ABA Banking Journal - December 2008 - (Page 36)
Tech topics

vaults and similar kinds of controls in the environment.

What do you advise bank employees to do if someone pulls a gun?

Well, as they should be shown on a training DVD, bank employees should listen to the perpetrator, try to notice details of appearance for later work with police, but stay calm and quiet and do as they are told. Don’t try to play the hero. No tackling or arguing with the person. Just get the thieves out of there, then call the police. Some tellers are shown where to hit alarms, which is fine, as long as you’re not going to stir up a racket and the police know to act quickly, rather than to simply call the bank and ask if anything’s wrong.

I like what you have to say about awareness. What about office space, keeping files locked up and making it difficult for a non-authorized person to grab information, even from dumpsters?

Certainly that’s important, but most banks are good with their assets, including documents that they are working with or done with. Banks have an operations protocol called a “dual method of control,” which means that at least two people have to be involved in the opening of a vault or the monitoring of office opening and closing procedures. So in many senses, they are covered. Now, you don’t want a fortress, you want a customer-friendly community bank. But again, you want to be protected during business hours just the way you are during the beginning and end of the day if you follow those procedures. The most important thing is doing what’s reasonable. The bank employee needs to be able to do their job yet also pick up on the unusual. If somebody comes in wearing a trench coat and seems off and it’s nearly 90 degrees—that might be indicative of something. There has to be a judgment call.

You train in a classroom setting. What else do you recommend?

First, I always tell senior management to do what they can afford to do. Treat the employees like the people they are—that middle-aged woman is somebody’s aunt or mother. That young college student is somebody’s child. Really think about what steps can protect staff and your customers. And get friendly with your police department. They can’t always be hanging out at Dunkin Donuts. As for training, videos can be effective. What I do like about the classroom is that the way I approach it, I encourage students to think for themselves. That wakes them up. For instance, we do this exercise where we have partners face each other and query

Webnotes

Security flaws are probably designed into your online banking website

By Bill Orr, contributing editor, billorr@ibert.org

Pogo said it: We have met the enemy and he is us. In a carefully crafted study, the University of Michigan reports that 76% of online banking websites contained at least one design flaw that could lead users to make “bad security decisions.” The flaws are not the typical software bug that can be fixed with a patch and a mea culpa. They show up in websites that are designed by security experts and fortified with the latest security protocols, such as SSL, and can unintentionally make it easy for users to expose sensitive data to cybercriminals.

The Michigan analysis of online banking programs in 214 U.S. financial institutions focused on the recurrence of five common design flaws that the research team identified in preliminary research. Results: 76% of the sites had at least one design flaw; 68% had two or more flaws; 10% had all five. The five design flaws and the frequency (percent) of their occurrence are:

1. Contact information/security advice on insecure pages (55%). To compromise such a system, an attacker “only needs to spoof or modify the page, replacing the customer service phone numbers with bogus numbers.” A fraudster might set up a bogus customer service number with the malicious intention of later collecting information from a customer when she calls in response to, say, a bogus message informing the user of the need to reset her password. Most users will welcome such a message, carefully worded to allay suspicion. This example from the study’s files: “We regret to inform you that we have received numerous fraudulent e-mails which ask for personal account information. Please remember that we will never ask for personal account information via e-mail or web pages. . . To activate your [new Identity Theft Protection Program] please call .”

2. Presenting secure login options on insecure pages (47%). Login pages and options displayed on insecure pages leave users vulnerable. In this common case, a man-in-the-middle or a domain name hijacker can spoof the entire page and manipulate the secure data (without understanding it), thus gaining control of the dialog. A trusting user might not be looking for positive evidence that sensitive login information is secure, and likely won’t notice its absence. Even more likely, she won’t be

The user, assuming that the information is protected, then gives up her Social Security number, birth date, and other private information. The design flaw here is ignoring the well-known security principle of protecting not only the data channel, but also the context used to generate the session keys for the channel. In IT-speak, SSL 2.0 was vulnerable to cipher rollback attack because it did not adequately protect the key negotiation steps, the report says.

WEBNOTES continued on p. 44
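An added example, not code from the article or from the Michigan study, of how a bank’s own web team could audit a fetched page for the two flaws described above: a login form offered on a page served over plain HTTP (even when the form posts to HTTPS), and customer-service phone numbers shown on an insecure page. The page URL, markup and phone number below are constructed for the demonstration.

```python
"""Audit one HTML page for two user-visible design flaws: a login form
on a page that was itself served over plain HTTP, and customer-contact
phone numbers on an insecure page. Stdlib only; runs offline."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# North American phone formats such as 1-800-555-0100 or (800) 555-0100.
PHONE_RE = re.compile(r"\b(?:1[-. ]?)?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")


class _PageScan(HTMLParser):
    """Collect form actions, password inputs and visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []           # action URL of every <form>
        self.password_inputs = 0  # count of <input type="password">
        self.text = []            # visible text fragments

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_data(self, data):
        self.text.append(data)


def audit_page(page_url, html):
    """Return a list of finding strings for the page fetched from page_url."""
    findings = []
    insecure = urlsplit(page_url).scheme.lower() != "https"
    scan = _PageScan()
    scan.feed(html)
    if insecure and scan.password_inputs:
        # Flaw 2: the page carrying the form is unauthenticated, so it can be
        # rewritten in transit no matter where the form itself posts.
        posts_tls = any(urlsplit(f).scheme.lower() == "https" for f in scan.forms)
        note = " (posts to HTTPS, page itself unprotected)" if posts_tls else ""
        findings.append("login form on insecure page" + note)
    phones = sorted(set(PHONE_RE.findall(" ".join(scan.text))))
    if insecure and phones:
        # Flaw 1: contact numbers on an unauthenticated page can be swapped.
        findings.append(f"contact phone number(s) on insecure page: {phones}")
    return findings


# Constructed sample page (not taken from any real bank site).
SAMPLE_HOME = """<html><body><p>Questions? Call 1-800-555-0100.</p>
<form action="https://bank.example/login" method="post">
<input name="user"><input type="password" name="pw"></form></body></html>"""
```

Running `audit_page("http://bank.example/", SAMPLE_HOME)` reports both flaws; the same markup fetched from `https://bank.example/` reports none, which is the point: the fix is serving the whole page over TLS, not only the form target.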