorado Banker, July/August 2010

I trust your information security policies include a policy and procedures for the secure disposal of all sensitive information once any retention requirements are met. But there is a high probability that gigabytes of data have escaped your disposal plans and been wheeled out of the bank right under your nose. Before I divulge this mysterious data location, let's examine some important elements of a Data Destruction Policy.

Where Is My Confidential Data Located?

Presumably, your information security risk assessment includes a threat related to the improper disposal of customer or bank nonpublic information, both paper-based and electronic. To ensure you have adequately controlled this threat, you must first identify the location of all confidential information. However, this identification process has likely failed to identify and control one location of electronic nonpublic information. But I'm not ready to let that cat out of the bag yet.

By: (CISA, CISSP, CRISC)
Publication: Texas Banking, July 2010

Social networking sites like Facebook, MySpace, Twitter, and LinkedIn are a topic on everybody's lips today. Our kids communicate with them; our customers are on them; our employees request them. But how do they fit into my bank's strategic plan, and what are the risks associated with these sites? In this article, we will look at the security and technology concerns related to social networking sites.

Each year, McAfee Labs produces a Threat Predictions report listing the top threats they forecast for the coming year. This year, McAfee listed social networking threats as the top two in their report: "1.) Social networking sites such as Facebook will face more sophisticated threats as the number of users grows. 2.) The explosion of applications on Facebook and other services will be an ideal vector for cybercriminals, who will take advantage of friends trusting friends to click links they might otherwise treat cautiously."

Publication: The Colorado Banker, May/June 2010

With the explosion in new communication platforms, hackers are moving swiftly to capitalize in every way they can. While Facebook, MySpace, Twitter and other social networking and blogging sites used to be the domain of Generation Y, the trend is now for people of all ages to use these sites to keep in touch and spread information. The problem, however, is that you never know exactly what information is being spread and to whom.

For instance, consider the case of two employees of a large US financial firm that made news a few months ago. For simplicity's sake, we will call them Jack and Jill. Both had Facebook accounts, were Facebook friends, and sometimes communicated outside of work. Sounds like an innocent friendship, right? It was, until hackers were able to take control of Jack's Facebook account. The hackers then sent Jill a simple message: "Look at the pictures I took of us at the company picnic." Jill clicked on the link, expecting to see pictures from the picnic. Instead, she downloaded malicious software, allowing the hackers to take control of her company laptop. I'm sure you can see where this is headed: the attackers were then able to use her credentials to access the company's network. The breach went undetected for approximately two weeks.

Publication: The Colorado Banker, March/April 2010

According to Fast Company magazine, a laptop is stolen every 53 seconds. To put that into perspective, around three and a half laptops will have been stolen while you're reading this article. Only 3% of all stolen laptops are ever returned. If you're like the growing number of hyper-productive Americans today, you can see a great need for laptops and other mobile devices to have access to your network. Reports are revised in the passenger seat of the car; research is done while waiting for a plane; emails are read and written while waiting in line for food. It is easy to see the value in such things, but how do you balance the risk of allowing these devices to access your confidential and valuable information while also allowing them to leave the safety of your office? The cost of replacing a lost or stolen laptop or iPhone is minimal compared to the loss of information or potential unauthorized access to it. There are both technical and nontechnical solutions available to help you maintain security while still enjoying the benefits of mobile devices.

Publication: The Colorado Banker, January/February 2010

The first 30 minutes of the low-budget 1980s film When a Stranger Calls are possibly the scariest 30 minutes I experienced growing up. The movie begins with a girl showing up at a couple's house to babysit for the evening. After putting the kids to bed, she receives a call from someone saying, "Have you checked the children?" She thinks the caller might be her boyfriend trying to trick her, but soon realizes she should be scared. The man continually calls back, so she calls the police and asks them to monitor her phone. The next time he calls, she tries to keep him on the phone long enough for the police to trace the call, but eventually gets scared and hangs up. The scariest 10 seconds of the scariest 30 minutes of my life happen when the police immediately call her back and say, "Ma'am, the call is coming from inside the house."