10 October 2013

YOUR PROVIDER IS HACKED, YOU'RE ASSURED OF NO FINANCIAL LOSS. BUT ARE YOU SAFE?...

[UPDATED 20th FEBRUARY 2014] In the aftermath of the Santander and Barclays KVM hacks, @GrahamCluley kindly invited me to post my comments on his blog.
A few weeks on, I have some updates which you may find interesting…


With all the talk about cybercrime rings targeting UK banks, using social engineering techniques to install KVM (keyboard, video, mouse) devices to spy on staff and steal money and information, one has to praise the cooperation between law enforcement and the banks that led to the arrest of the criminals involved, while at the same time wondering about the wider implications of such crimes...
In both instances mentioned, the organisations affected made it very clear that no customers would have suffered financial losses as a result of the crimes. This is of course no surprise, as under UK law consumers are protected from such fraudulent activity and, if money was ever taken from their accounts, they would not have had to bear the losses. In the case of Barclays, it was reported that they recovered most of the money, but how much? And what else was potentially siphoned off?

Well, I have asked those very questions on a number of open forums and, as you would expect, it did generate a bit of interest. One comment that surprised me was the following one:

“Respect that there are a few unanswered questions here but let us be a bit realistic that this case would form part of a criminal investigation and any public post mortem should be undertaken after the criminals are behind bars. All the points are raised and sharing of data is key, but it is my own opinion that it would not serve to disclose information at this stage.” (sic)

My reply is that, whilst I do understand the need to respect secrecy whilst criminal investigations are being undertaken, this does not exclude treating affected parties (e.g. the customers) with due care and attention, and providing them with relevant and helpful advice so they can protect themselves, in the absence of any UK regulatory framework compelling breached organisations to do so…


So why should you care?

I have long been an advocate of convergence of information security, risk management and fraud (see my earlier post), but it seems that with some notable exceptions I have personally come across, this is by no means standard practice yet. The result is that these areas generally operate in silos and the real cost of fraud, or the real cost of cybercrime, can never be truly assessed.

As an example, if we look at this year’s Annual Fraud Indicator (National Fraud Authority, June 2013), identity fraud totalled £3.3 billion in 2012 and affected 27% of the UK adult population. Furthermore, 8.8% (4.3 million) of UK adults were victims, with those who actually lost money (2.7 million) losing an average of £1,203 each...

A very kind South Korean gentleman recently contacted me to ask why UK banks do not offer client security protection for online banking as a matter of course, as this is a regulatory requirement in South Korea. The best answer I could come up with is that whilst many banks offer something like Trusteer Rapport to their online banking clients, it is not mandatory. So why do they do it? Well, put simply, in the absence of regulation, offering the service for free to clients is cheaper than the cost of the fraud that would ensue were they not to offer it… Perhaps cynical, but I’m sure I’m not far off the mark…

The overall cost of fraud in any country should compel us to try and determine the real impact of such crimes.


Impact on the banks

In both breaches mentioned in this article, customer information was sniffed for a period of time. This means that fraudsters may have got hold of financial details (e.g. debit card details, bank account numbers, etc.). The banks may have had to re-issue payment cards to their customers, and the associated cost is not insignificant (how many cards? cost per card? etc.). In addition, how did they inform customers and how much did this cost? And how much money wasn’t recovered? 
Determining the cost of fraud is a complex matter (and indeed, organisations make substantial provisions for this), and more transparency will raise awareness.
There is also the additional concern of customer churn, and whilst some have made valiant attempts to quantify this (ref. Ponemon UK Cost of a data breach), real apportionment is very difficult to achieve. For bank customers specifically, switching your financial life has never been a pleasant experience. However, with the UK announcement that consumers are now able to switch bank accounts in just seven days this may become a real risk to banks after a data breach. And for the doubters, ultimately, the customers will choose, and a recent article highlighted that 36% of UK consumers consider ID fraud their biggest risk… Banks (or any organisation handling personal details) may very well pay heed to this (especially in view of the impending EU data breach disclosure laws)… 
And if this is not enough, the Financial Conduct Authority (FCA) recently issued clear guidelines on data security (Chapter 5, and specifically Box 5.2, “Five fallacies of data loss and identity fraud”), where specific advice is given on key logging devices (Box 6.9), physical security (Box 6.12) and training and awareness (Box 6.2). As Consumer Credit is moving from the Office of Fair Trading (OFT) to the FCA by April 2014, their consultation document clearly sets out, in Chapter 12, the proposed enforcement rules for tackling financial crime.

My take on this: whilst the FCA still very much (and rightly) focuses on Anti-Money Laundering, it plans to be tougher on protecting customer information and tackling ID Theft.

Impact on the individuals

Whilst individuals suffer no immediate financial loss in such cases, it all comes down to what was sniffed. What information did the criminals get hold of? It could have been names, email addresses, dates of birth, phone numbers, account numbers, addresses, balances, security questions and answers, etc...

Whatever was harvested by the criminals is probably as we speak sitting in underground markets, waiting to be used by criminals to commit ID Theft (e.g. apply for financial services products, launder money, courier theft, etc.), which will affect an individual’s credit rating without their knowledge. This is why by law in the US, breached organisations have to provide one year free ID Theft protection (and this would be very welcome in the UK!).
Going back to the aforementioned UK bank breaches, were consumers reassured that they will not be victims of ID Theft as a result of this crime? The matter of liability remains unclear. Let’s look at the Barclays Official Statement:



Hmm... First of all, we don’t actually know what data was taken. We only know that consumers did not suffer immediate financial losses as a result. We certainly don’t know whether they will avoid losses in the future as a result of their identities potentially being stolen following this breach. I’ll let you decide whether consumers have been left in the dark in that respect. And for those who’d like to know how to respond efficiently in the event of such crises, have a look at this post...

[20th February 2014 Update] It is interesting to note that in such crisis events, aside from the potential technology implications and vulnerabilities, there are always organisational and procedural considerations... In other words, it has come to light that the Barclays KVM attack was actually facilitated by a rogue employee who allowed the criminals to install the KVMs in the first place. Which brings me neatly to the fact that education and awareness is still failing in most organisations, as it seems to be merely driven by compliance and regulation... I am sure colleagues of the rogue employee would have noticed unusual behaviour, but perhaps existing processes didn’t allow for easy reporting and involvement... Only surmising, of course...

So let’s ask the following questions:
  • What information was taken?
  • What information have customers been given to help them monitor this?
  • Is there a help line?
  • What happens if a customer is subsequently victim of ID Theft?
  • Who can they talk to for advice?
  • What are the processes in place?
  • Has this potential fraud been quantified?
And finally, the ICO has been at pains to deny any bias against public sector organisations, so one hopes that in both cases the ICO was fully involved with the banks and law enforcement, and that they have determined that private individuals and their PII are not at risk of, say, future ID Theft. It would be nice to know this for sure, but detailed information is not forthcoming (so if anyone knows, please share...).

In the absence of advice to consumers from the banks, law enforcement and the ICO, if you think you may have been personally affected by the breaches (even if you didn’t lose any money), here are a few pointers you could follow:
  • Check whether your email account(s) have been compromised here (thanks Troy Hunt!)
  • Change the password on your email account (and don’t reuse it elsewhere)
  • Change the password on your bank account and change your security questions
  • Use two-factor authentication on your online accounts where provided
  • Make sure your anti-virus software is up-to-date and active
  • Monitor your credit rating and credit activity regularly to make sure no one is using your identity fraudulently

After all, your digital identity is your life, so be good to yourself...
Until next time...
