
The Magnificent Seven (M-7 2012!)

By Dan Hadaway | Wednesday, December 19, 2012 - Leave a Comment

Seven 2012 Trends in Bank Technology that will Affect 2013

 

2012’s Magnificent Seven

It’s that time again! Time to define the seven most important trends we’ve watched over the past year. This means that, in most cases, these trends are still trending, and should drive our 2013 tactics.

This year’s top seven trends are (drum roll please):

  1. Continued Breaches Due to Unawareness
  2. Compliance with the Supplement
  3. Corporate Account Takeovers
  4. Orchestrated Attacks Against American Banks (still ongoing)
  5. Mobile Banking (and look for virtual wallet and NFC in 2013)
  6. Increased likelihood of Pretext Calling
  7. Smishing Scams on the Rise

Number One: Continued Breaches Due to Unawareness

Our number one 2012 trend is the fact that even now, after all our efforts, banks are still losing data thanks to a lack of awareness on the part of our own employees. It's the same old number we've always seen (roughly two thirds of breaches originate inside the bank), but digging into the data might enlighten us a bit.

According to our analysis of the publicly known breaches of financial institutions listed at privacyrights.org, 70 data breaches at United States banks were made public in 2012. Seventeen of those breaches (24%) were caused by a malicious insider: someone with legitimate access, such as an employee or contractor, who intentionally exposes or misuses information. We think banks need to be realistic that nearly a quarter of breaches came from their own users.

Sixteen of those breaches were “Unintended Disclosures,” meaning that sensitive information was posted publicly on a website, mishandled, or sent to the wrong party via e-mail, fax, or mail. This is what we usually think of when we hear about insider breaches.

Eight of the breaches were due to lost, discarded, or stolen portable devices (laptops, PDAs, smartphones, etc.). Again, these were at US banks: more than 10% of the breaches were due to bankers losing a portable device.

Five of the breaches were "paper loss," where an employee discarded sensitive information in a manner that does not comply with our Destruction of NPI policies. They didn't use the shred box, and they embarrassed the bank. Together, those four insider categories account for 46 of the 70 breaches. That leaves the remaining 24, roughly a third (34%), due to external threats: the threats we most worry about, the hackers and the corporate account takeovers. Maybe our strategy this year should focus on awareness training, not at the expense of protecting ourselves against the external threats, but in addition to that protection.

Number Two: Compliance with the Supplement

Most of our Clients continue to implement actions to bring themselves into compliance with the FFIEC’s June 2011 Supplement to the 2005 Guidance on Authentication in the Internet Banking Environment. The theme of the supplement is “layers of security.” The layers called for are robust authentication, anomaly detection and response, and customer education.

While they have been forced (yet again) to rely upon, and wait for, their vendors for answers on the authentication layer of the supplement, most of our Clients are still investigating effective methods for implementing detection and response, and are at least talking to their marketing people about the marriage of security and marketing in the form of customer education. We think most community-based banks will list Customer Education as a high priority in 2013.

Number Three: Corporate Account Takeovers

The reason Supplement compliance will be a high priority in 2013 is that corporate account takeovers are part of a trend that has banks realizing real monetary losses. In a corporate account takeover, criminals steal a business customer's online banking credentials (typically with malware on the customer's PC) and use them to push fraudulent ACH or wire transfers out of the account. We have at least three clients who are dealing with this very issue right now. The good news? The supplement was right.
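To make the supplement's "anomaly detection and response" layer concrete for the corporate account takeover pattern, here is an added example (written for this page; it is not code from the original post, from Infotex, or from any banking product). It scores each ACH batch against the submitting customer's normal profile: the device the session came from, the IP geography, the hour of day, whether the batch introduces payees never seen before, and whether the total is far above the customer's usual batch. The event fields, weights, threshold, and the sample event stream are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

@dataclass
class Event:
    """One online-banking event. Field names are assumed, not a real product's schema."""
    ts: datetime
    customer: str
    kind: str                 # "login" or "ach_batch"
    device_id: str = ""       # logins only
    ip_country: str = "US"    # logins only
    amount: float = 0.0       # ach_batch only: batch total
    new_payees: int = 0       # ach_batch only: payees first seen in this batch

@dataclass
class Profile:
    """What 'normal' looks like for one commercial customer."""
    known_devices: Set[str]
    typical_batch: float                        # usual ACH batch total
    business_hours: Tuple[int, int] = (7, 19)   # local hours batches are normally sent

# Assumed weights: no single signal holds a batch on its own, but the takeover
# pattern (unknown device + new payees + oversized batch) stacks past the threshold.
WEIGHTS = {"new_device": 30, "foreign_ip": 30, "off_hours": 10,
           "new_payees": 20, "large_batch": 25}
HOLD_THRESHOLD = 50
LARGE_MULTIPLIER = 3.0   # batch above 3x the customer's typical total counts as large

def last_login(events: List[Event], batch: Event, window: timedelta):
    """Most recent login by the same customer within `window` before the batch."""
    cands = [e for e in events
             if e.customer == batch.customer and e.kind == "login"
             and batch.ts - window <= e.ts <= batch.ts]
    return max(cands, key=lambda e: e.ts) if cands else None

def score_batch(batch: Event, login, profile: Profile):
    """Return (score, reasons, action) for one ACH batch."""
    reasons = []
    if login is None or login.device_id not in profile.known_devices:
        reasons.append("new_device")
    if login is not None and login.ip_country != "US":
        reasons.append("foreign_ip")
    start, end = profile.business_hours
    if not start <= batch.ts.hour < end:
        reasons.append("off_hours")
    if batch.new_payees > 0:
        reasons.append("new_payees")
    if batch.amount > LARGE_MULTIPLIER * profile.typical_batch:
        reasons.append("large_batch")
    score = sum(WEIGHTS[r] for r in reasons)
    # The automated response is only a hold. Release needs an out-of-band callback
    # to the phone number already on file, never a number supplied in the session.
    action = "hold_for_callback" if score >= HOLD_THRESHOLD else "release"
    return score, reasons, action

def review(events: List[Event], profiles: Dict[str, Profile],
           window: timedelta = timedelta(hours=1)):
    """Score every ACH batch in the event stream, oldest first."""
    results = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind != "ach_batch":
            continue
        score, reasons, action = score_batch(e, last_login(events, e, window),
                                             profiles[e.customer])
        results.append((e.customer, e.ts, score, reasons, action))
    return results

# Constructed sample: a normal payroll batch, then a takeover-style batch the next night.
DAY = datetime(2012, 12, 18)
PROFILES = {"acme-llc": Profile(known_devices={"dev-7f3a"}, typical_batch=12000.0)}
SAMPLE_EVENTS = [
    Event(DAY.replace(hour=9), "acme-llc", "login", device_id="dev-7f3a"),
    Event(DAY.replace(hour=9, minute=20), "acme-llc", "ach_batch", amount=11500.0),
    Event((DAY + timedelta(days=1)).replace(hour=2, minute=5), "acme-llc", "login",
          device_id="dev-0c91", ip_country="UA"),
    Event((DAY + timedelta(days=1)).replace(hour=2, minute=31), "acme-llc", "ach_batch",
          amount=58000.0, new_payees=4),
]

if __name__ == "__main__":
    for customer, ts, score, reasons, action in review(SAMPLE_EVENTS, PROFILES):
        print(f"{ts:%Y-%m-%d %H:%M} {customer} score={score:3d} {action:18s} {reasons}")
```

On the sample, the daytime batch from the known device scores 0 and is released, while the 2:31 a.m. batch from an unknown device, a foreign address, four brand-new payees, and five times the usual total scores 115 and is held. The design point is that the "respond" half is a hold plus a callback to contact details the bank already had on file; if the callback number comes from the same compromised session, the attacker simply answers the phone.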

Number Four: Orchestrated Attacks Against American Banks (still ongoing)

The fourth trend we are witnessing in real time is the distributed denial of service (DDoS) attacks on American banks. We've all read the press on this. It can happen to us too. We predict that this trend will continue, and we should dust off our incident response plans in case our providers are attacked. I agree with the skeptics that these organized criminals are probably not going to target a small bank in the middle of Indiana. Instead, they will target your provider. How are you going to communicate to your online banking customers that your system will be "off-line" until further notice?

Number Five: Mobile Banking

The use of smartphones only accelerated in 2012, and we all agree this will continue long past 2013. All the risks we predicted in 2009 related to mobile banking are alive and well. The difference in the near future will come from near field communication (NFC). Look for virtual wallets not only to cause irritating breaches and fraud, but also a loss of market share. Maybe 2013 is too early for a community your size. MAYBE NOT.

Number Six: Increased likelihood of Pretext Calling

2012 was the year that our phone rang off the hook with bankers looking for someone to run pretext calling tests. Pretext calling is social engineering by telephone: the caller poses as a customer, vendor, or colleague to talk an employee into disclosing account information. Most of our Clients experience pretext calling on a regular basis. Unfortunately, privacyrights.org does not list pretext calling as a source of a breach. Furthermore, most pretext calling breaches go unnoticed, and they occur one record at a time. But we see pretext calling used not just by the nosy neighbor, but also as part of malicious attacks on banks and bank customers.

Number Seven: Smishing Scams on the Rise

Smishing is the text-message version of phishing: the bad guys send a text (SMS) to your customers asking them either to click on a link or, in the cases we've seen, to call a number in the 809 area code to "unlock" their locked account. While we've only seen one smishing scam in 2012, we were struck by how easy it was to pull off and how difficult it would be to trace back to a perpetrator. With SMS banking becoming more popular, and given all we've already said about awareness, customer education, and portable device risk, we see this 2012 trend being a big driver of issues in 2013.
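For the bank's side of that scam, here is an added example (written for this page, not code from the original post or from Infotex) of a triage filter for texts that customers forward to the bank. It flags the pattern described above: a lure about a locked or suspended account combined with a link that is not the bank's own domain or a callback number that is not one of the bank's published numbers. The 809 area code comes from the post; it belongs to the Dominican Republic but sits inside the North American dialing plan, which is why the callback looks domestic to the customer. The lure vocabulary, the bank's domain and phone number, the other watched area codes, and the sample messages are all assumptions constructed for illustration.

```python
import re
from typing import Dict, List

# Assumed lure vocabulary and the bank's own contact points (both constructed).
LURE_WORDS = ("locked", "suspended", "unlock", "verify", "reactivate", "urgent")
BANK_DOMAINS = ("examplebank.com",)
BANK_NUMBERS = {"8005550100"}
# 809 is the area code named in the post (Dominican Republic, inside the North
# American dialing plan). The other entries are assumptions; maintain your own list.
WATCHED_AREA_CODES = {"809", "829", "849", "876", "284"}

URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[\w-]+\.(?:com|net|org|info|biz|tk)\b", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")

def host_of(url: str) -> str:
    """Strip scheme, 'www.' and path so the host can be compared to the bank's domains."""
    return re.sub(r"^(?:https?://)?(?:www\.)?", "", url, flags=re.I).split("/")[0].lower()

def extract_numbers(text: str) -> List[str]:
    """Return each North American number in the text as ten bare digits."""
    return ["".join(groups) for groups in PHONE_RE.findall(text)]

def triage(sms: str, bank_domains=BANK_DOMAINS, bank_numbers=BANK_NUMBERS) -> Dict:
    """Classify one forwarded SMS as 'smishing', 'suspicious' or 'ok' with reasons."""
    text = sms.lower()
    reasons = []
    if any(w in text for w in LURE_WORDS):
        reasons.append("account_lure")
    for url in URL_RE.findall(sms):
        host = host_of(url)
        if not any(host == d or host.endswith("." + d) for d in bank_domains):
            reasons.append("offdomain_url:" + host)
    for num in extract_numbers(sms):
        if num not in bank_numbers:
            reasons.append("unknown_number:" + num)
            if num[:3] in WATCHED_AREA_CODES:
                reasons.append("watched_area_code:" + num[:3])
    # The lure alone is just wording; the lure plus a contact point the bank
    # does not own is the smishing pattern.
    contact = any(r.startswith(("offdomain_url", "unknown_number")) for r in reasons)
    if "account_lure" in reasons and contact:
        verdict = "smishing"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample messages: two scams, one genuine alert, one unrelated text.
SAMPLE_SMS = [
    "ALERT: Your Example Bank account has been locked. Call 809-555-0142 now to unlock it.",
    "Example Bank: your account is locked, verify now at http://examplebank-secure.tk/login",
    "Example Bank: a $250.00 debit posted to your account. Details at examplebank.com/alerts "
    "or call 1-800-555-0100.",
    "Hey, are we still on for lunch at 12?",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        result = triage(sms)
        print(f"{result['verdict']:10s} {result['reasons']}  <- {sms[:60]}")
```

The first two samples come back as smishing (the first also carries the watched 809 area code), the genuine alert is ok because its link and number are the bank's own, and a message with only the lure wording lands in "suspicious" for a human to look at. The filter is deliberately simple; its value is in the customer education step, where the bank can show exactly why a text was fraudulent.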

Note: Privacyrights.org (www.privacyrights.org) is an excellent source of information about information breaches that were made public. The search capabilities on this site make it a great tool for information security officers to help their employees understand WHY controls exist.


Dan Hadaway CRISC, CISA, CISM
Founder and President, Infotex

“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”

