BreachExchange mailing list archives
Breached: What happens when a bank’s data is compromised
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Sep 2013 00:07:47 -0600
http://www.bizjournals.com/sacramento/print-edition/2013/08/09/breached-banks-data-compromised.html?page=all

It’s a letter that almost seems designed to fan fears rather than allay them. The letter warns about “an information security situation that could potentially affect you.” Someone who shouldn’t have your “personal information” may have it. In the meantime, here’s a fresh credit or debit or membership card for you.

Like everywhere else, the Sacramento area has had its share of cyber attacks and data breaches. Some customers of SAFE Credit Union and Yolo Federal Credit Union, as well as service and retail companies such as Sutter Health and Raley’s Inc., received such letters in the past year.

The warning letters vary in content but are often vague. What’s usually left unsaid are the details. What kind of data got out? How did it happen? (Yolo Federal’s letter said it involved data “at multiple merchant locations.”) Is your specific account information OK?

Financial institutions made up a minority of companies reporting data breaches — as required by law — to state Attorney General Kamala Harris in 2012. The entire financial sector, which includes insurance companies, accounted for only 30 of the 131 reported data breaches in the state. Retailers accounted for 34.

Nonetheless, it always comes back to the financial institution. “Regardless of where a breach occurs, it’s still a financial institutional customer who is at the end of the line,” said Doug Johnson, vice president and senior adviser on risk management policy for the American Bankers Association. He said he would prefer that banks manage the customer notification instead of a third party providing services to the bank or conducting a transaction through the bank.

Broad definition

Data breaches can take many forms. Computer hacking is one of the most talked about. In late July, federal authorities indicted four Russians and a Ukrainian on charges of stealing and selling more than 160 million payment card numbers from corporate networks from mid-2005 to mid-2012.

But breaches also can be more mundane. Last year TD Bank, based in Cherry Hill, N.J., “misplaced” an unencrypted backup tape with information on more than 260,000 customers. Or the breach could involve data in a laptop computer that has been lost or stolen.

“One of the scariest stats is that 75 percent of the insider thieves stole material they were already authorized to access,” said Tony Cox, compliance manager for consulting firm Banker Technologies in Tustin.

Since 2003, California law has required any organization to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. “Personal information” means the person’s name in combination with a Social Security number, driver’s license, or account number and its access code or password. Loss of encrypted data doesn’t have to be reported. The attorney general’s office must be notified when breaches involve more than 500 people.

Few organizations are in a hurry to report them, however. California law says only that notice must be given “in the most expedient time possible and without unreasonable delay.” Sometimes that turns out to be months after the breach. In some cases, the attorney general pointed out, law enforcement agencies request a delay to aid their own investigations.

Institutions that have been affected, even indirectly, don’t like to talk about it. A SAFE Credit Union spokesman said the credit union won’t discuss security matters. Yolo Federal didn’t respond at all when contacted for this story.

Those who haven’t had to file such reports are a little more forthcoming. Bank of Sacramento has been fortunate so far, said Jeff Lund, the bank’s information security officer. Like many banks, it has fended off data breaches by layering one security measure over another: firewalls, user authentication and multiple factors such as pass phrases and picture identification for logging into an account.

“I think there is probably a bigger problem, not so much in hackers breaking in and stealing information directly from a financial institution as it is phishing and getting information from customers,” he said. The bank also tries to educate its customers on protecting their information.

Fraud trends seem to start with big banks and work their way down to smaller institutions, said Johnson of the ABA. That can serve as a kind of early warning system for small banks, which don’t have the same resources as a Chase or a Wells Fargo. On the other hand, a small bank is more likely to be more familiar with its customers and spot an anomaly without needing a lot of technology, he said.

Shifting landscape

Cox’s firm classifies data as being in one of three states: at rest, which means it’s sitting on a server and not being processed; in transit from one place to another; or on a screen being viewed by someone. “Once you’ve identified where the data is, you can put protections on it,” he said.

But technology is constantly changing, and banks have to constantly adapt, Cox said. For the problem of authorized access mentioned earlier, banks are responding with systems that monitor files and record actions no matter who is looking at them.

The introduction of free email services created a big hole for data to leak through. “I can’t use the bank’s email system because there is a log. But what if I log into Yahoo.com and jump on their mail client? Now all the system knows is that I was on the website, not what I was doing on the website,” Cox said. So banks now routinely block internal access to free email sites.

The falling price of USB drives opened up another hole. It hardly costs anything now to get a thumb drive with a gigabyte of memory. “What the industry has done is either block USB drives so they don’t work, or accept only USB drives that have biometric encryption on it for it to work,” he said.

Now the cloud is raising concerns with sites like Dropbox, which allow computer and smartphone files to be accessed remotely. Web filtering helps, but people also can get to such sites on their smartphones.

“Everybody wants to bring their smartphones and tablets,” Cox said. “A lot of banks are struggling how to balance this because, on one hand it’s great. I’ve got employees who are buying their own equipment and I don’t have to. The downside is how do you control it?”

Then there’s the Google Glass headset. Right now it’s easy to spot, but in five years it may look like any ordinary pair of glasses, Cox said. A person may stroll past a computer and record what’s on the screen for review later.

Changing social norms also have posed a problem. Cox had a client bank where a new 20-something teller was impressed by the size of a cash shipment that had just arrived. “Without even thinking, she whipped out her phone and took a picture of it and posted it on Facebook,” Cox said. “In her mind, that’s just what you do. People take pictures of their food. She didn’t understand what was the big deal.”

Banks, consultants and the attorney general all agree that the biggest deterrent is data encryption. “But you would be surprised at the times when it is not being done or the system is failing,” Cox said. Some systems require manual activation of encryption rather than making it the default. Sometimes it’s a question of inadequate training.

It takes three elements — training, technology and policies — to seal up the holes in a system.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.