Garland Group Blog

Archive for November, 2009

Security Buzz Words | Money Mules

The Community November 11th, 2009 3 Comments

An interesting article in Wired drew my attention to this post on the Internet Crime Complaint Center (IC3) website. Here’s the CliffsNotes version: bad people put malware consisting of remote control software and key loggers on a targeted business user’s computer. They gather IDs, passwords and other authentication data. The bad people then use the backdoor into the customer’s machine to initiate wire transfers and ACH transactions to (here’s that new buzz word) Money Mules, who have been duped into “work at home” schemes and are tasked with transferring the funds they receive to the offshore accounts of the aforementioned bad people.

Unfortunately we’ve seen this before. In fact, the only forms of fraud or security breaches we’ve seen have been this sort of activity, where the end user’s machine has been compromised and used to initiate wire transfer or ACH originations. Equally unfortunate, the recommendation from the IC3 and the guidance from federal and state regulators leave a huge gap that makes financial institutions and their customers vulnerable.

In the security biz we call that “residual risk”: the risk or danger of something occurring after mitigating steps are applied. Here the mitigating steps suggested are signature-based intrusion detection and anti-virus systems (IC3), and that financial institutions should implement “multi-factor authentication, layered security, or other controls reasonably calculated to mitigate those risks” (FFIEC). Those both sound great; the trouble is that 1) effective IDS is hard to implement and usually expensive, and 2) the multi-factor authentication mechanisms provided by online banking vendors are woefully lacking in any reasonable means to authenticate users.

I hear the rebuttal from financial institutions all the time: “customers hate it”, “we have challenge questions and certificates placed on the user’s machine”, “we have a picture the user chooses” and “we’re using everything that the vendor provides”. I’ll focus on the 2nd and 3rd first: neither of these options mitigates the vulnerabilities identified. Certificates, challenge questions and site identification pictures have been in place where this type of fraudulent activity has occurred. The bottom line is this: if an attacker has access to a user’s machine, those types of authentication measures are easily defeated.

The first and last comments we hear (customer acceptance and vendor-supplied options) come down to educating your customers, explaining that authentication measures are imposed for their protection, and to taking ownership of the risks presented by the offerings you present to customers.

So what’s the mitigation strategy that bridges the gap? Evaluating true second-factor authentication for high risk transactions. In every instance we’ve come across, the use of RSA-style tokens for authentication would have prevented the attacker from gaining access to the customer’s online banking accounts. Does your financial institution have business customers that initiate wires and ACH transactions from their workstations? Are you prepared to assume the risk of lost funds and the resources required to address such a breach? If you don’t offer true second-factor authentication for high risk clients, maybe it’s time to address that residual risk.
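To make the difference between the “captured on the keyboard” factors and a true one-time token concrete, here is an added example (not part of the original post) that implements RFC 4226 HOTP with a server-side counter and replays a set of keylogged credentials. The user name, password, challenge answer and token seed are constructed sample values; the replay shows why a static answer is reusable while a token code is burned on first use.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenVerifier:
    """Server side of an event-based token: accepts a small look-ahead window,
    then advances past the counter that was used so the same code cannot be replayed."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # burn this counter and any skipped ones
                return True
        return False

# Constructed sample "static" factors: everything here can be captured by a key logger.
STATIC_CREDS = {"password": "Pa55word!", "challenge_answer": "Fluffy"}

def static_login(password: str, challenge_answer: str) -> bool:
    """Password plus challenge question: a replay of the captured strings succeeds."""
    return (hmac.compare_digest(password, STATIC_CREDS["password"])
            and hmac.compare_digest(challenge_answer, STATIC_CREDS["challenge_answer"]))

def replay_scenario():
    """Returns (legit_login_ok, static_replay_ok, token_replay_ok)."""
    seed = b"12345678901234567890"          # RFC 4226 test-vector seed, constructed
    verifier = TokenVerifier(seed)
    # What a key logger sees during one legitimate login: password, answer, token code.
    captured = {"password": "Pa55word!", "answer": "Fluffy", "otp": hotp(seed, 0)}
    legit = static_login(captured["password"], captured["answer"]) and verifier.verify(captured["otp"])
    # Attacker replays the captured data later from the same compromised workstation.
    static_replay = static_login(captured["password"], captured["answer"])
    token_replay = verifier.verify(captured["otp"])
    return legit, static_replay, token_replay

if __name__ == "__main__":
    print(replay_scenario())   # (True, True, False)
```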

Compliance lessons from Kobe Bryant?

The Community November 9th, 2009 5 Comments


Despite my disdain for Kobe Bryant (it has nothing to do with him and everything to do with his team; sorry, I am not a Laker fan) I learned something about compliance from him this past week. Kobe is a great basketball player, an MVP with four championship rings, yet he is always looking to improve his game. Instead of becoming complacent with his rings and MVP title, this past summer he sought the help of another great, Hakeem Olajuwon, to help him with his game. Wow, what passion, humility and drive.

I immediately thought of the stamp of approval we get from regulatory auditors. Compliant! That’s our MVP title: FFIEC compliant, PCI compliant, HIPAA compliant. Unfortunately, as soon as the auditor leaves a new season starts and that title becomes obsolete. As a result, organizations must make security a priority and strive to be compliant not just during audit ‘season’, but every day. There is always a new threat, a new virus and a new scam. Let’s take a page from Kobe’s book and approach our security initiatives with passion, drive and diligence. Let’s not get complacent with ‘titles’ and check marks but use them to challenge us to keep our customer data safe. Let’s make security and compliance continuous.

Perhaps I don’t dislike Kobe as much after all... hmmm.

Facebook/Myspace: Being Social via Security Holes

Courtney November 9th, 2009 0 Comments


The short of this article is that allowing Flash applications in Facebook/Myspace raises security issues similar to those we see with running “Ajax” in browsers.

The long of the article is that an application is allowed to execute code within the Flash environment. Normally this behavior is confined to the local Flash environment, so the threat is limited. However, it has recently been discovered that there are ways to reach outside of that environment and access other domains. Aside from the obvious risk, there is the side effect that any attacks executed this way would appear to be perpetrated by the victim’s account rather than the attacker’s. Myspace and Facebook appear to be acting quickly to resolve the issue.

This brings into question once again the security versus productivity debate. You can prevent access to these sites and thereby sidestep the security risks. However, locking the sites down may result in losing talented individuals to other companies that do allow access to these sites. The only right answer is the answer your organization comes to after appropriate risk assessment.

Sponsored Post: What is OFM?

The Community November 5th, 2009 3 Comments


OFM (Online Financial Management) applications are the next step beyond PFM (personal financial management) programs. For community and mid-market banks and credit unions trying to compete with top-5 national institutions, offering an OFM application on their online banking site can be a huge differentiator. According to Digital Insight’s 2nd Annual Online Financial Management survey, 80% of consumers want to manage their own finances online with their financial institution, an increase from 68% in 2008.

At Digital Insight, we define OFM as applications that expand the PFM concept to also include programs for small business owners, such as invoicing, payroll, and preparation of legal forms. This is particularly attractive to the nearly 23 million US small businesses that have fewer than 5 employees and to the 41% of Americans who run a small business in addition to their main job.[1]

For consumers and small business owners, the key attractions of OFM include aggregation (the ability to manage all their finances and many of their business functions on one Web site with one login), greater control of their finances through planning and budget management features, and the security of using a site hosted by their financial institution.

In our research with our own OFM products, FinanceWorks™ and Small Business FinanceWorks™, we’ve seen nearly 80% of FinanceWorks users say the product has made them more likely to stay with their bank or credit union and recommend it to others. FinanceWorks users are 4x more profitable than the average customer, and they hold 30% more outstanding loans. So we view OFM offerings as delivering a significant competitive advantage, especially for mid-market financial institutions trying to compete with huge national firms.

We’re interested in the community’s thoughts on this subject and in what your experiences with OFM, if any, have been. For those that offer OFM products to their customers, what are the trends you’re seeing? What motivated you to offer these products? If you’re not offering OFM, are you considering it? If so, how is the evaluation process going? At the BAI Retail Delivery conference? Stop by booth #801 to learn more, or visit ofm.financeworks.com.

[1] Digital Insight February 10, 2009 Press Release