By Terry Corbell
BYOD, Mobile-Banking Warnings about Security Prove Prophetic
With businesses allowing BYOD and the escalating malware abuse, cybercriminals are so successful in invading smartphones, it’s leading to a security services industry totaling $1.88 billion.
That’s the finding in an ABI Research 2013 report.
BYOD is the acronym for bring your own device. In trying save money, many businesses mistakenly allow workers to use their own cell phones in their duties at work. (See Do BYOD Headaches Outweigh Benefits? Yes.)
Furthermore, a government task force has warned mobile users about a another malware threat.
The Internet Crime Complaint Center (IC3) warns the malware is especially dangerous for Androids. The malware that tricks Android users are called Loozfon and FinFisher, and IC3 issued security tips for users.
In addition, there’s another warning about mobile banking — even the American Bankers Association in this published report: “Why corporate mobile banking is scary.”
The banking-industry article explains the difference between corporate and retail mobile banking. Corporate mobile banking is used by high net worth executives. Retail mobile banking refers to use by the masses.
Not to be gauche, but in 2009 you saw the warning about retail mobile banking here first.
So now, bankers are concerned about the dangers of corporate mobile banking.
Mobile banking is so risky an IT security guru said don’t do it. That was the online security warning on Sept. 7 from the authoritative Dr. Stan Stahl of Citadel Information Group in Los Angeles.
Dr. Stahl’s analysis in my column included this stern warning: “All in all, cell phone on-line banking is a big NO!!!” (Web Security Checklist and Warning about Mobile Banking.)
It was a very popular column in terms of readership. But it also incurred reactionary-venom from a mobile-banking marketer and his friends. Ordinarily, reader responses are given space to comment on my columns. However, his crude sarcasm regarding Dr. Stahl’s expert analysis and my alleged chutzpah in publishing the column was offensive.
After mulling it over a day or so I decided not to give him space on this site. He had crossed the line of civility.
After more than a year had transpired I had, of course, forgotten about the incident.
Disturbing mobile-banking headline
Then, this disturbing headline in Digital Trends on Nov.5, 2010: “Major mobile banking app security holes uncovered.”
Here’s an excerpt:
You might not want to check your bank account from your phone after all. Mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes, reports research firm viaForensics and WSJ. The bugs center mainly around iPhone and Android versions of the apps, and could potentially allow a hacker to learn your username, password, and some financial information. In other words, this is bad.
Yes, you’re reading correctly about this information technology red flag. Published reports indicate there have been mobile-banking security lapses on iPhone and Android apps at USAA, Chase, Wells Fargo, Bank of America and TD Ameritrade.
Whoa! It’s time to check with Dr. Stahl, a nationally recognized expert, for his typically astute response. (Visit his Web site, www.citadel-information.com, and you’ll understand why I implicitly trust his opinions.)
“This… is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more ‘intellectually humble’ when we talk about how secure something is,” he responded. “Right now, the cyber criminals are winning,” he wrote. “They are winning in part because too many people have a false sense of their own security.”
Dr. Stahl’s security credentials are impressive as a consultant and so is his prior experience, which includes many years in the aerospace industry “securing critical national security software.”
“I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack,” he recalled. “I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake.”
He knows the challenges and expense that go into producing high-quality software.
“We’re taught that pride goeth before the fall,” he added. “That is certainly true in the battle against cyber crime. That’s why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.”
Hmm – intellectual humility. That’s a term I’d also use to describe Dr. Stahl. He’s been my go-to source for authoritative information since 2004. He’s a true gentleman, a philosopher and he’s assertive in responding to security questions.
“Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis,” Dr. Stahl wrote in explaining his approach. “Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise,” he believes. “We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.
“The challenge is that, human nature being what it seems to be, our intellectual humility doesn’t easily carry over to domains where we lack firsthand knowledge and experience,” he opines. “We tend to over-simplify in those places we know little about. This isn’t usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we’re all on the Internet it’s as if the lion is right next door. And he’s hungry.”
Response to mobile-banking marketer
As for the sarcastic, mobile-banking marketer from 2009, Dr. Stahl commented:
“We can’t expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system,” he pointed out. “Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.
“You can see where the danger is in this since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches,” he continued. “And, lacking the experience, these otherwise well-meaning men and women don’t understand the necessity of being intellectually humble in the presence of complex software.”
Dr. Stahl’s bottom-line
“That’s why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: ‘Trust. But verify.’ Do him one better: drop the trust.”
Well said, Dr. Stahl. Thank you.
(Disclosure: Dr. Stahl and I are both members of a roundtable of veteran consultants that meet in Los Angeles; Consultants West, www.consultantswest.com, has experts from many sectors.)
From the Coach’s Corner, also regarding Internet security and Dr. Stahl’s analysis, here is the all-time most-read Biz Coach column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.
“Once they get their hooks into you, you’re a dead pigeon.”
Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.