Internet Safety for Banks - What Can You Do?
By John Jaser,
Internet Services Manager
Is the Internet safe? Bankers have had
reasons a-plenty to ask that question
over the years. Phishing, hijacking, and
botnet armies have undermined the
perceived security of this growing
business channel.
No doubt, bankers were asking the
question yet again when they read the
July 9 headline “Critical flaw rocks the
Internet.” The article revealed that
major hardware and software developers
had been secretly working for months to
fix a fundamental Internet error that
would have turned control of web traffic
over to the hackers.
The flaw concerned the way browsers,
servers and routers translate
www.xyz.com
into the real address, which looks more
like 111.212.056.144. When translated
correctly, the web surfer goes to
xyz.com. When hacked, the web surfer
will go wherever the criminals want him
to go, regardless of the website address
typed into the browser.
Imagine what the ‘phishers’ and other
criminals could do with that! Bank
customers would type in
www.mybank.com and find themselves
at www.mycriminal.com without ever
knowing the difference. Say goodbye to
passwords, birth dates, and mothers’
maiden names. The hackers could get them
all.
The good news is that hardware
and software developers came together, created a
fix and coordinated a release for all computer
software platforms. The patch’s design prevents
hackers from ‘reverse engineering’ the patch,
and technical details about the flaw were kept
secret for a month after the patch’s release to
allow companies time to update their computers.
The bad news is that the flaw was found by
accident. For those of us who keep asking if the
Internet is safe, the answer continues to be “We
just don’t know.” That’s not good enough for the
increasing numbers of customers who are
switching their banking business to the web.
For banks and other financial institutions
to keep the Internet safe for their customers,
each needs to:
- Subscribe to a daily vulnerability
assessment service such as Hackersafe to
scan the institution's website and mitigate
any vulnerabilities reported. Prompt
attention to coding errors and other flaws
can prevent the bank’s web site from
‘relaying’ hacker code to unsuspecting
customers.
- Monitor the institution's website for any
unauthorized changes. Your security teams
should review all configuration changes
requested by your institution’s staff and
match those changes with the ones listed in
your institution’s website change report.
These fundamental tools will ensure that
your staff isn’t fiddling where they
shouldn’t be and that your website
hasn’t been altered by someone you don’t
know.
- Review your website hosting service’s most
current Internet security report. If your
service doesn’t provide a report, insist on
it. If you don’t get one, your regulators
may insist on it at your next exam.
- Review reports of blocked traffic and email
usage on a regular basis. We recommend
reviewing them at least weekly, if not daily,
to detect potential issues arising from
criminal minds.
- Contract for a vulnerability scan of your
institution's internal network on a regular
basis. If you keep looking, eventually you
will find!
- Listen to your customers’ reports of unusual
emails and website pages. They are your
early warning system on the World Wide Web.
These measures won’t prevent
massive errors such as the addressing issue
reported above, but you will know sooner than
your competitors that a problem exists, and be
able to protect your customers. That’s what it
takes to keep today’s Internet safe for the
banking business.
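
The website-change review in the second measure above can be automated. This is an added example, not part of the original article: it hashes the site's files, builds a change report against a baseline, and matches that report with the approved change list. The function names, the sample file names and the (path, action) format of the approved list are assumptions.

```python
import hashlib
from pathlib import Path

def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def change_report(baseline, current):
    """List (path, action) pairs for everything that differs between snapshots."""
    report = []
    for path in sorted(baseline.keys() | current.keys()):
        if path not in baseline:
            report.append((path, "added"))
        elif path not in current:
            report.append((path, "removed"))
        elif baseline[path] != current[path]:
            report.append((path, "modified"))
    return report

def reconcile(report, approved):
    """Match observed changes with the approved change requests.

    approved: set of (path, action) pairs signed off by the security team
    (assumed format). Returns (unauthorized, not_applied): changes nobody
    approved, and approved requests that never appeared on the site.
    """
    observed = set(report)
    return sorted(observed - approved), sorted(approved - observed)

if __name__ == "__main__":
    import tempfile
    # Constructed sample site: a baseline, then one approved and two unapproved changes.
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "index.html").write_text("<h1>Welcome</h1>")
        (site / "login.html").write_text("<form action='/auth'></form>")
        baseline = snapshot(site)
        (site / "index.html").write_text("<h1>Welcome - new rates</h1>")
        (site / "login.html").write_text("<form action='/auth'></form><!-- edited -->")
        (site / "extra.js").write_text("/* file nobody requested */")
        approved = {("index.html", "modified"), ("rates.html", "added")}
        unauthorized, not_applied = reconcile(
            change_report(baseline, snapshot(site)), approved)
        print("UNAUTHORIZED:", unauthorized)
        print("APPROVED BUT NOT APPLIED:", not_applied)
```

Store the baseline snapshot somewhere the web server cannot write to, so that whoever alters the site cannot also alter the record it is compared against.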