In the ComputerWorld article “Judge rules against trial in lawsuit by victim of $588K cyber heist” by Jaikumar Vijayan, about the lawsuit between Patco and Ocean Bank, there were no winners. Mistakes were made on both sides, along with a lack of responsibility. Since I was not in the courtroom and didn’t follow the trial, I can’t say whether the judge’s ruling was the correct one, but here is why both plaintiff and defense lost.
Patco needed to take responsibility for their own security:
1. User Name, Password, Challenge Question – This is a very secure mechanism for identifying and authenticating a user. The problem is that we humans make so many mistakes in managing this type of security.
- How strong was the user name? Don’t make it your name, email address or company name. For my online banking accounts I may use something like “p[FoWv;3Y0URUeQ”. Remember that computers are basically stupid since they only do what they are programmed to do, they can’t think.
- How secure was the password? Was it strong, was it used in other places, how often was it changed, how many people were given it and how secure were their systems?
- What was the Challenge answer? So many of these questions are so ridiculous that I have to wonder what moron thinks them up, especially with the online background-checking sites that will give a person’s complete life story from birth to death for $39. Here’s a tip: you don’t have to give the correct answer! For example, for “What is the name of your high school?”, instead of your high school’s name, answer with your grandmother’s maiden name. The question and answer are totally disconnected.
2. Blaming the bank for not using token-based authentication. Guess what, they aren’t required by law to offer this, so take responsibility and put in your own security system.
- There are token-based password security systems available for SMBs. For full disclosure, my company offers Power LogOn, which is specifically designed to securely protect and manage passwords for a business or organization of any size. There are many other products on the market, and companies need to investigate what is right for them. And if cost is an issue, then ask which is worse: paying $100 per employee or risking $589,000?
3. Zeus and other malware, and how they get into a company’s computer.
- Zeus is a really bad piece of malware. It constantly morphs itself, so anti-virus programs have a hard time deleting it. Having said that, always keep your computer’s operating system and applications up to date with patches. Partition all hard drives so the OS and applications are on one partition and data is on another. This can make recovery from an attack easier: since most viruses lodge themselves in the OS or an application, if you have to scrub and rebuild your computer, all your data may still be intact.
- Periodically, bring in a security expert to check your computer system. Think of it as your computer’s yearly health checkup. Don’t rely on your IT guy to do this, since they probably are not up to date with all the attacks. Would you go to a podiatrist for open heart surgery? Hire the specialist.
- Be very careful with emails, IMs, photos, videos from YouTube, social networks, etc. Thieves use these and other means to implant their viruses in your computers. One careless employee clicking one attachment can wipe out your entire business. I have told friends never to send me cute videos of something they found on the net, since they are the Petri dish for viruses. Train employees about spam, spear phishing, phishing, pharming and other techniques thieves use.
By no means is Ocean Bank off the hook or free of responsibility. And while the judge may have saved them a $345,000 fine, they may lose far more as the story gets out and their customers start closing their accounts. Ah yes, here is the short-term gain for a long-term loss. I know I would not keep my accounts there. Statistics show that after a security breach a company can expect 20-40% of its current customers to leave, and the average cost of a breach is now over $215 per record stolen.
1. Banks and almost every business need to be more proactive in protecting online accounts. Only time will tell if it’s too late for Ocean Bank to recover from the bad press they’re getting. Have security tools in place that monitor for unusual activity and freeze the transfer if anything is out of the ordinary. 99% of customers will appreciate the confirmation even if it causes a little inconvenience.
2. Offer programs or guest security speakers, and invite your customers to teach them about the different attacks and how to defend against them. I am finding more and more local police departments are offering these meetings, so tie in with them.
3. Re-check your logon policy. Do you require passwords to be changed? Do you have a strong password-checking program? Do you have something as simple as a CAPTCHA to ensure it is a human entering the account? Bring in security experts to discuss the tools and options available.
4. Let customers know about the multi-factor logon token solutions available on the market. Because every individual user’s computer is different, let the technology company sell and support the product. If Ocean had given away such a product, the tech support calls alone could bury them.
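To make item 1 concrete, here is an added example (my own illustration, not code from the article, Patco, Ocean Bank, or any product) of what “monitor unusual activity and freeze the transfer” can look like on the bank’s side. It compares a candidate transfer with the customer’s own history on four points: amount far above the customer’s norm, a beneficiary never paid before, submission outside business hours, and several transfers inside a short window. Any hit returns a “hold” so the bank can confirm with the customer before the money moves. The thresholds, the business-hours window, and all the transfer records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Tuple


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer. Beneficiary labels are constructed, not real accounts."""
    when: datetime
    amount: float
    beneficiary: str


# Constructed history for one hypothetical business customer: weekly
# payroll-sized transfers to the same payees, always during working hours.
HISTORY: List[Transfer] = [
    Transfer(datetime(2011, 5, 6, 10, 15), 4200.00, "PAYROLL-ACH"),
    Transfer(datetime(2011, 5, 13, 10, 30), 4350.00, "PAYROLL-ACH"),
    Transfer(datetime(2011, 5, 20, 9, 50), 4100.00, "PAYROLL-ACH"),
    Transfer(datetime(2011, 5, 25, 14, 5), 1200.00, "SUPPLIER-A"),
    Transfer(datetime(2011, 5, 27, 10, 20), 4300.00, "PAYROLL-ACH"),
]

# Constructed candidates: a routine Friday payroll run, and a large
# weekend-night transfer to a payee this customer has never used.
ROUTINE = Transfer(datetime(2011, 6, 3, 10, 10), 4250.00, "PAYROLL-ACH")
ODD = Transfer(datetime(2011, 5, 28, 2, 30), 45000.00, "UNKNOWN-PAYEE")

# Constructed burst: two transfers already sent earlier the same day.
BURST_HISTORY = HISTORY + [
    Transfer(datetime(2011, 6, 3, 9, 0), 4200.00, "PAYROLL-ACH"),
    Transfer(datetime(2011, 6, 3, 11, 0), 4200.00, "PAYROLL-ACH"),
]
THIRD_TODAY = Transfer(datetime(2011, 6, 3, 15, 0), 4200.00, "PAYROLL-ACH")


def review_transfer(history: List[Transfer], candidate: Transfer,
                    amount_factor: float = 3.0,
                    window: timedelta = timedelta(hours=24),
                    max_in_window: int = 2) -> Tuple[str, List[str]]:
    """Compare a candidate transfer with the customer's own history.

    Returns ("allow", []) or ("hold", [reasons]); a hold means the bank
    confirms with the customer out of band before the money moves.
    The thresholds are assumptions chosen for this example.
    """
    if not history:
        return "hold", ["no prior transfers to compare against"]
    reasons: List[str] = []

    # Rule 1: amount far above what this customer normally sends.
    typical = mean([t.amount for t in history])
    if candidate.amount > amount_factor * typical:
        reasons.append(f"amount {candidate.amount:.2f} exceeds "
                       f"{amount_factor:g}x the typical {typical:.2f}")

    # Rule 2: a beneficiary this customer has never paid before.
    if candidate.beneficiary not in {t.beneficiary for t in history}:
        reasons.append(f"first transfer to beneficiary {candidate.beneficiary}")

    # Rule 3: outside business hours (07:00-19:00, Monday to Friday).
    if candidate.when.weekday() >= 5 or not 7 <= candidate.when.hour < 19:
        reasons.append("submitted outside the customer's business hours")

    # Rule 4: velocity, i.e. several transfers already sent in a short window.
    recent = [t for t in history
              if timedelta(0) <= candidate.when - t.when <= window]
    if len(recent) >= max_in_window:
        reasons.append(f"{len(recent)} transfers already in the last {window}")

    return ("hold" if reasons else "allow"), reasons


if __name__ == "__main__":
    for hist, cand in ((HISTORY, ROUTINE), (HISTORY, ODD), (BURST_HISTORY, THIRD_TODAY)):
        decision, why = review_transfer(hist, cand)
        print(cand.beneficiary, decision, why)
```

The point of comparing against the customer’s own history rather than a bank-wide limit is that a $45,000 transfer is routine for one customer and alarming for another; the confirmation call is only triggered when the request does not look like that customer.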
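The password questions in the first list (how strong was it, was it reused, how often was it changed) and the “strong password-checking program” in item 3 above both come down to the same check, so here is one added example covering both. It is my own illustration, not the article’s, Patco’s, or Ocean Bank’s code: a function that returns every policy failure for a candidate password, including length and character mix, overlap with the user name, company name or e-mail, presence in a weak-password list, reuse of an earlier password (compared by hash), and age. The thresholds, the weak-password list, and the sample accounts are constructed assumptions.

```python
import hashlib
from datetime import date
from typing import Dict, Iterable, List

# Constructed handful of weak passwords; a real check would consult a large
# breached-password corpus instead.
COMMON_PASSWORDS = {"password", "123456", "letmein", "welcome1", "qwerty123"}


def sha256_hex(password: str) -> str:
    """Digest used only to compare against stored password history.
    (A production history store would use a slow, salted password hash.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_findings(password: str, username: str, company: str, email: str,
                      last_changed: date, today: date,
                      min_length: int = 12, max_age_days: int = 90,
                      prior_hashes: Iterable[str] = ()) -> List[str]:
    """Return every policy failure; an empty list means the password passes.
    Thresholds and check order are assumptions for this example."""
    findings: List[str] = []

    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")

    # Count character classes: lower, upper, digit, and anything else.
    classes = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                  if any(test(c) for c in password))
    if any(not c.isalnum() for c in password):
        classes += 1
    if classes < 3:
        findings.append("uses fewer than three character classes")

    # Reject passwords built from things an attacker can look up.
    lowered = password.lower()
    for label, value in (("username", username),
                         ("company name", company),
                         ("email address", email.split("@")[0])):
        if value and value.lower() in lowered:
            findings.append(f"contains the {label}")

    if lowered in COMMON_PASSWORDS:
        findings.append("appears in the common-password list")

    if sha256_hex(password) in set(prior_hashes):
        findings.append("reuses a previous password")

    if (today - last_changed).days > max_age_days:
        findings.append(f"older than {max_age_days} days")

    return findings


def sample_results() -> Dict[str, List[str]]:
    """Run the check over constructed accounts; used by the demo below."""
    today = date(2011, 5, 15)
    user, company, email = "jsmith", "examplecorp", "jsmith@examplecorp.test"
    old_hash = sha256_hex("OldPassw0rd!2010")
    return {
        "strong": password_findings("Blue!Kettle-Runs7Fast", user, company, email,
                                    date(2011, 3, 1), today),
        "company_based": password_findings("examplecorp1", user, company, email,
                                           date(2010, 12, 1), today),
        "common": password_findings("welcome1", user, company, email,
                                    date(2011, 5, 1), today),
        "reused": password_findings("OldPassw0rd!2010", user, company, email,
                                    date(2011, 5, 1), today,
                                    prior_hashes=[old_hash]),
    }


if __name__ == "__main__":
    for name, findings in sample_results().items():
        print(name, "->", findings or ["ok"])
```

Returning the full list of failures, rather than stopping at the first one, lets the bank show the customer everything that needs fixing in one pass, which is what makes a forced password change tolerable rather than a series of rejections.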
Sadly, the only real winner in this may have been the thief. Stronger laws are needed to punish hackers, law enforcement needs better tools, and DAs need to be able to prosecute across county and state borders. Cyber crimes are not local, and some of the criminal organizations involved are very scary and very powerful. These criminals are no longer the 14-year-old trying to play computer games on the W.O.P.R. from the movie WarGames, but terrorists, countries, and cartels, all trying to undermine confidence in the US banking system while at the same time funding their efforts with other people’s money.