Earlier this month, federal prosecutors unsealed an indictment charging several men with bank theft on a massive scale. According to prosecutors, the thieves loaded stolen account data onto magnetic stripe cards, which they then used to steal $45 million from ATMs around the world.
As financial institutions reconsider their security procedures in the
wake of the breach, much of the attention will naturally fall on
America's reliance on magnetic-stripe cards, instead of the more secure
chip-and-PIN (also called EMV) cards used in other parts of the world.
While they're at it, though, the banks should also consider another
big security black eye: The fact that it's easier to hack into your bank
account than it is to crack your Facebook account.
Protecting Us From Ourselves
It's a fundamental truth of network security that no system can ever
be truly safe from intruders. That's because of one universal weak
point: the user. As long as people insist on opening phishing emails,
picking weak passwords and leaving their PCs unprotected from malware,
hackers will find a point of entry.
So recent innovations in online security have focused on solutions that protect consumers from themselves.
One such solution is two-factor authentication, which aims to protect
users even if their log-in information has already been stolen. It
typically involves sending a second, temporary passcode to your mobile
phone, on the assumption that whoever managed to snag your password
probably doesn't have access to your phone too. Facebook and Google have
both implemented two-factor systems in recent years.
Javelin Strategy & Research, which consults for the financial
services industry, surveyed the top 25 largest financial institutions
and found that just eight let users set up "out-of-band" authentication
on their phones. While that list includes large institutions like Bank
of America, Citibank, JPMorgan Chase and PNC, that still leaves another
17 banks that haven't gotten on board, including Capital One, HSBC and
"When we have better security for our Facebook and Gmail, maybe it's
time for the banks to step up," says Chester Wisniewski, security
researcher for Sophos. "Consumers are genuinely surprised that it's
easier to log into your bank than it is your Facebook."
Banks that don't offer two-step authentication will usually attempt
to verify your identity by prompting you to answer security questions
that you set when you initially created your account. But those
questions -- including your mother's maiden name and the name of your
favorite pet -- have been criticized as ineffective in the age of
"If and when [users] register secret questions with financial
institutions, they should not be putting the answers on social media,"
says Shirley Inscoe, a banking industry analyst for the Aite Group. "A
lot of banks are discontinuing the use of those secret questions because
bad guys are able to find the answers."
Locks on the Door, Motion Detectors in the Vault
If the bad news is that many banks are behind the times when it comes
to preventing access to your accounts, the good news is that log-in
security procedures aren't the only lines of defense against fraud.
"You have to assume that [intruders] are going to gain access, so you
need a platform of protection that works up against that reality," says
Terry Austin, CEO of Guardian Analytics.
Much like the procedures that credit card issuers use to detect card
fraud, Guardian builds a profile of how you typically use your online
banking account; it can then detect when your account is being used in a
way that you don't usually use it. Common giveaways that trip the
alarms can range from unusually large transactions to simply navigating
to a part of the site that you've never used before.
Even if the algorithms don't stop thieves from making off with your
cash, consumers still have one last line of defense: Federal regulations
say that in most cases, consumers are not liable for fraudulent
transactions on their account.
Still, if someone cleans out your account and you have to wait a week
or more to get your funds back, it's a huge disruption to your life.
And since the financial institution will incur the cost of the fraud,
they too have a clear incentive to stop fraud before it starts.
So that brings us back to the original question: If Facebook and Gmail
can offer account holders two-step authentication, why have several
major banks failed to follow suit with so much money at stake?
Convenience vs. Security
Wisniewski says it's partly a matter of banks not wanting to hinder
the convenience of online banking by introducing another barrier to
entry -- no bank wants to be the first to make it harder for customers
to log into their accounts. Even banks offering two-step log-in don't do
so as a default. Bank of America, which was named best in class by
Guardian's security report, made me click around a bit before I could
find and enable the feature.
And I'm security savvy. The people who need extra security the most
-- the careless types who reuse passwords and leave their PCs unsecured
-- are the least likely to put enhanced features in place. "If banks
make it optional," Wisniewski observes, "the people who don't need it
will be the only ones who use it."
Thursday, 13 June 2013
The North Staffordshire Combined Healthcare NHS Trust sent sensitive medical details to a member of public via fax when a staff member entered the wrong number when trying to dial the Trust’s Wellbeing Centre department.
The issue came to light when the member of public alerted the Trust and returned the information. The details in the report included patients’ names, addresses, medical histories, and details of their physical and mental health.
An investigation by the ICO found that although the Trust had best practice guidelines that required staff to phone ahead to check numbers and ensure documents were received, staff had not been trained on these procedures.
“Let’s make no mistake, this breach was entirely avoidable. One phone call ahead to the trust’s Wellbeing Centre would have alerted its staff to the fact that the number they were entering was incorrect,” said ICO enforcement group manager, Sally Anne Poole.
“This would have stopped highly sensitive information about the care of vulnerable people being sent to a member of the public on three separate occasions.”
The chief executive of North Staffordshire Combined Healthcare NHS Trust, Fiona Myers, said it accepted the findings from the ICO and had established new procedures as a result.
“We have in place systems and policies to safeguard the information we hold which we have strengthened to reduce the risk of such a breach occurring as a result of human error,” she said.
“Moving forwards, to ensure all information is transmitted securely and that a similar incident could not occur, we no longer use fax machines to send patient identifiable information.”
Poole from the ICO added that the fine should serve as a warning to other organisations sending sensitive faxes. The ICO also published guidance on fax use to try to help others avoid its wrath.
- Consider whether sending the information by a means other than fax is more appropriate
- Make sure you double check the fax number you are using
- Check that you are sending a fax to a recipient with adequate security measures in place
- If the fax is sensitive, ask the recipient to confirm that they are at the fax machine, they are ready to receive the document, and there is sufficient paper in the machine
- Ring up or email to make sure the whole document has been received safely
- Use a cover sheet. This will let anyone know who the information is for and whether it is confidential or sensitive, without them having to look at the contents