Click here to download the PDF version of this presentation.

Most financial institutions have robust policies in place allowing their supervisory committee, external auditors, or other vendors access to reports and analysis on the security measures in place. Not just alarms and panic buttons, but also teller and cash drawer controls, dual-custody policies, password policies, remote access policies, and board bylaws. As cloud computing becomes more of the norm, IT will need to demonstrate the security measures in place surrounding their cloud infrastructure.

The Windows Azure Platform is one of the newer entries into the cloud computing market. Created and run by Microsoft, Azure will be come a very popular selection for cloud computing needs simply because it is owned and operated by Microsoft. They claim to have completed a SAS 70 Type I and Type II audit on their “cloud platform”, which is one of the key factors for financial institutions, but they don’t specify that it is for their Azure platform, nor is it available for download. Either of those factors could be a stumbling block for credit unions or banks.

SQL Azure, Microsoft’s database cloud offering, provides some excellent alternatives for database hosting. Rather than paying expensive licensing fees or hosting fees, a company can use Microsoft’s very robust and redundant infrastructure to host their databases. Even Microsoft’s cloud is still an infant though. Currently, their SQL Azure offering has no server level auditing in place. While logical, as many people are sharing a virtualized database and access restrictions are need, it also prevents users from verifying that no one else is logging in to or otherwise gaining access to their resources. Very few auditing choices exist today for SQL Azure, as demonstrated in this article.

Rackspace, on the other hand, has a very descriptive page detailing their expertise and certifications, including their SAS 70 Type II and their PCI compliance. Their SAS 70 is able to be downloaded and their PCI compliance also presents a unique security offering to financial institutions, helping them be more confident in their choice of a cloud provider.

Cloud computing is going to become the norm in the financial industry. It may take the form of private clouds or stay public, but technology infrastructure is going to become a utility. Just like we pay for electricity now, we’ll pay for computing resources as well. If your FI is looking to make the move into cloud computing, start with baby steps. Don’t put member information up there quite yet. Start with your public facing website then move your intranet. Start experimenting, but keep in mind the many security and auditing concerns that exist today.

Everyone in the industry is familiar with the Heartland breach, the TJ Maxx theft, and probably half-a-dozen others. Too bad retailers, both brick and mortar and online, don’t believe in SCI. Of all the players in the industry, Microsoft has recently stepped up with a program they’ve dubbed “U-Prove“. U-Prove works with a model similar to SCI, in that it only gives the information necessary to complete a transaction and nothing else. A recent Ars Technica article has offered some editorial insights:

On the other hand, there’s no reason why a storefront like, say, iTunes, needs to know your identity; it only needs to know that the money being handed over is yours to hand over.

To use a credit card on iTunes, I have to hand over so much information that Apple, if it was a bad actor, could masquerade as me. I can’t just give Apple some electronic money; instead, I have to give them my name, address, and credit card number. In practice, the real problem with me handing over so much info to iTunes isn’t that Apple might pretend to be me—with billions in the bank the company doesn’t really need to charge things to my credit card, after all—but that hackers (both external and internal) might take this stored data and use it for their own nefarious purposes.

U-Prove aims to stop organizations from being forced to collect excessive information from their customers when, in reality, it is not needed. To the contributor’s first quote, Apple doesn’t really need to know all of my info, just that the money I’m sending them is good. Microsoft has open-sourced the U-Prove framework, enabling other applications to use the protocols. U-Prove, using a combination of many cryptographic solutions, creates a one-time unique and secure key with the necessary information contained within it, which is then decoded and used by the organization requesting the transaction.

As is the case with any new technology, adoption is always going to be the hardest part. Some retailers, such as the Amazon example used the in Ars Technica article, will not welcome the U-Prove framework as it removes many key data mining aspects of their business. Amazon doesn’t really need to know your age, unless of course you are subscribing to Playboy or buying a CD with explicit lyrics, but they use that information extensively in their advertising. In much the same way, Apple has no need for your address when purchasing a song, but they can use that information to determine the best location to place their next store, geographic and contextual marketing, and potentially track down problems in their supply and distribution chain.

The U-Prove framework has the potential to be a game changer for the way business and individuals transfer information between one another, but the implementation and adoption hurdle will be a large hill to overcome. Microsoft has begun implementing U-Prove within some of their own products such as Active Directory and some of their web technologies. Even with this show of good faith, convincing other organizations to limit the amount of data they can collect from their customers, all in the sake of privacy and security, will be a challenge.

Is U-Prove the correct way to diminish some of the risk associated with breaches like Heartland and TJ Maxx by limiting the amount of data exposed on a need-to-know basis only or are the implementation challenges to great to overcome?

I’ve moved the list from Feedburner over to MailChimp and also added the option to get emails as we post them or to get a weekly digest edition.  If you’d like to get an special edition of this blog emailed to you as it is updated, please subscribe here. And if you’d like to update your preferences on receiving email from us, simply click the link of the bottom of the email. And if you have any problems pop up or any questions, don’t hesitate to let me know!

I also have an extra copy of The 10 Faces of Innovation from Ideo laying around my office and at the end of the week, I’ll pick a random email subscriber to mail it to. So make sure you sign up!

Similar to other freemium models, OpenDNS provides a free service but also a paid subscription model, both to individuals and businesses. In all levels of their account, OpenDNS has a very robust content filtering mechanism in place. Basically, a domain is tagged by the OpenDNS community and placed into a category. These categories can then be filtered out.  For instance, if your credit union or employer used the OpenDNS product, they could simply check a box in the configuration and not allow any traffic to any site that has been classified as chat, adult, adware, malware, nudity, etc. This would prevent a great number of visits to websites that could be harmful to the network of the credit union. Many credit unions already have a filtering system in place to prevent access to certain types of sites and OpenDNS is just another mechanism to accomplish that.

In my credit union community service act of the week, I took all of the website addresses for credit unions out of the call report data, uploaded them to OpenDNS, and tagged all of them as “Financial Institution”. Don’t worry, it wasn’t that hard. There were only about 7000. Only about 3% of credit union websites were listed, which could potentially lead to some of those websites being blocked for users of OpenDNS. With nearly 20 billion DNS requests handle per day, OpenDNS is becoming a large provider of these services and thus CU’s need to ensure that their members can reach their website.

I have uploaded and tagged all of the credit union url’s, but now they have to be voted on by the community to ensure the tags are accurate. To check your website and vote on the category it is placed in, go to the OpenDNS Domain Tagging page. In the upper, right-hand corner, enter in your website address and vote “Yes” to ensure it is placed in the Financial Institution category. If you run other public facing subdomains, such as blog.mycu.org or onlinebanking.mycu.org, you can add those domains as well.

OpenDNS also runs another project called PhishTank, which is something that will most likely hit all of us by some point. PhishTank works exactly like OpenDNS, in that the community can submit phishing attempts to the website and it then gets voted on. This data can then be used by law enforcement or the company that is being phished to educate their members. OpenDNS also uses this data to possibly filter these phishing sites and prevent users from going to a confirmed site.

So if you’ve got 30 seconds, go to OpenDNS, look up your CU’s website, or your own, and vote to make sure that it is in the correct category. You wouldn’t want your site to be inaccessible to your members!

In the spirit of giving, should I do this using all of the FDIC for the banks, assuming that their website addresses are in the data?

UPDATE: I also uploaded all of the FDIC bank url data as well.  So if you are a banker out there, go vote for your website as well.

What in the world does this have to do with credit unions?  Well, I never finished the sign-up process and the next day I received this email:

How cool is that!  Not only can they tell that I didn’t finish the setup process, but they are providing me an incentive to come back and finish.  Credit unions are just beginning to get into opening accounts online, but they can take a page out of the Rackspace playbook.  First off, they have the technology to make this happen, so make sure your online account vendor can do this.  Secondly, they don’t take any kind of holier-than-thou attitude about why the potential member didn’t finish.  Finally, they provide an incentive to come back.  ”Outbound calling”, aka hounding indirect auto loan customers, would do well with some like this.

Here’s my version:

Hey Joe,

We noticed that you didn’t complete your online (insert product name here) application yesterday.  If you have any questions about the process or just need someone to talk to, feel free to give me a call directly at 888-888-8888 or call into our Member Service Center at 888-8888-7777.  Oh, and by the way, we really value the business of all of our members, so if you’d like to finish the application online or come into a branch, enter in your discount code of ALMOSTGOTAWAY and we’ll give you another .5% on your (insert product name here).

Robbie Wright

ABC Credit Union

What a load of crap.  That’s like saying people die wearing seat belts, thus it must be the seat belt’s fault so you shouldn’t wear your seat belt.  The reason there are so many viruses and malware for Windows is because it is such a big “prize” for hackers.  MS owns the desktop OS market, thus making them the biggest target.  If you were going to rob a bank, wouldn’t you pick the branch that had the most money in it?  It doesn’t make much sense to write a virus for Linux because it owns such a small portion of the market that the payoff would be nothing.

The FFIEC guidelines for multi-factor authentication are a pain.  But the concept behind MFA is a must.  There are three ways to identify someone online: something they know (Q&A), something they are (bio-metrics or computer ID), and something they have (cell phone or email).  If an FI really, truly applies 2 of those factors, it will make it nearly impossible to directly hack a person’s account.  The article speaks of the proverbial “man in the middle” attack in which a hacker somehow manages to gain access to the user’s password, either through a keylogger or a fictitious webpage made to look like the real thing.  Both of these are easy to stop:

1. Don’t download anything from anyone you don’t know.
2. Don’t install anything from anyone you don’t know.
3. Don’t follow a link to an FI website, type it in or bookmark it yourself.
4. Look at the url of the webpage you are on and make sure it says mycu.com.

Now some will argue that most people aren’t smart enough to figure that out on their own.  True, it is possible to build such a great phishing site that even an employee couldn’t tell the difference, but it is highly unlikely.  This is where the FI has to step in.  Companies like Trusteer have built a glorified browser add-on, but it works.  It prevents any type of keylogging software from detecting what is being typed into the webpages that the browser is serving up.  They’ve done the right thing and they count on the users machine already being infected.  Additionally, FI’s could help with 3 and 4 by offering other security measures like RSA keys.  Make it optional for users if they want it or if a member has had fraud on their account, make it mandatory.

However FI’s and online banking companies handle their security, two things need to happen: The users have to take some responsibility for their actions (don’t log into phishing sites or download shady applications) and FI’s have to offer appropriate security measures to make unauthorized access to someone’s account extremely difficult.