
Data in the Cloud – Beware of the Storm

1/20/2011

Regardless of how a breach occurs, data that has been compromised can no longer be controlled. This holds true for information that bank employees enter into social media sites as well. A skilled hacker can assemble personal data by collecting information from a variety of sources and fitting the pieces together like a puzzle. Often that information was put “in the cloud” voluntarily.

Throughout the day we are asked to enter information into websites. We have long been told that if the link begins with “https” and a small golden padlock appears in the lower right-hand corner of the display, we are on a secure site. Generally this is true; however, these indicators can be misleading and are often replicated by hackers who deface websites and redirect their traffic. So where does this information end up?
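The paragraph above makes the point that an “https” prefix and a padlock are not, by themselves, proof that a link leads to the bank's own site. As an added example that is not part of the original article, the following Python function inspects a link the way a cautious reader should: it checks the scheme, looks for tricks such as `user@host` credentials or a raw IP address in place of a name, flags internationalised (punycode) host names, and confirms that the host is the expected domain or a subdomain of it. The host names `examplebank.com` and `evil-example.net` and the address `203.0.113.5` are constructed for the example (the latter is from the documentation address range); the function name `assess_link` is likewise an assumption of this example.

```python
"""Added example: sanity checks on a link before trusting its "https" prefix."""
import ipaddress
from urllib.parse import urlsplit


def assess_link(url: str, expected_host: str) -> list[str]:
    """Return a list of warnings for a link the reader believes points at expected_host.

    An empty list means none of the checks fired; it does not prove the site is
    genuine, only that the cheap, offline red flags are absent.
    """
    warnings: list[str] = []
    parts = urlsplit(url)

    # The scheme is the first thing users are told to look at, so check it first.
    if parts.scheme != "https":
        warnings.append("scheme is not https")

    # urlsplit lowercases the host and strips any port or userinfo for us.
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no host in URL")
        return warnings

    # "https://www.bank.example@203.0.113.5/" looks like the bank but goes to the IP
    # after the '@': anything before '@' is treated as a username, not the host.
    if parts.username is not None or parts.password is not None:
        warnings.append("URL contains user@ credentials; the real host is after the '@'")

    # Legitimate banking sites are reached by name, not by a bare IP literal.
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address, not a name")
    except ValueError:
        pass

    # Punycode labels ("xn--...") or non-ASCII hosts can render as look-alikes of
    # the real domain in the address bar.
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        warnings.append("host uses internationalised characters (possible look-alike)")

    # The expected domain must be the host itself or its registrable parent:
    # "examplebank.com.evil-example.net" contains the name but is not the bank.
    expected = expected_host.lower()
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"host {host!r} is not {expected!r} or a subdomain of it")

    return warnings


if __name__ == "__main__":
    # Constructed sample links for a walk-through run.
    samples = [
        "https://www.examplebank.com/login",
        "http://www.examplebank.com/login",
        "https://www.examplebank.com@203.0.113.5/login",
        "https://examplebank.com.evil-example.net/login",
    ]
    for link in samples:
        print(link, "->", assess_link(link, "examplebank.com") or ["no red flags"])
```

The `user@host` and “domain embedded in a longer domain” cases are the ones most often missed by a quick glance at the address bar, which is why the function reports every finding rather than stopping at the first.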

Information that may include your bank’s data can be easily obtained by searching on key terms such as: cc number, skimming, maiden names, account numbers for sale, fullz and ATM skims. Here is an example of such a website: http://tinyurl.com/28y8k26. As you can see, this site will sell you bank and security information, social security numbers, mother’s maiden names, birth dates, AOL and PayPal user names and passwords, and ATM skimming devices. The information they display is a usable sample, intended to convince you that their data is legitimate. The following link shows how an ATM skimmer can be deployed for a short period of time (half an hour): http://tinyurl.com/y8sn44. This site sells the hardware required to perform this type of theft.

Sites like www.spokeo.com harvest public records (marriage and divorce decrees, birth and death certificates, real property records, phone numbers, usernames, email addresses, Google images, Facebook data and Census data). This information is generally considered to be sensitive in nature; however, if it is used in a well-crafted social engineering attempt, the hacker may be able to answer the multifactor authentication challenge questions that are standard for most online banking transactions.

There are a number of controls that a bank can test to determine whether it is training its staff appropriately so that these risks are mitigated. So during your next IT exam, insist that these controls are included in the scope of the assessment.