Thursday, 13 June 2013

Why Your Facebook Account Is More Secure Than Your Bank Account

Earlier this month, federal prosecutors unsealed an indictment charging several men with bank theft on massive scale. According to prosecutors, the thieves loaded stolen account data onto magnetic stripe cards, which they then used to steal $45 million from ATMs around the world.
As financial institutions reconsider their security procedures in the wake of the breach, much of the attention will naturally fall on America's reliance on magnetic-stripe cards, instead of the more secure chip-and-PIN (also called EMV) cards used in other parts of the world.
While they're at it, though, the banks should also consider another big security black eye: The fact that it's easier to hack into your bank account than it is to crack your Facebook account.
Protecting Us From Ourselves
It's a fundamental truth of network security that no system can ever be truly safe from intruders. That's because of one universal weak point: the user. As long as people insist on opening phishing emails, picking weak passwords and leaving their PCs unprotected from malware, hackers will find a point of entry.
So recent innovations in online security have focused on solutions that protect consumers from themselves.
One such solution is two-factor authentication, which aims to protect users even if their log-in information has already been stolen. It typically involves sending a second, temporary passcode to your mobile phone, on the assumption that whoever managed to snag your password probably doesn't have access to your phone too. Facebook and Google have both implemented two-factor systems in recent years.
Javelin Strategy & Research, which consults for the financial services industry, surveyed the top 25 largest financial institutions and found that just eight let users set up "out-of-band" authentication on their phones. While that list includes large institutions like Bank of America, Citibank, JPMorgan Chase and PNC, that still leaves another 17 banks that haven't gotten on board, including Capital One, HSBC and TD Bank.
"When we have better security for our Facebook and Gmail, maybe it's time for the banks to step up," says Chester Wisniewski, security researcher for Sophos. "Consumers are genuinely surprised that it's easier to log into your bank than it is your Facebook."
Banks that don't offer two-step authentication will usually attempt to verify your identity by prompting you to answer security questions that you set when you initially created your account. But those questions -- including your mother's maiden name and the name of your favorite pet -- have been criticized as ineffective in the age of social-media oversharing.
"If and when [users] register secret questions with financial institutions, they should not be putting the answers on social media," says Shirley Inscoe, a banking industry analyst for the Aite Group. "A lot of banks are discontinuing the use of those secret questions because bad guys are able to find the answers."
Locks on the Door, Motion Detectors in the Vault
If the bad news is that many banks are behind the times when it comes to preventing access to your accounts, the good news is that log-in security procedures aren't the only lines of defense against fraud.
"You have to assume that [intruders] are going to gain access, so you need a platform of protection that works up against that reality," says Terry Austin, CEO of Guardian Analytics.
Much like the procedures that credit card issuers use to detect card fraud, Guardian builds a profile of how you typically use your online banking account; it can then detect when your account is being used in a way that you don't usually use it. Common giveaways that trip the alarms can range from unusually large transactions to simply navigating to a part of the site that you've never used before.
Even if the algorithms don't stop thieves from making off with your cash, consumers still have one last line of defense: Federal regulations say that in most cases, consumers are not liable for fraudulent transactions on their account.
Still, if someone cleans out your account and you have to wait a week or more to get your funds back, it's a huge disruption to your life. And since the financial institution will incur the cost of the fraud, they too have a clear incentive to stop fraud before it starts.
So that brings us back the original question: If Facebook and Gmail can offer account holders two-step authentication, why have several major banks failed to follow suit with so much money at stake?
Convenience vs. Security
Wisniewski says it's partly a matter of banks not wanting to hinder the convenience of online banking by introducing another barrier to entry -- no bank wants to be the first to make it harder for customers to log into their accounts. Even banks offering two-step log-in don't do so as a default. Bank of America, which was named best in class by Guardian's security report, made me click around a bit before I could find and enable the feature.
And I'm security savvy. The people who need extra security the most -- the careless types who reuse passwords and leave their PCs unsecured -- are the least likely to put enhanced features in place. "If banks make it optional," Wisniewski observes, "the people who don't need it will be the only ones who use it."

Basic fax blunder costs Staffordshire NHS Trust £55,000

A fax sent by mistake cost an NHS Trust in Staffordshire £55,000, after the Information Commissioner’s Office (ICO) levied a fine for the basic error.
The North Staffordshire Combined Healthcare NHS Trust sent sensitive medical details to a member of public via fax when a staff member entered the wrong number when trying to dial the Trust’s Wellbeing Centre department.
The issue came to light when the member of public alerted the Trust and returned the information. The details in the report included patients’ names, addresses, medical histories, and details of their physical and mental health.
An investigation by the ICO found that although the Trust had best practice guidelines that required staff to phone ahead to check numbers and ensure documents were received, staff had not been trained on these procedures.
“Let’s make no mistake, this breach was entirely avoidable. One phone call ahead to the trust’s Wellbeing Centre would have alerted its staff to the fact that the number they were entering was incorrect,” said ICO enforcement group manager, Sally Anne Poole.
“This would have stopped highly sensitive information about the care of vulnerable people being sent to a member of the public on three§ separate occasions.”
The chief executive of North Staffordshire Combined Healthcare NHS Trust, Fiona Myers, said it accepted the findings from the ICO and had established new procedures as a result.

“We have in place systems and policies to safeguard the information we hold which we have strengthened to reduce the risk of such a breach occurring as a result of human error,” she said.

“Moving forwards, to ensure all information is transmitted securely and that a similar incident could not occur, we no longer use fax machines to send patient identifiable information.”
Poole from the ICO added that the fine should serve as a warning to other organisations sending sensitive faxes. The ICO also published a guidance on fax use to try and help others avoid its wrath.
  • Consider whether sending the information by a means other than fax is more appropriate
  • Make sure you double check the fax number you are using
  • Check that you are sending a fax to a recipient with adequate security measures in place
  • If the fax is sensitive, ask the recipient to confirm that they are at the fax machine, they are ready to receive the document, and there is sufficient paper in the machine
  • Ring up or email to make sure the whole document has been received safely
  • Use a cover sheet. This will let anyone know who the information is for and whether it is confidential or sensitive, without them having to look at the contents