The Twelve Days of Secure Banking

Wish List from Financial Institutions to Our Customers

As the weather outside gets colder and the year draws to an end, we’re thinking of what would be some of the things we’d like to give and receive as gifts during the holidays. While your personal list may be longer than this, here’s the 12 things we wish all of our customers and employees would do … loosely based on “The Twelve Days of Christmas.” Hum along if you don’t sing.

On the first day of banking, my customer gave to me:
“A strong and frequently changed password”

While most customers use the same password for every single website, including their online bank account, encourage your customers (and employees) to regularly change their passwords and, more importantly, NOT USE THE SAME PASSWORD FOR EVERYTHING! Strong passwords that combine alphabetic, numeric and symbol characters are best. The best ones are at least eight characters long, which makes them harder to crack with simple dictionary attacks. Even better is to devise a passphrase, where each letter and number stands for a word. An example of this is: I Will L*ve My Bank 4 Ever (IWL*MB4E). Encourage your customers to do this to protect their privacy. Passwords or passphrases should be difficult for someone else to guess, and should always be kept secret. Remind your customers that your bank or credit union will NEVER ask them to reveal their password or other personal information such as account numbers, either by email or phone. (Obviously, if they call you or log on to your site, they should realize certain verification information will be required.)
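The guidance above (eight or more characters, a mix of letters, digits and symbols, nothing a dictionary attack would guess, and a passphrase reduced to its initials) can be turned into a simple checker. The following is an added example written for this article, not code from the author or from any bank; the tiny `COMMON_WORDS` set stands in for a real cracking wordlist and is an assumption of the example.

```python
import re
import string
from typing import List

# Constructed stand-in for a real cracking wordlist (assumption for this example).
COMMON_WORDS = {"password", "letmein", "welcome", "banking", "123456", "qwerty"}


def check_password(candidate: str) -> List[str]:
    """Return the problems found; an empty list means the password meets the article's guidance."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol characters")
    # Dictionary-attack check: strip digits and symbols (the usual "password1!" trick)
    # and compare the lowercase core against the wordlist.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if candidate.lower() in COMMON_WORDS or (core and core in COMMON_WORDS):
        problems.append("based on a common dictionary word")
    return problems


def passphrase_to_password(phrase: str) -> str:
    """Build a password from the first character of each word, keeping any digits or
    symbols inside a word, so "I Will L*ve My Bank 4 Ever" becomes "IWL*MB4E"."""
    pieces = []
    for word in phrase.split():
        pieces.append(word[0])
        # keep embedded symbols and digits, e.g. the '*' in L*ve
        pieces.extend(ch for ch in word[1:] if not ch.isalpha())
    return "".join(pieces)


if __name__ == "__main__":
    derived = passphrase_to_password("I Will L*ve My Bank 4 Ever")
    print(derived, check_password(derived))
    print("password1!", check_password("password1!"))
```

Note that "password1!" passes every character-class rule and still fails, which is the point of the dictionary check: appending a digit and a symbol to a common word does not make it strong.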

On the second day of banking, my customer gave to me:
“Two Encrypted USB drives”

While these handy little devices are timesavers, everyone should realize that they are little, and they can be and usually are misplaced or lost. Gasp! Remind your customers (and employees) not to store confidential information, like passwords, credit card numbers or any other personal information, on USB drives or other media like CDs or floppy disks unless it is encrypted or password protected, in case it does get lost or misplaced.

On the third day of banking my customer gave to me:
“Three virus-free emails”

Many people are now aware of the dangers of computer viruses and other malware. If your PC hasn’t been infected, or you don’t know someone who has been hit, you’re extremely lucky, or you’re a Luddite who doesn’t touch computers. Your customers (and employees) need to know this: the only computer 100% safe from viruses and other malware is the one that has never been turned on. All computers and laptops sold today usually come with some type of anti-virus and anti-malware software preloaded. If your customers don’t have anti-virus software on their machines, advise them to get it. It’s not a 100% guarantee they won’t get infected, but it’s a good start. Also good advice: install a firewall from a reputable company, and set it to make your computer’s ports invisible (stealth mode).

On the fourth day of banking my customer gave to me:
“Four phone calls”

Your customers are your frontline for reporting suspicious email. Phishing emails are hitting customer inboxes of banks and credit unions of all sizes. Inform your customers that if they even THINK an email from your bank smells “phishy,” they should pick up the phone and call your institution. The old military security adage goes “Trust But Verify.” Let them know they should call to verify that your institution really did send them that email. It’s worth the phone time because our entire business is based on trust, and if your customers know they can call you to check, that builds trust in your business. It also gives you the extra security of knowing your customers will call you in the event a phishing attack is made against your online site. For those of you who think it doesn’t matter because you’re not a big institution or are in the middle of the country: it doesn’t matter how far away you are from the city lights; to a phisher, any bank or credit union’s IP address and its customers are targets. If you haven’t already, put educational information on your website about phishing for your customers.

On the fifth day of banking my customer gave to me:
“Five paper shredders!”

Holders of debit and credit cards issued by your bank have a responsibility, too. There is a misconception that the majority of credit card and debit card fraud happens online, or through a card swiped by an unscrupulous vendor with a card reader called a skimmer. According to a recent Javelin Strategy & Research survey, for the half of victims of identity-based fraud who knew where their information had been obtained, the most common source was a "lost or stolen wallet, checkbook, or credit card." It also showed that another source of ID theft and credit fraud comes from, yep, the old paper trail of trash. The gift of a paper shredder is something everyone should consider, at least for themselves. Credit card bills, offers with blank checks for transferring balances, bank statements, or any other information that would be gold for an ID thief should be shredded once it is paid or no longer needed. Give a paper shredder this year to everyone you know! And get a mailbox with a lock on it to protect incoming statements.

On the sixth day of banking my customer gave to me:
“Six Reputable Weblinks”

Education is everything when it comes to safe Internet use. Remind your customers (and employees) that despite having loaded their anti-virus and other anti-malware software onto their computer, they still should be careful where they go on the internet. Spyware, Trojans, and keyloggers are often hidden in free software downloads or free screensaver sites, and unless they read the fine print in the End User License Agreement (EULA) and can speak fluent lawyer and technobabble, they should only go where it’s safe, aka reputable, well-known sites. And no matter what your customers have done in the past, the wise thing to do is type in the name of the website, rather than clicking on a link inside any email that looks like it is from a popular website. Always err on the side of caution: the few extra keystrokes to type in the name of the retailer or institution can save them from being directed to a fake website.
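The reason for typing the address rather than clicking is that the visible text of an email link and the address it actually opens can differ. A mail-filtering or awareness team can check for exactly that mismatch. The code below is an added example for this article, not something from the author or any institution; the HTML snippet, the domain `examplebank.com` and the lookalike host in it are constructed, and the "last two labels" rule for comparing domains is a deliberate simplification (a real filter would use a public-suffix list).

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host: str) -> str:
    """Crude 'last two labels' of a hostname (assumption: no public-suffix list available offline)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_misleading_links(html_body: str, trusted_domain: str) -> List[Tuple[str, str]]:
    """Return (visible text, real host) for links whose visible text names the trusted
    domain but whose href points at a different registrable domain."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        if trusted_domain.lower() in text.lower() and \
                registrable_part(real_host) != registrable_part(trusted_domain):
            findings.append((text, real_host))
    return findings


# Constructed sample message: one link whose text and target disagree, one honest link.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account at
<a href="http://examplebank.com.verify-login.example/">https://www.examplebank.com/login</a>
or read our <a href="https://www.examplebank.com/security">security tips</a>.</p>
"""

if __name__ == "__main__":
    for shown, real in find_misleading_links(SAMPLE_EMAIL, "examplebank.com"):
        print(f"link text says {shown!r} but actually opens host {real!r}")
```

The first link is flagged because the text reads like the bank's address while the host it opens belongs to `verify-login.example`; the second is left alone because its text makes no claim about where it goes.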

On the seventh day of banking my customer gave to me:
“Seven scanned email attachments”

How did we ever live without the instantaneous delivery capability of the Internet? Getting documents, photos and other types of attachments quickly is what makes everyone so darn productive. However, customers (and employees) should know this instantaneous delivery has a flip side: those attachments from your co-worker or business client may contain more than you bargained for, since viruses, Trojans and other malware can be a hidden payload. The best way to avoid this is to only open attachments that you are expecting, and to scan them first with your anti-virus software. Many ISPs now offer scanning as part of their email packages, but don’t depend on that alone. If you don’t scan, that productivity surge you’re experiencing will grind to a halt when your PC is infected, or even worse, becomes compromised and is turned into a “bot” computer and then part of a botnet.

On the eighth day of banking my customer gave to me:
“Eight spam-free inboxes”

Everyone gets spam in their inboxes. It’s everyone’s headache. Even though in early 2004 Bill Gates predicted that spam would effectively be stamped out in two years, spam’s end has yet to be seen. Your customers (and employees) will sigh and hit the delete button most of the time. Educate them that any strange-looking email from unknown sources should be DELETED, not opened and then deleted, just deleted. Spam filters don’t always work on the more elusive spam emails, but they do help. Many ISPs also offer spam filters, and, again, they don’t always catch all of it. Spam can also come through instant messaging. “Spim,” as it is known, usually offers the same type of virus- or malware-loaded links within the IM. Avoid IMs from those unknown to you and, if possible, block the address in your contact list. Until Bill Gates and the other computer gods figure out how to eliminate spam or knock the spam kings off their thrones, spam will be something in our inboxes. The worst thing you can do with a spam email is open it or, worse, reply to it. The spammers will then know they have a live email address!

On the ninth day of banking my customer gave to me:
“Nine computers backed up”

This is one important item that many of us forget to do on a regular basis. If you’ve ever had your computer drive crash, or experienced the dreaded “Blue Screen of Death” (BSOD), you’re probably shaking your head in agreement. Customers (and employees) may not know how to back up their own computers, but there is plenty of software out there to help them do it. Even keeping a copy of all the most important documents on a password protected CD or USB drive is better than nothing. Another thing to consider: if there are other people using the computer (including kids), doing routine backups is just the smart thing to do. Backups are like insurance: there if you need to replace something of value.
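A backup is only insurance if the copy can actually be read back, so a copy routine should also record checksums and re-check them later. The script below is an added example for this article, not code from the author or any product; it copies a folder, writes a SHA-256 manifest, and verifies the copy. The `demo()` function runs the whole cycle on constructed sample files in a temporary directory and deliberately damages one copy to show what a failed verification looks like. The manifest file name is an assumption of the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict

MANIFEST_NAME = "manifest.json"  # assumed name for the checksum file written beside the copies


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def back_up(source: Path, destination: Path) -> Dict[str, str]:
    """Copy every file under source into destination and write a SHA-256 manifest.
    Returns the manifest as {relative path: digest}."""
    destination.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source)
        target = destination / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, target)          # copy2 keeps timestamps as well as contents
        manifest[rel.as_posix()] = sha256_of(target)  # hash the copy, not the original
    (destination / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(destination: Path) -> Dict[str, str]:
    """Re-hash every file listed in the manifest; return {path: 'ok' | 'missing' | 'corrupt'}."""
    manifest = json.loads((destination / MANIFEST_NAME).read_text())
    status = {}
    for rel, digest in manifest.items():
        target = destination / rel
        if not target.exists():
            status[rel] = "missing"
        elif sha256_of(target) != digest:
            status[rel] = "corrupt"
        else:
            status[rel] = "ok"
    return status


def demo() -> Dict[str, str]:
    """Constructed end-to-end run: back up two sample files, damage one copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        dst = Path(tmp) / "backup"
        (src / "taxes").mkdir(parents=True)
        (src / "taxes" / "2006.txt").write_text("constructed sample tax return")
        (src / "statement.txt").write_text("constructed sample bank statement")
        back_up(src, dst)
        # Simulate media damage on one of the copies.
        (dst / "statement.txt").write_bytes(b"\x00 garbage")
        return verify_backup(dst)


if __name__ == "__main__":
    for path, state in demo().items():
        print(f"{path}: {state}")
```

Run the verification step against the backup medium itself (the USB drive or CD), not against the originals; a manifest that matches the source but not the copy tells you the copy is the one that is broken.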

On the tenth day of banking my customer gave to me:
“Ten computer updates”

While we are accustomed to updating our institution’s software and operating systems, our customers don’t always keep up with the latest updates from Microsoft, Macintosh, anti-virus software or the other less frequently used software. Setting your computer to accept and install updates automatically is not just wise these days, but necessary. The number of zero-day exploits turning up warrants this move by everyone. The more technically adept will already know to check for and install patches, but the rest of us need to set our computers to update automatically.

On the eleventh day of banking my customer gave to me:
“Eleven password protected screensavers”

Some people like using screensavers, others don’t. But as an additional layer of security against prying eyes when you are away from your computer screen, a password protected screensaver (but not one of the free ones downloaded from the internet) is something that everyone can, and should, use.

On the twelfth day of banking my customer gave to me:
“Twelve months of safe computing”

Developing information security awareness among your customers is a key to safe computing. The old TV cop show Hill Street Blues had the desk sergeant end the morning roll call with, “Hey, let’s be careful out there.” It’s a phrase all users could keep in mind when using computers. A final note: testing a computer’s anti-virus software and other security measures to check whether they are activated isn’t hard, yet not everyone knows how to check their computer’s ability to fend off an unwanted visitor (hacker). The website www.grc.com offers “ShieldsUP!”, one of the more popular and trusted (and free) Internet security checkups of firewall and port settings. Your customers (and employees) may want to browse through their anti-virus provider’s website to check if testing is available.

Definitions:

Luddite: A person who fears or loathes technology, especially new forms of technology that threaten existing jobs. Today, the term Luddite is reserved for a person who regards technology as causing more harm than good in society, and who behaves accordingly.

Botnet: A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Any such computer is referred to as a zombie, in effect a computer "robot" or "bot" that serves the wishes of some master spam or virus originator. Most computers compromised in this way are home-based. According to a report from Russia-based Kaspersky Lab, botnets, not spam, viruses, or worms, currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion. According to the Symantec Internet Security Threat Report, through the first six months of 2006, there were 4,696,903 active botnet computers.

Zero Day Exploits: A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.