GUARDING THE GATE

BLOGS, SOCIAL NETWORKS OPEN ACCESS TO BANK ACCOUNTS
By John Jaser

The Pogo principle is alive and well in the Internet security world. You might remember the friendly cartoon alligator and his smiling exhortation, “We have met the enemy and he is us!”

Bankers, web sites, and countless security-minded businesses have warned their customers repeatedly and even forcefully that they should withhold their personal information from the general public. Yet a recent Computerworld article pointed to a simple Google search of MySpace Inc.'s popular social networking site that turned up thousands of maiden names and pets' names.

Could we make it any easier for the cyber thieves?

Not long ago, this column warned of the potential for fraud in Instant Messenger applications. At the time, the thrill of anywhere/anytime chat trumped all caution until downloads of screensavers and other IM tidbits resulted in wholesale hard drive wipe-outs. At banks, the specter of regulatory scrutiny deflated the Instant Messenger bubble for good.

What’s going to stop the blog and MySpace babble? Certainly not fraud. For all the noise about TJX and other cyber-fraud targets, consumers kept swiping their cards at Marshall’s. No, it’s regulatory pressure.

Expect the following questions in your soon-to-come regulatory exams: Do you or your staff participate in online blogs or social networking sites? Does your bank monitor staff blog and MySpace posts? What reporting can the bank demonstrate to prove that its staff does not reveal non-public customer information in a blog, MySpace, or LinkedIn?

Sticky questions! But relevant for today’s banker who cannot help but see these online vehicles as holes drilled into the framework of privacy and security so carefully cultivated over the years.

By now, bankers should be well prepared to handle the next hot communications technology. After all, we have seen the hype and subsequent crash many times before. Email, web sites, login pages and Instant Messenger have all planted stars in our eyes only to be replaced by the perennial queasy question, “How are we going to get out of this one?”

It’s time we figured security into each communications channel from the beginning. Blogs? MySpace? LinkedIn? The answer should be no. Employees shouldn’t be there, and they should understand the reasons why. That way they can communicate those reasons to your customers.

The following should help your bank get started:

  • Family names and other data posted on sites like MySpace, Facebook and LinkedIn can be used to reset personal passwords. Bank staff and customers should be discouraged from using them.
  • Hold seminars to show customers how to hide personal information on blogs and social networking sites. Facebook has several options to prevent users' personal information from appearing online. Recommend that your social networking customers use these options to protect their identities from ‘friends’ and, more importantly, ‘friends of friends.’
  • Develop email and other communications to impress upon your customers that revealing personal information through blogs and social networking sites is dangerous to their financial health.

Bankers know from experience that these measures won’t stop all identity theft or prevent customers from revealing personal information online. But starting the conversation and establishing firm policies with your employees is a good first step in holding back this fresh tide of self-inflicted identity theft.
 
