Our Mobile-Banking Warnings about Security Prove Prophetic
Updated Feb. 1, 2012
There’s another warning about mobile banking — this time from the American Bankers Association, in this published report: “Why corporate mobile banking is scary.”
The banking-industry article explains the difference between corporate and retail mobile banking. Corporate mobile banking is used by high net worth executives. Retail mobile banking refers to use by the masses.
Not to be gauche, but in 2009 you saw the warning about retail mobile banking here first. Now, bankers are concerned about the dangers of corporate mobile banking. Mobile banking is so risky an IT security guru said don’t do it. That was the online security warning on Sept. 7 from the authoritative Dr. Stan Stahl of Citadel Information Group in Los Angeles.
Dr. Stahl’s analysis in my column included this stern warning: “All in all, cell phone on-line banking is a big NO!!!” (Web Security Checklist and Warning about Mobile Banking.)
It was a very popular column in terms of readership. But it also incurred reactionary venom from a mobile-banking marketer and his friends. Ordinarily, reader responses are given space to comment on my columns. However, his crude sarcasm regarding Dr. Stahl’s expert analysis and my alleged chutzpah in publishing the column was offensive.
After mulling it over a day or so I decided not to give him space on this site. He had crossed the line of civility.
After more than a year had transpired, I had, of course, forgotten about the incident.
Disturbing mobile-banking headline
Then, this disturbing headline in Digital Trends on Nov. 5, 2010: “Major mobile banking app security holes uncovered.”
Here’s an excerpt:
You might not want to check your bank account from your phone after all. Mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes, reports research firm viaForensics and WSJ. The bugs center mainly around iPhone and Android versions of the apps, and could potentially allow a hacker to learn your username, password, and some financial information. In other words, this is bad.
Yes, you’re reading correctly about this information technology red flag. Published reports indicate there have been mobile-banking security lapses on iPhone and Android apps at USAA, Chase, Wells Fargo, Bank of America and TD Ameritrade.
Whoa! It’s time to check with Dr. Stahl, a nationally recognized expert, for his typically astute response. (Visit his Web site, www.citadel-information.com, and you’ll understand why I implicitly trust his opinions.)
“This… is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more ‘intellectually humble’ when we talk about how secure something is,” he responded.
“Right now, the cyber criminals are winning,” he wrote. “They are winning in part because too many people have a false sense of their own security.”
Prior experience
Dr. Stahl’s security credentials are impressive as a consultant and so is his prior experience, which includes many years in the aerospace industry “securing critical national security software.”
“I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack,” he recalled. “I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake.”
He knows the challenges and expense that go into producing high-quality software.
“We’re taught that pride goeth before the fall,” he added. “That is certainly true in the battle against cyber crime. That’s why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.”
Hmm – intellectual humility. That’s a term I’d also use to describe Dr. Stahl. He’s been my go-to source for authoritative information since 2004. He’s a true gentleman, a philosopher and he’s assertive in responding to security questions.
“Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis,” Dr. Stahl wrote in explaining his approach. “Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise,” he believes. “We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.
“The challenge is that, human nature being what it seems to be, our intellectual humility doesn’t easily carry over to domains where we lack firsthand knowledge and experience,” he opines. “We tend to over-simplify in those places we know little about. This isn’t usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we’re all on the Internet it’s as if the lion is right next door. And he’s hungry.”
Response to mobile-banking marketer
As for the sarcastic, mobile-banking marketer from 2009, Dr. Stahl commented:
“We can’t expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system,” he pointed out. “Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.
“You can see where the danger is in this since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches,” he continued. “And, lacking the experience, these otherwise well-meaning men and women don’t understand the necessity of being intellectually humble in the presence of complex software.”
Dr. Stahl’s bottom-line
“That’s why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: ‘Trust. But verify.’ Do him one better: drop the trust.”
Well said, Dr. Stahl. Thank you.
(Disclosure: Dr. Stahl and I are both members of a roundtable of veteran consultants that meet in Los Angeles; Consultants West, www.consultantswest.com, has experts from many sectors.)
From the Coach’s Corner, also regarding Internet security and Dr. Stahl’s analysis, here is the all-time most-read Biz Coach column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.
“Once they get their hooks into you, you’re a dead pigeon.”
-Bud Abbott
__________
Columnist Terry Corbell is also a business-performance consultant and profit professional. Click here to see his management services (many are available online). For a complimentary chat about your business situation or to schedule Terry Corbell as a speaker, why don’t you contact him today?
Web Security Checklist and Warning about Mobile Banking
Sept. 7, 2009
With good reason, Americans are increasingly concerned about their Internet security, according to a Harris Interactive study sponsored by Microsoft and the National Cyber Security Alliance (NCSA). As recently as 2004, many Americans were not concerned about online security.
Fortunately, in surveying attitudes from 2007 to 2009, the Harris study’s findings included the following:
- 62 percent of U.S. adults are now leery of cybercrime
- 48 percent are more hesitant to put their personal information on the Web
- 37 percent are more reluctant to shop online
- 64 percent have received or are acquainted with someone who has received requests for personal information from untrustworthy sources
Internet security has been a headache for years, and I once wrote that technology companies were doing too little to safeguard businesses and consumers. Security was a concern in my Biz Coach column dated Oct. 26, 2004, when we mostly just feared viruses.
Now, we increasingly fear a whole lot more, including:
- Malware – a term for malicious software that infiltrates computers without the owners’ authorization.
- Phishing – the criminal act of trying to obtain personal information including passwords and credit card information, surreptitiously, by masquerading as a trustworthy source usually via e-mail.
In 2004, I wrote there was evidence of increased security ramifications for business. We learned computer users ignored basic online security measures – even in tech-savvy Seattle. A nationwide study by NCSA and America Online revealed that 77 percent of computer users believed they were not vulnerable to Internet dangers.
But after dispatching experts to the homes of the responding 329 broadband and dialup users in Seattle and 21 other cities, the NCSA study learned some startling facts:
- 49 percent of broadband users didn’t utilize firewalls
- 60 percent of the participants felt secure from hackers
- 88 percent were unaware their computers were infected with spyware
- 67 percent failed to regularly update their computers with anti-malware software
- 19 percent of the group was afflicted with viruses
Not only were they risks to themselves; it was unnerving to note that those computer users were unknowing risks as online customers and as employees in both the public sector and business.
Customer data was also lost as a result of ineffective online security. Citing a 55 percent increase in attacks on government agencies, telecommunication companies and utilities in August of 2006, IBM launched its Global Business Security Index. The company reported its customers were attacked 100 million times a month and most attacks generally occurred on Saturdays and Sundays.
A widely known pioneer in security and the prevention of identity theft – a premier consultant, Dr. Stan Stahl – warned security was a big issue in 2004. He is the expert on Federal Trade Commission rules under the Gramm-Leach-Bliley Act governing non-public personal information held by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.
His philosophy for a successful online security program includes:
- Protect information assets from attack.
- Detect illicit attacks on information assets.
- Quickly recover from attacks, accidents or natural disasters.
- Comply with applicable security and privacy laws, regulations, and policies.
To protect the assets of both your customers and your company, here is his basic self-assessment management checklist:
1. Does your organization’s computer network contain sensitive or critical information?
2. Do you have an executive responsible for managing the protection of critical information assets, is this person explicitly trained in information security, and have you allocated budget and resources for protection?
3. Does the board or executive management review the organization’s information security posture at least semi-annually?
4. Has your organization documented information security policies consistent with its business needs, organizational structure, legal obligations, insurance policies, and risk management processes?
5. Is all critical and sensitive information explicitly identified as such and restricted to those having a “need to know?”
6. Are all employees and contractors provided regular ongoing information security training, including training in the safe handling of email and in password selection and protection, and are they held accountable for violations of security policy?
7. Have you coordinated your information security posture with customers, suppliers, and other trading partners whose computer systems you access or who access your computer systems?
8. Does your organization have documented recovery procedures to follow should a break-in, malware infestation or other security event occur?
9. Does your organization back up all workstations and servers at least weekly, are multiple back-ups stored offsite, and are back-ups periodically tested to ensure the ability to restore data if necessary?
10. Has your organization’s system architecture been explicitly designed in accordance with network security principles and practices, including the use of firewalls?
11. Is malware protection software on all servers and workstations and is someone explicitly responsible for monitoring malware alerts and ensuring that malware protection is up-to-date?
12. Is someone explicitly responsible for monitoring security patches and alerts, and ensuring hardware and software systems are up-to-date and properly protected?
13. Is access to servers, routers, and other network technology physically restricted to those whose job responsibilities require access?
14. Would you know if someone was illegitimately accessing critical information assets?
15. Has your organization had an independent third-party information security vulnerability assessment or penetration test within the last 12 months?
So, if security is a possible concern, I would follow Dr. Stahl’s advice.
Dr. Stahl’s Web site: www.citadel-information.com.
From the Coach’s Corner, phishing attacks are also possible in mobile services, according to the Credit Union Times Web site. With the growing popularity of mobile services, not surprisingly, mobile phones are vulnerable, too.
The site warns about another security threat – bluejacking on mobile phones. Predators are capable of penetrating Bluetooth connections to access data on phones. The publication suggests implementing multi-layer authentication and quick session timeouts in this bluejacking article.
However, please note Dr. Stahl raises a giant red flag on mobile services:
“Once again, the opportunity to make money trumps security,” he says. “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”
He further explains:
“It is not just phishing attacks to which they are vulnerable. We can take over cells running Bluetooth. Cell phones (like my iPhone) are often automatically configured to connect to the web using a wireless network over which neither the user nor the bank maintain any control. (I’ve changed this default setting on mine.) And because there have been few cell phone attacks to date, the community has little experience in how buggy the software products are and how responsive the vendors will be in fixing vulnerabilities when they show up.”
For the bottom-line, he advises:
“All in all, cell phone on-line banking is a big NO!!!”