Garland Group Blog

Archive for March, 2010

Is Your Website Safe From Hackers?

Henry, March 31st, 2010


Attacks. There are many attacks out there, but one of them stands out because it has become very popular in the hacker community. Most hackers gain unauthorized access to websites and break into back-end databases through this attack: the SQL injection attack. It can happen when a sloppy web designer releases a webpage with an input text box without proper input parameter validation. An attacker can send and execute SQL commands through input text boxes and gain access to the back-end database. Online banking websites have many input text boxes, starting with sign-up, sign-in and customer comments, and continuing inside the account pages. There should be code behind all of these text boxes that validates the parameters to ensure the input text does not have any SQL commands or parameters embedded in it. I have seen so many log-in pages with userid and password boxes that are not validated for the proper parameters mentioned above. A bad guy can get unauthorized access and download the entire database. There is a lot of information out there about SQL injection attacks; you can learn about them and take precautions so as not to become a victim. The following are some of the precautions you could take:

  • Sanitize the input data. For example, if the text box is expecting a number, do not allow the user to enter text, and vice versa. Scan the input data in code to filter out any SQL commands and parameters.
  • Validate the data again before executing the back-end SQL query, to ensure there are no embedded commands in the SQL query variables.
  • Encrypt data such as userIds and passwords so a hacker cannot use them to gain access to the site and the back-end database.
  • Ensure that the account set up to execute queries against the back-end database is configured with least privilege. Not only this account: all user and application accounts should be based on least privilege.
  • Ensure all error messages are very generic and do not give the attacker any clues or unnecessary information that can be used to break into your website.

Protecting against these types of attacks is easy if you go into building the website with the right mindset. Let us know if we can help you understand these protections further.
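As an added example (not code from the original post), here is a minimal Python login check against a constructed in-memory SQLite user table, showing the string-built query the post warns about beside its parameterized replacement, a whitelist check for a numeric field, and a generic error message. A userid containing an apostrophe is enough to show that the unsafe query hands user input to the SQL parser, which is exactly what lets crafted input alter the statement.

```python
import hashlib
import re
import sqlite3

# Constructed stand-in for an online-banking user table (in-memory, so this runs offline).
# A real site would store a salted, slow password hash (bcrypt/argon2), not bare SHA-256.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
conn.execute("INSERT INTO users VALUES (?, ?)",
             ("alice", hashlib.sha256(b"s3cret").hexdigest()))
conn.commit()

GENERIC_ERROR = "Login failed"  # never echo SQL errors or schema details to the browser


def login_unsafe(userid: str, password: str):
    """Vulnerable form: values are spliced into the SQL text and parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = f"SELECT userid FROM users WHERE userid = '{userid}' AND pw_hash = '{pw_hash}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(userid: str, password: str):
    """Hardened form: placeholders bind the values, so quotes and keywords stay data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute("SELECT userid FROM users WHERE userid = ? AND pw_hash = ?",
                       (userid, pw_hash)).fetchone()
    return row[0] if row else None


def validate_account_number(raw: str) -> int:
    """Whitelist check for a numeric field: digits only, sane length, generic error."""
    if not re.fullmatch(r"[0-9]{1,12}", raw):
        raise ValueError(GENERIC_ERROR)
    return int(raw)


def demo():
    """An apostrophe in the userid breaks the unsafe query (it is parsed as SQL);
    the safe query simply finds no such account."""
    results = {"safe_ok": login_safe("alice", "s3cret"),
               "safe_wrong_pw": login_safe("alice", "nope"),
               "safe_quote": login_safe("o'brien", "x")}
    try:
        login_unsafe("o'brien", "x")
        results["unsafe_quote"] = "query ran"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error: input was parsed as SQL"
    return results
```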

RiskKey to showcase at FinovateSpring 2010

Brad, March 19th, 2010


We’re excited to announce that RiskKey is going to be showing its stuff on May 11th in San Francisco at the hottest financial technology conference of the year, FinovateSpring2010! We have 7 minutes to show off what’s great about RiskKey, and no PowerPoint slides are allowed. We’re humbled to have been selected and hope to put the next-generation compliance app on the map!

Here’s a press release of our announcement!

In Banks We Trust?

The Community, March 16th, 2010

Guardian Analytics in conjunction with Ponemon recently released their 2010 Business Banking Trust Study (details here).  I am intrigued that the headline touts that “banks have a new troubled asset – their customers.” Forgive me if I am wrong, but customers did not just become a “troubled asset”: not this year…not last year, nor the year before that. Customer churn has always been an issue directly associated with security and thus trust. Perhaps we can revise the statement to say that banks are now aware, or I dare say admitting that security extends beyond passing the GLBA or FFIEC audit. That would be a good place to start.

According to the study, “more than half of the respondents (55%) experienced a fraud attack in the last 12 months, 58% of which was enabled by online banking.” Another key finding was that “Banks are unnecessarily exposing themselves to risk and need to change their perceptions of ‘reasonable security.’” I completely agree with this. Reasonable security can be nothing short of daily assessing, monitoring and controlling risks and security compliance. Until security and compliance become continuous, embedded in our cultures, and a way of life, we will continue to see breach after breach. Hacking is a way of life; to counter it we need to ensure that we have security policies, strategies and initiatives in place to protect and secure our customer data, our reputation, our revenue, our bottom line, and our customer trust. And yes, in so doing, remain compliant. So we’ve acknowledged that customer trust is at an all-time low. Before this “troubled asset” is completely lost, let’s revamp our security initiatives and make Continuous Compliance a mantra in our Financial Institutions. The study is quite interesting and discusses some great opportunities for Financial Institutions.

5 Tips for Improving Customer Service

Brad, March 11th, 2010

Cleaning out some old files on my MacBook, I came across some customer service notes from my days @XYZ bank (XYZ = small/mid-size bank). These suggestions were submitted by Information Technology, Proof (Item Processing) and New Account users. I reduced the list to the most common ones we see in our daily interactions with banks.

5 Ideas for Improving Customer Service

1) Have bank staff available to greet customers as they come in the doors.
2) Communicate organizational values periodically to all bank staff as well as customers. A mission statement would also be helpful in this regard.
3) Educate employees on all Bank services offered.
4) Initiate telephone training for new employees and as needed for existing employees.
5) Hold department meetings regularly in order to give supervisors a chance to hear what customers are communicating to employees.

The 5 suggestions listed are a good base for improving customer relations and increasing the detection/prevention of social engineering attacks. They are good suggestions for small/mid-size banks that depend on customer service as their market niche.