Banks Banking on Security Bank of America, Commerce Bancorp, PNC Financial Services Group, and Wachovia were victims of a crime where a person tried to obtain customer data and sell it to law firms and debtcollection agencies. New Jersey police seized 13 computers from the alleged mastermind with 670,000 account numbers and balances.
There is no indication the data were used for identity theft, but it highlights how increasingly difficult it is to protect information against such schemes as the market value of personal information grows. In the past, banks were wary of the cost or customer backlash from adopting network security technologies. Today, banks are beefing up network security as more customers begin to view security as a key factor when choosing a bank.
BANK OF AMERICA
Bank of America is moving toward a stronger authentication process for its 13 million online customers. Bank of America's new SiteKey service is designed to thwart scams in which customers think they are entering data on the bank's Web site, when they are actually on a thief's site built to steal data. This occurs when a worm tells a computer to reroute the bank's URL into a browser to another site that looks exactly like the bank's. SiteKey offers two-factor authentication.
When enrolling in SiteKey, a customer picks an image from a library and writes a brief phrase. Each time the customer signs on, the image and phrase are displayed, indicating that the bank recognizes the computer the customer is using and letting the customer know that they are in fact at the bank's official Web site. The customer then enters a password and proceeds. When signing on from a different computer than usual the customer must answer one of three prearranged questions.
WELLS FARGO & COMPANY
"Out-of-wallet" questions contain information that is not found on a driver's license or ATM card. Wells Fargo is implementing a security strategy that operates based on "out-of-wallet" questions as a second factor for network password enrollment and maintenance. It is also offering network security hardware such as key fobs that change passwords every 60 seconds, and launching a two-factor authentication pilot in which small businesses making electronic funds transfers will need a key fob to complete transactions.
E-TRADE FINANCIAL CORPORATION
E-Trade Financial Corporation provides customers with account balances exceeding $50,000 a free Digital Security ID for network authentication. The device displays a new six-digit code every 60 seconds, which the customer must use to log on. Accounts under $50,000 can purchase the Digital Security ID device for $25. BARCLAY'S BANK Barclay's Bank instituted online-transfer delays of between several hours and one day.
The delays, which apply the first time a transfer is attempted between two accounts, are intended to give the bank time to detect suspicious activity, such as a large number of transfers from multiple accounts into a single account. The online-transfer delay was adopted in response to a wave of phishing incidents in which thieves transferred funds from victims' bank accounts into accounts owned by "mules." Mules are people who open bank accounts based on an e-mail solicitations, usually under the guise of a business proposal.
From the mule accounts, the thieves withdraw cash, open credit cards, or otherwise loot the account. Barclay's also offers account monitoring of customer's actions to compare them with historical profile data to detect unusual behavior. For instance, the service would alert the bank to contact the customer if the customer normally logs on from England and suddenly logs on from New York and performs 20 transactions
Questions
1. What reason would a bank have for not wanting to adopt an online-transfer delay policy?
2. What are the two primary lines of security defense and why are they important to financial institutions?
3. Explain the differences between the types of security offered by the banks in the case. Which bank would you open an account with and why?
4. What additional types of security, not mentioned in the case above, would you recommend a bank implement?
5. Identify three policies a bank should implement to help it improve information security.
6. Describe monitoring policies along with the best way for a bank to implement monitoring technologies.