BYOD, Mobile-Banking Warnings about Security Prove Prophetic



With businesses allowing BYOD and malware abuse escalating, cybercriminals are invading smartphones so successfully that the resulting mobile security-services industry now totals $1.88 billion.

That’s the finding of a 2013 ABI Research report.

BYOD is the acronym for bring your own device. In trying to save money, many businesses mistakenly allow workers to use their own cell phones in their duties at work. (See Do BYOD Headaches Outweigh Benefits? Yes.)

Furthermore, a government task force has warned mobile users about another malware threat.

The Internet Crime Complaint Center (IC3) warns that the malware is especially dangerous for Android devices. The malware strains that trick Android users are called Loozfon and FinFisher, and IC3 issued security tips for users.

Nervous bankers

In addition, there’s another warning about mobile banking, this one from the American Bankers Association in a published report: “Why corporate mobile banking is scary.”

The banking-industry article explains the difference between corporate and retail mobile banking. Corporate mobile banking is used by high-net-worth executives; retail mobile banking refers to use by the masses.

Not to be gauche, but in 2009 you saw the warning about retail mobile banking here first.

So now, bankers are concerned about the dangers of corporate mobile banking.

Stern warning

Mobile banking is so risky that an IT security guru said don’t do it. That was the online security warning on Sept. 7, 2009, from the authoritative Dr. Stan Stahl of Citadel Information Group in Los Angeles.

Dr. Stahl’s analysis in my column included this stern warning: “All in all, cell phone on-line banking is a big NO!!!” (Web Security Checklist and Warning about Mobile Banking.)

It was a very popular column in terms of readership. But it also incurred reactionary venom from a mobile-banking marketer and his friends. Ordinarily, readers who respond to my columns are given space to comment. However, his crude sarcasm regarding Dr. Stahl’s expert analysis and my alleged chutzpah in publishing the column was offensive.

After mulling it over a day or so I decided not to give him space on this site. He had crossed the line of civility.

After more than a year had transpired I had, of course, forgotten about the incident.

Disturbing mobile-banking headline

Then came this disturbing headline in Digital Trends on Nov. 5, 2010: “Major mobile banking app security holes uncovered.”

Here’s an excerpt:

You might not want to check your bank account from your phone after all. Mobile apps from USAA, Chase, Wells Fargo, Bank of America, and TD Ameritrade have major security holes, reports research firm viaForensics and WSJ. The bugs center mainly around iPhone and Android versions of the apps, and could potentially allow a hacker to learn your username, password, and some financial information. In other words, this is bad.

Yes, you’re reading correctly about this information technology red flag. Published reports indicate there have been mobile-banking security lapses on iPhone and Android apps at USAA, Chase, Wells Fargo, Bank of America and TD Ameritrade.

Whoa! It’s time to check with Dr. Stahl, a nationally recognized expert, for his typically astute response. (Visit his Web site, www.citadel-information.com, and you’ll understand why I implicitly trust his opinions.)

“This… is about learning from experience, particularly that when it comes to cyber security we all need to be a lot more ‘intellectually humble’ when we talk about how secure something is,” he responded. “Right now, the cyber criminals are winning,” he wrote. “They are winning in part because too many people have a false sense of their own security.”

Prior experience

Dr. Stahl’s security credentials are impressive as a consultant and so is his prior experience, which includes many years in the aerospace industry “securing critical national security software.”

“I can remember the day we found a critical vulnerability in Cruise missile software that might have kept us from successfully responding to a nuclear attack,” he recalled. “I know the managerial, political and especially intellectual challenges we went through to be in a position to catch that mistake.”

He knows the challenges and expense that go into producing high-quality software.

“We’re taught that pride goeth before the fall,” he added. “That is certainly true in the battle against cyber crime. That’s why perhaps the most important thing I learned in trying to prevent, find and fix critical logic errors in complex software is intellectual humility.”

Hmm – intellectual humility. That’s a term I’d also use to describe Dr. Stahl.  He’s been my go-to source for authoritative information since 2004. He’s a true gentleman, a philosopher and he’s assertive in responding to security questions.

“Intellectual humility is the ability to suspend our own belief in something we normally believe in, like the attorney hiring another attorney to find weaknesses in his argument or the doctor seeking a second opinion to look for holes in his diagnosis,” Dr. Stahl wrote in explaining his approach. “Most of us develop a normal amount of intellectual humility in those areas of our greatest expertise,” he believes. “We understand and appreciate just how hard it is to do the things that we are accustomed to doing and we learn through experience how to pay detailed attention to the things we need to do to do our job.

“The challenge is that, human nature being what it seems to be, our intellectual humility doesn’t easily carry over to domains where we lack firsthand knowledge and experience,” he opines. “We tend to over-simplify in those places we know little about. This isn’t usually a problem: any intellectual humility I might lack regarding how dangerous lions are is mitigated by the fact that I am under no threat from a lion. Unfortunately, when it comes to cyber security, because we’re all on the Internet it’s as if the lion is right next door. And he’s hungry.”

Response to mobile-banking marketer

As for the sarcastic, mobile-banking marketer from 2009, Dr. Stahl commented:

“We can’t expect a marketing representative in the mobile banking industry to have tested communications software controlling our nuclear missiles any more than we can expect the CEO of a bank to have written cyber security software requirements for an advanced military intelligence system,” he pointed out. “Nor can we expect the people who run our business IT networks to have the same sensitivity to security that we had 25 years ago when we designed a secure network for the Strategic Air Command.

“You can see where the danger is in this since these are the same people who influence (and often make) buying decisions about software that we use to manage money and sensitive information; software that has to be adequately secure to protect the money and information it touches,” he continued. “And, lacking the experience, these otherwise well-meaning men and women don’t understand the necessity of being intellectually humble in the presence of complex software.”

Dr. Stahl’s bottom-line

“That’s why people who have to make decisions about cyber security management must maintain their own healthy skepticism, resisting any temptation they may have to believe cyber security claims, whether from marketing people, their banks or their own internal IT staff. Ronald Reagan is famous for saying: ‘Trust. But verify.’ Do him one better: drop the trust.”

Well said, Dr. Stahl. Thank you.

(Disclosure: Dr. Stahl and I are both members of a roundtable of veteran consultants that meet in Los Angeles; Consultants West, www.consultantswest.com, has experts from many sectors.)

From the Coach’s Corner, also regarding Internet security and Dr. Stahl’s analysis, here is the all-time most-read Biz Coach column: Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.

“Once they get their hooks into you, you’re a dead pigeon.”
-Bud Abbott


__________

Author Terry Corbell has written innumerable online business-enhancement articles, and is a business-performance consultant and profit professional. Click here to see his management services. For a complimentary chat about your business situation or to schedule him as a speaker, consultant or author, please contact Terry.





What Your Company Can Do to Combat the Malware Epidemic



Arguably, the nation’s leading Internet security expert agrees with published reports that an epidemic of malware has been unleashed on the Web – and he provides solutions.

“There has been a sea change in cybercrime,” wrote Stan Stahl, Ph.D. “Threats are more sophisticated than ever, weaknesses and vulnerabilities abound. Defenses have not kept pace.”

Dr. Stahl is a principal in Citadel Information Group, and is president of the Los Angeles Chapter of the Information Systems Security Association.


He says every organization must look critically at its defenses, everything from policies and employee-awareness training to modern intrusion-prevention systems.

“It needs to make sure it’s employing a cost-effective defense-in-depth strategy covering all three critical security management domains,” he explained.

“It’s also a time to talk to your attorney and your insurance broker,” he adds. “Your attorney can make sure you’re aware of your legal responsibilities and can provide counsel on sharing sensitive information with 3rd parties. Your insurance broker can help you mitigate some of your security risk through cyber-insurance policies.”

He said the three security-management domains are:

1. Corporate security management

2. Security management of the IT infrastructure

3. Point-in-time security of the IT infrastructure

The malware epidemic has kept Microsoft issuing security patches, both on its regular monthly release, widely known as “Patch Tuesday,” and as out-of-band emergency updates.

Dr. Stahl’s Web site: www.citadel-information.com, which has a link to his informative blog.

From the Coach’s Corner, here’s a sampling of more critical information from Dr. Stahl:

Lesson about Passwords after Theft of 16,000+ UCLA Patient Records – Unfortunately, we’ve learned another lesson about passwords at the expense of 16,288 patients who’ve been treated at UCLA’s network of hospitals and clinics. The patients’ sensitive information is in the wrong hands following the burglary of a doctor.

Why Many Healthcare Workers Are Alarmingly Responsible for Medical ID Theft — Medical identity theft is skyrocketing. It’s the fast-growing trend in ID thievery, and the data shows it adversely impacted 1.42 million Americans in 2010. That’s according to a 2011 study by PricewaterhouseCoopers (PwC). PwC reports medical ID theft aggregately cost more than $28 billion.

Security Precautions to Take Following Citibank’s Second Reported Online Breach – Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps.

Has Security Bloom Fallen off the Rose for Macs? – For years, Windows has been considered inferior to Macs in terms of security. No longer, thanks to malware epidemics.

Tips For Internet Security to Prepare you for New Cyber Attacks – Do you need more evidence to be diligent in using best practices for security on the Internet? According to a Web security study in 2013, Internet attacks have been impacting businesses, with the majority of them reporting significant effects in the form of increased help desk time, reduced employee productivity and disruption of business activities.

“Precaution is better than cure.”
-Johann Wolfgang von Goethe 








Seattle business consultant Terry Corbell provides high-performance management services and strategies.