The Bankwatch

Tracking the consumer evolution of financial services

Archive for the ‘Security’ Category

Tokyo Mitsubishi UFJ employee charged with stealing 1.5 million customer records


An employee at Tokyo Mitsubishi UFJ (Tokyo, Japan) has been arrested, charged with stealing 1.5 million customer records, of which about 49,000 have been sold to criminal elements. The remainder have been safely recovered.

Mitsubishi UFJ says 49,159 customer records leaked | Reuters

TOKYO, April 8 (Reuters) – Mitsubishi UFJ Financial Group’s (8306.T) brokerage unit said on Wednesday records on 49,159 customers, including salary details, were leaked and sold to data list agents.

Data stolen included customers’ names, addresses, dates of birth, occupation and rough salary figures, the brokerage said. (Reporting by Junko Fujita)

Written by Colin Henderson

April 8, 2009 at 20:13

Posted in Security

IBM makes pilot security devices available for financial institutions to trial


IBM has come out with an innovative security measure that actually makes sense. It makes far more sense than the two-factor authentication tokens many banks have been wasting their time with.

It also sounds like it requires no work on the FI end, so it's a no-brainer to trial this one!

IBM unveils USB stick to fight online banking fraud | Finextra

IBM has unveiled a prototype USB stick designed to secure online banking transactions against malware and man-in-the-middle attacks.

The Zone Trusted Information Channel (ZTIC) plugs into the USB port of any computer to add an extra layer of security on top of existing authentication systems like smart cards, PINs and one-time validation codes.

This device, in simple terms, bypasses your PC and goes straight out over a secure connection to your bank.

What the user sees on the ZTIC display is identical to what the server "sees".

In addition it can be supplemented by a smart card login.
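The property just described (the user confirms, on a display the PC cannot alter, the exact transaction the bank received) is the part that defeats a man-in-the-middle. The following Python simulation is an added illustration, not IBM's ZTIC implementation: the per-device key, the challenge nonce and the `redirect_payment` tampering function are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-device key, assumed to be provisioned at enrolment.
DEVICE_KEY = b"constructed-per-device-secret"

def canonical(tx):
    """Stable byte encoding so device and bank MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def bank_confirmation_prompt(received):
    """Bank echoes the transaction it actually received, plus a fresh challenge,
    down the device's own channel rather than through the browser."""
    return {"tx": received, "challenge": "constructed-nonce-001"}

def device_confirm(prompt, intended):
    """Device displays the bank's view; the user approves only if it matches
    what they meant to do, and approval is a MAC under the device key."""
    if prompt["tx"] != intended:  # altered payee/amount is visible; user declines
        return False, None
    msg = canonical(prompt["tx"]) + prompt["challenge"].encode()
    return True, hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()

def bank_verify(received, prompt, tag):
    """Bank executes only a transaction whose tag covers the bytes it holds."""
    if tag is None:
        return False
    msg = canonical(received) + prompt["challenge"].encode()
    expected = hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def run_transfer(intended, tamper=None):
    """True only when the bank executes exactly what the user confirmed.
    `tamper` models malware on the PC rewriting the request in transit."""
    received = tamper(dict(intended)) if tamper else dict(intended)
    prompt = bank_confirmation_prompt(received)
    approved, tag = device_confirm(prompt, intended)
    return approved and bank_verify(received, prompt, tag)

def redirect_payment(tx):
    """Constructed man-in-the-browser tampering: rewrite payee and amount."""
    tx.update(payee="CONSTRUCTED-MULE-ACCT", amount=9500)
    return tx

# Constructed sample transaction the user intends to make.
INTENDED = {"payee": "ACME-UTILITIES", "amount": 120, "currency": "EUR"}
```

A two-factor token that only proves "the user is present" would still approve the rewritten transfer here, because the user never sees what the bank received.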

Relevance to Bankwatch:

Kudos to IBM for this. The two-factor tokens to date are not protection against all possible attacks, including man-in-the-middle in particular. While I have always felt consumers would balk at an additional device, that view was qualified by the limited benefit.

If in fact a device exists that guarantees security, then that is a completely different story.

Views in support or to the contrary are welcomed. This is an important topic for ecommerce, and for online banking.

Written by Colin Henderson

October 29, 2008 at 23:33

Whole new appreciation for passwords


I learned a whole new appreciation for passwords tonight. A family member and 15 others included in an old (10 year old) Yahoo account received an email ostensibly from me with a bunch of spam crap in it. The only way I can see that the combination of that account and those addresses can co-exist is if someone entered that account, possibly with a script banging away with potential hits. It was a low-level password.

Needless to say I have deleted all addresses from that account, and altered the password to an unguessable one. I also changed the passwords on my regular email accounts. Anyone who has offered their password to any of those social sites to invite friends should think carefully too and change their passwords. However, my example is such an old account that it's not clear at all to me how it was uncovered.

Interestingly, I can assure you that if you are using Gmail, then this problem will be invisible because the errant email goes to your spam folder. If you are using Yahoo Mail, which is apparently incapable of filtering spam, then you might see this problem.

Written by Colin Henderson

June 25, 2008 at 21:25

Posted in Security

The laws of unintended consequences | AML data mining


While the data collected by governments was intended to catch money laundering and terrorists, it is producing many other results, including the recent debacle with Eliot Spitzer.

globeandmail.com: Anti-laundering software casts wide net to catch big fish

The software looks for subtle patterns that indicate odd activity, and when a transaction is flagged, a human evaluates the findings. More often than not, the anomaly is explained and dismissed. For example, someone whose banking consists of bi-weekly deposits may suddenly show an influx of $15,000 that turns out to be profit from the sale of a car.

But when investigators do find something — like chunks of money transferred from the account of a state governor into the account of a shell corporation — they flag the information and forward it to the authorities. In the United States, the U.S. Treasury’s Financial Crimes Enforcement Network looks at almost five million suspicious activity reports a year. In this country, The Financial Transactions and Reports Analysis Centre of Canada in 2007 investigated 193 cases involving close to $10-billion in financial transactions.
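The two-stage process the excerpt describes (software flags a break in an account's own pattern, then a human either explains it away or escalates it) as an added Python example; this is not FinCEN's or FINTRAC's logic, and the bi-weekly deposit history, the outlier rule and the analyst's explanations are all constructed.

```python
from statistics import mean, pstdev

# Constructed account history: regular bi-weekly payroll deposits, then a
# single large inflow of the kind the article describes (car sale proceeds).
DEPOSITS = [
    ("2008-01-04", 2100.00), ("2008-01-18", 2100.00), ("2008-02-01", 2100.00),
    ("2008-02-15", 2100.00), ("2008-02-29", 2100.00), ("2008-03-14", 2100.00),
    ("2008-03-28", 15000.00),
]

def flag_anomalies(deposits, z_threshold=3.0, min_history=5, ratio=3.0):
    """Flag deposits far outside the account's own baseline.

    The baseline for each deposit uses only the deposits before it, so a
    large inflow cannot mask itself by inflating the statistics it is
    compared against. A perfectly regular payroll history has zero spread,
    so a simple multiple of the usual amount is used in that case."""
    flagged = []
    for i, (date, amount) in enumerate(deposits):
        history = [a for _, a in deposits[:i]]
        if len(history) < min_history:
            continue  # not enough history to call anything "odd" yet
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            if amount > ratio * mu:
                flagged.append((date, amount, f"more than {ratio:g}x usual deposit"))
        elif (amount - mu) / sigma > z_threshold:
            flagged.append((date, amount, f"z-score {(amount - mu) / sigma:.1f}"))
    return flagged

def review(flags, explanations):
    """Human review: an analyst dismisses a flag that has a documented
    explanation and escalates the rest as suspicious activity reports."""
    outcome = {}
    for date, amount, reason in flags:
        if date in explanations:
            outcome[date] = ("dismissed", explanations[date])
        else:
            outcome[date] = ("escalate", reason)
    return outcome

if __name__ == "__main__":
    flags = flag_anomalies(DEPOSITS)
    print(review(flags, {"2008-03-28": "proceeds from sale of a car"}))
```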

Written by Colin Henderson

April 17, 2008 at 14:33

Posted in Security

Customers don’t want authentication devices | Abbey


Finally someone has stated the blindingly obvious point that people do NOT want to carry separate devices. Banks need to provide the required security in other ways. I blogged about these devices last year, and have been amazed by the extent of deployment by European banks, which could turn out to be a wasted investment.

See here for my thoughts last year, and how two-factor authentication is not well understood.

Finextra: Customers don’t want authentication devices, says Abbey

Despite continuing security concerns, two thirds of customers do not want their bank to provide chip and PIN-style authentication devices, according to UK high street bank Abbey.

The bank says a survey of 1000 of its own customers found that just one-in-three people (32%) want to be supplied with a security device to further secure online transactions.

Written by Colin Henderson

March 25, 2008 at 23:37

Posted in Security

Thanks for multi-factor authentication | Bankwide


Good article on security here at Bankwide. It appears to be a new site, with coverage on compliance, security, and the impact on trust in banks.

A Letter From Hackers: Thanks for Multifactor Authentication | Security | Articles

“Attackers aren’t getting in by guessing, they’re getting in by stealing the credentials or tricking the end-user into giving away the credentials.” So adding more credentials won’t make sites more secure.

Written by Colin Henderson

December 22, 2007 at 16:44

US Department of Defense sponsors Open Source conference


Note for all bank CTOs: the US DoD is looking carefully at open source, with suggestions that it is already using it. Matt’s comments are illuminating for banks.

U.S. Department of Defense announces open-source conference | The Open Road – The Business and Politics of Open Source by Matt Asay – CNET Blogs

It should be fascinating to see how much open source is being used in the world’s most finicky IT buyer. If open source can meet the performance and security demands of the U.S. Department of Defense, surely it can enable more pedestrian uses of technology…like selling widgets or managing CRM systems.


Written by Colin Henderson

November 13, 2007 at 15:13

Posted in Security
