The Human Factor in Data Security
Lenhoff, Alan, Independent Banker
As digital-data thieves prey on vulnerable employees and customers, community banks must enhance the personal side of data-security methods
Two Thanksgivings ago, a small American community was attacked by cyberassailants. An international criminal syndicate obtained a list of residents' phone numbers, and all the residents received an automated call directing them to log on to a Web site using their online banking-account user names and passwords.
Of course, the Web site, which had a URL resembling that of the local community bank, was fraudulent. The crooks hoped to drain any accounts of as much money as they could.
Officials with CoNetrix of Lubbock, Texas, the community bank's network-security provider, say they reacted quickly. Company staff called local media to spread the word that the phishing phone calls and Web site were frauds. Widespread problems were averted; only a couple of customers fell for the ruse.
Phishing scams using either e-mails or phone calls to trick consumers and bank staff into supplying private financial information are proliferating and growing more sophisticated. Many are also targeting community bank customers, according to Russ Horn, CoNetrix's chief operations officer, and Mark Eich, principal of information-security services for LarsonAllen LLP, a Minneapolis, Minn., consulting firm.
Eich says that "spear phishing" scams, which target one employee to compromise the bank's network, are becoming more credible. "The perpetrator will send an e-mail to an employee who is 'spoofed' to make it look legitimate," he says. "It looks like it's coming from someone in authority at the bank." The link might contain what is purportedly a news article. When the employee clicks on the link, he or she activates malicious code that tries to execute attacks on the bank from the inside out.
Horn and Eich put social engineering, an umbrella term for all the ways cybercriminals trick individuals into giving out private information, among the fastest-growing threats to community banks' data-security procedures and systems. Beau Woods, a data-security consultant with SecureWorks Inc. of Atlanta, and Raj Patel, partner in Plante & Moran PLLC in Southfield, Mich., see more phishing attacks aimed at customer passwords to conduct fraudulent wire transfers.
Electronic funds transfers and ACH networks have been fertile ground for security threats in 2009, Woods says. He recalls one attack against a bank customer "who basically had a million dollars transferred out of his account at a time when the criminal knew that person would be out of town and unable to take calls from his bank to authorize it.
"The bank made the business decision [to make the transfer] to keep that customer happy and ended up eating a million-dollar loss. These types of attacks against ACH, wire transfer and EFT are certainly progressing."
Patel points to instances in which criminals know how to fly just under the radar with regard to electronic transfers. "Right now I think the single biggest issue with ACH fraud is that there is not enough manual intervention," he says. "If the hackers know that if they keep under, say, the $10,000 Bank Secrecy Act suspicious-transaction threshold, and it won't trigger anything, they'll do ten $8,000 transactions a day. …
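The gap Patel describes is a per-transaction rule that never looks at the aggregate. The following is an added example, not code from the article or from any of the firms quoted in it, showing the kind of aggregation check a bank's transaction-monitoring team can run: it groups ACH debits by account and day and raises an alert when every individual transfer sits below the threshold yet the day's total exceeds it. The threshold, minimum count, account numbers and transfer records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ACH debits as (account, value date, amount in USD).
# ACCT-100 mirrors the pattern in the article: ten $8,000 debits in one day.
# ACCT-200 is ordinary activity plus one transfer above the threshold, which
# the existing per-transaction rule would already report on its own.
SAMPLE_TRANSFERS = [("ACCT-100", date(2009, 6, 1), 8000) for _ in range(10)] + [
    ("ACCT-200", date(2009, 6, 1), 2500),
    ("ACCT-200", date(2009, 6, 1), 1800),
    ("ACCT-200", date(2009, 6, 2), 12000),
]


def flag_structuring(transfers, threshold=10_000, min_count=3):
    """Flag (account, day) pairs whose transfers each stay below `threshold`
    but together meet or exceed it, with at least `min_count` transfers.

    `threshold` and `min_count` are assumed policy parameters, not values
    taken from any regulation; a real deployment would tune both.
    Returns a list of alert dicts sorted by account and day.
    """
    buckets = defaultdict(list)
    for account, day, amount in transfers:
        buckets[(account, day)].append(amount)

    alerts = []
    for (account, day), amounts in sorted(buckets.items()):
        total = sum(amounts)
        all_below = all(a < threshold for a in amounts)
        # A single transfer at or above the threshold is someone else's rule;
        # this check only cares about sub-threshold transfers that add up.
        if all_below and total >= threshold and len(amounts) >= min_count:
            alerts.append({
                "account": account,
                "day": day.isoformat(),
                "count": len(amounts),
                "total": total,
                "max_single": max(amounts),
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_structuring(SAMPLE_TRANSFERS):
        print(f"{alert['account']} {alert['day']}: {alert['count']} transfers "
              f"totalling ${alert['total']:,}, largest ${alert['max_single']:,}")
```

Each alert is a candidate for the manual review Patel says is missing, not an automatic block; the point of the check is to make the aggregate visible to a person, and the same grouping can be extended from one day to a rolling window if activity is spread across several days.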