Event Summary
NetBank (Nasdaq: NTBK), an Atlanta-based internet bank, suffered a major credibility blow last week
when a customer named Mahesh Rao reported that he had been inadvertently given
access to another customer's account, transaction history, social security number,
and funds. Rao had to call NetBank five times before the problem was resolved.
According to Tom Cable, Chief Technology Officer of NetBank, the problem occurred
due to human error. NetBank is an FDIC insured institution. According to Cynthia
Bonnette, spokeswoman for the FDIC, "Significant implications for security and
privacy are raised by this reported incident."
Market Impact
Incidents like the one at NetBank affect not only the institution in question, but the
entire online internet banking community. Consumers read about incidents like
this and become skeptical about the security of online banking in general. In
a letter to its financial institutions, even the FDIC expresses concern over
the risks involved in online banking, and states "Institutions using the internet
or other computer networks are exposed to various categories of risk that could
result in the possibility of financial loss and reputational loss."
Securing systems and networks is complex. Even if a bank uses due diligence and has periodic
security vulnerability assessments by independent auditors, the security audit
is only a snapshot in time, and does not necessarily guarantee the organization's
future information security picture. Systems are continually being upgraded
and patched, and most infrastructure networks are in a constant state of growth.
You can secure an entire network, and have the security subverted by an unknowing
network engineer extending a network connection around the backend security
perimeter.
User Recommendations
When doing online banking, you are putting a lot of trust into the business
process integrity of the financial institution. The line has become blurred
on whether such an institution is first and foremost a bank, or an internet
company. Typically banks know about banking, and internet companies know about
networking. It is rare to find companies that excel in both fields.
Before signing up with an institution to do online banking, research their credentials first:
- Find out what Internet Service Provider (ISP) the bank uses. Look at the ISP's
website and see how much attention they give to security. If they offer
security consulting services, chances are they understand network security
better than ISPs without such services, which makes them more likely
to safeguard a bank's website properly.
- Ask to see the bank's and its ISP's security Incident Response Procedures. If
either organization has no such procedures, you can be sure that they haven't
spent much time thinking about internet security. If they are able to give
you Incident Response Procedures, you can review them against standard best-practice
Incident Response Procedures such as those listed in RFC 2350, the Internet
Society's Expectations for Computer Security Incident Response.