In my last blog I discussed the Epsilon breach which affected a large number of customers including banks and many others. The latest breach for Sony Playstation gamers was not specific to banking but was of significant nature and can only affect online bank customers if they were careless enough to use the same usernames and passwords that they use with their banks (yes people do that).
The point is that breaches can come from outside the bank through its partners, vendors and relationships. Banks are required to do significant due diligence to ensure a potential partner has best practices in security which is critical. Coming from someone who has done a lot of due diligence on companies over the years it is difficult to get a true deep picture of a company's security posture. Small details can make a big difference. Also, many times there are simply not that many partners who have the capability you are looking for which limits your options.
Epsilon is a good example. Since they were used by many big banks and other large companies you can assume that a lot of due diligence was done before contracts were signed. Yet there was still a compromise. So this is definitely an achilles heel for bank security.
One final point of interest, a recent article from pc pro (link at end of blog) states that the FBI has tied back recent hack attempts of $20M back to China. Once again from experience I can tell you that hacking comes from all over the world but this does not surprise me because China hack attempts far exceeded all others by a large magnitude making the term "Made In China" take on new meaning.
As I have said before the best security comes from you and your habits but it is important to make sure that your bank uses geo-location risk based assessment with out of band authentication protection. You think it would be required but its not yet. If your bank does not and you use online banking, find another bank.
PC Pro Article
Thursday, April 28, 2011
Friday, April 8, 2011
Epsilon Breach Exposes Major Banks and its Customers
You probably have received several alerts from various vendors already about your email being compromised in the Epsilon breach. I know I have received 3 so far which speaks to the magnitude of the breach. Epsilon is currently stating about 2% of their customers. They send out about 40 Billion emails annually for about 2500 customers.
Some of the big banks affected include Citi, Chase, US Bank and Capital One. While no account numbers, ssns or other NPI was exposed it still is a major advantage for phishers because it allows a more personal, detailed and customized attack which increases the rate of success. Of course none of this is a problem if customers simply never respond to any of these emails no matter how legitimate they look. Still we know that a small percentage will and this is what the hackers count on. It is all a game about percentages and having the name or other small bits of information to make the phishing email more legitimate looking which increases the success rate.
For banks, phising attacks become a race against time. From the time they become aware of a phising attack they go to work to let the customers know about the attack and to work with authorities and Internet providers to get the phising sites taken down. This is not as easy as you may think, since these sites may be multiple and are often setup in countries where there are language and response barriers. Meanwhile every day or hour the site stays up the hackers benefit.
So the banks will likely be busy with the new barrage of attacks coming up. Just be sure to remember the security basics to protect yourself.
Some of the big banks affected include Citi, Chase, US Bank and Capital One. While no account numbers, ssns or other NPI was exposed it still is a major advantage for phishers because it allows a more personal, detailed and customized attack which increases the rate of success. Of course none of this is a problem if customers simply never respond to any of these emails no matter how legitimate they look. Still we know that a small percentage will and this is what the hackers count on. It is all a game about percentages and having the name or other small bits of information to make the phishing email more legitimate looking which increases the success rate.
For banks, phising attacks become a race against time. From the time they become aware of a phising attack they go to work to let the customers know about the attack and to work with authorities and Internet providers to get the phising sites taken down. This is not as easy as you may think, since these sites may be multiple and are often setup in countries where there are language and response barriers. Meanwhile every day or hour the site stays up the hackers benefit.
So the banks will likely be busy with the new barrage of attacks coming up. Just be sure to remember the security basics to protect yourself.
Monday, April 4, 2011
Money Moving Away From Big Banks?
An interesting trend in banking is underway with deposits beginning to move from the largest US Banks to local community banks and credit unions. While some of the movement is occurring naturally due to dislike of "too big too fail" banks after the bailout the "move your money" campaign started by Arianna Huffington and friends is having an impact as well.
According to the Huffington Post and Moebs Services Research firm over 4 million accounts have already moved with predictions for another 7-9 million accounts to move by the end of 2011. The Move Your Money Project encourages individuals to divest from the nations largest Wall Street banks to local financial institutions. (MoveYourMoneyProject link)
Since smaller banks tend to lend more to the local community it helps support the local economy and business in the area. This movement seems to be a part of an overall trend not just in banking but in the green movement too. Buy local produce and products to save energy and support your local businesses. Of course online banking is green as well since it means less trips to the branch.
Coming from an online banking proponent I would say that many of the smaller banks and credit unions have improved their technology and services over the years. And in the past, I remember starting with small banks and watching them get eaten up in a food chain that bubbled back up to one of the big boys.
Then there is always the question of security. Are the small local banks as secure as the Wall Street Banks? They certainly don't have the resources to invest in security like the big guys and the recent hacker trends are starting to take advantage of that fact. On the other hand, we still have seen security breaches at the big banks as well.
Finally, what about convenience? Mobile banking apps, iPad apps, P2P payments, Contactless payments... all the exciting changes coming out. Small banks aren't usually the ones to make this happen first. The good news is that the technologies seem to be getting commoditized quicker and are becoming available through third party vendors quicker. For some, this still may be a consideration.
And why not consider someone like USAA? Not really small, but not to big to fail and great services, security and technology and they do good for our service members in the military. (Note: Other than account holder there is no affiliation between USAA and myself).
Overall, we know that moving your money from any bank is not easy . But if you decide to jump on the bandwagon there is a lot to consider. One of the best ways we can make a political statement or really express our opinion is by choosing who we wish to patronize.
According to the Huffington Post and Moebs Services Research firm over 4 million accounts have already moved with predictions for another 7-9 million accounts to move by the end of 2011. The Move Your Money Project encourages individuals to divest from the nations largest Wall Street banks to local financial institutions. (MoveYourMoneyProject link)
Since smaller banks tend to lend more to the local community it helps support the local economy and business in the area. This movement seems to be a part of an overall trend not just in banking but in the green movement too. Buy local produce and products to save energy and support your local businesses. Of course online banking is green as well since it means less trips to the branch.
Coming from an online banking proponent I would say that many of the smaller banks and credit unions have improved their technology and services over the years. And in the past, I remember starting with small banks and watching them get eaten up in a food chain that bubbled back up to one of the big boys.
Then there is always the question of security. Are the small local banks as secure as the Wall Street Banks? They certainly don't have the resources to invest in security like the big guys and the recent hacker trends are starting to take advantage of that fact. On the other hand, we still have seen security breaches at the big banks as well.
Finally, what about convenience? Mobile banking apps, iPad apps, P2P payments, Contactless payments... all the exciting changes coming out. Small banks aren't usually the ones to make this happen first. The good news is that the technologies seem to be getting commoditized quicker and are becoming available through third party vendors quicker. For some, this still may be a consideration.
And why not consider someone like USAA? Not really small, but not to big to fail and great services, security and technology and they do good for our service members in the military. (Note: Other than account holder there is no affiliation between USAA and myself).
Overall, we know that moving your money from any bank is not easy . But if you decide to jump on the bandwagon there is a lot to consider. One of the best ways we can make a political statement or really express our opinion is by choosing who we wish to patronize.
Subscribe to:
Posts (Atom)