Security Breaches Hitting Home: Phishing, Information Leaks Keep Security Concerns at Red Alert
The bad news is getting unnerving. Take Bank of America's February loss of government worker data and add to it a dash of Choicepoint's "data leaks" occurring in April. Then consider the Troj/BankAsh-A virus--a Trojan set up to steal bank account passwords. As of this writing, LYCOS.co.uk had tracked and stopped 3.3 million incidents. Oh, yes, let's not forget the latest stats issued by the Anti-Phishing Working Group on new attacks: though rising by a mere 2% in April, attacks are still rising. What about the recent Hackensack, N.J., case where bank workers were paid $10 for each account they turned over to the alleged chief architect of the crime, Orazio Lembo, Jr.? He is said to have purchased 500,000 customer records from several banks, including Wachovia, Commerce, and PNC Bank.

Looked at as a group, these incidents suggest a security flame-out and the perception that electronic information housed in computers is vulnerable. They also suggest that fraud seems to be mutating at a rate--and in ways--that is unexpected. All this hasn't gone unnoticed by Congress, the states, bank regulators, and the courts. (A feature article beginning on page 56 explores the legislative and legal fallout in detail.)

You also get the sense that "something" needs to be done about all of it, said Peter Neumann, principal scientist at SRI's Computer Science Lab, and author of Computer-Related Risks. Neumann and other public intellectuals in the security field conversed on security matters at a recent panel discussion and dinner in New York City hosted by security vendor PGP Corp. The group included Bill Cheswick, who worked on operating system security for 30 years, and Ira Winkler, whose books include Spies Among Us and Corporate Espionage. While not devoted strictly to the banking industry, the evening's discussion touched on financial examples, including information theft and phishing, which have plagued the industry.

Security a bigger deal now

Compliance pressures have led bankers (and the rest of corporate America) to seek out better ways to secure data while continuing to deliver online services and to generally function, as most companies do, in an increasingly paperless way. Or at the least, companies are to the point where active grousing about fallout from recent security faux pas has made outwitting fraudsters, hackers, and malicious insiders a higher priority, according to Neumann. Statistics from others bear this out. Celent Research, Boston, estimates that IT security spending by North American banks will reach $1.8 billion this year, a 12.2% increase over 2004.

Broader interest and better spending in a once esoteric field has come none too soon for security experts. "Computers are tied to infrastructure and the core operations of business and have absolutely become a part of the fabric of how we function as a society," Neumann says. "Yet comparatively few [in society] are aware of the risks imposed by distributed computing. That puts all of us in a more vulnerable position."

Who's to blame?

Meanwhile, fraud and security breaches are increasingly acknowledged by bankers to be a multi-channel problem (see ABABJ, April 2005, p.54). Individual breach scenarios, no matter the differences in method or channel attacked, are increasingly viewed as an assault on brand equity and the overall perception of "e-safety." Yet, when it comes to the internet, there is disagreement over who is at fault for schemes that careen out of control and what needs to be done to create a safer environment. "Users need to become more responsible," Winkler asserted. "The way that would-be drivers take driver's ed and need to get licensed, a new computer owner should be required to learn security basics before they are allowed to connect. …