During my 20 years in information systems in the banking sector, I spent several in information security and was continually amazed at how vulnerable our systems were to both internal and external threats.
It was literally true that retail consumer banking transactions traveled between servers in non-encrypted files and that the specific record formats were stored openly in “security plans”. Meaning, all that would be required to intercept and capture consumer account data was an internal employee working anywhere in security and an external programmer with rudimentary coding skills, along with a third employee working pretty much anywhere in the data center. As long as you didn’t have a criminal record (they run criminal background checks) you could get a job there. And, if you already worked there, earning say, $36K a year, what number would get your attention in exchange for compromising your moral compass? $1 million? Chump change to terrorists. Destroying banking systems is a much larger threat than taking down airplanes.
Based on my belief that the bank for which I was working was probably the best at applied technology, these risks never prompted me to switch my banking business to another bank. And, nothing has happened so far to violate that blind trust. But, it did make me nervous.
On balance, banking and financial enterprises have taken information security much more seriously in recent years. But that doesn’t mean banking is safe. The big move to online banking has exacerbated the risks. Interestingly, the volume of vulnerabilities for a bank is directly proportional to the number of account holders it calls customers. And, it gets more complex every day.
Today, the weakest link is the customer, who has that direct tunnel into key apps, is extremely vulnerable and hasn’t a clue. Most customers, including small businesses, don’t understand how easy it is for malware to get onto a PC, and are generally unconscious about malware as a direct threat to their checking and savings accounts.
Banks and financial institutions now play a continuous cat-and-mouse game with malware attackers, which has evolved to the point where traditional firewalls and antivirus systems have become obsolete and the enhanced authentication techniques established by the Federal Financial Institutions Examination Council (FFIEC) are ineffective at preventing malware hacking.
Bad guys have figured out how to get around all those protections, and banks have begun to see significant losses, especially from small businesses. Small businesses are not as sophisticated or well-protected as larger institutions, but they have a lot more money in their accounts than individuals.
Most of these attacks are enabled through the curiosity and trust of technologically unsophisticated customers. One of the most popular methods (because it works) is phishing e-mail. It offers a customer a benefit; they click on a link and, unbeknown to the customer, the malware is downloaded. The other most popular method is being linked to a site via an offer, and once the customer arrives, their PC is immediately infected via a drive-by download. They won’t know that happened either.
Once the malware is in place, it watches to see what the customer is doing, and then it takes over the session, where it lies in the background, submitting transactions to the institution and blocking the customer from seeing them. Or, it will take the customer’s login credentials and wait for them to log out of their session. It displays a page as if they’ve logged out, but it’s still logged in and generating transactions.
The good news is that because the banks have a much greater exposure than you do, they are busy working 24/7 to counter these attacks as they arrive and before they show up.
The bad news is that if I were an Al Qaida terrorist, I would concentrate my energy on taking down just a single bank for like, three days. It would really not be that hard. In fact, it would be a lot easier than blowing up an airplane or planting a nuclear warhead on a container.
Try to imagine the panic that would result from Chase Bank suddenly issuing a stop payment on all inbound checks for just one 24-hour period. Or, imagine what all banks might do if one of them found that all of their consumer accounts had been compromised.
It wasn’t that long ago that a major bank employee stopped for a hamburger and left his laptop in his convertible. It disappeared with 25,000 consumer checking account records on it.