Radio Shalom 1650AM, Money and Business Show
Samuel Ezerzer and Jack Bensimon
February 5, 2013
Banking and Securities Regulatory Compliance
“Online Security Threats for Customers of Financial Institutions: Buyer Beware”
with Adam Sculthorpe, Founder of bitVelocity
MONEY AND BUSINESS
Today’s topic of discussion: “Online Security Threats for Customers of Financial Institutions: Buyer Beware”
Recently the US Federal Reserve was hacked, compromising the privacy data of over 4,000 US bank executives. This is a serious breach of privacy where information leakage, including identity theft, can disrupt the lives of many.
Financial institutions are particularly vulnerable to these online security threats, ranging from the US Federal Reserve, to banks taking customer deposits, to investment banks with trillions of customer assets at their disposal.
On our show today we will focus on the types and impact of various online security threats to customers of financial institutions.
My name is Samuel Ezerzer, your host to the Money & Business show on Radio Shalom, CJRS 1650 AM. Thank you for tuning in live with our Business studios headquarters in Montreal, the financial capital and the home to the greatest hockey team, the Montreal Canadiens. We have another great show for you today and as always, you can call if you have any questions, comments, or criticisms on today's topic. Please call us direct at 514 738 4100 ext 200 or email me at email@example.com if you have any inquiries. You can also visit our website at http://www.radio-shalom.ca/ – all our shows are archived there.
Today’s topic of discussion: “Online Security Threats for Customers of Financial Institutions: Buyer Beware”
Our guest today is Jack Bensimon, Managing Director of Black Swan Diagnostics Inc., an independent securities regulatory compliance consulting firm located in Toronto’s Bay St. core. He has worked in the securities industry for over 19 years, mainly acting as Chief Compliance Officer (CCO) for banks, investment banking and counselling firms, trust companies, and broker-dealers. He has testified as an expert anti-money laundering witness in federal court for a major banking litigation case.
He is a graduate of the University of Toronto, The Wharton School, University of Pennsylvania (Investment Management). Jack has a Master of Laws (LL.M.) in Business Law from the University of Toronto, Faculty of Law. Jack also has an LL.M. in Securities Law and an LL.M. in the General stream, both from Osgoode Hall Law School (York University). He is chair of the subcommittee and board member of the Canadian Technion Society. The Technion-Israel Institute of Technology is based in Haifa, Israel. He can be reached at firstname.lastname@example.org
Adam is a visionary leader in the IT security world with a career spanning more than 25 years. Adam’s first experience in security was with the Royal Anglian Regiment of the British Army as a signals specialist, and he then went on to build an IT career.
In the late 1990s Adam became the sole UK distributor of the first PC Firewall developed by Signal9 Solutions in Kanata, Ontario and then went to work for TNT Worldwide as their first security specialist. He then went on to work for Internet Security Systems (ISS) as a senior security consultant providing services to numerous financial, government, military and corporate clients including Goldman Sachs, Bank of America, Citibank and The London Stock Exchange.
After leaving ISS Adam worked at UBS Investment Bank before relocating to Canada. In 2004 he pioneered click fraud detection software and services solutions and his research and client stories were featured in The New Scientist, The New York Times, The Register and on National TV and Radio. Adam is currently Founder of a startup called bitVelocity where he is developing cloud-based web hosting solutions that improve search ranking. Adam is also developing privacy testing solutions and internet encryption software.
Jack to Adam: I understand you’ve been working on some privacy initiatives. Tell us about what you’re up to with privacytesting.com
Adam to Jack:
Jack to Adam: There is not a week that goes by without some news story about an institution being hacked where data privacy is compromised. Have there been any recent stories that concern you and that you can share with us?
Adam to Jack:
Jack to Adam: What’s the worst damage these hackers can do to the all-important institution, such as the US Federal Reserve?
Adam to Jack:
Segment I: Introduction to Online Security Threats
[JACK TO ADAM] Q1: What do we mean when we speak of “online security threats”?
An online threat is an individual, criminal organization or government motivated by a financial, political or other agenda to exploit a new or known vulnerability.
[Jack to Adam] Q2: Why are these security issues considered “threats” and not necessarily “risks” for customers of FIs?
Good question. Threats are just that – they are a threat that looms over financial institutions, requiring the F.I. to either fail to patch a known vulnerability, be unaware of and unable to defend against a new vulnerability, or make some other mistake. The reason these many threats are not necessarily risks is because for the most part the known vulnerabilities are well managed and new vulnerabilities are reasonably difficult to discover.
[Jack to Adam] Q3: What makes an online security threat more dangerous or pervasive than the next?
The threat is powerless without an exploitable vulnerability. What’s really dangerous is when a threat source, i.e. an individual, criminal organization or government, discovers a new vulnerability that’s unknown to their intended target. In this case there’s likely to be an impact on the victim even if the window of opportunity is limited or isolated. Unfortunately, when these types of attacks are successful they can often go undiscovered for months or years.
[Jack to Adam] Q4: Can you describe the patching process and its importance in mitigating online security threats?
The patching process is very simple: new vulnerabilities are discovered and fixed by the software vendor, and a patch is applied to existing online systems and included in system builds for new machines. Over time new vulnerabilities are discovered and the cycle repeats. The time between discovery and patching is critical because the most successful attacks are automated and optimized to exploit that gap. Unfortunately humans aren’t yet capable of working at light-speed; someone needs to fix that, although I’m not sure how it might affect rates of pay.
[Jack to Adam] Q5: What are some of the weaknesses or vulnerabilities to patching?
You can’t patch what you don’t know about; that’s the biggest issue. This is why I believe privacy testing is so important. It’s a no-brainer to me that we have to assume there’s always a vulnerability we don’t know about and also assume that vulnerability is being actively exploited. Privacy testing focuses primarily on detection of theft and misuse of personal and business data. It’s nice to be compliant and meet standards, but these things are no substitute for testing what’s actually happening to data that enters a system.
Segment II: The Scope of Online Security Threats to FI Customers
[Sam to Adam] Q1: Online security threats seem to be more pervasive among financial institutions compared to other industries. Why is that?
There are many reasons for this. First of all, the individual inside attacker threat is higher because the stakes are higher, and the risk is higher due to the sheer number of employees and the bad guy’s perceived ability to hide somewhere in the noise, so actual attacks in these cases can, have and will be successful to some degree. Even though they are rare, they often get massive press attention because it makes a great story. In reality FIs’ websites are a lot safer than small to mid-sized businesses.
[Sam to Adam] Q2: What are some unique factors or threats to FIs that don’t normally exist in other industries?
Greed and envy, it’s that simple. Financial institutions are often perceived as gigantic, profitable, greedy and cash rich, and this results in a disproportionate number of people that work for these institutions often feeling more entitled to a bigger slice of the cake. Greed breeds greed and the resulting sense of entitlement in some individuals can lead to devastating losses for the financial institution.
[Sam to Adam] Q3: What shape do these security threats normally look like?
These threats come from individuals in positions of power within a powerful environment. It could be a pissed off IT guy who didn’t get the salary increase he wanted, so because he’s in control of powerful infrastructure and feels powerful he might do something very damaging. I’ve seen this happen in an investment bank and the losses were significant.
[Sam to Adam] Q4: How are identified patterns used to patch new online security threats in the FI space?
Unusual traffic patterns can be discovered by skilled security staff operating intrusion detection and prevention systems, which in turn can lead to in-depth analysis of what an attacker is trying to achieve. It can then be blocked until a patch can be released if it’s the case of a new vulnerability.
[Sam to Adam] Q5: Why should customers of FIs be concerned about the voracity and frequency of online security threats to their accounts and privacy?
Customers should be concerned because losses are occurring every day and it’s becoming increasingly common. Just last week two individuals told me they both had their accounts compromised on the same day; one was in Canada and the other in the US, and the amounts stolen weren’t trivial: one of them was for $12,000. As an account holder you need to take responsibility and be diligent about checking statements and making sure your PC is as secure as it can be. I recommend using Google’s Chrome Browser, and I’m launching a new version of Internet Encryptor in the next few weeks that massively enhances its security, so watch out for that too.
Segment III: The Universe of Common Online Security Threats
[JACK TO ADAM] Q1: HOW DIVERSE IS THE UNIVERSE OF ONLINE SECURITY THREATS IN THE FI SPACE?
It ranges from young kids who get a laugh out of knocking a website offline to governments trying to steal trade secrets, and outside of FIs I’ve been involved in investigations where online systems were being exploited to help smuggle drugs, extort millions from large corporations and even organize attacks to take other people’s lives. I’d say that’s pretty diverse.
[JACK TO ADAM] Q2. WHAT ARE THE THREE MOST COMMON THREATS THAT FI’S NEED TO WORRY ABOUT?
Insider attacks are a big one for FIs. Criminal organizations are another that’s scaling up rapidly, but they primarily target the customer because it’s a much weaker and ultimately more profitable and sustainable target. The other increasingly active threat I’ve been trying to get organizations to take seriously for a long time is foreign governments. I handled an incident where a corporation was in the process of doing business with a foreign government and we discovered that government had successfully accessed their servers and stolen inside information; the attacker was also trying to get deeper into their systems and was just a couple of steps away from the crown jewels.
[JACK TO ADAM] Q3. WHAT TYPES OF THREATS CAN CAUSE THE GREATEST AMOUNT OF HARM TO CUSTOMERS?
This is such a huge minefield, but indirect social engineering attacks on Facebook accounts are growing. Criminals are taking over targeted accounts and then sending messages to the account holder’s friends along the lines of “Help, I’m in trouble, can you please send me some money?” Attacks of this nature on vulnerable demographics really bother me. It’s a challenge to educate people to be aware of this type of attack, and even if they’re aware it’s very easy to believe bogus claims that appear to come from trusted friends. Personally I feel this is one of the most harmful attacks because once the victim understands what happened they are often emotionally affected by it and embarrassed it has happened; it can be very upsetting for the victim and the financial loss can be significant.
[JACK TO ADAM] Q4: APART FROM PATCHING THREATS, WHAT MITIGATION MEASURES OR TOOLS ARE USED TO MINIMIZE CUSTOMER DAMAGE?
FIs have some very sophisticated technology at their disposal, including intrusion prevention and behavioral monitoring. There is also a lot of monitoring and logging of internal systems to ensure staff aren’t doing bad things. Overall FIs are doing a pretty good job, but often they’re doing just enough to keep regulators happy and I personally feel they could do more at the customer end. There are online games, for example, that have much stronger online security measures for their customers than a lot of banks do.
Segment IV: Customers on the Defensive – Measures they can take
[SAM TO ADAM] Q1. WHAT ARE SOME WAYS THAT FI CUSTOMERS CAN PROTECT THEMSELVES IN SHIELDING AGAINST THREATS TO THEIR ACCOUNTS, PRIVACY OR OTHER KEY CUSTOMER DATA?
Get good antivirus software but, more importantly, keep it up to date. Ensure operating system updates are done regularly or automated, and use very strong passwords that include upper and lower case, alphanumeric and special characters. If you have the option, use a one-time password token or a mobile device authenticator. Get Google’s Chrome browser as it has some very strong security features built-in, and when I launch the next version of Internet Encryptor get it, especially if you use Wi-Fi.
[SAM TO ADAM] Q2. HOW CAN IT DEPARTMENTS AT FI’S REDUCE DAMAGE TO CUSTOMERS FROM ONLINE SECURITY THREATS?
First of all, security begins and ends with people, not technology, so IT people need to learn to be more like regular policemen and detectives who are experts in understanding crime and people. Once you understand how people operate, what drives them and the psychology of how a customer operates and how an attacker thinks, you’ll be much better at your IT job. Most IT people I know are already amazing at the technology part but they need to work harder on the people part and get out of their logic box.
[SAM TO Adam] Q3. Where are IT departments most deficient in managing online security threats?
I believe there are too many IT staff with cookie cutter security certifications and not enough creative thinkers and security staff with police and intelligence service backgrounds. We need more diversity in our IT security departments and we need to encourage junior analysts and treat their reports with the same weight as senior analysts’. There’s a tendency for cognitive biases to form in the minds of the more experienced staff, and junior staff can often see real issues that more experienced staff have conditioned themselves to filter.
[SAM TO ADAM] Q4. IS THERE A ROLE THAT LEGISLATION CAN PLAY IN ENFORCING FI’S TO PROTECT CUSTOMERS FROM THE CARNAGE OF THREATS?
Yes, I believe legislation is required in all jurisdictions to require organizations to report security breaches publicly. It may seem painful at first but I believe it will help the industry at large learn and improve their threat management practices.
[Sam to Adam] Q5: Are there major differences across jurisdictions (e.g., UK, Canada, U.S.) in how FIs treat online security threats in protecting customer accounts?
Historically European FIs have been much more proactive and agile in taking threats seriously and responding to them, in my experience, but over the past few years things have improved significantly, particularly in the U.S.
Segment V: Conclusions – Wrap-Up
[Jack to Adam] Q1: What future threats do you predict will become more pervasive in the FI space? How will they continue to impact the integrity of customer accounts and customer data?
I believe there will be an increase in socially engineered attacks on customers directly and there will be an increase in vulnerabilities and attacks on mobile devices.
[Jack to Adam] Q2: What single online security threat should an FI customer consider switching to another institution?
The threat isn’t going away anytime soon and it’s common to all FIs. My advice is to proactively look for an FI that takes security seriously and offers token or mobile device authentication for online transactions. Prevention is better than cure, as my grandmother would have advised me.
[Jack to Adam] Q3: Can you tell us what you’re working on at the moment?
I’m working on expanding bitVelocity’s new website hosting and management service that improves search rank and reduces the risks associated with cheap web hosting, and in the next few weeks I’ll be launching a new version of my internet encryptor software.
I would like to thank Adam Sculthorpe for speaking on our show and providing insights in discussing the various online security threats for financial institutions and how they can impact customer accounts and customer data.
Adam Sculthorpe can be reached at privacytesting.com