Bankers beware: New breed of bank robber targets data, not cash

These days, the information that banks accumulate in their computer systems can be more valuable than the cash they store in their vaults, and a whole new breed of bank robber is out to steal it.

To protect themselves and their customers from the staggering financial and legal consequences that can result from information theft, bankers may have to fundamentally change how they think about issues such as security, technology and innovation, say the experts.

Anyone who has ever opened a bank account or applied for a loan knows firsthand how much private information banks require from their customers, including addresses, Social Security numbers, credit-card numbers, driver’s license information and financial data.

Information thieves also are aware of the vast amount of personal data that banks store and may view these institutions as potential one-stop shops for large-scale identity theft.

According to the Anti-Phishing Working Group, which tracks Internet fraud, scammers target financial services more than any other industry. In December 2005, 89.3 percent of all Internet identity-theft attacks targeted the financial industry, including banks, credit unions and credit-card associations.

Common scams include:

Phishing. Sending e-mails falsely claiming that the sender is a legitimate organization attempting to collect personal information such as user IDs and passwords from individuals.

Spear phishing. Directing phishing attacks at the employees of a particular company (for example, sending e-mail purportedly from the internal IT department, requesting a password change).

Pharming. Using a forged Internet address, a ruse called "domain spoofing," to trick users into thinking they are on a known, secure site while they enter private and financial information.

The following information will help bankers better understand the unique challenges their industry faces in the war against information theft and establish a workable battle plan to help protect customers, employees and institutions.

A fundamental change: Two-factor authentication
Most banks in the United States require customers to furnish a user name and password to access funds and personal account information. However, bank regulators have determined that this method isn’t good enough and have given the industry less than a year to implement sweeping security improvements.

The Federal Financial Institutions Examination Council, an umbrella group of regulators that includes the Federal Reserve System and Federal Deposit Insurance Corp., informed banks that the single-factor authentication (for example, a user name and password) most banks employ provides insufficient protection against account fraud and identity theft. The council ordered all banks to implement higher-security two-factor authentication by December 2006. Two-factor authentication pairs something the customer possesses (such as a hardware token, a fingerprint or a smart card) with something the customer knows (such as a password or personal ID number) to provide greater protection during online banking transactions.

U.S. banks already employ two-factor authentication at ATMs, where a customer must insert a card and enter a PIN in order to complete a transaction. But U.S. customers are not used to such measures applying to their personal computers, and experts warn the transition might be bumpy. Implementing such a system brings a new set of questions bank officials must answer. For example, how should banks distribute required tokens or hardware devices? How should they deal with a lost or stolen device? How can they best communicate new systems to customers who have little or no experience with this kind of security? Experts say the success of two-factor authentication may depend on how well banks are prepared to answer these questions.
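As an added illustration (not part of the original article), this Python sketch shows the server-side check behind the hardware-token second factor described above: an event-based one-time code (HOTP, RFC 4226) is verified together with the password, a small resync window tolerates codes generated but never submitted, used counters are never accepted again, and a revocation flag covers the lost-or-stolen-device case raised above. Account, login and report_lost_token are hypothetical names chosen for the example; the token secret is the published RFC 4226 test key.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical customer record: salted password hash plus token state."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.token_secret = token_secret   # shared with the customer's hardware token
        self.counter = 0                   # next token counter the bank expects
        self.token_revoked = False         # set when the customer reports the device lost
        self.failures = 0                  # consecutive failed logins (lockout)


def login(acct: Account, password: str, code: str, look_ahead: int = 5, max_failures: int = 5) -> bool:
    """Both factors must pass; evaluate both so a failure reveals nothing about which one was wrong."""
    if acct.token_revoked or acct.failures >= max_failures:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000), acct.pw_hash)
    # Resync window: accept the next few counters, never an earlier one (replayed codes fail).
    matched = None
    for c in range(acct.counter, acct.counter + look_ahead):
        if hmac.compare_digest(hotp(acct.token_secret, c), code):
            matched = c
            break
    if not (pw_ok and matched is not None):
        acct.failures += 1
        return False
    acct.counter = matched + 1   # advance past the used counter so the same code cannot be replayed
    acct.failures = 0
    return True


def report_lost_token(acct: Account) -> None:
    """Lost or stolen device: the possession factor is revoked until a new token is issued."""
    acct.token_revoked = True
```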

Re-examining IT security
While banks must, of course, maintain regulatory compliance, experts warn that banks simply cannot afford to be merely reactive when it comes to information security. Regulators increasingly are paying attention to IT issues, and bank officials must remain vigilant to stay abreast of the ever-changing threats they face and take steps to prevent problems before they occur.

While it used to be common practice for bank examiners to count the cash in a bank’s vault during a review, few examiners bother in this age of credit cards and electronic funds. Today’s examiners are much more likely to be technologically savvy and demand proof that an organization has taken the appropriate steps to safeguard funds and information from both internal and external threats.

Experts advise against waiting for the examiner’s dreaded "memo of understanding" before thinking about these important issues. Conducting a thorough risk assessment at least once a year is an important step to determine information security gaps and identify ways to fill them.

A good IT security assessment will address the following:

Regulatory compliance. Is your bank compliant with all current and pending IT regulatory requirements?

External network security. Does your computer system have a firewall? Is your network vulnerable to penetration from the outside? Do you have an intrusion-detection and response policy in place?

Internal network security. Which employees have access to secure information? How does your institution process and manage user IDs? What is your policy on passwords (confidentiality, change frequency, characteristics, and so on)? Is sensitive data centralized and protected on a single server? Would a laptop theft result in a breach of data security?

Policy review. What controls are in place to prevent information fraud by trusted employees? Are your IT personnel knowledgeable about the latest security threats and safeguards? Do your employees know how to spot security risks or information scams? Do your customers?

You might choose to do all or part of your assessment in-house to save money, but experts recommend at least pursuing a hybrid solution, such as inviting an external expert to do some of the work each year or all of the work every two years.

Additionally, when seeking an external consultant, make sure to select somebody who understands the unique needs of banks, has experience in the industry, and has real-world knowledge about what works and doesn’t work for information protection. The money you invest in information security today may protect you from huge losses, regulatory fees and legal liability in the future.

RSM McGladrey Inc. and McGladrey & Pullen LLP have an alternative practice structure. Though separate and independent legal entities, the two firms work together to serve clients’ business needs. RSM McGladrey is not a licensed CPA firm.

RSM McGladrey Inc. is a member of RSM International, an affiliation of separate and independent legal entities.

2007 RSM McGladrey Inc. All Rights Reserved. Contact us toll-free at 800.274.3978