Security Steps for Your Mobile Device in Online Banking, Purchases



Almost 90 percent of Americans use a cell phone and more than 50 percent have smartphones, according to published reports. They also indicate 28 percent of smartphone owners use their devices for online banking.
 

“Mobile devices are making everyday tasks like banking simpler and easier, and this rise in popularity is making the mobile space more attractive to cybercriminals,” said Ken Marblestone, president of Charter One and RBS Citizens in Ohio.

“The precautions that consumers are accustomed to taking on their computers also should be applied to mobile devices,” he warned.

Mobile banking is a tool banks recommend to lower their costs for attracting customers in their competitive marketplace.

Don’t, but if you must

But mobile banking is not a practice I recommend because identity fraud has escalated in smartphones.

Certainly, bankers are aware of the dangers.

Again, they encourage mobile banking because it’s a source of profits.

“Any device used to connect to the Internet is potentially at risk, so we urge users to follow these basic safety measures to keep their information safe,”  Mr. Marblestone added in a press release.

But if you must engage in mobile banking, the American Bankers Association provides this guidance:

1. Use the passcode lock on your smartphone and other devices. This will make it more difficult for thieves to access your information if your device is lost or stolen.

2. Log out completely when you finish a mobile banking session.

3. Protect your phone from viruses and malicious software, or malware, just like you do for your computer by installing mobile security software.

4. Use caution when downloading apps. Only download apps from the official stores – App Store℠ and Google Play™ Store. Third party stores may make it possible for malicious software, worms and viruses to be downloaded. And, beware of apps that ask for unnecessary “permissions.”

5. Download the updates for your phone and mobile apps as soon as they become available. You may also enable automatic app updates on your device to ensure timely acceptance.

6. Avoid storing sensitive information like passwords or a social security number on your mobile device.

7. Be aware of shoulder surfers. The most basic form of information theft is observation. Be aware of your surroundings especially when you’re entering sensitive information.

8. Wipe your mobile device before you donate, sell or trade it using specialized software or using the manufacturer’s recommended technique. Some software allows you to wipe your device remotely if it is lost or stolen.

9. Report any suspected fraud to your bank immediately.

Further, I would add this counsel: Don’t use a mobile browser to access your bank account. It’s best to download your banking app directly from your financial institution’s Web site and avoid fake apps that trick you out of your login and password.

From the Coach’s Corner, here are more security tips:

Who Profits from Android’s Security Issues? Not Users. — A government task force, the Internet Crime Complaint Center (IC3), has issued a dire warning about malware. In particular, it’s a threat to Android users.

Surprise — Cyber Criminals Chew up Apple Products, too — For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics. 

Most Small Businesses Make You Vulnerable to Credit Card Fraud, ID Theft — A whopping 79 percent of companies in the U.S. and U.K. experienced Web-borne attacks in 2012, according to data released in 2013.  

Tips to Prevent Hacking of Your Bluetooth — Bluetooth technology, of course, allows you freedom when talking on your cell phone. But you’ll lose other freedoms if you don’t prevent scammers from exploiting your system via a trend called “bluebugging.” 

“If we continue to develop our technology without wisdom or prudence, our servant may prove to be our executioner.” 

-Omar Bradley


 __________

Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.





Photo courtesy of patrisyu at www.freedigitialphotos.net

BYOD, Mobile-Banking Warnings about Security Prove Prophetic



With businesses allowing BYOD and the escalating malware abuse, cybercriminals are so successful in invading smartphones that it’s leading to a security services industry totaling $1.88 billion.

That’s the finding in an ABI Research 2013 report.

BYOD is the acronym for bring your own device. In trying to save money, many businesses mistakenly allow workers to use their own cell phones in their duties at work. (See Do BYOD Headaches Outweigh Benefits? Yes.)

Furthermore, a government task force has warned mobile users about another malware threat.

The Internet Crime Complaint Center (IC3) warns the malware is especially dangerous for Androids. The malware programs that trick Android users are called Loozfon and FinFisher, and IC3 issued security tips for users.

Nervous bankers

In addition, there’s another warning about mobile banking, even from the American Bankers Association, in this published report: “Why corporate mobile banking is scary.”

The banking-industry article explains the difference between corporate and retail mobile banking. Corporate mobile banking is used by high net worth executives. Retail mobile banking refers to use by the masses.

Not to be gauche, but in 2009 you saw the warning about retail mobile banking here first.

So now, bankers are concerned about the dangers of corporate mobile banking.

Stern warning

Mobile banking is so risky an IT security guru said don’t do it. That was the online security warning on Sept. 7 from the authoritative Dr. Stan Stahl of Citadel Information Group in Los Angeles.

Dr. Stahl’s analysis in my column included this stern warning: “All in all, cell phone on-line banking is a big NO!!!” (Web Security Checklist and Warning about Mobile Banking.)

It was a very popular column in terms of readership. But it also incurred reactionary-venom from a mobile-banking marketer and his friends. Ordinarily, reader responses are given space to comment on my columns. However, his crude sarcasm regarding Dr. Stahl’s expert analysis and my alleged chutzpah in publishing the column was offensive.

After mulling it over a day or so I decided not to give him space on this site. He had crossed the line of civility.

After more than a year had transpired I had, of course, forgotten about the incident.

Disturbing mobile-banking headline

Then, this disturbing headline in Digital Trends on Nov.5, 2010: “Major mobile banking app security holes uncovered.”

Here’s an excerpt:

 You might not want to check your bank account from your phone after all. Mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes, reports research firm viaForensics and WSJ. The bugs center mainly around iPhone and Android versions of the apps, and could potentially allow a hacker to learn your username, password, and some financial information. In other words, this is bad.

Yes, you’re reading correctly about this information technology red flag. Published reports indicate there have been mobile-banking security lapses on iPhone and Android apps at USAA, Chase, Wells Fargo, Bank of America and TD Ameritrade.

Whoa! It’s time to check with Dr. Stahl, a nationally recognized expert, for his typically astute response. (Visit his Web site, www.citadel-information.com, and you’ll understand why I implicitly trust his opinions.)

“This… is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more ‘intellectually humble’ when we talk about how secure something is,” he responded. “Right now, the cyber criminals are winning,” he wrote. “They are winning in part because too many people have a false sense of their own security.”

Prior experience

Dr. Stahl’s security credentials are impressive as a consultant and so is his prior experience, which includes many years in the aerospace industry “securing critical national security software.”

“I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack,” he recalled. “I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake.”

He knows the challenges and expense that go into producing high-quality software.

“We’re taught that pride goeth before the fall,” he added. “That is certainly true in the battle against cyber crime. That’s why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.”

Hmm – intellectual humility. That’s a term I’d also use to describe Dr. Stahl.  He’s been my go-to source for authoritative information since 2004. He’s a true gentleman, a philosopher and he’s assertive in responding to security questions.

“Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis,” Dr. Stahl wrote in explaining his approach. “Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise,” he believes. “We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.

“The challenge is that, human nature being what it seems to be, our intellectual humility doesn’t easily carry over to domains where we lack firsthand knowledge and experience,” he opines. “We tend to over-simplify in those places we know little about. This isn’t usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we’re all on the Internet it’s as if the lion is right next door. And he’s hungry.”

Response to mobile-banking marketer

As for the sarcastic, mobile-banking marketer from 2009, Dr. Stahl commented:

“We can’t expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system,” he pointed out. “Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

“You can see where the danger is in this since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches,” he continued. “And, lacking the experience, these otherwise well-meaning men and women don’t understand the necessity of being intellectually humble in the presence of complex software.”

Dr. Stahl’s bottom-line

“That’s why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: ‘Trust. But verify.’ Do him one better: drop the trust.”

Well said, Dr. Stahl. Thank you.

(Disclosure: Dr. Stahl and I are both members of a roundtable of veteran consultants that meet in Los Angeles; Consultants West, www.consultantswest.com, has experts from many sectors.)

From the Coach’s Corner, also regarding Internet security and Dr. Stahl’s analysis, here is the all-time most-read Biz Coach column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.

“Once they get their hooks into you, you’re a dead pigeon.”
-Bud Abbott







Web Security Checklist and Warning about Mobile Banking


It’s hard to believe that Americans were once complacent about online security. Here are a management security checklist and a warning about mobile banking.



With good reason, Americans are increasingly concerned about their Internet security. However, in 2004, many Americans were not concerned about online security.

That’s when security issues really began raising their ugly heads when I wrote that technology companies were doing too little to safeguard businesses and consumers.

Then, we mostly just feared viruses.

Now, we increasingly fear a whole lot more — from bugs in web servers to malware and phishing.

Security developments

In 2004, we first learned about increased security ramifications for business. We learned computer users ignored basic online security measures – even in tech-savvy Seattle.

However, a nationwide study by National Cyber Security Alliance (NCSA) and America Online revealed that 77 percent of computer users believed they were not vulnerable to Internet dangers.

But after dispatching experts to the homes of the responding 329 broadband and dialup users in Seattle and 21 other cities, the NCSA study learned some startling facts:

  • 49 percent of broadband users didn’t utilize firewalls
  • 60 percent of the participants felt secure from hackers
  • 88 percent were unaware their computers were infected with spyware
  • 67 percent failed to regularly update their computers with anti-malware software
  • 19 percent of the group was afflicted with viruses

Not only were they risks to themselves, it was unnerving to note that those computer users were unknowing risks as online customers and as employees in both the public sector and business.

Customer data

Customer data was also lost as a result of ineffective online security. Citing a 55 percent increase in attacks on government agencies, telecommunication companies and utilities in August of 2006, IBM launched its Global Business Security Index.

The company reported its customers were attacked 100 million times a month and most attacks generally occurred on Saturdays and Sundays.

        


A widely known pioneer in security and the prevention of identity theft – a premier consultant, Stan Stahl, Ph.D., of Citadel Information Group – warned security was a big issue in 2004.

He is the expert on Federal Trade Commission rules under the Gramm Leach Bliley Act governing non-public personal information by financial institutions.

He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.

His philosophy for a successful online security program includes:

  • Protect information assets from attack.
  • Detect illicit attacks on information assets.
  • Quickly recover from attacks, accidents or natural disasters.
  • Comply with applicable security and privacy laws, regulations, and policies.

Management security checklist

To protect the assets of both your customers and your company, here is his basic self-assessment management checklist:

1. Does your organization’s computer network contain sensitive or critical information?

2. Do you have an executive responsible for managing the protection of critical information assets, is this person explicitly trained in information security, and have you allocated budget and resources for protection?

3. Does the board or executive management review the organization’s information security posture at least semi-annually?

4. Has your organization documented information security policies consistent with its business needs, organizational structure, legal obligations, insurance policies, and risk management processes?

5. Is all critical and sensitive information explicitly identified as such and restricted to those having a “need to know?”

6. Are all employees and contractors provided regular ongoing information security training, including training in the safe handling of email and in password selection and protection, and are they held accountable for violations of security policy?

7. Have you coordinated your information security posture with customers, suppliers, and other trading partners whose computer systems you access or who access your computer systems?

8. Does your organization have documented recovery procedures to follow should a break-in, malware infestation or other security event occur?

9. Does your organization back up all workstations and servers at least weekly, are multiple back-ups stored offsite, and are back-ups periodically tested to ensure the ability to restore data if necessary?

10. Has your organization’s system architecture been explicitly designed in accordance with network security principles and practices, including the use of firewalls?

11. Is malware protection software on all servers and workstations and is someone explicitly responsible for monitoring malware alerts and ensuring that malware protection is up-to-date?

12. Is someone explicitly responsible for monitoring security patches and alerts, and ensuring hardware and software systems are up-to-date and properly protected?

13. Is access to servers, routers, and other network technology physically restricted to those whose job responsibilities require access?

14. Would you know if someone was illegitimately accessing critical information assets?

15. Has your organization had an independent third-party information security vulnerability assessment or penetration test within the last 12 months?

So, if security is a possible concern, I would follow Dr. Stahl’s advice.

Dr. Stahl’s Web site:  www.citadel-information.com.

From the Coach’s Corner, phishing attacks are also possible in mobile services:

“Once again, the opportunity to make money trumps security,” Dr. Stahl says. “I recommend that consumers ignore any and all attempts to induce them to use their phones for online banking.”

Why?

“It is not just phishing attacks to which they are vulnerable. We can take over cells running Bluetooth. Cell phones (like my iPhone) are often automatically configured to connect to the web using a wireless network over which neither the user nor the bank maintain any control. (I’ve changed this default setting on mine.) And because there have been few cell phone attacks to date, the community has little experience in how buggy the software products are and how responsive the vendors will be in fixing vulnerabilities when they show up.”

For the bottom-line, he advises: “All in all, cell phone online banking is a big NO!!!”


“We don’t seem to be able to check crime, so why not legalize it and then tax it out of business”

-Will Rogers


Seattle business consultant Terry Corbell provides high-performance management services and strategies.