Is Your Financial Transaction Secure?

Event Summary

You want to start doing on-line banking but you keep hearing about information security incidents that make you skeptical of the process. How do you know if your financial institution has done due diligence to protect your assets from wily hackers, cavalier administrators, and other information technology sepulchers? If a large sum of money disappeared from your account, and banking records indicated that you made the withdrawal, but you know you didn't, how could you prove this? These are questions that consumers should be asking themselves before jumping on-line to do financial transactions.

The FDIC has been protecting financial accounts since 1933, when it was first instituted by Congress in response to the Great Depression. Essentially, the FDIC is a government managed insurance company. Since the FDIC is insuring deposits, it makes sense that they are also concerned with financial systems integrity and network security. Traditionally, the FDIC has been used as a safety-net for bank failures. Since the FDIC began official operations in 1934, at least one bank a year has failed. This year, so far, six banks have failed, according to the FDIC.

Though half a dozen bank closings a year is not impressive, the reasons commonly cited for the closings, "inadequate supervision by the banks board of directors," may concern anyone interested in how banks secure their internal networks. When it comes to system and network security, there are no formal procedures or guidelines for network or information security audits. Banks audit themselves. It is up to the Board of Directors of each bank to provide the FDIC with an information technology and security audit report. The FDIC then reads the report and assigns an URSIT rating. URSIT stands for "Uniform Rating System for Information Technology."

URSIT ratings run on a scale from 1 to 5, with 1 being the highest rating with least degree of concern, and 5 being the lowest rating with most degree of concern. URSIT ratings are only assigned every other year, and only began being assigned this past April. With technology changing so quickly, and the pace at which financial institutions are jumping on-line, one wonders if once every 24 months is enough. Furthermore, if a bank receives an egregious URSIT rating of 5, which holds the description "Risk management processes are severely deficientand strategic plans do not exist or are ineffective." wouldn't you want to know this before doing on-line business with them? Unfortunately, URSIT ratings are not available to the general public.

In a letter dated August 24, 1998, to all CEOs and CIOs of national banks, the Office of the Comptroller of the Currency, (the OCC) stipulated that "To manage strategic risk, banks should establish an effective planning process to implement and monitor PC banking systems." This simply means that banks must have a process. What that process involves is very loosely defined. Our understanding is that the majority of banks don't have the expertise to do their own security audits. An assumption is made that if this is the case, the majority of banks outsource network vulnerability assessments. But how can one be sure that their bank is actually outsourcing network vulnerability assessments to reliable security consultants?

As an example, in a recent security audit done by a major bank in the U.K. for a new e-commerce site, the security auditor only scanned TCP ports and failed to scan any of the e-commerce site's UDP ports. What this means is that the security audit as defined by the consultant was only half-way useful since there are many well-known exploits of UDP ports that hackers can take advantage of that were not taken into consideration. In general, the depth of the security audit will vary by consulting firms. Every company defines their own audit procedure, if they have any. It is not uncommon for companies to create "procedures" in the midst of a business opportunity.

While, the FDIC acknowledges the seriousness of the situation, it admits that it is currently too bogged down with Y2K concerns to take any action on system and network security. The FDIC further concedes that after the 1st of the year, the FDIC will step up the amount of person power put into managing system and network security regulations for financial institutions. In the meantime, the FDIC assures people, "All deposits are insured by the FDIC, so the public should not be concerned with URSIT ratings."

Market Impact

For corporations planning on going on-line and signing up with a financial institutions "on-line store service," there is little information that can be gleaned to help understand how safe a financial institution's on-line transaction systems are. With internet usage expected to exceed 500 million 1 by the year 2000, and on-line investing accounts tripling in the next four years, there is much to be concerned about. For companies selling system and network security technologies, the market is ripe for the picking. There are enough potential customers and a big enough market out in the wild, wild, west of on-line banking and electronic commerce to keep even the most remedial security consultants working overtime.

User Recommendations

It is currently not possible to know how safe your bank's on-line electronic commerce system is. Big and reputable banks are not necessarily safer than smaller banks. One way to mitigate some risk is to ask your financial institution some key questions:

  1. Has a system and network security audit of their on-line websites been done?

  2. What outside third-party did the system and network security audit?

  3. What is the date that the last security audit was done?

  4. Are all financial transactions encrypted?

  5. Do they have a network security team?

Doing on-line banking is clearly a risk. One needs to determine if the risk is worth the benefit before jumping on-line.

1 The Industry Standard

comments powered by Disqus