No-Tech Hacking Poses Threat to Financial Institutions, Two Authors Say
BALTIMORE -- The titles of the books tell a story--"The Spies Among Us" by Ira Winkler and "No-Tech Hacking" by Johnny Long.
Both Winkler, president of Internet Security Group in Baltimore, and Long, a security researcher at Computer Sciences Corp. in Falls Church, Va., make the point that while the topic of data security usually stirs thoughts of someone at a remote location breaking electronically into a computer to steal information, not every intrusion involves the latest technology.
For example, in an interview with InfoWorld, Winkler stressed how easy it can be for someone to tailgate by following an authorized employee into the building. Long noted in the same article that restrictions on smoking in most buildings have created huddles of employees gathered outside a back entrance for a smoking break. He indicated it's not that hard to blend into the group when they return to work.
Other techniques involve posing as a visitor, anyone from an outside IT consultant to a telephone repairman or electrician. Actual employees can be paid to steal information.
"There's a lot to be concerned about," Winkler told Credit Union Times. "Frankly, in many ways hacking into a bank or credit union computer is probably one of the smaller concerns. I'm not saying it's not important. I am saying it's relatively small given the overall threat."
"You [the criminal] are after money one way or the other. The big thing about hacking banks or credit unions, you're hacking accounts to transfer money out. In order to access an account, you need the account information, not necessarily by hacking into a bank computer."
Financial institutions have to approach security as risk management, Winkler continued. If security is defined as freedom from risk, a bank or credit union is never going to be free from risk. However, security can be very cost-effective given the potential loss. For example, in one actual incident, bags of financial data fell off a truck. What would have been the cost of a shredder? Winkler asked. Trivial compared to the loss and embarrassment.
It's not unheard of, he noted, for people to obtain jobs inside financial institutions for the purpose of robbing them. Janitors and guards may have ready access to trash with account numbers, credit reports and other important details. Today a lot of those jobs are outsourced.
"Businesses are outsourcing customer service to, for example, India. That can create a major security nightmare. You have to consider you are basically giving people who are making 25 cents an hour access to very valuable data," Winkler said.
He noted a criminal may gain $8,000 in a typical robbery, while an inside job may net $80,000.
"Are you performing background checks on your people? Are you monitoring them? Where are you putting sensitive documents? Is your shredder conveniently near where critical documents should be destroyed? Is data that should be locked up available to the janitor or other people?" he asked.
Ron Knode, director in the Global Security Solutions unit at Computer Sciences Corp. and a Leading Edge Forum research associate, indicated a number of studies show more than half of all security breaches are actually the result of physical issues. For example, a laptop loaded with critical data is lost or stolen.
Knode pointed out a survey released at the end of 2007 showed credit card and bank information was the most popular item on the criminal underground network of stolen data. The money today, he said, is in selling information about banking activity.
Credit unions and banks organize their data to provide easy access to financial information. If records fall into the wrong hands, that also makes it easy for criminals.
Knode approaches security from two directions--the physical direction and the logical direction. The two are converging, and the businesses that have been the most successful in their security efforts are the ones who have made that convergence.
On the physical side, some credit unions and others are protecting themselves with Internet protocol video monitoring. There's no need for closed-circuit television. Cameras and microphones can report to a central console based on the data network. There are also multifactor access control mechanisms using handprint geometry, biometrics and voiceprints.
"But you don't want to make it inconvenient. You want people to come into your building; you want them to open accounts. But if a member needs access to additional areas such as a safe-deposit box, a different factor of identification and authentication is used," Knode said.
All physical access may be hooked into a central card that controls access to facilities and data. The smart card can be tailored to each employee and their need for entry to specific areas or information. There's a record of who went where and when.
On the logical side, several major credit unions have introduced single sign-on with one password. The same card that allows you to sign onto the computer may also provide physical access to the building, combining logical and physical security. It may even record training you have completed.
It can also block tailgating. If you walk into a credit union without using the card, then try to log onto the computer even with a card, it won't work. The system doesn't recognize you because, as far as it is concerned, you aren't there.
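The tailgating check Knode describes, where a logon is refused because the badge system has no record of the person entering, can be written as a small correlation rule. The script below is an added illustration, not code from any product or institution mentioned in the article; the card ids, door names, timestamps and hosts are constructed for the example, and the assumption that the same card id appears in both the badge log and the logon log is hypothetical.

```python
"""Converged physical/logical access check.

Rule: a workstation logon is allowed only if the same card's most recent
badge event before the logon is an entry (badged in, not yet badged out).
Refused logons are also reported as possible tailgating for the security
team to review.

Added example, not code from the article or from any named vendor.
All event data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    card_id: str
    door: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class LogonAttempt:
    ts: datetime
    card_id: str  # hypothetical: the logon smart card carries the same id as the badge
    host: str


# Constructed badge log (physical side).
BADGE_EVENTS: List[BadgeEvent] = [
    BadgeEvent(datetime(2008, 3, 3, 8, 50), "card-0003", "front-door", "in"),
    BadgeEvent(datetime(2008, 3, 3, 8, 55), "card-0001", "front-door", "in"),
    BadgeEvent(datetime(2008, 3, 3, 12, 0), "card-0003", "front-door", "out"),
]

# Constructed logon log (logical side).
LOGON_ATTEMPTS: List[LogonAttempt] = [
    LogonAttempt(datetime(2008, 3, 3, 9, 2), "card-0001", "teller-01"),   # badged in: allowed
    LogonAttempt(datetime(2008, 3, 3, 9, 10), "card-0002", "teller-02"),  # never badged in: refused
    LogonAttempt(datetime(2008, 3, 3, 12, 15), "card-0003", "loan-01"),   # badged out at noon: refused
]


def is_present(events: List[BadgeEvent], card_id: str, at: datetime) -> bool:
    """True if the card's latest badge event at or before `at` is an entry."""
    last: Optional[BadgeEvent] = None
    for ev in events:
        if ev.card_id == card_id and ev.ts <= at:
            if last is None or ev.ts > last.ts:
                last = ev
    return last is not None and last.direction == "in"


def authorize_logon(events: List[BadgeEvent], attempt: LogonAttempt) -> Tuple[bool, str]:
    """Apply the convergence rule to one logon attempt."""
    if is_present(events, attempt.card_id, attempt.ts):
        return True, "ok: badge entry on record"
    return False, "denied: no badge entry on record (possible tailgating)"


def tailgating_alerts(events: List[BadgeEvent], attempts: List[LogonAttempt]) -> List[str]:
    """One alert line per logon that was refused because the person is not 'there'."""
    alerts = []
    for a in attempts:
        ok, reason = authorize_logon(events, a)
        if not ok:
            alerts.append(f"{a.ts.isoformat()} {a.card_id} on {a.host}: {reason}")
    return alerts


if __name__ == "__main__":
    for a in LOGON_ATTEMPTS:
        ok, reason = authorize_logon(BADGE_EVENTS, a)
        print(f"{a.ts.time()} {a.card_id} {a.host}: {reason}")
    print("alerts:", len(tailgating_alerts(BADGE_EVENTS, LOGON_ATTEMPTS)))
```

The rule keys on the most recent badge event rather than on "any entry today", so someone who badged out at lunch and walked back in behind a colleague is refused just like someone who never badged in at all. The refused attempts are the useful signal for the guard desk: each one is either a broken badge reader or a person inside the building without a recorded entry.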
As for cost, Knode argues that today's security approaches can offer efficiency and productivity.
"It's a lot larger payback than anyone expected," he said. "In most enterprises, the people who control our logical systems--our computers and networks--are one group of people and we have to ask them, for example, to give us an account. The folks who control our building access and clearances are another group, and we have to ask them to give us an access card or key or something to get us into a building.
"There's a big payoff going to a single sign-on because you don't have to get nine or 10 passwords. But when you do physical and logical access convergence, the provisioning payoff is almost off the charts."