New Cybercrime Serves as Warning to Take Defensive Precautions

 

Nov. 14, 2011 

Cybercrime is only getting worse, as reported in two major stories in the past week.

In New York, six Estonians and one Russian were charged by authorities with cybercrimes on a massive scale. Victims include the National Aeronautics and Space Administration, other government agencies, businesses and 500,000 people. 

In the U.K., 13 people were sentenced to jail terms over their use of malware in banking fraud totaling 2.9 million British pounds, or $4.6 million. Hundreds of people were victimized. 

These stories are another lesson to take cybercrime seriously.

For best practices in thwarting cybercriminals, I always turn to nationally recognized security expert, Dr. Stan Stahl, of Citadel Information Group in Los Angeles.

His tips:

  1. Keep systems patched with the latest updates. (His security blog, Weekend Vulnerability and Patch Report, lists major updates for software typically found in small offices and home computers.)
  2. Run up-to-date anti-virus/anti-malware software, or, even better, a strong intrusion detection and prevention solution.
  3. Use strong passwords for access to sites with sensitive information. Password length is more important than randomness; size matters. “2HelloPepper#” is a much stronger password than “Ab$%16vF”, and it’s a lot easier to remember.

“Be extremely sensitive to social engineering attacks,” Dr. Stahl adds. “Don’t open email attachments or click on links in emails unless the email is from someone you know and is expected.”

For more of Dr. Stahl’s insights, visit his Web site.

(Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are more security strategies:

Security Precautions to Take Following Citibank’s Second Reported Online Breach

Why Many Healthcare Workers Are Responsible for Alarming Trend: Medical ID Theft

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study

Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy?

“Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.”

-Chris Pirillo

_________

Columnist Terry Corbell is also a business-performance consultant and profit professional. Click here to see his management services (many are available online). For a complimentary chat about your business situation or to schedule Terry Corbell as a speaker, why don’t you contact him today?

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records

 

Nov. 6, 2011

The personal information of 16,288 patients at UCLA’s network of hospitals and clinics is in the wrong hands following a burglary at a doctor’s home. The information was on a computer hard drive stolen from the home, according to an article in The New York Times (U.C.L.A. Health System Warns About Stolen Records).

Medical records of the patients included addresses, birth dates and medical information covering July 2007 to July of this year.

The possible good news: The personal medical data was encrypted.

But the alarming news: A piece of paper containing the password was missing from the doctor’s home.

“Rule 1 is never write down passwords,” warns nationally known security expert Dr. Stan Stahl, of Citadel Information Group in Los Angeles. 

“Rule 2 is – if you’re going to break Rule 1 – do it securely,” he adds. 

“If you must write a password down, write it on a piece of paper the size of a credit card and keep it in your wallet with your credit cards and your driver’s license,” explains Dr. Stahl. “And just write the password: write ‘15Blah-blah-blah’ not ‘my laptop password is ‘15Blah-blah-blah’.” 

You can get more of Dr. Stahl’s insights on his security blog and his Web site.

(Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are additional cybersecurity tips:

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study

Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy?

Security Precautions to Take Following Citibank’s Second Reported Online Breach

Our Mobile-Banking Warnings about Security Prove Prophetic

“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”

-White House Cybersecurity Advisor, Richard Clarke

 


 

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft – Study

 

A study discloses a disturbing trend – nearly four out of five small companies are storing unsecured data about their customers. That’s an indictment of such businesses, and is alarming news for consumers about their vulnerability to credit card fraud and identity theft.

The 2011 study was conducted by the National Cyber Security Alliance (NCSA).

“How can this be?” you ask.

Nationally known security expert Dr. Stan Stahl, of Citadel Information Group in Los Angeles, knows why.

“Citadel works with small business leaders every day and – based on our experience – the reason small businesses don’t take cybercrime seriously is that they see it primarily as something their IT people are managing, not yet realizing the critical importance of their own leadership,” says Dr. Stahl.

“This includes establishing clear policies and standards for information use, explicitly assigning cyber security management responsibility to a member of the senior management team, providing cyber security awareness training and education to all information users, and ensuring that IT personnel are effectively managing the security of the IT infrastructure,” he adds.

The alarming results in the study first came to my attention after reading Small Businesses Don’t Take Cybersecurity Seriously, which was mentioned in Dr. Stahl’s security blog.

Hopefully, your business is not one of the businesses cited in the study. Cybercrime has become a global nightmare. My question for companies about Cyber Security: Is Your Business Prepared with Precautions and Response Philosophy? 

For NCSA’s tips for small business security, read this post. 

“Seventy-nine percent of businesses are storing consumer information when they don’t need it. It’s not protected. It’s not secure,” Verizon spokesperson Andrea Woroch was quoted as saying in a published report.

For consumers, Verizon offers these tips:

Watch the people swiping your credit or debit card.

“You don’t want to blame or suspect everyone’s trying to steal your information, but there are people who will and are trying to copy your credit card information with extra swipes,” says Ms. Woroch.

Take extra care when you buy on the Internet.

“Don’t mark that little check box that says ‘to store for future purchases.’ You don’t want that organization, that business, that Internet website to hold any of that information,” explains Ms. Woroch.

Consider alternatives to using your credit card, such as gift cards.

Carefully study your billing statements.

“Lots of consumers overlook little charges that are being made on their statement and that’s how people are continually able to trick them and deceive them and steal them and take extra money out of their accounts,” adds Ms. Woroch.

Resource link: Dr. Stahl’s Web site.

(Note: Dr. Stahl is a fellow member of Consultants West, www.consultantswest.com, a roundtable of veteran consultants in the Los Angeles area.)

From the Coach’s Corner, here are additional cybersecurity tips:

Security Precautions to Take Following Citibank’s Second Reported Online Breach

Our Mobile-Banking Warnings about Security Prove Prophetic

“Being good is good business.”

-Anita Roddick


 

Why Many Healthcare Workers Are Responsible for Alarming Trend: Medical ID Theft

 

Sept. 26, 2011

Medical identity theft is skyrocketing. It’s the fast-growing trend in ID thievery, and the data shows it adversely impacted 1.42 million Americans in 2010, according to a study by PricewaterhouseCoopers (PwC) in a published report.

PwC reports medical ID theft cost an aggregate of more than $28 billion.

“The root cause of the fraudulent use of someone else’s medical identification is that protected medical information is widely dispersed in multiple information systems where it all too often is inadequately secured,” says nationally known security expert, Dr. Stan Stahl, president of Citadel Information Group, Inc. in Los Angeles.

MedPage Today (Medical Identity Theft a Growing Problem) reported the three most common identity breaches:

  1. Employees who act unprofessionally – improper use of patients’ data in doctors’ offices, hospitals, insurance companies and life sciences companies. They’ve even been caught posting comments about patients on Facebook.
  2. Almost 40 percent of hospitals and physicians report they have caught patients using another person’s identity when they seek treatment.
  3. Twenty-five percent of insurance companies acknowledge the improper transfer of information in patients’ health files. Unauthorized persons viewed such files.

“Every organization that collects or stores personally identifiable medical information – hospitals, doctors, clinics, pharmacies, billing offices, insurance companies, even employers – has a legal and ethical obligation to properly secure that information,” asserts Dr. Stahl.

In public reports, theft was responsible for 66 percent of medical ID breaches in the last two years. The thefts include notebook computers, smartphones, using another person’s personal information for fraudulent claims, and people using others’ names.

More shocking news

Authors of the PwC study indicated most healthcare organizations aren’t equipped to prevent medical ID theft – despite the growing use of information technology in the medical profession.

“Most breaches are not the result of [information technology] IT hackers, but rather reflect the increase in the risks of the knowledgeable insider related to identity theft and simple human error – loss of a computer or device, lack of knowledge or unintended unauthorized disclosure,” said James Koenig, director of the Health Information Privacy and Security Practice at PwC in a press statement.

More than 50 percent of the study’s respondents who work for healthcare organizations said they knew of at least one privacy breach since 2009.

“Doctors need to take measures to assure their patients are who they say they are,” recommends Dr. Stahl. “That can include checking referrals.”

What can patients do?

“Patients need to treat their medical information with the same care that they treat their financial information, including periodically checking with their insurance company to identify fraudulent activity,” advises Dr. Stahl.

The PwC study indicated that most healthcare organizations admit they haven’t even begun to adequately deal with privacy and security issues in this digital-information age.

Obviously, as a business-performance consultant, here’s my sense:

  1. The medical profession should immediately take adequate security precautions.
  2. All medical employees should undergo privacy-confidentiality sensitivity training.

After all, shouldn’t these precautions be part of medical care?

Dr. Stahl’s links:

From the Coach’s Corner, you might consider these security-resource links:

Security Precautions to Take Following Citibank’s Second Reported Online Breach

Our Mobile-Banking Warnings about Security Prove Prophetic

11 Travel Tips – Save Money, Prevent against Cyber Theft, Fraud

“If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees.”

-Kahlil Gibran

 


Security Precautions to Take Following Citibank’s Second Reported Online Breach

 

Updated June 16, 2011 (updates figures: from 200,000 to 360,083)

Citibank’s acknowledgment that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps.

The bank’s May 2011 security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.

None of the reports I found pointed out that it was Citibank’s second reported major security issue in just 18 months. Soon after the bank’s first breach was reported, it seemed as though the security issue was buried. There weren’t any follow-up reports.

That’s when I wrote the column, How to Protect Yourself from the Internet Crime Wave, quoting Dr. Stan Stahl, a nationally known security expert based in Los Angeles.

Over the years, Dr. Stahl has been a valuable resource – some of the most widely read Biz Coach columns have included his expert opinions, especially these three columns:

Our Mobile-Banking Warnings about Security Prove Prophetic

Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist

5 Safety Measures to Thwart Mounting Social-Network Attacks

A security expert I’m not, but I’ve learned from Dr. Stahl’s valuable insights.

In addition to the tips in the above columns – whether you’re a Citibank customer or not – I’d suggest immediately taking these defensive computer measures:

  1. Change all log-in information. That means all banking, retail credit card and e-mail passwords and information.
  2. Make certain that you don’t use the same password twice.
  3. Install adequate firewall and anti-virus protection on your computer.
  4. To limit your exposure, use one dedicated computer for your financial information. Never use it for social media networking.
  5. Review all privacy and policy information.
  6. Avoid using your debit card online. At least personal credit cards offer liability protection under federal regulation. But business banking is not federally protected – it’s left up to individual banks, so check your bank’s policies regarding your company’s accounts.
  7. Don’t conduct financial transactions over WIFI.
  8. Don’t do mobile banking.
  9. If you get an e-mail allegedly from your financial institution, act like an all-pro football defensive end. Prevent an end run. Assume it’s a fraud. If you must communicate with your financial institution, make a telephone call or a personal visit.
  10. When doing your online banking, be sure to type in the financial institution’s Web address in your browser.
  11. Regarding the security questions, be creative and don’t list the right answer, which might be obvious to any hacker who learned about your personal situation.
  12. Check your financial accounts daily.
  13. If your account is compromised, quickly take appropriate action.

For your company’s management controls, Dr. Stahl has previously recommended taking six precautions:

  1. Don’t allow your employees to use your computers for social networking.
  2. Establish a list of allowable web-sites.
  3. Closely monitor your bank account.
  4. Train employees in social engineering awareness.
  5. Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
  6. Strengthen your defenses.

Cybercriminals, I’m sad to say, are here to stay. Do your due diligence.

(Note: Dr. Stahl and I are fellow members of Consultants West, www.consultantswest.com, a roundtable of veteran management consultants.)

From the Coach’s Corner, here’s Dr. Stahl’s cyber security blog and his Web site.

“In a world in which the total of human knowledge is doubling about every ten years, our security can rest only on our ability to learn.”

- Nathaniel Branden


Epsilon’s Security Flaw Threatens Millions of Businesses, Consumers

 

April 4, 2011

 

Epsilon, a major email marketing company, annually forwards 40 billion messages. The firm purports to be the leading opt-in marketing company with some 2,500 corporate customers. Its branding slogan is “Marketing as Usual. Not a Chance.”

Epsilon reportedly emails customers for some pretty big players, including Capital One, Citibank, Disney, Home Shopping Network, JP Morgan Chase, Kroger, and TiVo.

As expected, Epsilon has an attractive Web site, www.epsilon.com. It touts all kinds of cutting-edge services. The site creates a favorable first impression.

But in my recent visit to the site, an important element was missing – an unfortunate omen, if you will. You see, appearances in business are important, especially first impressions about IT security. However, Epsilon has failed to adequately reassure its site’s visitors that it provides cutting-edge security. In today’s IT environment, that’s more than just a gaffe. It suggests a catastrophe of monumental proportions waiting to happen.

Unfortunately, such a security breakdown has already occurred. Indeed, on April 1, 2011, an ominous press release appeared on the company’s Web site. Unfortunately, it was not an April Fool’s joke.

Epsilon published this terse announcement:

Epsilon Notifies Clients of Unauthorized Entry into Email System

IRVING, TEXAS – April 1, 2011 - On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Epsilon’s notice didn’t please me. You see, the cybercriminals were already at work. Several days prior to the press-release posting on March 30, I became aware that something was amiss – phishing scams trying to entice businesses and consumers to take advantage of so-called offers.

Afterward, Threatpost reported that some of Epsilon’s customers in turn warned their own customers. Here’s the warning from Disney Destinations to its customers:

“We have been informed by one of our email service providers, Epsilon, that your email address was exposed by an unauthorized entry into that provider’s computer system. We regret that this incident has occurred and any inconvenience this incident may cause you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information,” the statement says.

“We want to assure you that your email address was the only personal information we have regarding you that was compromised in this incident. As a result of this incident, it is possible that you may receive spam email messages, emails that contain links containing computer viruses or other types of computer malware, or emails that seek to deceive you into providing personal or credit card information.”

The two salient lessons from this security debacle:

  1. Epsilon and other companies that provide IT services need to make security more of a priority.
  2. Businesspeople and consumers need to stay alert to the dangers lurking on the Internet, and IT in general.

In conclusion, what are the solutions for this situation and to prevent more occurrences? My longtime go-to security expert is Dr. Stan Stahl of Citadel Information Group in Los Angeles. Here’s what he had to say in What You Really Need to Know to Stay Web Safe.

Further, noteworthy management lessons have evolved from the alleged data-management program at Epsilon. Obviously, Epsilon’s data management is an oxymoron. It is not managed properly. Here are Management Lessons from Epsilon’s Email-Breach Scandal.

From the Coach’s Corner, Dr. Stahl’s insights were also quoted in this business portal’s all-time most-read column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.

Dr. Stahl’s Web site: www.citadel-information.com.

His blog: www.citadel-information.com/blog.

(Note: Dr. Stahl is a valued friend and colleague. This relationship stems from our membership in Consultants West, www.consultantswest.com, a roundtable of some of the nation’s most-trusted consultants and authors.)

What You Really Need to Know to Stay Web Safe

An Internet security checklist from a noted expert

 

Updated Jan. 31, 2011

If you Google the keywords, “cyber security,” you’ll get thousands of search results. Internet security is a nightmare for business, the public sector and consumers. Unfortunately, published advice is well-intentioned, but often misses the mark. There’s no room for error in cyber security precautions.

A case in point: an advice article on Internet security at SeattlePI.com caught my eye, not because it contained great information but because it didn’t seem to be on target. It was originally published in the San Francisco Chronicle.

David Perry, the global director of education for TrendMicro, was heavily quoted. Having written dozens of tech columns here, I sensed something was amiss. The article was certainly intended to be helpful, but it didn’t seem right.

Not to pick on reporter Casey Newton, but I was left wanting more and better information. It seemed to be nothing more than PR fluff for TrendMicro.

So, I sent the article to a nationally known security expert, Dr. Stan Stahl in Los Angeles (www.citadel-information.com). Does Dr. Stahl agree with Mr. Perry?

Here are his responses to the four points:

David Perry: “Make sure your computer isn’t infected already.”

Dr. Stahl: Yes. By all means scan. Even use Trend Micro’s HouseCall. But don’t be lulled into a false sense of security. Remember that the most serious attacks like 0-days and drive-bys are written to get past antivirus programs. That’s why we publish our “Weekend Vulnerability and Patch Management Report.”

David Perry: “Avoid exposing your credit number.”

Dr. Stahl: More important than this item 2 is to (i) always make sure you’re running https and not just http before entering your credit card info and (ii) if given the option, don’t let smaller retailers store your credit card numbers [they're less likely to have proper security].

David Perry: “Use protection.”

Dr. Stahl: Definitely use protection, but don’t forget to keep all your programs patched and run a good spam filter. That’s what makes this so misleading; it conveys the impression that running antivirus is enough. It’s not! Users can subscribe to our blog and update their computer in accordance with our “Weekend Vulnerability and Patch Management Report.”

David Perry: “Watch where you click.”

Dr. Stahl: Yes; never click a link in an email and always check the seller’s reputation. The part about buying from the manufacturer is bogus.

Dr. Stahl, thank you for your usual valuable insights.

(Note: I’ve known Dr. Stahl a long time and consider him the go-to security expert. He and I are also members of Consultants West, www.consultantswest.com, a roundtable of veteran consultants that meets in Los Angeles.)

From the Coach’s Corner, here’s an online safety checklist from Dr. Stahl:

Cybercriminals want your bank account and credit card numbers so they can take your money and use your credit while stiffing you with the bill. They want your social security number so they can apply for credit in your name, stealing your identity. They have even begun selling stolen medical insurance information.

Cybercriminals steal your sensitive personal information by taking control of your computer. This control also lets them install rogue programs on your computer, turning your computer into a zombie under their control, the cyber-equivalent of Night of the Living Dead. These control programs make money for the cybercriminals by sending spam, displaying pop-up ads, and committing sophisticated computer crime.

Cybercriminals take control of your computer by exploiting four weaknesses:

  1. Every computer program running on your computer has subtle programming errors (vulnerabilities) that cybercriminals exploit to take control of your computer.
  2. Legitimate internet web sites often fail to prevent cybercriminals from installing malicious programs on their web sites. When you visit these sites, these malicious programs silently install Trojan horses and other malware on your computer.
  3. Default settings for many computer programs make it easy for cyber criminals to take control of your computer.
  4. Users often don’t know what they need to do to minimize the dangers and risks of cybercrime, particularly the need for defense-in-depth.

Defense Strategy 1: Keep Cybercriminals Off Your Computer

  • Keep Systems Patched: Software manufacturers issue program updates containing patches to fix known vulnerabilities. Set Microsoft Windows and Office to automatically update. Manually update other programs like Adobe Acrobat, iTunes, Flash and Java.
  • Limit Exposure: Create separate accounts for all family members. This is done in the Control Panel. Set account type to “Limited” unless the account needs to run programs as “Administrator.” This will make it harder for cybercriminals to install malware on your computer.
  • Protect Your Desktop: Install a reputable antivirus / antispyware product & keep it up-to-date. If you’re technical, run Firefox with the NoScript add-on inside of Sandboxie and install a host intrusion prevention system. Sophisticated cybercriminals can get past basic antivirus/antispyware software. Antivirus is necessary. It is not sufficient.
  • Secure Your WiFi: If you have a wireless network, encrypt it with WPA2 encryption. Otherwise anyone near you can eavesdrop on your communications and piggy-back on your connection.
  • Stay Away from P2P Networks: Don’t run Peer-to-Peer or other file sharing programs, such as Kazaa, Limewire or BitTorrent. These networks provide strangers access to your computer.
  • Beware of Scams, 1: Don’t click on web-site ads or pop-ups offering to scan your computer for free. Cybercriminals love to take advantage of people’s fear of getting a virus. Instead of scanning your computer, these programs will infect it. Always be wary.
  • Beware of Scams, 2: Don’t open unusual or unexpected attachments, not even from people you know. It’s easy to send an email so it looks like it came from someone else. Also, how do you know your friend’s computer hasn’t been taken over? Always be wary.
  • Beware of Scams, 3: Don’t follow links in unfamiliar or unusual emails, especially those requesting your user names, passwords, or financial information. A SPAM filter can help you avoid these e-mails but you must be on guard for emails that get past your SPAM filter. Always be wary.
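As an added illustration of the last two points (this is example code, not part of Dr. Stahl’s checklist), the Python script below inspects a constructed sample message for the warning signs the checklist describes: a displayed sender that does not match the envelope sender, a link whose visible text names a different site than its real destination, a link to a bare IP address, and wording that asks for passwords or card numbers. Both sample messages and all domains in them are made up.

```python
import email
import ipaddress
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: displays one sender, bounces to another, and hides a
# raw-IP destination behind a bank-looking link.  Not a real message.
SAMPLE_EMAIL = """\
Return-Path: <bounce-4711@bulk-sender.example>
From: "Example Bank Alerts" <alerts@examplebank.test>
To: customer@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your password and card number at
<a href="http://198.51.100.7/verify">https://www.examplebank.test/secure</a>.</p>
<p>Read our <a href="https://www.examplebank.test/help">help pages</a>.</p>
</body></html>
"""

# Constructed benign message from the same (made-up) bank, for comparison.
CLEAN_EMAIL = """\
Return-Path: <newsletter@examplebank.test>
From: "Example Bank News" <newsletter@examplebank.test>
To: customer@example.com
Subject: Branch hours over the holiday
Content-Type: text/html; charset=utf-8

<html><body><p>Our branches close early on Friday. Details are on our
<a href="https://www.examplebank.test/hours">hours page</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address):
    """Domain part of an e-mail address, lower-cased ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(url):
    """Host part of a URL; a bare 'www.example.test/x' is treated as a URL too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw_message):
    """Return a list of human-readable warning signs found in raw_message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. Displayed sender (From) vs. envelope sender (Return-Path).
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    return_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if from_domain and return_domain and from_domain != return_domain:
        findings.append(f"sender mismatch: From={from_domain} Return-Path={return_domain}")
    # 2. Links: raw IP targets and visible text that names a different host.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        target = _host(href)
        if _is_ip(target):
            findings.append(f"link to raw IP address: {href}")
        shown = _host(visible) if ("." in visible and " " not in visible) else ""
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
    # 3. Requests for the kinds of data the checklist says never to give out by e-mail.
    lowered = text.lower()
    for phrase in ("password", "card number", "social security"):
        if phrase in lowered:
            findings.append(f"requests sensitive data: '{phrase}'")
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(sample) or "no indicators")
```

A message with no findings is not proof of safety; the checks only surface the signs a person should look for before following a link.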

Defense Strategy 2: Be Careful With Your Financial Information On-Line

  1. Don’t send your Social Security Number, bank account numbers or credit card numbers in unencrypted email.
  2. Use different strong passwords [8+ characters, upper & lower case, numbers, special characters] for all eCommerce websites. Use Password Safe or RoboForm to securely manage online passwords.
  3. Only buy on-line from merchants using SSL, which means the website address begins with https://. Look for the “lock” on the title bar of Internet Explorer or Firefox’s lower right corner.
  4. Use a credit card rather than a debit card when shopping on-line. Link PayPal to your credit card, not your bank account. Federal law limits your credit card exposure to $50. There is no corresponding limit if you use a debit card (even though many banks cover debit card fraud).
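Added example, not from the column or from Citadel: a Python estimator of the brute-force search space behind item 2 above and behind Dr. Stahl’s point in the Nov. 14 column that “2HelloPepper#” is stronger than “Ab$%16vF”. It counts the character classes a password draws from, sizes the alphabet an attacker must cover, and converts that to bits and to guessing time at an assumed guess rate; it also shows that a long all-lowercase passphrase, like the 15+ character passphrase recommended for laptop encryption, outscores a short mixed-class one.

```python
import math
import string

# Character classes a brute-force attacker's alphabet must cover once the
# password is known to contain them.  string.punctuation has 32 symbols.
_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password):
    """Names of the character classes the password draws from."""
    return {name for name, chars in _CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password):
    """Size of the smallest class-based alphabet that contains every character."""
    return sum(len(_CLASSES[name]) for name in classes_used(password))


def search_space_bits(password):
    """log2 of the candidates an attacker must try when the alphabet is exactly
    the classes present and the length is known.  Each extra character adds
    log2(alphabet) bits, which is why length dominates class mix.  This is a
    pure brute-force model: dictionary attacks on word-based passwords do
    better than this figure suggests, so treat it as an upper bound."""
    return len(password) * math.log2(alphabet_size(password))


def guess_time_days(password, guesses_per_second=1e10):
    """Expected days to exhaust half the search space at the given rate.
    1e10 guesses/s is an assumed figure for an offline attack on a fast
    hash; it is an illustration, not a measurement."""
    candidates = 2 ** search_space_bits(password)
    return candidates / 2 / guesses_per_second / 86400


def compare(a, b):
    """Positive result: password a has the larger search space, in bits."""
    return search_space_bits(a) - search_space_bits(b)


if __name__ == "__main__":
    # The two passwords from the Nov. 14 column plus a constructed lowercase passphrase.
    for pw in ("Ab$%16vF", "2HelloPepper#", "bluekettlewhistlesloudly"):
        print(f"{pw!r:28} classes={sorted(classes_used(pw))} "
              f"bits={search_space_bits(pw):.1f} days={guess_time_days(pw):.3g}")
```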

Defense Strategy 3: Protect Your Information Away from Home

  1. Keep your laptop with you at all times. Never leave it unattended in your car.
  2. Keep WiFi and Bluetooth turned off except when you are using them.
  3. Encrypt the hard drive of your laptop, protecting it with a strong 15+ character passphrase. If you lose the laptop, the information is still safe. You can get free encryption software at http://www.truecrypt.org/.
  4. Never use a public computer, Kiosk, or public WiFi for online banking, shopping or to access sensitive information. Since you don’t know how secure these are, prudence requires you to assume they are insecure.

Defense Strategy 4: Watch Your Credit

  1. Subscribe to a basic credit monitoring service (AAA California offers members a free service).
  2. Regularly review your bank, credit card and investment accounts for fraudulent activity.

Defense Strategy 5: Better Safe Than Sorry

  1. Always think about the information you are giving out.
  2. When in doubt, don’t.
  3. Stay up-to-date by reading our blog.

“Security is always excessive until it’s not enough.”

-Robbie Sinclair


Our Mobile-Banking Warnings about Security Prove Prophetic

 

Updated Feb. 1, 2012

There’s another warning about mobile banking — even from the American Bankers Association in this published report: “Why corporate mobile banking is scary.”

The banking-industry article explains the difference between corporate and retail mobile banking. Corporate mobile banking is used by high net worth executives. Retail mobile banking refers to use by the masses.

Not to be gauche, but in 2009 you saw the warning about retail mobile banking here first. Now, bankers are concerned about the dangers of corporate mobile banking. Mobile banking is so risky that an IT security guru said don’t do it. That was the online security warning on Sept. 7 from the authoritative Dr. Stan Stahl of Citadel Information Group in Los Angeles.

Dr. Stahl’s analysis in my column included this stern warning: “All in all, cell phone on-line banking is a big NO!!!” (Web Security Checklist and Warning about Mobile Banking.)

It was a very popular column in terms of readership. But it also incurred reactionary venom from a mobile-banking marketer and his friends. Ordinarily, reader responses are given space to comment on my columns. However, his crude sarcasm regarding Dr. Stahl’s expert analysis and my alleged chutzpah in publishing the column was offensive.

After mulling it over a day or so I decided not to give him space on this site. He had crossed the line of civility.

After more than a year had transpired I had, of course, forgotten about the incident.

Disturbing mobile-banking headline

Then, this disturbing headline in Digital Trends on Nov. 5, 2010: “Major mobile banking app security holes uncovered.”

Here’s an excerpt:

You might not want to check your bank account from your phone after all. Mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes, reports research firm viaForensics and WSJ. The bugs center mainly around iPhone and Android versions of the apps, and could potentially allow a hacker to learn your username, password, and some financial information. In other words, this is bad.

Yes, you’re reading correctly about this information technology red flag. Published reports indicate there have been mobile-banking security lapses on iPhone and Android apps at USAA, Chase, Wells Fargo, Bank of America and TD Ameritrade.

Whoa! It’s time to check with Dr. Stahl, a nationally recognized expert, for his typically astute response. (Visit his Web site, www.citadel-information.com, and you’ll understand why I implicitly trust his opinions.)

“This… is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more ‘intellectually humble’ when we talk about how secure something is,” he responded.

“Right now, the cyber criminals are winning,” he wrote. “They are winning in part because too many people have a false sense of their own security.”

Prior experience

Dr. Stahl’s security credentials are impressive as a consultant and so is his prior experience, which includes many years in the aerospace industry “securing critical national security software.”

“I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack,” he recalled. “I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake.”

He knows the challenges and expense that go into producing high-quality software.

“We’re taught that pride goeth before the fall,” he added. “That is certainly true in the battle against cyber crime. That’s why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.”

Hmm – intellectual humility. That’s a term I’d also use to describe Dr. Stahl. He’s been my go-to source for authoritative information since 2004. He’s a true gentleman, a philosopher and he’s assertive in responding to security questions.

“Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis,” Dr. Stahl wrote in explaining his approach. “Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise,” he believes. “We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.

“The challenge is that, human nature being what it seems to be, our intellectual humility doesn’t easily carry over to domains where we lack firsthand knowledge and experience,” he opines. “We tend to over-simplify in those places we know little about. This isn’t usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we’re all on the Internet it’s as if the lion is right next door. And he’s hungry.”

Response to mobile-banking marketer

As for the sarcastic, mobile-banking marketer from 2009, Dr. Stahl commented:

“We can’t expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system,” he pointed out. “Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

“You can see where the danger is in this since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches,” he continued. “And, lacking the experience, these otherwise well-meaning men and women don’t understand the necessity of being intellectually humble in the presence of complex software.”

Dr. Stahl’s bottom-line

“That’s why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: ‘Trust. But verify.’ Do him one better: drop the trust.”

Well said, Dr. Stahl. Thank you.

(Disclosure: Dr. Stahl and I are both members of a roundtable of veteran consultants that meet in Los Angeles; Consultants West, www.consultantswest.com, has experts from many sectors.)

From the Coach’s Corner, also regarding Internet security and Dr. Stahl’s analysis, here is the all-time most-read Biz Coach column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.

“Once they get their hooks into you, you’re a dead pigeon.”
-Bud Abbott

__________

Columnist Terry Corbell is also a business-performance consultant and profit professional. Click here to see his management services (many are available online). For a complimentary chat about your business situation or to schedule Terry Corbell as a speaker, why don’t you contact him today?

Are You Insured for Cyber Theft?


Aug. 30, 2010

On a regular basis, cybercriminals are creating hardship for businesses and consumers. A post by blogger Brian Krebs caught my eye – a Texas company is struggling to get its bank to pay for a $50,000 cyber theft.

“Attorneys for Dallas-based Hi-Line Supply Inc. recently convinced a state court to require depositions from officials at Community Bank, Inc. of Rockwall, Texas,” wrote Mr. Krebs. “Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company’s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.”

Ostensibly, the comments in the deposition are locked up, but the lawyers maintain the bank is guilty of security incompetence and a lawsuit might be the next step.

Mr. Krebs quoted an attorney:

“In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the Texas Deceptive Trade Practices Act, fraud, and breach of warranties, among other things,” said Michael Lyons, a partner with the Dallas law firm Deans Lyons.

The fraud apparently began on Aug. 20 last year when Hi-Line processed its $25,000 payroll, according to Gary Evans, the firm’s president.

“After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24,” explained Mr. Krebs. “Evans said he had trouble logging in to his account on Thursday and had the bank reset his password, but the fraudulent transactions hadn’t shown up on his account at that time. He said he took that Friday off as he always does, and when he tried again to log in after returning to work on Monday, he again found the bank’s site would not accept his password.”

Then, Mr. Evans sensed trouble.

“When I finally got the bank to reset my password and got into my account, I noticed the duplicate payroll batches and said ‘Why are you all pulling my payroll out three times?’” Mr. Krebs quoted Mr. Evans about his recollection of how he came to realize his firm had been robbed. “At the time, as I was resetting my password, I had to scroll through the bank’s online customer agreement, which basically said the bank is not responsible for any fraud. I should have known at that point that they were not going to take any responsibility for this at all.”

Mr. Evans maintains the bank should have taken notice.

“Evans said the bank should have detected that something was amiss, and not just because of the unusual and repeated payroll batches,” wrote Mr. Krebs. “He said the crooks accessed his account from five different Internet addresses with locations that were nowhere near Texas, including from computers located more than 1,300 miles away, in Washington, D.C. and Maryland.”

The blogger says Community Bank did not respond to his request for a comment, but its deposition claims the cybercriminals “had infiltrated Evans’ computer with a virus and used it to steal his online banking credentials, which included a user name, password, PIN and several challenge/response questions.”
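The two signals Mr. Evans points to, near-duplicate payroll batches a few days apart and logins from far outside Texas, are the kind of thing a bank’s fraud monitoring can check automatically. The Python below is an added illustration written for this column, not the bank’s system or anything from Mr. Krebs’ report; the events, IP addresses (documentation ranges), coordinates and the 500-mile, 5% and 30-minute thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

FMT = "%Y-%m-%d %H:%M"
HOME = (32.78, -96.80)  # customer's usual location (Dallas, TX); assumed

# Constructed events loosely modelled on the case above: amounts, times,
# IPs (RFC 5737 documentation ranges) and coordinates are illustrative.
LOGINS = [  # (timestamp, source_ip, city, lat, lon)
    ("2009-08-20 09:05", "203.0.113.10", "Dallas, TX", 32.78, -96.80),
    ("2009-08-20 23:40", "198.51.100.7", "Washington, DC", 38.90, -77.04),
    ("2009-08-21 02:15", "198.51.100.9", "Baltimore, MD", 39.29, -76.61),
    ("2009-08-24 01:30", "192.0.2.44", "Washington, DC", 38.90, -77.04),
]
BATCHES = [  # (timestamp, amount, description)
    ("2009-08-20 09:10", 25000.00, "payroll"),
    ("2009-08-21 02:20", 24850.00, "payroll"),
    ("2009-08-24 01:35", 24990.00, "payroll"),
]

def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles (haversine formula)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(a))

def distant_logins(logins, home=HOME, max_miles=500):
    """Logins whose geolocated source is far from the customer's usual location."""
    dist = {ts: round(miles_between(*home, lat, lon)) for ts, _, _, lat, lon in logins}
    return [(ts, ip, city, dist[ts]) for ts, ip, city, _, _ in logins if dist[ts] > max_miles]

def duplicate_batches(batches, window_days=7, tolerance=0.05):
    """Batches repeating an earlier batch's amount (within tolerance) inside the window."""
    seen, flagged = [], []
    for ts, amt, desc in batches:
        t = datetime.strptime(ts, FMT)
        if any(desc == d and t - pt <= timedelta(days=window_days)
               and abs(amt - pa) <= tolerance * pa for pt, pa, d in seen):
            flagged.append((ts, amt))
        seen.append((t, amt, desc))
    return flagged

def risky_batches(logins, batches, minutes=30):
    """Batches submitted within `minutes` after a login from a distant location."""
    far = [datetime.strptime(ts, FMT) for ts, *_ in distant_logins(logins)]
    return [ts for ts, _, _ in batches
            if any(timedelta(0) <= datetime.strptime(ts, FMT) - f <= timedelta(minutes=minutes)
                   for f in far)]
```

On the constructed data, both repeat payroll batches are flagged and both follow a login from the Washington/Baltimore area within minutes, which is exactly the kind of transaction a bank would hold for a callback to the customer.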

Mr. Krebs indicated the thieves pulled it off with the unknowing help of what are called money mules.

“Among those lured into the scam was Josh Enlow, a 28-year-old gas station attendant in Phoenix,” he wrote. “Enlow said he was hired by an entity calling itself The Total Group Co., which initially contacted him in an e-mail stating it had found his resume on a job search Web site, and would he be interested in an ‘accounts payable’ position?”

Reportedly, Mr. Enlow received several deposits and was asked to forward the money.

“He then wired the money to individuals in Eastern Europe as instructed, he said,” wrote Mr. Krebs.

“If the customer wants the bank to reimburse it for fraud losses, it’s up to the customer to prove that the bank’s security procedures are not commercially reasonable…” says IT security expert Dr. Stan Stahl. “The result, all too often, is that the customer has little choice but to sue the bank.”

But Dr. Stahl says there are reasons for such victims to hope:

“There’s a very good chance the bank’s procedures fail the test of commercial reasonableness,” writes Dr. Stahl.

But he adds that the burden of proving a bank is at fault is “huge.”

He says one solution is cyber theft insurance.

My counsel is due diligence by a top-notch security adviser, and to make sure you really know your bank.

From the Coach’s Corner, Dr. Stahl’s security blog: http://citadelonsecurity.blogspot.com/.

What You Must Do to Combat the Malware Epidemic


Aug. 11, 2010

The nation’s leading Internet security expert agrees with McAfee – the antivirus firm’s 2010 Q2 report states an epidemic of malware has been unleashed on the Web – and he provides solutions.

“The report reconfirms everything we’ve been saying since we began our blog 18 months ago. There has been a sea change in cybercrime,” writes Dr. Stan Stahl. “Threats are more sophisticated than ever, weaknesses and vulnerabilities abound. Defenses have not kept pace.”

Dr. Stahl is a principal in Citadel Information Group, and is president of the Los Angeles Chapter of the Information Systems Security Association.

“The report is a reminder to every organization to take a critical look at its defenses – everything from policies and employee awareness training to modern intrusion prevention systems,” suggests Dr. Stahl. “It needs to make sure it’s employing a cost-effective defense-in-depth strategy covering all three critical security management domains.”

He says the security-management domains include:

  1. Corporate security management
  2. Security management of the IT infrastructure
  3. Point-in-time security of the IT infrastructure

“It’s also a time to talk to your attorney and your insurance broker,” he adds. “Your attorney can make sure you’re aware of your legal responsibilities and can provide counsel on sharing sensitive information with 3rd parties. Your insurance broker can help you mitigate some of your security risk through cyber-insurance policies.”

Indeed, the McAfee report does confirm what Dr. Stahl has been telling me. The malware epidemic recently prompted Microsoft to issue an emergency patch. Whatever he recommends, I strongly endorse.

Two resource links:

From the Coach’s Corner, Dr. Stahl has often graciously responded to my requests for information since 2004. His analysis on many IT security topics – from the dangers of mobile banking to using WIFI – can be found in numerous columns here on The Biz Coach site. Simply enter his name as keywords in this site’s search in the upper right corner of any of these pages.
