Friday, April 9, 2010

Security Snafu at NetBank

Event Summary

NetBank (Nasdaq: NTBK), an Atlanta-based internet bank, suffered a major credibility blow last week when a customer named Mahesh Rao reported that he had been inadvertently given access to another customer's account, including that customer's transaction history, social security number, and funds. Rao had to call NetBank five times before the problem was resolved. According to Tom Cable, Chief Technology Officer of NetBank, the problem occurred due to human error. NetBank is an FDIC insured institution. According to Cynthia Bonnette, spokeswoman for the FDIC, "Significant implications for security and privacy are raised by this reported incident."
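What Rao described is a failure of object-level authorization: the bank confirmed who he was, but then showed him data belonging to someone else. The article does not say how that happened at NetBank (the bank attributed it to human error), so the following is an added illustration of the general failure class and of the check that prevents it, not NetBank's code. The customers, sessions and account records are constructed sample data; the function names are hypothetical.

```python
"""Account lookup with and without an ownership check.

Constructed example: the customers, sessions and balances below are made up,
and nothing here describes NetBank's actual systems or the cause of the
incident reported in the article.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    number: str
    owner_id: str          # the customer this account belongs to
    balance_cents: int
    ssn_last4: str
    history: list = field(default_factory=list)


class AuthorizationError(Exception):
    pass


# Constructed sample data: two customers, one account each.
ACCOUNTS = {
    "1001": Account("1001", "cust-rao", 250_00, "1234", ["deposit 250.00"]),
    "1002": Account("1002", "cust-other", 9_800_00, "9876", ["wire out 200.00"]),
}

# Session id -> authenticated customer id. In a real system this mapping is
# populated by the login step; here it is hard-coded for the example.
SESSIONS = {"sess-rao": "cust-rao", "sess-other": "cust-other"}


def _render(acct: Account) -> dict:
    """Serialize the parts of an account a customer may see about their own account."""
    return {
        "number": acct.number,
        "balance_cents": acct.balance_cents,
        "ssn_last4": acct.ssn_last4,
        "history": list(acct.history),
    }


def view_account_unscoped(session_id: str, account_number: str) -> dict:
    """Vulnerable pattern: the session is checked, but the account number
    comes straight from the request and is looked up globally. Any logged-in
    customer can read any other customer's account just by supplying its number."""
    if session_id not in SESSIONS:
        raise AuthorizationError("not logged in")
    acct = ACCOUNTS.get(account_number)
    if acct is None:
        raise AuthorizationError("no such account")
    return _render(acct)


def view_account_scoped(session_id: str, account_number: str) -> dict:
    """Hardened pattern: resolve the account only if it belongs to the
    authenticated customer. A foreign account number gets the same answer as a
    non-existent one, so the response also does not confirm which numbers exist."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise AuthorizationError("not logged in")
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner_id != owner:
        raise AuthorizationError("no such account for this customer")
    return _render(acct)


def can_read(view, session_id: str, account_number: str) -> bool:
    """True if the given handler returns account data for this session/account pair."""
    try:
        view(session_id, account_number)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    # Rao's session asking for the other customer's account number.
    print("unscoped leaks other customer:", can_read(view_account_unscoped, "sess-rao", "1002"))
    print("scoped leaks other customer:  ", can_read(view_account_scoped, "sess-rao", "1002"))
    print("scoped still serves own account:", can_read(view_account_scoped, "sess-rao", "1001"))
```

The point of the scoped version is that the ownership test is part of the lookup itself rather than a separate step that a later code path (or an operator working a support ticket by hand) can forget; whether the identifier was typed by the customer or mistyped by staff, the record cannot be returned to a session that does not own it.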

Market Impact

Incidents like the one at NetBank affect not only the institution in question, but the entire online banking community. Consumers read about incidents like this and become skeptical about the security of online banking in general. In a letter to the financial institutions it supervises, even the FDIC expresses concern over the risks involved in online banking, and states "Institutions using the internet or other computer networks are exposed to various categories of risk that could result in the possibility of financial loss and reputational loss."

Securing systems and networks is complex. Even if a bank exercises due diligence and has periodic security vulnerability assessments performed by independent auditors, an audit is only a snapshot in time and is no guarantee of the organization's future security posture. Systems are continually being upgraded and patched, and most infrastructure networks are in a constant state of growth. You can secure an entire network and still have that security subverted by an unwitting network engineer who extends a connection around the back-end security perimeter.

User Recommendations

When doing online banking, you are placing a lot of trust in the business process integrity of the financial institution. The line between a bank and an internet company has blurred. Typically banks know banking, and internet companies know networking; it is rare to find a company that excels in both.

Before signing up with an institution to do online banking, research their credentials first:

* Find out what Internet Service Provider (ISP) the bank uses. Look at the ISP's website and see how much attention it gives to security. An ISP that offers security consulting services is at least more likely to understand network security than one that does not, and therefore more likely to safeguard a bank's website properly.

* Any reputable ISP will be happy to answer questions over the phone. Ask what kind of firewall and what type of intrusion detection system they use. You can at least find out whether they are using reputable products (even though you still won't know whether the products have been installed and configured correctly).

* Ask to see the bank's and the ISP's security Incident Response Procedures. If either organization has no such procedures, you can be sure they haven't spent much time thinking about internet security. If they do provide them, you can review them against standard best-practice guidance such as RFC 2350 (BCP 21), Expectations for Computer Security Incident Response, which lists what a response team should document: its constituency, contact points, the types of incidents it handles, and how it can be reached.
