ABA Banking Journal - December 2008 - (Page 36)

Tech topics

...vaults and similar kinds of controls in the environment.

What do you advise bank employees to do if someone pulls a gun?

Well, as they should be shown on a training DVD, bank employees should listen to the perpetrator, try to notice details of appearance for later work with police, but stay calm and quiet and do as they are told. Don’t try to play the hero. No tackling or arguing with the person. Just get the thieves out of there, then call the police. Some tellers are shown where to hit alarms, which is fine, as long as you’re not going to stir up a racket and the police know to act quickly, rather than to simply call the bank and ask if anything’s wrong.

I like what you have to say about awareness. What about office space, keeping files locked up and making it difficult for a non-authorized person to grab information, even from dumpsters?

Certainly that’s important, but most banks are good with their assets, including documents that they are working with or done with. Banks have an operations protocol called a “dual method of control,” which means that at least two people have to be involved in the opening of a vault or the monitoring of office opening and closing procedures. So in many senses, they are covered. Now, you don’t want a fortress, you want a customer-friendly community bank. But again, you want to be protected during business hours just the way you are during the beginning and end of the day if you follow those procedures. The most important thing is doing what’s reasonable. The bank employee needs to be able to do their job yet also pick up on the unusual. If somebody comes in wearing a trench coat and seems off and it’s nearly 90 degrees—that might be indicative of something. There has to be a judgment call.

You train in a classroom setting. What else do you recommend?

First, I always tell senior management to do what they can afford to do. Treat the employees like the people they are—that middle-aged woman is somebody’s aunt or mother. That young college student is somebody’s child. Really think about what steps can protect staff and your customers. And get friendly with your police department. They can’t always be hanging out at Dunkin’ Donuts. As for training, videos can be effective. What I do like about the classroom is that the way I approach it, I encourage students to think for themselves. That wakes them up. For instance, we do this exercise where we have partners face each other and query

Webnotes

Security flaws are probably designed into your online banking website

By Bill Orr, contributing editor, billorr@ibert.org

Pogo said it: We have met the enemy and he is us. In a carefully crafted study, the University of Michigan reports that 76% of online banking websites contained at least one design flaw that could lead users to make “bad security decisions.” The flaws are not the typical software bug that can be fixed with a patch and a mea culpa. They show up in websites that are designed by security experts and fortified with the latest security protocols, such as SSL, and can unintentionally make it easy for users to expose sensitive data to cybercriminals.

The Michigan analysis of online banking programs in 214 U.S. financial institutions focused on the recurrence of five common design flaws that the research team identified in preliminary research. Results: 76% of the sites had at least one design flaw; 68% had two or more flaws; 10% had all five. The five design flaws and the frequency (percent) of their occurrence are:

1. Contact information/security advice on insecure pages (55%). To compromise such a system, an attacker “only needs to spoof or modify the page, replacing the customer service phone numbers with bogus numbers.” A fraudster might set up a bogus customer service number with the malicious intention of later collecting information from a customer when she calls in response to, say, a bogus message informing the user of the need to reset her password. Most users will welcome such a message, carefully worded to allay suspicion. This example from the study’s files: “We regret to inform you that we have received numerous fraudulent e-mails which ask for personal account information. Please remember that we will never ask for personal account information via e-mail or web pages. . . To activate your [new Identity Theft Protection Program] please call .” The user, assuming that the information is protected, then gives up her Social Security number, birth date, and other private information. The design flaw here is ignoring the well-known security principle of protecting not only the data channel, but also the context used to generate the session keys for the channel. In IT-speak, SSL 2.0 was vulnerable to cipher rollback attack because it did not adequately protect the key negotiation steps, the report says.

2. Presenting secure login options on insecure pages (47%). Login pages and options displayed on insecure pages leave users vulnerable. In this common case, a man-in-the-middle or a domain name hijacker can spoof the entire page and manipulate the secure data (without understanding it), thus gaining control of the dialog. A trusting user might not be looking for positive evidence that sensitive login information is secure, and likely won’t notice its absence. Even more likely, she won’t be

WEBNOTES continued on p. 44

36 DECEMBER 2008/ABA BANKING JOURNAL Subscribe at www.ababj.com
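One way a bank can audit its own pages for the second flaw (a login box displayed on a page that was not itself served over HTTPS, even when the box posts to an HTTPS endpoint), as an added Python example that is not from the Michigan study or this column; the page URL, HTML and hostnames are constructed for illustration:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _LoginFormFinder(HTMLParser):
    """Collects the action URL of every <form> containing a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.login_actions = []
        self._action = None  # action of the form currently open, if any
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # a missing/relative action resolves against the page
            self._action = urljoin(self.page_url, a.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._action is not None:
            if (a.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.login_actions.append(self._action)
            self._action = None

def audit_login_forms(page_url, html):
    """One finding per login form shown on a page not served over HTTPS
    (the study's flaw 2) and per login form that posts over plain HTTP."""
    finder = _LoginFormFinder(page_url)
    finder.feed(html)
    findings = []
    page_secure = urlsplit(page_url).scheme.lower() == "https"
    for action in finder.login_actions:
        if not page_secure:
            findings.append(f"login form shown on insecure page {page_url}")
        if urlsplit(action).scheme.lower() != "https":
            findings.append(f"login form posts credentials insecurely to {action}")
    return findings

# Constructed sample (placeholder hostnames): a bank home page fetched over plain
# HTTP whose login box posts to HTTPS; the search form has no password field.
SAMPLE_PAGE_URL = "http://www.bank.example/"
SAMPLE_HTML = """<html><body>
<form action="https://online.bank.example/login" method="post">
<input type="text" name="user"><input type="PASSWORD" name="pw"></form>
<form action="/search"><input type="text" name="q"></form></body></html>"""
```

Run against crawled copies of the site, the check flags the home-page login box even though its credentials travel over HTTPS, which is exactly the case the study counts as a flaw.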
