Twenty Eleven

By Dan Hadaway | Monday, December 26, 2011 - Leave a Comment

Top Ten 2011 Bank Information Security Issues

Our third year coming up with a “year-end article” for Dan’s New Leaf reflects a few new “controls” that we’ve implemented to mitigate “year-end article risk!”  Yes, new controls!

I actually had enough foresight to poll my management team.  I couldn’t be there for the brainstorming meeting, so they sent me an e-mail with “Top 10-ish” in the subject.  I guess the “ish” part reflects that they proposed twelve different issues as the top ten concerns!  This “ish” must have been included to address any accusation that we don’t know how to count!

So we pruned and combined, and then made a major decision.  See, last year I predicted Mobile Banking would dominate 2011, not realizing that the supplement would be released in June.  So, we decided that rather than incorrectly predicting what will happen in 2012, we are going to list the top ten things that happened in 2011, which should impact what we do in 2012!

Here they are!

Number 1:  June 28th, 2011
I’m sure everybody’s “top ten things in banking” list includes this one day, the day the supplement was released with very little warning and lots of teeth.  The best way to sum this up is from a comment that was made during the Examiner Panel at the 2011 Indiana Bankers Association IT Security Conference held in Fishers, Indiana:

“We’re no longer just the eyes and ears of the federal government.  This [supplement] makes us the eyes, the ears, AND the voice of the federal government.”

This person was referring to the way the supplement combines awareness training with guidelines for how we authenticate our customers.  Proving that “2011 was the Year of the Supplement,” three implications of the supplement made our top ten list:  1) Customer Awareness Training (The Voice), 2) Authentication Risk Assessment, and 3) Detect and Response.

Number 2:  Our Bank Becomes the Voice of the Federal Government
Customer Awareness Training.  It’s finally a requirement!!!  As much as Infotex has pushed for this particular business process since the turn of the century, we rarely saw the response that we are now seeing thanks to the June 2011 Supplement to the 2005 Authentication Guidance.  We have already released a white paper on the subject, and we’ve been working diligently on a “customer awareness training strategy” boilerplate and hope to release one soon.  We believe that by the end of first quarter 2012, you should have your strategy in place, and you should be starting to meet the tactical objectives of that strategy.  It may be a subject of your next examination!

Number 3:  Google Keeps Creating
The innovation at Google just keeps coming and coming, with the new Android Operating System and the September 2011 introduction of Google Wallet, a new standard competing with other major giants in the “wallet capabilities” space for mobile banking applications.  Most human beings are now wise to the extreme search advantages that come with integrating a search engine with your browser, and Chrome is becoming as standard on endpoints as IE was five years ago.  We predict that Google Wallet may substantially impact mobile banking, and that small bankers may be offering wallet capabilities sooner than you think!

Number 4:  Near Field Communication
As a person who saw first-hand the devastation caused by the “Beta vs. VHS” format wars in the early 1980s, I watch with great interest as the Mobile Banking marketplace tries to “discover” a standard that all will settle on when it comes to the mobile wallet.  Google’s recent introduction of Google Wallet, which uses NFC as its architecture, notwithstanding, we are seeing NFC as an up-and-coming buzzword, and I expose myself to reputational risk by predicting that NFC may become the standard adopted by most mobile banking application formats.

What makes NFC stand out to me includes not only the technology itself, which promises to offer tap-n-go convenience in the “point of purchase checkout process,” but also the organizations who are members of the NFC Forum, including:  Microsoft, Sony, Visa, Mastercard, American Express, AT&T, Google . . . the list goes on.

Number 5:  Fair and Partly Cloudy No More
Cloud computing, already hailed as the great ROI in business technology, expanded its appeal to the consumer market in 2011.  Apple’s embrace, coupled with the cost and convenience advantages in almost every area of technology, has caused cloud computing to be the primary architecture for future development.   Now:  how will we bankers become the voice of the government with our Customer Awareness Training programs related to cloud computing?  The risks we have identified apply to the consumer as much, if not more.  How will these risks intersect with branchless banking?  We believe that your customers storing data “in the cloud” may become an item on your next risk assessment!

Number 6:  Mobile Malware

Not only does the notion of Zitmo (Zeus in the Mobile) frighten us bank information security officers, but the fact that 80% of smart phones have NO malware prevention software puts the notion of key loggers and text interceptors (can you say one-time-password) on the top ten radar.  We’re seeing clients struggle with the risk management issues.  The lack of control slaps them in the face, as they recognize that while customer awareness training may lower impact especially on the legal risk side, it does nothing to lower likelihood since we can’t force our customers to use good practices.

Or can we?

Can this three-word question be explored in 2012?  Are there ways we can coordinate a Contractual / Network-Access-Control approach to enforcing customer awareness controls?

Number 7:  Authentication Risk Assessments
The propensity to require drill-down risk assessments as we were required to do for Red Flags, Social Media, and Mobile Banking was inherent in the June 2011 Supplement to the 2005 Authentication Guidance.  If you haven’t already done so, you should inventory all “branchless banking assets” at the transaction level, calculate inherent risk as it pertains to authentication (using factors described in the original guidance), inventory authentication controls, and calculate residual risk.  We’ve got a template, give us a call!  We believe your examiners may be asking for this next year!

Number 8:  Detect and Respond
One other far-reaching implication of the Supplement to the 2005 Authentication Guidance is the notion that we now need to detect anomalies in high-risk transaction assets and respond in some manner that will confirm authentication.  We’re seeing smaller clients try to work out manual capabilities, but we believe the anomaly detection vendors cheered on June 28th, 2011.  We think detect and respond may be a very hot topic in 2012.
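To make the detect-and-respond idea concrete, here is an added example (written for this article; it is not infotex code and not a method the Supplement prescribes) that scores one high-risk transaction against a customer’s baseline and picks a response that re-confirms authentication. The profile, rule names, weights and thresholds are constructed assumptions.

```python
# Added example (not infotex code, not part of the Supplement): rule-based
# anomaly scoring for a high-risk transaction with a step-up response.
# Profiles, rules, weights and thresholds are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Profile:
    known_devices: frozenset   # devices this customer has used before
    known_payees: frozenset    # payees previously paid from this account
    typical_amount: float      # constructed baseline transfer size
    home_state: str

@dataclass
class Transaction:
    txn_id: str
    device_id: str
    payee: str
    amount: float
    state: str

# (rule name, weight, predicate): hypothetical indicators of an anomaly.
RULES = (
    ("new_device", 3, lambda t, p: t.device_id not in p.known_devices),
    ("new_payee", 2, lambda t, p: t.payee not in p.known_payees),
    ("amount_outlier", 3, lambda t, p: t.amount > 5 * p.typical_amount),
    ("out_of_state", 1, lambda t, p: t.state != p.home_state),
)

STEP_UP_AT = 3   # score at which we re-confirm authentication (e.g. OTP)
HOLD_AT = 6      # score at which we hold the transaction for out-of-band contact

def score(txn: Transaction, profile: Profile):
    """Return (total score, names of the rules that fired)."""
    hits = [name for name, _, pred in RULES if pred(txn, profile)]
    total = sum(w for name, w, _ in RULES if name in hits)
    return total, hits

def respond(txn: Transaction, profile: Profile) -> str:
    """Map the anomaly score to a response that confirms authentication."""
    total, _ = score(txn, profile)
    if total >= HOLD_AT:
        return "hold_and_verify_out_of_band"
    if total >= STEP_UP_AT:
        return "step_up_otp"
    return "allow"

if __name__ == "__main__":
    p = Profile(frozenset({"dev-A"}), frozenset({"landlord"}), 400.0, "IN")
    for t in (Transaction("t1", "dev-A", "landlord", 450.0, "IN"),
              Transaction("t2", "dev-Z", "new-vendor", 900.0, "IN"),
              Transaction("t3", "dev-Z", "unknown-acct", 9000.0, "CA")):
        print(t.txn_id, score(t, p), respond(t, p))
```

A real deployment would tune weights from the bank’s own transaction history and log every step-up or hold so the response can be reviewed.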

Number 9:  Gesture Recognition
Okay, this might not impact you in 2012 per se, but it’s so cool we included it anyway!  Biometrics has been the ever-elusive but always-promising solution to authentication and 2011 shows us a bit of an advance with the new Android Operating System’s release.  But biometrics will also be leveraged for regular input.  Human gestures used as input, made popular in the gaming market with such systems as the Nintendo Wii and Microsoft’s Xbox Kinect, are seen as an innovation that will continue to evolve . . . revolt might be a better word . . . over the next few years.  While we certainly don’t list gesture recognition as a control in our authentication guidance, we believe mobile biometrics and human gesture input may eventually cross over into banking applications.  Imagine your customers logging into on-line banking with their Wii.

Imagine doing a dance to unlock your car.

Number 10:  Event Log Management
Our final (and self-serving) declaration is that in 2011 we saw auditors and examiners take a more detailed look at how bank information security professionals are watching their event logs.  Of course, this is also the year that infotex finished our own ELM Visualization Interface, which we believe will position us well to help you respond to this new challenge.  And notice, I used “will” instead of “may” in that last sentence!


Well there it is, our top ten list for twenty eleven.  And you can see that yes, we installed new “risk management controls” such as using “may” and “should” instead of “will” in our predictions (lowers likelihood), looking backwards instead of forwards as much as possible (lowers impact), and, of course, using “we” and “us” and “our” as much as possible (transfers risk)!

See, I’m a risk manager at heart, even when I write top ten lists!


Founder and President, Infotex


“Dan’s New Leaf” is a “fun blog to inspire thought in the area of IT Governance.”
