Monday, January 31, 2011
The ROI of Security Compliance
Study Finds Compliance Cuts Costs, Improves Operations
January 31, 2011 - Tracy Kitten, Managing Editor
Tripwire's Shenoy says security compliance improves the bottom line.
A review of security practices and investments at 46 global companies across the financial, retail, healthcare and government spaces finds that compliance with industry security standards actually saves money over the long-term. Sponsored by Tripwire and conducted by the Ponemon Institute, the new study reviewed security investments made over a 12-month period. The findings have been published in a new report, "The True Cost of Compliance," released today by security and compliance automation solutions provider Tripwire.
While compliance with the Payment Card Industry Data Security Standard was the most-often reviewed for the study, since PCI-DSS impacts any entity that accepts payment cards, the study also looks at other guidelines and standards, such as HIPAA and Sarbanes-Oxley.
What the study finds, says Rekha Shenoy, vice president of strategy for Tripwire, is that across the board, regardless of industry or standard, companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than companies that are categorized as non-compliant.
"There were not many differences among industries. They are all spending money for compliance, but they are not all getting secure," Shenoy says. "It was the ones that invested in security practices that were reaping the benefits -- those that focused on securing the business, rather than focusing on compliance alone."
Focus on security, and compliance will follow. "When you automate compliance and you are always in a compliant state," Shenoy says, "you are always secure and you are doing 'good' for the business."
During this interview, Shenoy discusses:
• How internal audits improve consistent security compliance;
• The fluid nature of security compliance;
• How the investments made by financial institutions are demonstrating to other industries and agencies the benefits of automated compliance audits.
Shenoy is Tripwire's vice president of strategy. Shenoy joined Tripwire in April 2007. Before Tripwire, Shenoy held positions in corporate development, product management and marketing for performance management solutions, database tools and mainframe solutions, and in market research at BMC Software Inc. in Houston, where she drove strategic decisions around new technologies. She also worked at Questia Media Inc. and Compaq Computer Corp. Shenoy holds a master's degree in business administration, with a focus on marketing and finance, from Rice University. She holds a bachelor's degree in computer science and engineering from the University Visvesvaraya College of Engineering in Bangalore, India.
Sunday, January 30, 2011
CBP: Government must do more to protect privacy
28 January 2011, editorial staff, www.security.nl
Companies and government bodies must be able to demonstrate that they handle the personal data of their customers and of citizens carefully and secure it adequately, the College Bescherming Persoonsgegevens (CBP, the Dutch data protection authority) said on Data Protection Day. The data of Dutch citizens appears in thousands of files, and with ever-increasing digitisation and globalisation this forest of processing operations is becoming ever more opaque.
According to the CBP it is no longer feasible for an individual to gain insight into all of these processing operations, let alone keep track of them. The regulator stresses that it is therefore now up to companies and government bodies. "They must be able to demonstrate that they collect and use the personal data of their customers and of citizens carefully and in accordance with the rules of the law."
Over the past year the CBP received many reports from citizens about personal data being published on the internet and about careless handling of personal data. Companies and government must therefore inform data subjects clearly, completely and in an accessible way about the purpose for which their data is processed, and tell them to which third parties the data is passed on. "Only then can citizens exercise their rights, such as having their data corrected or deleted."
Breach notification duty
Besides providing better information, companies and government bodies must do more, the CBP believes. They must be accountable for what they do with the personal data of their customers and of citizens. "When designing and developing new products and services they must take privacy requirements into account. And, particularly in view of the growing amount of data processed online, they must ensure that personal data is processed securely."
Should something nevertheless go wrong with security and personal data end up in the open, the regulator argues that such a data breach must be reported immediately, "so that measures can quickly be taken to prevent misuse of the data."
Friday, January 28, 2011
Application security hardening for mobile and embedded software
By Yvette Francino
SearchSoftwareQuality.com
Security is a growing concern as the number of mobile devices such as smart phones, tablets, gaming devices and other devices running embedded software keeps increasing. Applications are downloaded by the billions, and attackers are finding ways to bypass licence checks, or to download the machine code and reverse engineer it to recover the program's logic. How do organizations protect themselves against this kind of piracy and tampering? Read on.
Hardening your application
Certainly, there are many tools and techniques used to address security. In Security Lesson: Beating Web application security threats, Kevin Beaver discusses tools such as vulnerability scanners and static analysis tools that can be used to protect your Web applications.
But often that’s not enough.
Bob Walder, Research Director at Gartner, says:
As security attacks become more financially motivated, and as organizations get better at securing their networks, desktops and server infrastructures, there has been a shift in attacks to the application level. To address these new risks, enterprises must modify their application development (and procurement) processes so that, ideally, application security defects are detected and remediated prior to deployment of the application.
Thus, this is not just about anti-piracy measures for developers, but also about protecting enterprises against subverted applications (inserting Trojan code, for example) -- either their own applications or those purchased from ISVs.
Application hardening and shielding products provide protection for an organization's software-based assets (especially those placed on machines, sites and locations that the organization doesn't control) from tampering, reverse engineering and attacks. They can also provide several types of application-level security without requiring developers to natively modify source code.
Application hardening tools are those tools designed to protect your code from hackers by using techniques of obfuscation, encryption or authentication. You want to look for a product that will ward against tampering, piracy, reverse-engineering, malware insertions and unauthorized use.
With these types of tools, security is injected into your code, specifically with the purpose of detecting and preventing application-level intrusions.
Defending against attacks
Obfuscation
Obfuscation is used to hide the structure and control flow of an application. By rewriting the shipped code, or inserting decoy code that disguises the original, it raises the effort an attacker needs to reverse engineer the binary or bytecode and tamper with it. It cannot make either impossible: a determined analyst with enough time can still recover the logic, so obfuscation buys time rather than providing a hard guarantee.
Gartner’s Walder says this of hardening tools:
At their most basic level, the technologies include obfuscation tools to protect the application code as the increasing use of intermediate language representations (such as Java and .NET) enables hackers to easily reverse-engineer intellectual property (IP) embedded in software.
More advanced capabilities include the ability to inject security protection directly into the application without requiring developers to modify the source code. This can be applied proactively (for example, obfuscating the application to protect against and alert for tampering, or implementing the type of input filtering that the developers should have written to protect against exploits) or reactively (injecting protection as a result of a vulnerability discovered in production, or performing some predetermined action based on exploitation attempts).
This set of technologies captures two diverse needs. Code obfuscation is the more widely adopted and more mature method of protecting applications, but estimated adoption rates are still in the high single digits, because most organizations are unaware of its benefits until they directly experience the theft of IP or an attack from an application compromise. Furthermore, for application protection techniques that rely on the insertion of code, development organizations may be reluctant to allow the injection of new code into an application from a source other than a developer.
Authentication and attack detection
Checksum
A checksum is used to check the integrity of an application and its data. A procedure computes a short value, the "checksum", from the data; when the data is later transmitted or loaded, the same procedure is run again and the result compared with the stored value to detect alteration. A plain checksum such as a CRC only catches accidental corruption: an attacker who can change the data can just as easily recompute the checksum stored beside it. Related functions with distinct properties and uses are hash functions, fingerprints, randomization functions, cryptographic hash functions, message authentication codes and digital signatures; only the keyed ones, MACs and signatures, detect deliberate tampering by someone who can also rewrite the stored check value.
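The distinction above is easiest to see by playing the attacker. The following is an added example (not code from the article or from any vendor it mentions): the "application image" and the verifier key are constructed byte strings, and the patch the attacker applies is a made-up licence-check bypass. It shows that a CRC, and any other unkeyed check, passes once the attacker recomputes it, while an HMAC computed with a key the attacker does not hold rejects the tampered image.

```python
"""Integrity checking of an application image: plain checksum vs keyed MAC."""
import hashlib
import hmac
import zlib

# Constructed sample "binary": a licence-check routine represented as bytes.
ORIGINAL_IMAGE = b"\x55\x48\x89\xe5" + b"LICENSE_CHECK: if (!valid) exit(1);" + b"\xc9\xc3"

# Key held by the party doing the verification (e.g. an update server).
# Assumed value for the example only.
VERIFIER_KEY = b"example-verifier-key-not-for-production"


def crc32_checksum(data: bytes) -> int:
    """Non-cryptographic checksum: detects accidental corruption only."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_digest(data: bytes) -> str:
    """Cryptographic hash: collision-resistant, but unkeyed, so whoever can
    change the data can also recompute the digest stored beside it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed MAC over the image: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_crc(data: bytes, expected: int) -> bool:
    return crc32_checksum(data) == expected


def verify_hmac(key: bytes, data: bytes, expected_tag: str) -> bool:
    # compare_digest avoids leaking the position of a mismatch via timing.
    return hmac.compare_digest(hmac_tag(key, data), expected_tag)


def tamper(image: bytes) -> bytes:
    """Attacker patch: make the licence check never fail (constructed)."""
    return image.replace(b"if (!valid) exit(1);", b"if (0)      exit(1);")


def simulate_attack() -> dict:
    """Attacker modifies the image and recomputes every unkeyed check.

    Returns, for each verification, whether it behaves as the defender would
    want on the tampered image, given that the attacker can overwrite any
    check value stored alongside the binary.
    """
    patched = tamper(ORIGINAL_IMAGE)

    # Values the verifier recorded at build time.
    crc_at_build = crc32_checksum(ORIGINAL_IMAGE)
    tag_at_build = hmac_tag(VERIFIER_KEY, ORIGINAL_IMAGE)

    # The attacker recomputes the CRC (or SHA-256) and overwrites the stored value.
    crc_forged = crc32_checksum(patched)
    # Without VERIFIER_KEY the attacker can only reuse the old tag or guess a key.
    tag_guess = hmac_tag(b"wrong-key", patched)

    return {
        "crc_detects_tamper_without_forgery": not verify_crc(patched, crc_at_build),
        "crc_passes_after_attacker_recomputes": verify_crc(patched, crc_forged),
        "hmac_rejects_old_tag": not verify_hmac(VERIFIER_KEY, patched, tag_at_build),
        "hmac_rejects_guessed_tag": not verify_hmac(VERIFIER_KEY, patched, tag_guess),
        "hmac_accepts_original": verify_hmac(VERIFIER_KEY, ORIGINAL_IMAGE, tag_at_build),
    }


if __name__ == "__main__":
    for check, result in simulate_attack().items():
        print(f"{check}: {result}")
```

For code that ships to machines the organization does not control, an HMAC key embedded in the binary is itself extractable, so the deployed form of this idea is a digital signature: the private key stays with the publisher and only the public key travels with the verifier, which is what platform code signing does.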
Anti-debug
Anti-debug is a technique for detecting the tools attackers use to inspect or modify a running program. Schemes that use anti-debug may refuse to run, or change their behaviour, when a tool such as a kernel-mode debugger is detected.
Though this may prove somewhat beneficial, in his post, Anti-debugger techniques are overrated, Nate Lawson warns not to depend simply on anti-debug techniques in your protection scheme.
The reality is that they are either too simple and thus easy to bypass or too specific to a particular type or version of debugger. When designing software protection, it’s best to build a core that is resistant to reverse-engineering of all kinds and not rely on anti-debugger techniques.
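To make Lawson's point concrete, here is an added example (not code from the article or from Lawson's post) of one of the simplest anti-debug checks on Linux: reading the `TracerPid` field of `/proc/self/status`, which is non-zero while a ptrace-based debugger such as gdb is attached. The sample status documents are constructed. The `bypassed_status` function shows what the program sees once an attacker hooks the file read, which is all it takes to defeat the check; a debugger that does not use ptrace never trips it in the first place.

```python
"""Linux anti-debug check via /proc/self/status TracerPid, and its bypass."""


def tracer_pid_from_status(status_text: str) -> int:
    """Parse the TracerPid field of a /proc/<pid>/status document.

    Returns 0 when no ptrace-based debugger is attached.
    """
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("TracerPid field not found")


def is_being_traced() -> bool:
    """Live check on the current process; only meaningful on Linux."""
    try:
        with open("/proc/self/status") as status:
            return tracer_pid_from_status(status.read()) != 0
    except (OSError, ValueError):
        # Non-Linux or unexpected format: we cannot tell, so do not block.
        return False


# Constructed samples of /proc/self/status content.
STATUS_UNTRACED = "Name:\tapp\nState:\tR (running)\nPid:\t4242\nTracerPid:\t0\n"
STATUS_TRACED = "Name:\tapp\nState:\tt (tracing stop)\nPid:\t4242\nTracerPid:\t4100\n"


def bypassed_status(status_text: str) -> str:
    """What a hooked open()/read() hands back to the protected program: the same
    document with TracerPid rewritten to 0. An LD_PRELOAD shim that intercepts
    the read of this one file is enough to achieve it."""
    return "\n".join(
        "TracerPid:\t0" if line.startswith("TracerPid:") else line
        for line in status_text.splitlines()
    ) + "\n"


if __name__ == "__main__":
    print("traced now:", is_being_traced())
    print("sample traced:", tracer_pid_from_status(STATUS_TRACED))
    print("after bypass:", tracer_pid_from_status(bypassed_status(STATUS_TRACED)))
```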
Alert and react to attacks
You need tools that defend against attacks and detect when code has been attacked. A third thing to look for in a protection tool is how it reacts when an attack is discovered. Can it restore tampered code from the original? What errors are produced when an attack is detected? Can it send alerts to the appropriate people?
Mobile and embedded software
With the vast number of mobile devices and applications, downloads number in the billions and unprotected code is a prime target for hackers intent on stealing intellectual property.
According to Charles Kolodgy, Research Vice President of Secure Products at IDC:
I don't see much difference in the protection profile required for standard web applications and those of mobile applications. The key is what kind of manipulation of the software can occur that will result in attackers being able to use an application as an avenue to collect information that they can then use for monetary gain. The real problem with mobile applications is that there are so many of various quality levels that it is difficult to know what is a good application and what might have been created to gain a foothold on your device.
Though embedded software on specialized devices is at lower risk because of its smaller consumer exposure, protecting its intellectual property can still be very important. Biometric devices and military devices are two examples of embedded software that require a high level of protection.
Kolodgy notes the growing concern for increased security throughout the SDLC:
There is a growing appreciation that applications need to be developed in a secure manner. There are beginning to be requirements, from the government but also from industry (see PCI/DSS) that are requiring that software be tested against a minimum level of security. Security testing is being integrated into the SDLC.
20 Jan 2011
Monday, January 24, 2011
NIST Issues Guidance on Cryptographic Algorithms
SP 800-131A: Guide to Transitioning the Use of Cryptographic Algorithms
January 24, 2011 - GovInfoSecurity.com
The National Institute of Standards and Technology issued Monday new guidance on cryptographic algorithms and key lengths.
SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths provides an approach for transitioning from the use of one algorithm or key length to another, as initially addressed in part 1 of SP 800-57.
SP 800-131B – known as Transitions: Validation of Transitioning Cryptographic Algorithms and Key Lengths – is under development and will address the validation of cryptographic modules during the transition period. Part 1 of SP 800-57 is being revised for consistency with SP 800-131A. SP 800-57 (part 1) and SP 800-131B will soon be available for public comment.
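The practical side of such a transition is finding the keys in your estate that fall below the new floor. The following is an added example, not NIST's code: it maps algorithm and key size to a comparable security strength using the table in SP 800-57 Part 1, then applies the transition dates of the January 2011 edition of SP 800-131A (80-bit security deprecated through 2013 and disallowed after it; two-key TDEA encryption restricted through 2015). The inventory it runs over is constructed. Later revisions of SP 800-131A moved some entries, so check the current edition before relying on the dates.

```python
"""Check a key inventory against the SP 800-131A (January 2011) transition schedule."""
from typing import List, Tuple

# SP 800-57 Part 1, Table 2: (security strength in bits,
#   minimum RSA/DSA/DH modulus size, minimum ECC key size)
STRENGTH_TABLE = [
    (256, 15360, 512),
    (192, 7680, 384),
    (128, 3072, 256),
    (112, 2048, 224),
    (80, 1024, 160),
]

# SP 800-131A (2011 edition): 80-bit security is deprecated through this year
# and disallowed after it for protecting data (signing, key agreement, transport).
LAST_YEAR_80_BIT = 2013
# Two-key TDEA encryption is "restricted" through this year, disallowed after.
LAST_YEAR_2TDEA = 2015


def security_strength(algorithm: str, key_bits: int) -> int:
    """Map an algorithm and key size to its comparable security strength."""
    alg = algorithm.upper()
    if alg in ("RSA", "DSA", "DH"):
        column = 1
    elif alg in ("EC", "ECDSA", "ECDH"):
        column = 2
    elif alg == "AES":
        if key_bits not in (128, 192, 256):
            raise ValueError(f"invalid AES key size {key_bits}")
        return key_bits
    elif alg == "3TDEA":
        return 112
    elif alg == "2TDEA":
        return 80
    else:
        raise ValueError(f"unknown algorithm {algorithm}")
    for strength, rsa_min, ec_min in STRENGTH_TABLE:
        if key_bits >= (rsa_min if column == 1 else ec_min):
            return strength
    return 0  # below the weakest row in the table: never acceptable


def transition_status(algorithm: str, key_bits: int, year: int) -> str:
    """Status for using the key to *protect* data in the given year.

    Returns 'acceptable', 'deprecated', 'restricted' or 'disallowed'.
    Verifying old signatures or decrypting old data is 'legacy use' in the
    standard and is deliberately not modelled here.
    """
    strength = security_strength(algorithm, key_bits)
    if strength >= 112:
        return "acceptable"
    if strength == 80:
        if algorithm.upper() == "2TDEA":
            return "restricted" if year <= LAST_YEAR_2TDEA else "disallowed"
        return "deprecated" if year <= LAST_YEAR_80_BIT else "disallowed"
    return "disallowed"


def audit(inventory: List[Tuple[str, str, int]], year: int) -> List[Tuple[str, str]]:
    """Return (name, status) for every inventory entry that is not acceptable."""
    findings = []
    for name, alg, bits in inventory:
        status = transition_status(alg, bits, year)
        if status != "acceptable":
            findings.append((name, status))
    return findings


# Constructed inventory: (name, algorithm, key bits). Not real systems.
SAMPLE_INVENTORY = [
    ("www TLS cert", "RSA", 1024),
    ("code-signing key", "RSA", 2048),
    ("VPN gateway", "EC", 256),
    ("HSM master key", "AES", 256),
    ("legacy PIN block cipher", "2TDEA", 112),
    ("ancient SSH host key", "RSA", 768),
]

if __name__ == "__main__":
    for y in (2011, 2014, 2016):
        print(y, audit(SAMPLE_INVENTORY, y))
```

Running the audit for successive years is the useful part: an entry that is merely "deprecated" this year becomes "disallowed" next, which is the replacement deadline to plan against.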
Wednesday, January 19, 2011
Cryptography in the Cloud
When Moving to the Cloud, Don't Overlook Cryptographic Security
January 14, 2011 - Tom Field, Editorial Director
Ralph Spencer Poore: There's no better way to secure critical data than through cryptography, especially when that data is stored in the cloud.
Ralph Spencer Poore, an information security veteran with decades of experience in cryptography, is a proponent of employing cryptographic security in cloud computing.
"Information in motion and information at rest are best protected by cryptographic security measures," says Poore. "In the cloud, we don't have the luxury of having actual, physical control over the storage of information, so the only way we can ensure that the information is protected is for it to be stored cryptographically, with us maintaining control of the cryptographic key."
But know what you're looking for when you seek a cloud provider who promises cryptographic security, Poore says. "Cryptographic security measures must not be left to the imagination of the party in the cloud," he says. "Do your homework. Really understand what the capabilities are of any organization to which you're outsourcing."
Among the unique challenges are jurisdictional issues. "Because the cloud has the potential of being international, and because cryptographic technology is considered by most nations to be 'munitions' or a similarly restricted category, cryptographic implementations may have jurisdictional limitations and potential liabilities," Poore says. "The client relying on the cloud should ensure that such issues are clearly addressed by contract."
In an interview about cryptographic security in the cloud, Poore discusses:
• How cryptography relates to cloud computing;
• Challenges to overcome when employing cryptographic security;
• Key questions to ask of cloud service providers regarding cryptography.
Poore is Chief Cryptologist for Cryptographic Assurance Services LLC (Arlington, TX). He has over 35 years of information security experience, including over 20 years of applied cryptography. He has written extensively on the subject and his work is cited in academic papers, national standards, professional journals, and books.
Wednesday, January 12, 2011
Fraud Prevention Requires Mind Shift
Most Banks Focus on Compliance, Not Security
(Source: http://www.bankinfosecurity.com/articles.php?art_id=3257&opg=1)
January 12, 2011 - Tracy Kitten, Managing Editor
What the financial industry needs is a shift in the way it thinks about fraud prevention: security first, compliance second.
That's the way Adam Dolby, who heads up online security and authentication systems for Gemalto North America, sees it. Dolby says banking institutions in the U.S. have for too long focused on regulatory compliance, rather than centering their attention on solutions that actually detect and prevent fraud.
"There have been a number of solutions that were presented as a way to get to compliance that really led people down a bit of the wrong path," he says. "It almost created the illusion of security, rather than delivering security solutions. So, some of the fraud solutions that have been deployed really haven't done anything to mitigate the actual occurrence of fraud. What they have done is provide a bit of a false sense of security."
That false sense of security has had a domino effect, because it has left many institutions caught off guard. Some of the steps put in place to satisfy regulatory mandates, such as one-time passwords, have in practice helped fraudsters compromise transactions: an OTP proves who logged in, not what the session later submits, so malware in the browser can alter a transaction after the code has been entered.
After reviewing results from Information Security Media Group's The Faces of Fraud Survey, Dolby says financial institutions are falling victim to what he calls the "CSI phenomenon."
"This is like trying to act against crime but starting with a dead body and investigating backward, rather than actually trying to stop people from getting whacked in the first place," he says.
During this interview with Information Security Media Group, Dolby discusses:
•How U.S. institutions could learn from their overseas financial counterparts;
•Needed investments in fraud-detection technology;
•The role stronger authentication will play in the future.
Dolby oversees online security and authentication systems via channel relationships for Gemalto North America, where he builds and maintains regional partnerships. Dolby also supports Gemalto's business and security objectives, through consumer education and advocacy on Gemalto's online resource www.JustAskGemalto.com. Before Gemalto, Dolby worked in the banking industry, serving in executive management roles for online banking and partnering with the world's leading financial institutions. Dolby's experience encompasses management of multiple e-banking systems including ACH, wire, treasury management, consumer e-banking, card networks and ATMs.
Current Fraud Detection
TRACY KITTEN: What fraud trends can the financial industry expect to face in 2011? I'm here today with Adam Dolby, who oversees online security and authentication solutions for Gemalto North America. Building on newly released results from Information Security Media Group's The Faces of Fraud survey, Dolby shares his thoughts about surprising and not-so-surprising trends in financial fraud and the investments banks and credit unions are expected to make in security solutions in the New Year. Adam, you've reviewed some of the results from our fraud survey and this one caught a number of the experts' eyes. Seventy-five percent of respondents said they learn about fraud from their customers or members. What does that tell us about fraud detection, and is the industry continuing to rely too heavily on customer and member notification?
ADAM DOLBY: I certainly thought that this particular question, and the fact that it led the study, was very interesting. If 75 percent of respondents are saying that they are learning about fraud from their customers, what it is really issuing is a bit of an indictment on the industry as a whole, and the measures of fraud detection and prevention that are existing in the marketplace today. You could sort of equate this a bit to, say, maybe the CSI phenomenon, for those of you who watch the show, where we are seeing evidence of a dead body first and relying on people to report the crime, rather than preventing the crime from happening in the first place.
KITTEN: How much fraud do you think, Adam, is slipping through the cracks as a result of the way financial institutions are learning about fraud?
DOLBY: I think that is an excellent question and perhaps a bit of a scary one. Knowing how well customers, in general, look at their statements and their banking activity, I would suppose that quite a substantial amount of fraud is actually slipping through the cracks; whether it's undetected or late detected or perhaps under-detected remains to be seen. Also of issue in here is not necessarily where fraud occurs, but just where accounts have been entirely taken over and customers have no method for verifying what transactions have taken place. I think all of those factors here paint a bit of a grim picture on what the industry looks like as a whole, with regard to fraud and Internet banking; but it also means that there is quite an opportunity to be able to act on what the results of this study are.
Fraud Detection and Audits
KITTEN: You also noted that you found it interesting that 25 percent of the survey's respondents said they discover fraud during audits. Why is that interesting, and what does it tell us about current fraud-detection mechanisms, or the lack thereof?
DOLBY: I found that number a bit interesting, perhaps a bit differently, in that I thought 25 percent was actually a bit high. If we're actually discovering fraud one out of four times during an audit, rather than a customer reporting it or any detection or prevention mechanism addressing the issue, then, really, one out of four are saying that there is fraud being detected substantially after the fact. Money has actually moved out of an account. What is particularly troubling there is that no detection mechanism or the customer is finding it when it occurs. It is actually slipping through almost all of the cracks and being found sort of at the last possible moment, during an audit of either the account balancing or any other system detection. So, yes, I think it is a good amount that is being found that late, and I think that it is a bit troubling. That means it has gotten past the initial detection systems, including the eyes of the customer.
ACH Fraud: 'Unprepared to Fight'
KITTEN: ACH and wire fraud is a growing problem. That is not a surprise. But banks and credit unions in the survey said they feel very unprepared to fight ACH and wire fraud.
DOLBY: Really, to date, there has been a bit of hesitancy to move forward with really aggressive fraud-prevention measures, rather than detection. I would say that the challenge for the industry, at this point, is to move toward solutions specifically designed to address the spectrum of money-movement fraud -- whether it's ACH, wire, account-to-account transfers, or any other type of money-movement -- and really making sure that we're addressing all of those problems before it's possible for them to happen. I think the other challenge, quite frankly, has been that there have been a number of other issues that have plagued the financial industry, including the relative instability in that space over the last few years. From a simple perspective, people have had other things to worry about. But at this point, I think we really have to recognize that security is an ongoing battle. It is certainly a necessary part of delivering financial services online that every bank should have a plan and staff to address. As an industry, we need to make sure that we're looking at and making long-term investments aimed at stopping fraud as it can occur today, but also as it can occur tomorrow and the day after tomorrow. We also need to look at what other vectors that it can take; whether it is starting as simple as phishing and moving to more advanced malware and key logging, and making sure that we're addressing the transaction set that has seen fraud today and will see fraud tomorrow.
KITTEN: This is something that we have discussed in the past, not something that is directly related to the survey results, but it does have a tether of sorts. You've noted that authentication is a problem, especially as it relates to ACH and batch transactions. One-time passwords have, in some ways, you've said, assisted fraudsters. Can you explain and tell us what you think institutions should be investing more in when it comes to ACH-fraud prevention?
DOLBY: I think one point of clarification is that the initial investment in, not necessarily just one-time passwords, but some very basic fraud analytics has created a bit of a green-field opportunity for those folks who know how to execute a sophisticated technology-based attack on a financial institution, be that "man-in-the-middle" or "man-in-the-browser." So, with that sort of opportunity presenting itself to those folks who really know how to execute that technology-based attack, what it means is that they have an opportunity to sort of get by those security measures, as the earlier pieces of the study would indicate, and really go after the money. What it requires is a bit of a shift in thinking, on the part of both security companies as well as financial institutions. And then we have to look at, "How do we defend every type of transaction within the banking infrastructure?" The early emphasis, and rightfully so, was on protecting wire transfers, because those are one-to-one movements of money and payment options; but we've historically defended wire transfers very well at a very basic level.
I could pick up the phone and call you and say, "Hey, Tracy. Do you want to move money to Francesca in Massachusetts?" And you would have the opportunity to say "yes" or "no" and approve that transaction. But you can't do that for transaction batches, in particular, ACH. If you think of a large payroll being transmitted weekly, it's not possible or even feasible to go in and verify every transaction and all of the account holder information for everyone in that direct-deposit file. So, if that becomes the weakest link in the security chain, it will become the vector that we're seeing attacked most often. What that means is we have to look at security solutions that are aimed at protecting large amounts of alphanumeric data, which the solutions that are currently in place, whether that is OTP or fraud detection or prevention mechanisms and analytics, are not designed to protect. Really, what it requires is a shift in thinking: Looking at more PKI-oriented technology, which is really designed to protect massive amounts of information, and also alphanumeric information, so that it would protect payee information, account-number information and or anything else that is contained in a database, in transit and at rest.
Budget Constraints
KITTEN: Going back to the survey results, financial institutions noted in their responses that budgetary constraints and inadequate technology were listed as the most-often to blame for lacking fraud detection. Are banks really strapped for fraud-detection investments, or are they just investing in the wrong types of solutions?
DOLBY: I thought that piece was very interesting as well, and I think it is probably a mix of the two. For me, I think fraud detection is a bit of a misnomer, because I think in order to build your fraud-detection solution, you have to at least see some instances of fraud to build your model off of. In the banking industry, again, if you go back to sort of the crime-scene model, one body is too much, in my opinion. Just seeing any financial loss for any particular customer is a potential PR nightmare, let alone the dollars that can be lost. So, from that standpoint, I think what has really happened is there has been a bit of a tendency, and we saw this with the FFIEC guidance that came out several years ago, to think more around compliance, rather than looking at true security-based solutions and how we can actually prevent fraud from occurring in the first place. Solutions certainly exist. Really, what it requires is a bit of a shift in thinking. Institutions need to accept the fact that security is a piece of the necessary puzzle to deliver online services. They need to have a bit of that forward-looking, forward-thinking mentality that says, "I need to invest in what amounts to an insurance policy for each customer that merits it," and pick the level that is appropriate for those customers. I don't believe in a one-size-fits-all approach. So, you would have a blend of security solutions for your customer base or even for particular users within an individual business, for example, and move forward in a way that really treats security as that necessary part of the puzzle, rather than something that has to get done to get examiners off our back.
I also think there have been a number of solutions that were presented as a way to get to compliance that really led people down a bit of the wrong path, where it almost created the illusion of security, rather than delivering security solutions. So, some of the fraud solutions that have been deployed really haven't done anything to mitigate the actual occurrence of fraud. What they have done is provide a bit of a false sense of security, and to me that is almost worse than no security at all. When your security solution is compromised, you have quite a bit of a shake in confidence from your customer base and, perhaps, a very difficult time getting them back.
Reputation Loss
KITTEN: I'm going to build on that just a little bit, talking about reputation loss and customer confidence. Forty percent of our survey's respondents said that reputation loss and customer confidence were adverse side effects of fraud. What does that tell you about investments banks and credit unions should be making in fraud prevention, to not only cut their hard costs but also their soft costs, which would be the customer and member losses?
DOLBY: Security is a necessary part of delivering online banking. If you could save half of, or even a third of, your customer base that is potentially vulnerable from a compromise, I think that is a huge number. In fact, having that many customers vulnerable to outside influences is huge in and of itself. So, if one individual or a group of individuals has it in, so to speak, for any financial institution, or just sees that bank as the weakest link in the security chain, that is a tremendous number of your base that you are going to have to not only spend money on to try to keep, not to mention the money that will have to be spent to respond to any media leaks or announcements that go out about publicized attacks. At a time when customers are already looking for a reason to be aggravated with the financial industry, it really creates a potential point of compromise that is extremely dangerous for the industry as a whole. Even if you as an individual are not compromised, there is the possibility that if others in your peer group are compromised, you could still have shaken confidence. For a bank, their customer base could be shaken, because they are going to question the security measures their bank has in place. So, certainly, it is a very interesting and challenging time. Fortunately, there are security solutions that exist that can make fraud virtually impossible. It certainly requires some investment from the financial perspective, but it also requires a bit of a mind shift on the part of the customers themselves. Customers need to realize, "Hey, for me to access my online banking, it may be a bit different than it was in the past. It may require me to carry a device." So, there is an educational campaign aspect to this that has to occur as well. But, certainly, the fact that 40 percent of respondents are saying loss of customer confidence and loss of the customer himself is a problem is huge. That is a huge number of people to be potentially vulnerable if you are a financial institution that is attacked.
KITTEN: Now, I'm going to go back to the customer education piece for just a moment. We talked about this earlier, and it's come up in this last question here. Customer education is effective, but can only go so far. Yet it seems that banks and credit unions say education and awareness are the best fraud prevention measures they have in place. Why is technology not seen as a critical investment, when it comes to fraud prevention, and do you see that as being a U.S.-centric perspective? Is fraud prevention addressed or viewed in a similar way by financial institutions throughout the world?
DOLBY: I'm a huge proponent of customer education, and I think it is going to be even more essential going forward. Customers are continually educated on what to look for, whether it is phishing e-mails or not clicking on links, etc. I think for a proactive institution, the opportunity to position the bank as a resource for that type of information, especially if they have a small-business customer portfolio, is excellent. There is an opportunity to continue to educate them about protecting VPNs and firewalls and all of those things. However, customer education can only do so much, as you say, and it's a bit like expecting individuals to not transmit the flu by telling them they need to wash their hands all the time. Well, certainly we do that, but we also have a flu vaccine, and really, that is where technology comes into play. As we deliver that vaccine and prevent the spread of that infection, we control the sickness.
I think it seems to be more of a U.S.-centric mentality; outside of the U.S., you see very rapid expansion and adoption of authentication solutions and stronger authentication solutions for customers, both at the corporate and retail levels. At the retail level, it is almost unheard of in the U.S. There are a few banks that have taken proactive measures, but they are very few and far between.
I think technology is seen as too expensive and, perhaps, a bit too complex. I think that is, in large measure, a bit of a red herring. I think if you really look under the covers of solutions, you'll find they are very customer friendly. And if you present them to a user in the correct manner, they will be very accepting of those solutions. We've seen technology presented out to customers in a way that would lead to some negative feedback. For example, I've seen financial institutions that will say, "Do you want to use this thing to connect to Internet banking, or nothing?" Well, human nature is going to say, "I don't want to carry anything else to do this if I can get away with it." Certainly, if you present security in that manner, it's not received well; but if you go to the same customer and say, "Would you like to be able to access your bank securely and guarantee that no one can commit fraud on your account?" that is a much different presentation of the technology.
I would also take it a step further, in that we have a set of regulations called Reg E in the U.S., where we have a number of consumer protections that actually dumb down, a bit, the level of sophistication on the part of the end-user and their awareness of security. That's because the bank is ultimately responsible when fraudulent movements of money occur. That is why you see a strong push on the corporate side, which is not covered by Reg E, for security solutions. On the retail side, there aren't many security solutions or very many strong authentication solutions deployed, because those consumers are protected by Reg E. Really, what we've done is said, "Security is going to be the bank's concern," and when you go to try to alter the user experience for those people that are protected by that regulatory protection, they don't have to adopt any additional measures or more protected measures for accessing their accounts. So, there are a number of forces at work. There is certainly an environmental issue in the U.S. that is a bit unique, and I do believe that education is a good step and a necessary step. But, really, in terms of that actually fixing your problem or helping fraud prevention, I think that first question of 75 percent of institutions learning about fraud from their customers and members says it all. To learn about fraud from their customers is still troubling. It's clearly still happening, and to expect your customer to prevent it is a bit naïve.
2011 Agenda
KITTEN: In closing, Adam, I would just like to ask where you see the industry heading over the course of the next year? Banking institutions are looking for more fraud prevention and security tools. Why, in your opinion, is knowledge so lacking, and what can the industry do in 2011 and beyond to break this cycle?
DOLBY: Yeah, I certainly think it is a bit incumbent upon providers to make sure that we are doing our best to educate folks, whether that is through conducting a podcast like this or webinars, etc. Really, that is our responsibility to educate, not to simply go out and promote a product. We need to educate the industry about the threats that exist and talk to customers about what challenges there are and how they can be addressed.
I do think we'll see better responsiveness from the industry in 2011, if only because the industry continues to settle with a bit of consolidation here and there. But, really, the uncertainty has passed for a lot of folks and they can start to really focus on security now, instead of worrying about if they have a job. I also think there is certainly a growing awareness. I've seen it all the way up to the board level, where they clearly understand the risks involved with Internet and doing business on the Internet. We have to make sure we are protecting customers in the appropriate manner. I also think it's been a bit of a struggle to really bring in some of the foreign influence, where we've seen banks adopt strong authentication for 10, sometimes 15, years now. We'd like to show banks here what they've done and get response for what's happened environmentally overseas. It can prove that customers will adopt this technology and use this technology, and actually do more transactions online. That mentality has changed. Having been in the industry for eight or so years now, I know when I first started doing this, if you talked about a bank in the Netherlands that was using strong authentication, banks in the U.S. would say, "What does that have to do with me?" They never considered that it is just one Internet. But now you see that awareness improving. Banks are willing to look overseas for expertise. So, I do think 2011 will be a much stronger year in the authentication space. I think it is important to learn lessons from around the world.
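Dolby's point that a one-time password "is not designed to protect" an ACH batch, and that the answer is to bind the credential to the payee and account data itself, is shown below in a toy model. This is an added example, not code from the interview, from Gemalto or from ISMG. The payroll batch, the account numbers and the keys are all constructed, and a keyed HMAC stands in for the PKI signature Dolby describes, since Python's standard library has no public-key signing; the property being demonstrated is the same, namely whether the bank's check covers the contents it actually received.

```python
"""Session OTP versus transaction signing against a man-in-the-browser.

Added example (not from the interview or from Gemalto). Everything here is a
constructed toy: the batch, the seeds and keys, and the "bank" checks.
"""
import hashlib
import hmac
import json

# Constructed sample: a two-entry payroll direct-deposit batch. Not real data.
SAMPLE_BATCH = [
    {"payee": "A. Example", "routing": "021000021",
     "account": "000123456", "amount_cents": 250000},
    {"payee": "B. Example", "routing": "021000021",
     "account": "000654321", "amount_cents": 310000},
]

# Constructed secrets. In a deployment the OTP seed lives in a token and the
# signing key would be a private key on a smart card or device (the PKI
# approach the interview refers to); HMAC stands in for the signature here.
OTP_SEED = b"constructed-otp-seed"
SIGNING_KEY = b"constructed-signing-key"


def canonical(batch):
    """Stable byte encoding so the device and the bank MAC identical input."""
    return json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()


def otp_code(seed, counter):
    """Event-based OTP: proves possession of the seed, says nothing about the batch."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()
    return mac[:6]


def token_summary(batch):
    """What a signing device shows before signing: entry count, total, short digest.

    Count and total alone would not expose an account-number swap, which is why
    the digest over the full canonical batch is part of the display.
    """
    digest = hashlib.sha256(canonical(batch)).hexdigest()[:8]
    return len(batch), sum(e["amount_cents"] for e in batch), digest


def sign_batch(key, batch):
    """Transaction signature: the credential is bound to the batch contents."""
    return hmac.new(key, canonical(batch), hashlib.sha256).hexdigest()


def mitb_rewrite_accounts(batch, mule_account="999999999"):
    """Man-in-the-browser: rewrite every destination account after user approval."""
    tampered = json.loads(json.dumps(batch))  # deep copy of the approved file
    for entry in tampered:
        entry["account"] = mule_account
    return tampered


def bank_accepts_with_otp(seed, counter, submitted_code, batch):
    """OTP-only control: accepted if the code matches, whatever the batch holds."""
    expected = otp_code(seed, counter)
    return hmac.compare_digest(expected, submitted_code)  # `batch` never inspected


def bank_accepts_with_signature(key, batch, submitted_sig):
    """Signed-transaction control: recompute over what was actually received."""
    expected = sign_batch(key, batch)
    return hmac.compare_digest(expected, submitted_sig)


def scenario():
    """Return (otp_accepted_tampered, signature_accepted_tampered)."""
    counter = 1
    code = otp_code(OTP_SEED, counter)              # user types this into the form
    sig = sign_batch(SIGNING_KEY, SAMPLE_BATCH)     # device signs the reviewed batch
    tampered = mitb_rewrite_accounts(SAMPLE_BATCH)  # malware swaps the file in the POST
    return (bank_accepts_with_otp(OTP_SEED, counter, code, tampered),
            bank_accepts_with_signature(SIGNING_KEY, tampered, sig))


if __name__ == "__main__":
    otp_ok, sig_ok = scenario()
    print("OTP-only bank accepted the tampered batch:", otp_ok)
    print("Signature-checking bank accepted the tampered batch:", sig_ok)
```

The caveat a practitioner will want: the signature only helps if it is computed on something the browser cannot drive. If the signing key sits in the browser, or the device signs whatever the web page hands it without showing the user what that is, the man-in-the-browser simply signs the tampered file. The `token_summary` display is the piece that closes that gap, and it has to include more than count and total, because an account-number swap leaves both unchanged.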
(http://www.bankinfosecurity.com/articles.php?art_id=3257&opg=1
January 12, 2011 - Tracy Kitten, Managing Editor
Share
What financial industries need is a shift in the way they think about fraud-prevention. It's security first, compliance second.
That's the way Adam Dolby, who heads up online security and authentication systems for Gemalto North America, sees it. Dolby says banking institutions in the U.S. have for too long focused on regulatory compliance, rather than centering their attention on solutions that actually detect and prevent fraud.
"There has been a number of solutions that were presented as a way to get to compliance that really led people down a bit of the wrong path," he says. "It almost created the illusion of security, rather than delivering security solutions. So, some of the fraud solutions that have been deployed really haven't done anything to mitigate the actual occurrence of fraud. What they have done is provide a bit of a false sense of security."
That false sense of security has had a domino effect, because it's led many institutions to be caught off guard. For instance, some of the steps put in place to comply with regulatory mandates, such as one-time passwords, have actually helped fraudsters to compromise transactions.
After reviewing results from Information Security Media Group's The Faces of Fraud Survey, Dolby says financial institutions are falling victim to what he calls the "CSI phenomenon."
"This is like trying to act against crime but starting with a dead body and investigating backward, rather than actually trying to stop people from getting whacked in the first place," he says.
During this interview with Information Security Media Group, Dolby discusses:
•How U.S. institutions could learn from their overseas financial counterparts;
•Needed investments in fraud-detection technology;
•The role stronger authentication will play in the future.
Dolby oversees online security and authentication systems via channel relationships for Gemalto North America, where he builds and maintains regional partnerships. Dolby also supports Gemalto's business and security objectives, through consumer education and advocacy on Gemalto's online resource www.JustAskGemalto.com. Before Gemalto, Dolby worked in the banking industry, serving in executive management roles for online banking and partnering with the world's leading financial institutions. Dolby's experience encompasses management of multiple e-banking systems including ACH, wire, treasury management, consumer e-banking, card networks and ATMs.
Current Fraud Detection
TRACY KITTEN: What fraud trends can the financial industry expect to face in 2011? I'm here today with Adam Dolby, who oversees online security and authentication solutions for Gemalto North America. Building on newly released results from Information Security Media Groups, the Faces of Fraud survey, Dolby shares his thoughts about surprising and not-so-surprising trends in financial fraud and investments banks and credit unions are expected to make in security solutions in the New Year. Adam, you've reviewed some of the results from our fraud survey and this one caught a number of the experts' eyes. Seventy-five percent of respondents said they learn about fraud from their customers or members. What does that tell us about fraud detection, and is the industry continuing to rely too heavily on customer and member notification?
ADAM DOLBY: I certainly thought that this particular question, and the fact that it led study, was very interesting. If 75 percent of respondents are saying that they are learning about fraud from their customers, what it is really issuing is a bit of an indictment on the industry as a whole, and the measures of fraud detection and prevention that are existing in the market place today. You could sort of equate this a bit to, say, maybe the CSI phenomenon, for those of you who watch the show, where we are seeing evidence of a dead body first and relying on people to report the crime, rather than preventing the crime from happening in the first place.
KITTEN: How much fraud do you think, Adam, is slipping through the cracks as a result of the way financial institutions are learning about fraud?
DOLBY: I think that is an excellent question and perhaps a bit of a scary one. Knowing how well customers, in general, look at their statements and their banking activity, I would suppose that quite a substantial amount of fraud is actually slipping through the cracks; whether it's undetected or late detected or perhaps under-detected remains to be seen. Also of issue in here is not necessarily where fraud occurs, but just where accounts have been entirely taken over and customers have no method for verifying what transactions have taken place. I think all of those factors here paint a bit of a grim picture on what the industry looks like as a whole, with regard to fraud and Internet banking; but it also means that there is quite an opportunity to be able to act on what the results of this study are.
Fraud Detection and Audits
KITTEN: You also noted that you found it interesting that 25 percent of the survey's respondents said they discover fraud during audits. Why is that interesting, and what does it tell us about current fraud-detection mechanisms, or the lack thereof?
DOLBY: I found that number a bit interesting, perhaps a bit differently, in that I thought 25 percent was actually a bit high. If we're actually discovering fraud one out of four times during an audit, rather than a customer reporting it or any detection or prevention mechanism addressing the issue, then, really, one out of four are saying that there is fraud being detected substantially after the fact. Money has actually moved out of an account. What is particularly troubling there is that no detection mechanism or the customer is finding it when it occurs. It is actually slipping through almost all of the cracks and being found sort of at the last possible moment, during an audit of either the account balancing or any other system detection. So, yes, I think it is good amount that it is being found that late, and I think that it is a bit troubling. That means it has gotten past the initial detection systems, including the eyes of the customer.
ACH Fraud: 'Unprepared to Fight'
KITTEN: ACH and wire fraud is a growing problem. That is not a surprise. But banks and credit unions in the survey said they feel very unprepared to fight ACH and wire fraud.
DOLBY: Really, to date, there has been a bit of hesitancy to move forward with really aggressive fraud-prevention measures, rather than detection. I would say that the challenge for the industry, at this point, is to move toward solutions specifically designed to address the spectrum of money-movement fraud -- whether it's ACH, wire, account-to-account transfers, or any other type of money-movement -- and really making sure that we're addressing all of those problems before it's possible for them to happen. I think the other challenge, quite frankly, has been that there have been a number of other issues that have plagued the financial industry, including the relative instability in that space over the last few years. From a simple perspective, people have had other things to worry about. But at this point, I think we really have to recognize that security is an ongoing battle. It is certainly a necessary part of delivering financial services online that every bank should have a plan and staff to address. As an industry, we need to make sure that we're looking at and making long-term investments aimed at stopping fraud as it can occur today, but also as it can occur tomorrow and the day after tomorrow. We also need to look at what other vectors that it can take; whether it is starting as simple as phishing and moving to more advanced malware and key logging, and making sure that we're addressing the transaction set that has seen fraud today and will see fraud tomorrow.
KITTEN: This is something that we have discussed in the past, not something that is directly related to the survey results, but it does have a tether of sorts. You've noted that authentication is a problem, especially as it relates to ACH and batch transactions. One-time passwords have, in some ways, you've said, assisted fraudsters. Can you explain and tell us what you think institutions should be investing more in when it comes to ACH-fraud prevention?
DOLBY: I think one of the point of clarification is that the initial investment in, not necessarily just one-time passwords, but some very basic fraud analytics have created a bit of a green-field opportunity for those folks who know how to execute a sophisticated technology-based attack on a financial institution, be that "man-in-the-middle" or "man-in-the-browser." So, with that sort of opportunity presenting itself to those folks who really know how to execute that technology-based attack, what it means is that they have an opportunity to sort of get by those security measures, as the earlier pieces of the study would indicate, and really go after the money. What it requires is a bit of a shift in thinking, from the part of both security companies as well as financial institutions. And then we have to look at, "How do we defend every type of transaction within the banking infrastructure?" The early emphasis, and rightfully so, was on protecting wire transfers, because those are one-to-one movements of money and payment options; but we've historically defended wire transfers very well at a very basic level.
I could pick up the phone and call you and say, "Hey, Tracy. Do you want to move money to Francesca in Massachusetts?" And you would have the opportunity to say "yes" or "no" and approve that transaction. But you can't do that for transaction batches, in particular, ACH. If you think of a large payroll being transmitted weekly, it's not possible or even feasible to go in and verify every transaction and all of the account holder information for everyone in that direct-deposit file. So, if that becomes the weakest link in the security chain, it will become the vector that we're seeing attacked most often. What that means is we have to look at security solutions that are aimed at protecting large amounts of alphanumeric data, which the solutions that are currently in place, whether that is OTP or fraud detection or prevention mechanisms and analytics, are not designed to protect. Really, what it requires is a shift in thinking: Looking at more PKI-oriented technology, which is really designed to protect massive amounts of information, and also alphanumeric information, so that it would protect payee information, account-number information and or anything else that is contained in a database, in transit and at rest.
Budget Constraints
KITTEN: Going back to the survey results, financial institutions noted in their responses that budgetary constraints and inadequate technology were listed as the most-often to blame for lacking fraud detection. Are banks really strapped for fraud-detection investments, or are they just investing in the wrong types of solutions?
DOLBY: I thought that piece was very interesting as well, and I think it is probably a mix of the two. For me, I think fraud detection is a bit of a misnomer, because I think in order to build your fraud-detection solution, you have to at least see some instances of fraud to build your model off of. In the banking industry, again, if you go back to sort of the crime-scene model, one body is too much, in my opinion. Just seeing any financial loss for any particular customer is a potential PR nightmare, let alone the dollars that can be lost. So, from that standpoint, I think what has really happened is there has been a bit of a tendency, and we saw this with the FFIEC guidance that came out several years ago, to think more around compliance, rather than looking at true security-based solutions and how we can actually prevent fraud from occurring in the first place. Solutions certainly exist. Really, what it requires is a bit of a shift in thinking. Institutions need to accept the fact that security is a piece of the necessary puzzle to deliver online services. They need to have a bit of that forward-looking, forward-thinking mentality that says, "I need to invest in what amounts to an insurance policy for each customer that merits it," and pick the level that is appropriate for those customers. I don't believe in a one-size-fits-all approach. So, you would have a blend of security solutions for your customer base or even for particular users within an individual business, for example, and move forward in a way that really treats security as that necessary part of the puzzle, rather than something that has to get done to get examiners off our back.
I also think there have been a number of solutions that were presented as a way to get to compliance that really led people down a bit of the wrong path, where it almost created the illusion of security, rather than delivering security solutions. So, some of the fraud solutions that have been deployed really haven't done anything to mitigate the actual occurrence of fraud. What they have done is provide a bit of a false sense of security, and to me that is almost worse than no security at all. When your security solution is compromised, you have quite a bit of a shake in confidence from your customer base and, perhaps, a very difficult time getting them back.
Reputation Loss
KITTEN: I'm going to build on that just a little bit, talking about reputation loss and customer confidence. Forty percent of our survey's respondents said that reputation loss and customer confidence were adverse side effects of fraud. What does that tell you about investments banks and credit unions should be making in fraud prevention, to not only cut their hard costs but also their soft costs, which would be the customer and member losses?
DOLBY: Security is a necessary part of delivering online banking. If you could save half of, or even a third of, your customer base that is potentially vulnerable from a compromise, I think that is a huge number. In fact, having that many customers vulnerable to outside influences is huge in and of itself. So, if one individual or a group of individuals has it in, so to speak, for any financial institution, or just sees that bank as the weakest link in the security chain, that is a tremendous number of your base that you are going to have to not only spend money on to try to keep, not to mention the money that will have to be spent to respond to any media leaks or announcements that go out about publicized attacks. At a time when customers are already looking for a reason to be aggravated with the financial industry, it really creates a potential point of compromise that is extremely dangerous for the industry as a whole. Even if you as an individual are not compromised, if others in your peer group are compromised, you could still have shaken confidence. For a bank, their customer base could be shaken, because they are going to question the security measures their bank has in place. So, certainly, it is a very interesting and challenging time. Fortunately, there are security solutions that exist that can make fraud virtually impossible. It certainly requires some investment from the financial perspective, but it also requires a bit of a mind shift on the part of the customers themselves. Customers need to realize, "Hey, for me to access my online banking, it may be a bit different than it was in the past. It may require me to carry a device." So, there is an educational campaign aspect to this that has to occur as well. But, certainly the fact that 40 percent of respondents are saying loss of customer confidence and loss of the customer himself is a problem is huge.
That is a huge number of people to be potentially vulnerable, if you are a financial institution that is attacked.
KITTEN: Now, I'm going to go back to the customer education piece for just a moment. We talked about this earlier, and it's come up in this last question here. Customer education is effective, but can only go so far. Yet it seems that banks and credit unions say education and awareness are the best fraud prevention measures they have in place. Why is technology not seen as a critical investment, when it comes to fraud prevention, and do you see that as being a U.S.-centric perspective? Is fraud prevention addressed or viewed in a similar way by financial institutions throughout the world?
DOLBY: I'm a huge proponent of customer education, and I think it is going to be even more essential going forward. Customers are continually educated on what to look for, whether it is phishing e-mails or not clicking on links, etc. I think for a proactive institution, the opportunity to position the bank as a resource for that type of information, especially if they have a small-business customer portfolio, is excellent. There is an opportunity to continue to educate them about protecting VPNs and firewalls and all of those things. However, customer education can only do so much, as you say, and it's a bit like expecting individuals to not transmit the flu by telling them they need to wash their hands all the time. Well, certainly we do that, but we also have a flu vaccine, and really, that is where technology comes into play. As we deliver that vaccine and prevent the spread of that infection, we control the sickness.
I think it seems to be more of a U.S.-centric mentality; outside of the U.S., you see very rapid expansion and adoption of authentication solutions and stronger authentication solutions for customers, both at the corporate and retail levels. At the retail level, it is almost unheard of in the U.S. There are a few banks that have taken proactive measures, but they are very few and far between.
I think technology is seen as too expensive and, perhaps, a bit too complex. I think that is, in large measure, a bit of a red herring. I think if you really look under the covers of solutions, you'll find they are very customer friendly. And if you present them to a user in the correct manner, they will be very accepting of those solutions. We've seen technology presented out to customers in a way that would lead to some negative feedback. For example, I've seen financial institutions that will say, "Do you want to use this thing to connect to Internet banking, or nothing?" Well, human nature is going to say, "I don't want to carry anything else to do this if I can get away with it." Certainly, if you present security in that manner, it's not received well; but if you go to the same customer and say, "Would you like to be able to access your bank securely and guarantee that no one can commit fraud on your account?" that is a much different presentation of the technology.
I would also take it a step further, in that we have a set of regulations called Reg E in the U.S., where we have a number of consumer protections that actually dumb down, a bit, the level of sophistication on the part of the end-user and their awareness of security. That's because the bank is ultimately responsible when fraudulent movements of money occur. That is why you see a strong push on the corporate side, which is not covered by Reg E, for security solutions. On the retail side, there aren't many security solutions or very many strong authentication solutions deployed, because those consumers are protected by Reg E. Really, what we've done is said, "Security is going to be the bank's concern," and when you go to try to alter the user experience for those people that are protected by that regulatory protection, they don't have to adopt any additional measures and more protected measures for accessing their accounts. So, there are a number of forces at work. There is certainly an environmental issue in the U.S. that is a bit unique, and I do believe that education is a good step and a necessary step. But, really, in terms of that actually fixing your problem or helping fraud prevention, I think that first question of 75 percent of institutions learning about fraud from their customers and members says it all. To learn about fraud from their customers is still troubling. It's clearly still happening, and to expect your customer to prevent it is a bit naïve.
2011 Agenda
KITTEN: In closing, Adam, I would just like to ask where you see the industry heading over the course of the next year. Banking institutions are looking for more fraud prevention and security tools. Why, in your opinion, is knowledge so lacking, and what can the industry do in 2011 and beyond to break this cycle?
DOLBY: Yeah, I certainly think it is a bit incumbent upon providers to make sure that we are doing our best to educate folks, whether that is through conducting a podcast like this or webinars, etc. Really, that is our responsibility to educate, not to simply go out and promote a product. We need to educate the industry about the threats that exist and talk to customers about what challenges there are and how they can be addressed.
I do think we'll see better responsiveness from the industry in 2011, if only because the industry continues to settle with a bit of consolidation here and there. But, really, the uncertainty has passed for a lot of folks and they can start to really focus on security now, instead of worrying about if they have a job. I also think there is certainly a growing awareness. I've seen it all the way up to the board level, where they clearly understand the risks involved with Internet and doing business on the Internet. We have to make sure we are protecting customers in the appropriate manner. I also think it's been a bit of a struggle to really bring in some of the foreign influence, where we've seen banks adopt strong authentication for 10, sometimes 15, years now. We'd like to show banks here what they've done and get response for what's happened environmentally overseas. It can prove that customers will adopt this technology and use this technology, and actually do more transactions online. That mentality has changed. Having been in the industry for eight or so years now, I know when I first started doing this, if you talked about a bank in the Netherlands that was using strong authentication, banks in the U.S. would say, "What does that have to do with me?" They never considered that it is just one Internet. But now you see that awareness improving. Banks are willing to look overseas for expertise. So, I do think 2011 will be a much stronger year in the authentication space. I think it is important to learn lessons from around the world.
Monday, January 10, 2011
Healthcare and security
Top 10 Health InfoSec Stories for 2010
A Look Back at the Past Year's Biggest Events
January 10, 2011 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com
Healthcare privacy and security issues rose to the forefront in 2010 thanks, in large part, to the HITECH Act, which led to many new regulations as well as a public list of major health information breaches.
HealthcareInfoSecurity.com has compiled a list of the past year's most noteworthy trends and events in an interactive slide show.
In one of the most significant events of the year, federal rules were issued to launch the HITECH Act's electronic health records incentive payment program. One rule defining "meaningful use" of EHRs requires hospitals and physicians to conduct a risk assessment and then take steps to mitigate risks identified.
A new federal list of major health information breaches surpassed 200 cases by year's end, drawing attention to the need for breach prevention efforts.
Meanwhile, as more organizations relied on social media for marketing and education, concerns about privacy threats grew. One hospital fired staffers for discussing a patient online. And as regional and statewide efforts to facilitate health information exchange continued, federal regulators grappled with a long list of issues, including how to obtain patient consent for data exchange.
Sunday, January 9, 2011