We Need To Talk (About Security)

It’s easy to forget, but the most basic social media channel of all is. . .talking. And when it comes to banking, that’s come to represent a glaring security flaw.

Most financial services institutions are hyper-vigilant about building information security defenses into their online and mobile channels. It’s not just required by law, thanks to dozens of compliance mandates, it’s also good for business. More to the point, as documented on this site, many banks have launched education and marketing campaigns to spread the word about the security measures that they take, and what their customers should do to prevent theft, fraud and other forms of abuse.

However, that still leaves one key variable—call centers. It’s a curious dichotomy: many of us take those anonymous voices on the other end of the phone for granted (unless they can’t provide the answer we need), yet we freely give them all kinds of sensitive data, everything from addresses and social security numbers to account-specific information. Let’s face it, we have to give it to them to get the answers we need.

It’s almost reassuring to know that the calls are being recorded, since this helps improve customer service, and gives us a backup. It also means those calls are being stored and archived somewhere—and that presents a problem.

For the record, there are certainly regulations governing these practices. The PCI-DSS (for Payment Card Security Industry Data Security Standards) Council says such recordings fall under the scope of PCI compliance, but it’s clearly an area that has received less attention with regard to security.

There are several issues here that deserve scrutiny.

First, any kind of information exposed through voice communications offers a goldmine for social engineering scams. The range of tactics used varies widely, but they mostly involve manipulation for the purpose of gaining confidential information.  In the past, these attacks were of a random and mass-market nature. Now, thanks to the wealth of personalized information available through social media channels, they’ve become far more targeted and sophisticated. Every nugget gleaned through hacked voice communications offers a major step forward for the bad guys.

More broadly, so much of call center work is outsourced that it’s sometimes difficult to ascertain where the voice on the other end of the call is physically located, and where the calls are being stored. (In some cases, the company that wins the contract in turn outsources the work to a call center located in a different country.)

While the practice gained popularity as a means of greater business efficiency, outsourcing has in the past few years become a volatile political issue.  Legislation introduced in Congress would, among other mandates, require business to disclose to callers when their calls are transferred abroad, and potentially give them the option to be transferred to a U.S.-based representative. While U.S. employment is clearly the primary driving factor, security is frequently cited as a key issue.

More regulation may be inevitable, but as always, the industry itself is best qualified to implement the best security, not because it’s forced to but because it’s good for business.

Just as technology enables optimal communications, it also enables optimal security. For example, there is software that automatically halts recording when key words with sensitive information are used.

In some ways, call centers represent old-world banking, while the threats they face are quite new. What really matters, however, is that whatever the means of communication, it’s up to us to protect our customers, and that means protecting every kind of data we receive.

National (Banking) Security

Here’s a perfect snapshot of the world today: When Iranian President Mahmoud Ahmadinejad addresses the United Nations, banking IT executives should be paying close attention. While concerns over Iran’s nuclear ambitions pay out on the global stage, even becoming a major issue in the U.S. presidential election, it’s not only the Departments of State and Defense that are involved. There’s ongoing speculation over the details, but it’s become increasingly clear that in the past few months, several U.S. financial conglomerates—Bank of America, JP Morgan Chase and Citigroup, among others—have been under cyber-attack. There’s no official confirmation of the source, but it’s increasingly believed that the hackers were based in Iran.

The specific motives are still unclear, although it’s not hard to accept that economic sanctions that have been imposed are a major factor. For the record, the Iranian government has claimed in the recent past to be building a ‘cyber army,’ and has even called for loyal citizens to hack into Western institutions.

It’s not just banks getting caught in the crossfire. Just this week, Google warned Gmail customers that “state-sponsored attackers” may be trying to compromise their computers. Google didn’t name the state doing the sponsoring, and in this case Iran claims to be among the victims.

We still don’t know much about the recent attacks—just how broad they were, and the extent of the damage caused. For the most part they seem to have been Distributed Denial of Service (DDoS) attacks, which are typically made up of waves of phony traffic that effectively shut down otherwise functional servers and badly disrupt operations. There may not have been outright data theft, but many customers were unable to conduct online transactions, leaving banks with considerable remediation and repair costs.

Industry experts believe the attacks were heavily coordinated and targeted, pursuing weak spots that were likely uncovered through extensive research and surveillance. It’s being reported that thousands of servers were hijacked for the purpose.

The attacks seem to have subsided in the past week, but looking ahead, there’s continuing cause for worry.

First, by all accounts, these were not isolated incidents or the work of malicious kids out to prove their skills. Most DDoS attacks take considerable organization, skill and resources, and the new wave was no exception. These showed sophisticated tactics backed by patience and expertise. The diversity of their origins—the ‘botnets’ could be anywhere—makes the defense even more problematic.

It’s definitely uncomfortable to be considered alongside defense contractors as part of the ‘military-industrial complex’ and become the focus of geo-political tensions. However, the undeniable reality is that the information technology infrastructure underpinning the entire economy makes a choice target. Criminal gangs out for profit are no longer the only digital threats we need to keep in mind. Cyber terrorism is now a potent weapon in international conflicts, and few actions make a more potent political statement than bringing down the financial services industry.

There’s no reason for us to stop doing what we do—that would be handing the bad guys a true victory. However, it would serve us well to be vigilant. There are no guarantees here, but no one should be surprised if there are more attacks, whether through DDoS or new virus strains. Security must be a top priority: We need to help our security specialists build the best defenses possible, and ensure that even with waves of sophisticated assaults, operations are not disrupted.

What We’re Reading: Online Bank Security, Bank Fees and Mobile Wallet

Below are interesting stories the Banking.com staff has been reading over the past week. What have you been reading? Let us know in the comments section below or Tweet @bankingdotcom.

  • The Future of Leadership

American Banker Magazine

Across banking, there is a sense that the profile of leaders is in flux. The leadership characteristics we value today are not the same as what we valued 10 years ago. And 10 years from now? It’s safe to say that financial institutions will be looking for leaders with swift response times, an appreciation for the impact of new technology, an ability to manage an ever-widening circle of stakeholders, and a knack for collaboration, be it across business silos or with outside partners.

Read more

  • Mobile Banking: Emerging Threats

Bank Info Security

Telecommunications infrastructure. Third-party applications. User behavior. All are among top security challenges for global banking institutions as they expand their mobile banking and payments initiatives. And most challenging of all: These threats fall outside the institutions’ direct control. So, how can banks get a handle on emerging mobile risks? It’s a matter of ecosystem security, says Tom Wills, a senior security and financial fraud analyst at Javelin Strategy & Research

Read more

  • Report: Huge Spike in Mobile Transactions in Past Year

Credit Union Times

Device-focused security company iovation has announced that it has tracked a six-fold increase in financial services transactions that originate on mobile devices from 2011 to 2012. The Portland, Ore.-based company elaborated that in 2011, just 2% of the financial transactions it tracked originated on mobile devices.  In 2012 that percentage has spiked up to 12%. “The interest in mobile banking is overwhelming,” said Max Anhoury, vice president, global sales at iovation. In an interview, Anhoury elaborated that for the purpose of these metrics iovation defined “financial services” fairly narrowly to include retail banking, credit card services, payday lending, money transfer services and prepaid cards.

Read more

  • More U.S. Banks Report Online Woes

Gov Info Security

The online-banking and website outages and glitches reported Sept. 26 by U.S. Bank and PNC Bank are likely the result of foreign attacks, says Bill Wansley, a financial fraud and security consultant at Booz Allen Hamilton. Wells Fargo took a similar hit on Sept. 25, and all three new site outages are likely linked to similar online outages experienced a week earlier by Bank of America and Chase Bank, Wansley says. Late Sept. 26, published reports said that PNC acknowledged some customers reported trouble accessing PNC.com, but that the bank had implemented additional security precautions, based on threats made to take down the PNC site Sept. 27. PNC is now the fifth major U.S. bank suspected of being targeted by the group known as Izz ad-Din al-Qassam Cyber Fighters. The group has been keeping institutions up-to-date about its targets through threats posted on Pastebin.

Read more

  • Banks can only hope for best with DDoS attacks

CSO

Banks can only cross their fingers and hope the defenses they have in place can withstand cyberattacks like the one that disrupted the online banking site of Wells Fargo & Co., experts say. On Tuesday, Wells Fargo became the latest victim in a string of attacks on banks that started last week at J.P. Morgan Chase & Co. and Bank of America Corp.  A group calling itself “Mrt. Izz ad-Din al-Qassam Cyber Fighters” claimed responsibility and threatened to hit U.S. Bankcorp and PNC Financial Services Group on Thursday, said a post on Pastebin. The latest attack took down Wells Fargo’s online banking site intermittently. The bank apologized for the downtime on Twitter and appeared to be back up on Wednesday. DDoS attacks are crude but effective.

Read more

  • Consider The Bank Fees

NY Times Blog

An annual analysis of checking accounts from Bankrate.com finds that the average A.T.M. surcharge – the fee charged by the machine’s operator to a noncustomer – rose 4 percent to a new record of $2.50. This is the eighth consecutive year that the average surcharge has increased. And, for the first time, all of the banks surveyed by Bankrate.com for the report charge noncustomers to use their A.T.M.’s. The surcharge gets even more expensive when your own bank gets into the act, charging you – its customer – for using a competitor’s machine. This fee rose 11 percent, to $1.57.

Read more

  • Gap, Bed Bath, other merchants join mobile wallet service

Reuters

Retailers including Gap Inc and Bed Bath & Beyond Inc have joined a mobile payments network that intends to battle similar services from Google Inc and other companies. The service, also called MCX, is at an early stage and has yet to set a launch date. On Monday, MCX told Reuters it had signed up several new members. In addition to Gap and Bed Bath, they include Dunkin’ Brands Group Inc, Dillards Inc and convenience store operator Sheetz Inc. Mobile payments are expected to rise nearly four-fold to more than $1.3 trillion annually by 2017, according to a recent report by Juniper Research.

Read more

FI Spotlight: Attracting Younger Bank Customers: A Case Study of Yorkshire Building Society

The UK’s Yorkshire Building Society (YBS) is a bank that wanted to be sure they were attracting younger patrons that would become long term loyal customers. When it began looking into traditional marketing approaches geared towards younger consumers, the bank noticed that most banks chose to emphasize savings accounts with competitive rates. Realizing that there was a big assumption on which products in this segment actually wanted, YBS chose to conduct its own market research. Here’s what they did and what they found.

The goal of their market research was to determine the customer orientation of young people. They wanted to find out about the financial requirements of younger customers in order to offer them products that would meet their identified needs. This was a distinct and deliberate shift away from product-led research to a customer-led approach, recognizing that customers are interested in more than just the mix of products and their prices. Consumers also consider non-financial factors that include quality of service, added value and overall customer experience. YBS recognized an opportunity to differentiate itself from competitors by moving beyond the financial value framework.

Yorkshire Building Society
Image source: telegraph.co.uk

The market research began with extensive qualitative focus groups composed of young people in order to find out about their motivations and financial requirements. Two important early findings were that young people have very little desire to save money and that having a debit card is considered extremely important beginning at about age 14. Not surprisingly, the under 12 population is largely dependent upon their parents for all financial decision making. In the 12-15 years of age group, however, young people become more independent and concerned about being able to spend, although with the knowledge that parental protection and advice is nearby. Starting at age 16, most young people have a strong desire to manage their own financial affairs, and this is where the cash card becomes a must-have item.

Another round of focus groups drew upon four distinct market segments organized by life stage: Couples planning to have children, parents who control children’s accounts, youth aged 12-15 that have their own accounts, and young people aged 16-21 with their own accounts. Expectant or new parents were more interested in long-term saving products with an eye on their children’s future, promotions that offered new families relevant “freebies,” and accounts for children that are controlled only by parents.

young bank customers
Image source: mybanktracker.com

By carefully researching the financial requirements of different market segments (in this case, age groups), YBS has been able to develop a comprehensive customer relationship management (CRM) system that keeps messaging highly targeted to the needs of each segment, which is much more effective than a constant barrage of indiscriminate communications.

*This post originally appeared on Instant.ly.

About Elizabeth: Elizabeth A. is a freelance writer whose work on entrepreneurship, tech, and social media has been published by The Huffington Post, PolicyMic, USA Today, and more.  She regularly contributes to the Instant.ly corporate blog.