Friday, September 12, 2008

What Canadian Banks Are Doing That U.S. Banks Should Be

An article recently appeared in the Vancouver Sun regarding Canadian banks’ attempts at protecting their clients’ information (http://www.canada.com/vancouversun/news/westcoastnews/story.html?id=0130fa57-d25d-42e8-833b-b8069acb3cca&p=2). Since we talked about using multiple layers of protection in class, it seemed an appropriate topic. We’ve all heard about the countless scams directed at bank customers, several of which have involved the Notre Dame Credit Union, but what are known as zero-day attacks are becoming a more popular strategy. In these information security attacks, the attackers use the information they have gained within twenty-four hours. As a result, victims of these attacks have an extremely small window in which to resolve the problem without suffering some damage.

With the ever-increasing number of clients making transactions online, Canadian banks are taking greater precautions to protect the sensitive financial and personal information of their clients. In 2006, CIBC, TD Bank, BMO Bank of Montreal, Scotiabank, and RBC Royal Bank, the largest banks in Canada, spent about $4.4 billion on information security. The size of this investment is reflected in the numerous layers of security these banks use, including improved sign-ins, firewalls, and encryption. An enhanced sign-in method has been developed that requires the user not only to enter the usual member number and password but also involves customized phrases and personalized graphics, which serve a dual purpose. Not only can the bank verify that the customer is who they claim to be, but the customer can also verify that they are on the bank’s real website rather than a fraudulent one. In addition, most of these banks use multiple firewalls to strengthen their security. Finally, 128-bit encryption is becoming more widely used to protect data as it travels between the client and the bank as well as within the bank. This comes from the use of SSL (Secure Sockets Layer), which also verifies that the server is the bank’s. Some banks, such as BMO, are putting more emphasis on the sign-in itself. Most people consistently use the same computer to manage their bank account, so when a customer signs in from a different computer than usual, they are asked additional security questions to verify their identity.
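The layered sign-in described above (member number, personalized phrase shown back to the customer, password, and extra security questions only from an unfamiliar computer), as an added example that is not code from the article or from any bank; the customer record, phrase, question, salt and device identifiers are constructed for illustration:

```python
# Added example: a toy model of the layered sign-in flow described in the post.
# Not a real bank's implementation; the customer data below is constructed.
import hashlib
import hmac

def _digest(secret, salt):
    # Salted hash so stored passwords and answers are not kept in the clear.
    return hashlib.sha256((salt + secret).encode()).hexdigest()

def _norm_answer(answer):
    # Security answers are compared case- and whitespace-insensitively.
    return answer.strip().lower()

# Constructed customer record (member number, salt, phrase, devices are made up).
CUSTOMERS = {
    "10234567": {
        "salt": "a1b2c3",
        "password_hash": _digest("correct horse battery", "a1b2c3"),
        "phrase": "blue canoe on the lake",   # personalized sign-in phrase
        "question": "Name of your first pet?",
        "answer_hash": _digest(_norm_answer("Rover"), "a1b2c3"),
        "known_devices": {"dev-home-pc"},     # the computer the customer usually uses
    }
}

def sign_in_phrase(member_number):
    """Step 1: return the customer's personalized phrase so they can check they
    are on the real site before typing a password; unknown members get None."""
    cust = CUSTOMERS.get(member_number)
    return cust["phrase"] if cust else None

def sign_in(member_number, password, device_id, answer=None):
    """Steps 2-3: check the password, then step up to a security question only
    when the device is unfamiliar. Returns (status, detail)."""
    cust = CUSTOMERS.get(member_number)
    if cust is None:
        return ("denied", "bad credentials")
    if not hmac.compare_digest(_digest(password, cust["salt"]), cust["password_hash"]):
        return ("denied", "bad credentials")   # same message as unknown member
    if device_id in cust["known_devices"]:
        return ("ok", "recognized device")
    if answer is None:
        return ("challenge", cust["question"])  # unfamiliar computer: ask more
    if not hmac.compare_digest(_digest(_norm_answer(answer), cust["salt"]), cust["answer_hash"]):
        return ("denied", "security question failed")
    cust["known_devices"].add(device_id)        # remember this computer next time
    return ("ok", "device enrolled")
```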

In addition to the precautions that the banks are taking, they also warn their customers to protect themselves. Banks stress that they will never ask their customers for things such as a password, since they already have that information. Clients should also make sure that a site is genuine by verifying its SSL certificate. This is a good way to avoid phishing attacks, as is searching for the bank’s URL instead of following a link sent in an email.

Protecting the confidentiality of sensitive financial and personal information is becoming a major concern. Knowing that some banks are taking greater precautions to protect our information breeds confidence in those banks, but what about all the others? It makes me wonder why they are not taking the same measures to protect their clients. According to another article in The Business Journal, the U.S. government has established laws that will require banks to protect their customers from identity theft. However, a study found that only a third of banks meet these standards. One can only hope the government will enforce these laws and protect our valuable information. It may be difficult to find a balance between protecting clients’ information and keeping online banking a convenient way to make transactions, but I think most people would be willing to go through a few additional security measures if it meant they could be more confident in the confidentiality of their information.

4 comments:

  1. Notre Dame Federal Credit Union utilizes the 'extra security questions' approach when users log in from new computers (or after the browser's cache has been cleared). For those of you who use NDFCU, do you ever click the "add extra security" checkbox? I often wonder what exactly that does except assuage the nerves of jittery users.
    While I'm sure the extra security questions do indeed increase the integrity of the system, they certainly do prove tiresome to customers who bank online from multiple locations. In addition, NDFCU has a relatively strict 'lock-out' policy, so if you mix up your security questions too many times, it can be a hassle to unlock.
    Nevertheless, these are nice measures to see in an institution charged with maintaining the assets of starving students, among others.

  2. I bank online with National City, and National City also uses "extra security" questions. I always have to enter my ID and password--which the bank forced me to make long and complicated--and I usually have to enter some crazy word or jumble of letters and numbers that appears on the log-in screen. Jonathan has a point: the additional security definitely makes it a hassle for me to quickly sign in and view my financial material. However, the slight inconvenience of answering additional security questions also makes me feel that my financial material is much safer than otherwise.

    And I do agree with Jonathan. I think the added measures are nice, even though I feel many people just don't want to spend the extra time answering extra security questions. It's like they want the added security without any possible inconveniences for themselves. Oh well, I guess you can't have your cake and eat it too.

  3. I am also very surprised how many scams have happened through NDFCU. I have a bank account with them and with my local bank at home, Colorado National. In order to sign in online at Colorado National Bank, you have to enter a username, password, answer 3 security questions, and if it is not the computer you normally use, you have to wait for an access code and password to be sent to the registered email account or phone number you gave the bank when you signed up. In all honesty, it is the biggest waste of time. Half the time I don't remember the answers to the security questions and end up writing everything down somewhere anyway, which I feel is defeating the bank's purpose of making it more secure. I feel like if there are too many things we have to do, it can cause us to do things that are potentially more harmful to our information security.

  4. Between this thread about banking practices and the conversation over Sarah Palin's email being hacked, it seems to me that security questions really don't bolster security as much as intended. Among my various accounts with such security measures, I am certain that I use the same answers to similar questions across a spectrum of websites. Thus, if the answers to one site were compromised, other accounts would also become highly vulnerable. Cassondra brings up an important point that these questions are not always easy to remember. Rather than cutting through the red tape of resetting my password, I just won't log in. This omission, then, poses a new risk: the absence of monitoring of account activity.
