Warding off security breaches better than cleanup

By Lisa Allen

Published June 24, 2011

Consumers and businesses are pretty much in the same boat when it comes to online security. It is far easier to protect your finances from theft and fraud than it is to clean up afterward.

If you are a victim or an unwitting accomplice, the acronyms and agencies you’ll encounter as you try to mop up will make your head spin: Federal Trade Commission, Secret Service, FBI, Pennsylvania Attorney General’s Office, credit reporting companies, banks and local police — even the U.S. Office of the Comptroller of the Currency.

Businesses are required to maintain “reasonable” procedures to protect their customers’ sensitive information. The criteria vary with the nature and size of the business, the types of information collected, the security tools available based on resources, and the likely risk of theft or fraud, according to the FTC.

Under Pennsylvania law, businesses must notify customers if there has been a security breach and their information might be at risk. If businesses fail to do so, they face fines of up to $1,000 per instance or $3,000 if the potential victim is over age 60, said Nils Frederiksen, spokesman for the Pennsylvania attorney general.

Customers then should ask the credit reporting agencies to put flags on their accounts in the event someone tries to access them.

Just recently, more than 360,000 Citibank accounts across the country were hacked, and information might have been stolen.

“This looks like a plain and simple bug on their web server that their vulnerability testing and software design team should have been able to uncover if they were properly trained in secure coding practices for websites,” said Atul Prakash, a computer science professor at the University of Michigan who tracks banks’ online security efforts.

He suspects Citibank was the victim of a common but flawed practice in which banks link users’ URLs with their account numbers. It’s relatively easy for hackers to crack the code and poke around for other account numbers, too.
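The pattern Prakash describes, an account number carried in the URL and trusted by the server, is what application-security practitioners call an insecure direct object reference. The following added illustration is not from the article and has nothing to do with Citibank’s actual code; it uses a constructed account table and an assumed `acct` query parameter. It places a handler that trusts the URL beside one that checks ownership against the logged-in session, which is the fix: the URL may name an account, but the session decides whether the caller is allowed to see it.

```python
"""Added example (not from the article): an account lookup that trusts the
account number in the URL, beside a hardened version that enforces ownership.
The ACCOUNTS table, the 'acct' parameter and the URLs are all constructed."""
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> owner and balance.
ACCOUNTS = {
    "10001": {"owner": "alice", "balance": 2500},
    "10002": {"owner": "bob", "balance": 130},
    "10003": {"owner": "carol", "balance": 9100},
}


class Forbidden(Exception):
    """Raised when the logged-in user may not view the requested account."""


def _account_id_from_url(url):
    """Pull the (assumed) 'acct' query parameter out of a request URL."""
    values = parse_qs(urlparse(url).query).get("acct")
    if not values:
        raise ValueError("missing acct parameter")
    return values[0]


def view_account_vulnerable(session_user, url):
    """Trusts the account number in the URL and never consults the session.
    Any authenticated user who edits 'acct' reads someone else's account, and
    the distinct 'missing' vs 'found' behaviour lets them enumerate numbers."""
    acct = _account_id_from_url(url)
    return ACCOUNTS[acct]


def view_account_hardened(session_user, url):
    """Treats the URL only as a request; the session decides authorization.
    Unknown accounts and accounts owned by someone else get the identical
    refusal, so the response leaks nothing about which numbers exist."""
    acct = _account_id_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such account for this user")
    return record


def accounts_for(session_user):
    """The cleaner design: list accounts from the session, never from input."""
    return sorted(a for a, r in ACCOUNTS.items() if r["owner"] == session_user)


if __name__ == "__main__":
    foreign = "https://bank.example/account?acct=10002"
    print("vulnerable:", view_account_vulnerable("alice", foreign))  # bob's data
    try:
        view_account_hardened("alice", foreign)
    except Forbidden as exc:
        print("hardened:", exc)
    print("alice's accounts:", accounts_for("alice"))
```

The hardened handler deliberately answers “does not exist” and “belongs to someone else” the same way; a distinct “access denied” message would confirm that a guessed number is a live account.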

Fortunately, there are few instances locally of online fraud and identity theft, said Lt. Robert Fegan of the Harrisburg Police detective division. Most of the culprits are acquaintances or relatives.

“It’s usually just people trying to get out from under their bills,” Fegan said.

In the rare instance in which a business is negligent in protecting the financial data of their customers, the cases are complex, Frederiksen said.

As an example, he pointed to the 2009 settlement between 41 attorneys general and TJX, the parent company of TJ Maxx.

Unauthorized people accessed the company’s computer system and recorded cardholders’ information and account activity. Investigators uncovered vulnerabilities and flaws in TJX’s data security systems that permitted the intrusion and allowed it to continue undetected for nearly a year.

TJX agreed to pay $9.75 million to the states and install a comprehensive information security program. Under the settlement, $5.5 million went to data protection and consumer protection efforts by the states, $1.75 million to reimburse the costs of the investigation, and a $2.5 million fund for state attorneys general for enforcement efforts and policy development in the field of data security and protecting consumers’ personal information.

The people who hacked into the system faced criminal charges.

“When there are large-scale breaches, there are many civil and criminal cases happening simultaneously,” Frederiksen said.

“We don’t typically see massive consumer losses because the costs shift back to the bank,” he said. “Our focus is why it happened and how it happened. Was there negligence, oversight or criminal intent involved?”

From there, investigators will determine whether to pursue civil or criminal cases or both.

In a video, the FTC outlines how businesses can protect their customers’ information:

Take stock. Know what personal information you have in your files, and restrict access to it. Carefully screen those who do have access to it.

Scale down. Keep only what you need for your business.

Lock it. Protect the information in your care. If employees must keep sensitive data on laptops, encrypt it and configure the machines so users can’t download software or change security settings without approval from your IT staff. Some products also offer an “auto-destroy” function that is triggered when a thief tries to connect the laptop to the Internet.

Pitch it. Properly dispose of what you no longer need. Shred or burn paper, and wipe computer files clean rather than just deleting them.

Make a plan on how to respond to security incidents.

Small businesses often don’t realize how much information they have about their customers, Kristin Cohen, an attorney with the FTC division of privacy and identity protection, said.

“They just don’t think about it. Some collect Social Security numbers, the most sensitive information, for not very good reasons,” she said, then don’t really protect it.

“Some companies are really good about collecting and protecting information online, but forget about the paper versions and just throw (them) in Dumpsters. That happens a lot.”

Experts: Bank websites safer, but don’t relax your guard

Area banks continue to improve website security after a report critical of the industry surfaced in 2008.

PNC Bank, the largest in Harrisburg, declined to comment on its specific security measures, but spokesman Fred Solomon pointed to the security assurance tab on the bank’s main page. It outlines how to prevent fraud and what to do if you experience it, among other topics.

When a customer logs in to online banking, PNC displays a personal security image and caption the user selected, to indicate the user is on the authentic site rather than an imposter site.

Ed Novak, spokesman for the Pennsylvania Department of Banking, said under banking privacy rules he was unable to discuss any online problems discovered during bank examinations.

Banks across the country have made great strides in improving their online security, said a University of Michigan professor who reported in 2008 that three-quarters of 214 banks surveyed had website design flaws that made sensitive information vulnerable.

“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, said when the report was released.

“Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.”

The survey conducted in 2006 found:

Nearly half — 47 percent — of banks surveyed placed secure log-in boxes on insecure pages. A hacker could reroute data entered in the boxes or create a spoof copy of the page to harvest information. Virtually all banks now use the standard “Secure Sockets Layer,” or SSL, protocol on pages that ask for sensitive information, Prakash said. The addresses of SSL-protected pages begin with https rather than http.

More than half — 55 percent — of banks put contact information and security advice on insecure pages. An attacker could change an address or phone number and set up his or her own call center to gather private data from customers who need help.

About a third — 31 percent — of banks offered to email passwords or statements. The email data path is generally not secure, Prakash said.

Most banks have corrected those flaws, he added.

“I believe many more banks are doing a better job at addressing the basic problems we pointed out, such as using https, for secure access to the log-in pages and transactional pages for their web sites,” Prakash recently said. “My concern is that the attackers have also become more sophisticated since our study.”

Two-factor authentication is the best method, he said.

“Two-factor authentication is most useful if it uses a different channel and device than the one that is likely to be compromised,” Prakash said. “Of the banks I have checked recently, Chase does use it. If you log in from a new computer, it sends you a multi-digit code on your cellphone or to the registered email address. This helps against spear-phishing attacks. Interestingly, Google mail and Facebook now permit users to use two-factor authentication, though you have to opt-in. But most banks do not.”

Phishing is when a hacker tries to get you to reveal financial information by sending what appears to be a legitimate inquiry from a trusted source. Spear-phishing is when they use information posted on social networking sites — for example, if someone noted they bought a specific item at a specific store — to further personalize their message. Pharming is when a hacker redirects you to an imposter website.

Prakash said he isn’t impressed by banks’ use of “secret questions” as added security.

Both PNC and M&T rely on security questions to double-check a user’s identity.

“They may even be dangerous in some cases, since many answers would be easy to guess if you know the victim or can gather data from their social network,” Prakash said. “They only help if used very sparingly and carefully in limited ways.”

M&T Bank does allow businesses to limit the types of transactions that each employee can complete online. It also requires customers to use a secure browser with 128-bit encryption to communicate with the bank, according to its website.

If more people asked banks about their website security efforts, they would use added security layers as a competitive advantage, Prakash said.

However, if you are a victim of fraud while banking online, the Federal Deposit Insurance Corp., or FDIC, can’t help you.

“FDIC insurance only covers depositors in the unlikely event that their bank closes,” FDIC spokesman David Barr said. “We do not cover losses from fraud or theft, unless it is significant enough to cause financial difficulties that the bank ultimately has to be closed. Fraud rarely reaches that level.”

The FDIC offers this advice to protect yourself:

If you bank online, frequently check your deposit accounts and lines of credit to spot and report errors or fraudulent transactions, just as you should with traditional banking.

Don’t download banking software to your smartphone. There aren’t enough security measures in those abbreviated versions.

Most important, install anti-virus software to detect and block spyware and other malicious attacks, and a “firewall” to stop hackers from accessing your computer. Ideally, run those scans daily, or at least weekly.

Many programs are free but priceless in what they could save you in time, effort and anguish.
