Keeping up with the security arms race

Data breaching is big business. It is, as I wrote last week, something of an arms race. When we strengthen our armor, we don’t send the bad guys home in ignominious defeat; we send them off to upgrade their armor-piercing weaponry so they can return for another foray.

The financial fraud arms race is as old as currency itself, and there’s no reason to expect it ever to end. Last week, HEI Hotels became the latest large-scale victim, following in the footsteps of notables like MySpace, the Internal Revenue Service, The Home Depot, Target, Neiman Marcus, and others.

The above are not anomalies. If you’re in the mood for being alarmed, click here to view “World’s Biggest Data Breaches: Selected losses greater than 30,000 records.” Lest bankers seek solace in the thought that breaches are more a retail than a banking problem, click “banking” in the filter box at the upper right.

But before you decide that your best option is to wait out the arms race under your desk in fetal position, I have good news. There is much that banks can do to protect themselves, merchants, and consumers.

Here are a few tips:

Keep up with security technology. Bad guys regrouping and returning notwithstanding, it turns out that we good guys are pretty good at keeping pace and, at times, a step or two ahead. To ignore the state of the art is to look for trouble. That should go without saying, but you’d be surprised how many financial institutions give data security more lip service than action. To be sure, upgrading is costly in terms of software, hardware, retraining personnel, and, sometimes, retraining consumers. But the cost of keeping current is a bargain compared with the costs—which include legal, insurance, and client confidence costs—of a serious breach.

Keep up with security news. A host of business and financial publications are available and useful. Still in the mood for a good but needful scare? Try UBM Technology’s DarkReading.com. You might also follow UBM’s blackhat blog and consider attending a blackhat® convention.

Never assume the security arms race has been won. The much-heralded credit card chip has a track record of reducing but not eliminating fraud.

If your financial institution is small, don’t fall into the trap of thinking you’re an unlikely target. Smallness may increasingly make you a more likely target. Like anyone, hackers prefer the course of least resistance. More hackers are turning their attention to smaller banks and other smaller businesses that tend not to be able to afford the best protections or not to bother with them. Which means you must bother with them and find a way to afford them.

Beware the isolation trap. Data security is its own field of expertise. Even if you employ your own, first-rate team of tech geniuses, their combined expertise cannot approach that of companies entirely focused on digital banking technology. (Note: Should you accuse me of using my blog to make a blatant, shameless pitch for the likes of my employer, Fiserv, I’m offended at the accusation—even though that’s exactly what I’m doing. I highly recommend checking out our compliance and fraud management page among others.)

Be proactive in educating your merchant and consumer clients. This is as much a marketing as a security measure. Security concerns have been known to hold people back from adopting mobile banking technology. Educating clients on security precautions increases mobile technology adoption.

For merchants, PC Magazine’s Max Eddy reported on an interesting piece of advice: Do not use chip reading terminals that still have magnetic stripe reading capability. According to Eddy, during a recent Black Hat conference, security guru Peter Fillmore showed that terminals which read both chips and stripes leave an exploitable security gap. Fillmore also demonstrated the ease of capturing data from tap cards.

For what it’s worth, Eddy reported that Fillmore had reluctant, high praise for Apple Pay:

“I want to kick at Apple Pay but I can’t,” Fillmore joked. “It’s one of the best methods for these transactions … and is generally more secure than your cards.”

Fillmore said that Apple Pay has a lot going for it since it has a separate secure element chip and performs the transactions on that secure chip. But Fillmore reasoned that Apple Pay is susceptible to the attacks he demonstrated because the cards themselves are insecure. It would depend on the cards loaded into Apple Pay and if an attacker found a way to force someone to make a particular transaction in order to snag the data.

For consumers, U.S. News & World Report contributor Anisha Sekar suggests that financial institutions advise them in the basics: only buy from websites whose URL starts with “https,” set up alerts for every card and digital transaction, sign card backs, avoid use of public Wi-Fi, and, to limit personal liability, notify the bank immediately of a lost or stolen card.

I urge you to take heed. I don’t want to see you on the next version of the World’s Biggest Data Breaches: Selected losses greater than 30,000 records. There are better ways to earn recognition.
