Slashdot Mirror

← Back to Stories (view on slashdot.org)

Major Financial Groups Share Data To Fight Online Theft

Posted by Soulskill on from the dogs-and-cats-living-together dept.

smitty777 writes "The Wall Street Journal is reporting on some unprecedented steps being taken by major financial institutions to combat online theft. The initiatives include a new type of data center that would be used to analyze bank data for potential security threats. Additionally, a quarterly round-table between the rivals to attack security issues was proposed. The article notes that 'security threats are pushing the big banks to do something that doesn't come naturally for these secrecy-steeped institutions: share information with one another.' A video at MarketWatch digs into it a little bit more, and points out that the banks will spend an estimated $1 billion on protection this year, which represents a 12% increase. Technologically, there has been much discussion of two-factor authentication to improve security. In fact, security officials in Singapore are even hinting at biometric solutions."

40 comments

  1. Criminals rejoice! by Majik+Sheff · · Score: 2, Insightful

    The banks have decided to consolidate their weak IT policies into a convenient one-stop shop for attacks!

    No longer will you have to break into a half-dozen banks to get the personal information of millions!

    --
    Women are like electronics: you don't know how damaged they are until you try to turn them on.
    1. Re:Criminals rejoice! by Anonymous Coward · · Score: 1

      Can't they just nationalize the banks already? It would save the government the trouble of making sure that the banks don't get too friendly with each other.

    2. Re:Criminals rejoice! by Gideon+Wells · · Score: 5, Insightful

      It all comes down to how it works.

      Right now you have many companies who have differing levels of protection. This would be akin to each state being in charge of its own military. Ideally, by pooling said resources a better overall military/defense could be formed. Redundancy removed, funds freed up for more high level prevention.

      Of course, that is being optimistic. Pessimistically, they'll agree to combine all their funds, use 10% (90% to bonuses for thinking of this savings) of it for this venture, outsource it to a company in India, who outsources it to China, who out sources it to South Korea (which gets linked to North Korea and sold to Russia), who out sources it to a vocational school in Seattle.

      --
      by Anonymous Coward: I, for one, welcome the shift from car analogies to pizza analogies. um.. overlords?
    3. Re:Criminals rejoice! by AliasMarlowe · · Score: 1

      It all comes down to how it works.

      It all comes down to how it dysfunctions.

      Recall the old adage that Canada should be the best place in the world, with French culture, British politics, and American industry. Instead, they somehow ended up with French politics, British industry, and American culture. This cooperation between banks will doubtless combine their weaknesses while discarding their strengths in a similar way.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    4. Re:Criminals rejoice! by Anonymous Coward · · Score: 0

      Banks have some the very best IT pro's working for them, you clearly have never worked for one. Sharing the info sounds like it violates lots of laws.

  2. Decent evaluation of Bank security by boner · · Score: 4, Interesting

    Having used both name/password, electronic tokens etc. to access my financial data, I would like to see an objective analysis of their security. I personally prefer the electronic tokens used by several Dutch banks (ING, Rabobank, ABN AMRO), above the name/password features used by American banks (BofA, Wells Fargo, Chase, JP Morgan, Credit unions, etc.). But the main question is: how do they perform in real-life? Which schemes lose more money to scamming or phishing?

    Evaluating the performance of my parents (70+) with modern authentication schemes, does not bode well. My parents are generally unable to distinguish phishing mail from real mail - how should banks balance the convenience of email against the requirements for safety?

    Can anyone point to objective evaluations of bank security and authentication schemes?

    1. Re:Decent evaluation of Bank security by TubeSteak · · Score: 1

      ... At an industry conference in 2003, ..., the chief technology officer of a large bank said ... "We don't want to talk about fraud in front of anyone."

      You'll never see an objective analysis of their security and you'll never learn which banks are subject to fraud, except where State/Federal law requires disclosure.
      If we learned about the $$$ value of fraud that banks write off, there would probably be public outrage and a crisis of confidence in the banking system,
      especially now with the mortgage crisis and bank bailouts fresh in the public's mind.

      --
      [Fuck Beta]
      o0t!
    2. Re:Decent evaluation of Bank security by Anonymous Coward · · Score: 0

      What's the problem with just using FinTS, a class 2 (20€) (or even class 3 [costs a bit more]) card reader and a bank-issued card with a 6-digit PIN?
      They do the same at the ATM. So they can do it at home as well. Open the banking program, stick the card in, enter your transfer order and press "OK" on the computer, enter the PIN and press OK on the reader, done.
      As a bonus, the bank could make the banking program look like an ATM and the card reader like the one built into an ATM.

      And if somebody is still too dumb for this, then he needs a nurse to put on your clothes in the morning anyway, and she can do it. (But people that dumb don't usually deserve to live in the first place.)

    3. Re:Decent evaluation of Bank security by daemonenwind · · Score: 2

      If we learned about the $$$ value of fraud that banks write off, there would probably be public outrage and a crisis of confidence in the banking system,
      especially now with the mortgage crisis and bank bailouts fresh in the public's mind.

      If you want to know the value of fraud, just look at any major bank's quarterly statement. It's usually broken out by line-item.

      Protip: start with whatever division name would hold consumer revolving credit, aka credit cards.

      It's the information age; you'd be surprised at what you can find if you just drop the conspiracy theories and anti-corporatism and actually look.

    4. Re:Decent evaluation of Bank security by Anonymous Coward · · Score: 0

      If you want to know the value of fraud, just look at any major bank's quarterly statement. It's usually broken out by line-item.

      Protip: start with whatever division name would hold consumer revolving credit, aka credit cards.

      It's the information age; you'd be surprised at what you can find if you just drop the conspiracy theories and anti-corporatism and actually look.

      ok, go find it. Can't? 'cuz its not there, and not required to be disclosed. Is this your first day on the job?

  3. Biometrics - pushing the bank's risk onto you... by rtfa-troll · · Score: 4, Insightful

    Biometrics; great; Like in Mexico, they will take your hand if you are lucky. If you aren't lucky, the bank will have some kind of life detector which will check if the hand is alive. In that case the gang just takes you along with your hand and then disposes of both together after the crime. With the exception of the situation where there's a guard actually checking that the ID system is being used right by a single person, what could be stupider than using a security token you can't change.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  4. Banks spending money on protection... by Anonymous Coward · · Score: 0

    I think it's funny how much money banks and companies with sensitive data spend on protection, yet they are 'defenseless' against hacker-attacks performed often by amateur hackers.

    1. Re:Banks spending money on protection... by anubi · · Score: 1

      That is what scares me.

      My broker's website is so full of javascript and pop-ups I am terrified to use it. I pulled my retirement from that broker and went to a "brick-and-mortar" institution, only because I know how easy it would be to fool me with a clever javascript to redirect me to a bogus site.

      I feel completely powerless when talking to a office guy whose instructions are to toe the company line and ignore the customer's pleas to not put this kind of code on a financial site. I am left stewing knowing the suit-guy keeps his job while I am liable to be in quite a mess trying to straighten things out if my account is taken for a roll-in-the-pigsty by some clever javascript coder who left a bug in my machine.

      For me, seeing JavaScript is like seeing mice. If I am in most places, it does not alarm me. But in a restaurant, it does. If you wonder from where I get my fear, google virus and javascript together.

      The clear message I get is bankers could care less how people like me think of the security of an account with them.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  5. Biometrics? Again? by fuzzyfuzzyfungus · · Score: 5, Insightful

    Biometrics must be the 'security' concept that combines the worst features with the best wiz-bang sci-fi aesthetic appeal... I can only assume that it was invented during a sort of 'product blackjack', where a group of players competed to see who could come up with the most awful ideal that could still be successfully sold...

    "Hey guys, I'm trying to build a truly awful security system. Can anybody think of something like a password, only absurdly hard to change voluntarily, occasionally changed traumatically by forces beyond the user's control, and preferably left in traces all over the place during the course of daily life? Drinks are on me if successfully compromising it for one institution renders it strongly likely that it will be compromised across a large number of unrelated ones simultaneously!"

    1. Re:Biometrics? Again? by Requiem18th · · Score: 1

      Obligatory youtube link http://www.youtube.com/watch?v=LA4Xx5Noxyo

      --
      But... the future refused to change.
    2. Re:Biometrics? Again? by Em+Adespoton · · Score: 1

      The only place I can see biometrics being useful is as part of a hashing algorithm where some other factor is a secret. In this case, it's not the primary securing factor, but it is yet another piece of information about you that the attacker must have to generate the appropriate hash.

      Of course, "biometrics" is awfully hand-wavy. Because fingerprints/retina scans/vein topology/etc aren't digital, the actual algorithms that digitize them have a large margin of error, and any hash in the appropriate set will be valid, to a certain standard deviation.

      As a result, biometrics are only as good as the worst of: 1) implementation and 2) application. They're really just a way to allow an individual to carry around a personal hash, and NOT a way to carry around a secret.

      Implemented the right way, your fingerprint, for example, will be used to generate a hash, from which the significant bits are extracted to form a sub-hash. This value would be computed but not be left at rest -- it would then be further hashed with a passphrase or private key to generate the public key which would be stored. As a result, the data credential at rest will be specific to the application, and will not be used in other circumstances. It will be unique, more complex than an easy-to-remember passphrase, and repeatable.

      It doesn't really matter if someone else has a copy of your fingerprint in this situation, as that is the lesser factor of authentication. If the reader itself is compromised, the only data leaked is the passphrase/OTP/print combo for that implementation, which should not affect other uses of your fingerprint.

  6. I would welcome 2-Factor authentication by L4t3r4lu5 · · Score: 1

    I signed up for a service to send a one-time-pad by SMS to my mobile phone for every online purchase. I've yet to receive a single request for a code, or a code itself, and it's been over 3 months.

    Then again, Santander are completely rubbish.

    --
    Finally had enough. Come see us over at https://soylentnews.org/
    1. Re:I would welcome 2-Factor authentication by L4t3r4lu5 · · Score: 1

      Oh, right... I see. It's only used for online banking transactions, not online purchasing. Fat lot of good that's doing to combat online fraud.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    2. Re:I would welcome 2-Factor authentication by Anonymous Coward · · Score: 0

      Oh, right... I see. It's only used for online banking transactions, not online purchasing. Fat lot of good that's doing to combat online fraud.

      Well, yeah, it does help if you're trying to transfer large sums of monies and someone has access to your bank account.

      Do you really expect a OTC every time some money leaves your account?

      I'd say Santander are doing a pretty damn good job at having even such a basic system, try using HSBC or Lloyds in the UK, the protection is shoddy.....

    3. Re:I would welcome 2-Factor authentication by L4t3r4lu5 · · Score: 1

      Yes. Yes I do expect that. Anything less is smoke and mirrors. The infrastructure is in place for the bank, all they need to do is replace that "Verified by Visa" / "Mastercard Securecode" bullshit with this service.

      Verified by Visa: Bypassed with a date of birth. What a joke.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
  7. Old News - This Already Exists by Anonymous Coward · · Score: 3, Informative

    Banks have already been sharing info with the National Cyber-Forensics & Training Alliance (NCFTA) which is a non-profit non-government entity. The NCFTA acts as a middle man between banks/other high value targets and law enforcement. They also do aggregate analysis on the attacks seen by multiple institution to determine if there are larger trends.

  8. Hey by Grindalf · · Score: 0

    Watch out, that's personal ID they'll be sharing without client authorization and by an NGO! That's a felony in most states ...

    --
    The purpose of existence is to make money.
    1. Re:Hey by shentino · · Score: 2

      Trust me, if a big company does something, it's either legal already for them, or is about to be as soon as they send their lobbyists to DC.

      Large corporations effectively have sovereign immunity.

  9. How might this affect privacy concerns? by Eremit · · Score: 2

    Of course it sounds good that the banks want to coordinate their security efforts. Probably one part of their analysis has to create profiles of common usage to be able to discern uncommon and possibly dangerous usage. These profiles will be much more detailed than their internal ones. Might they not use those profiles for other things like customer scoring, targeted advertising, etc., too? Or should I assume that they already share some data about their customers?

  10. Location, location, location! by Anonymous Coward · · Score: 0

    Technologically, there has been much discussion of two-factor authentication to improve security. In fact, security officials in Singapore are even hinting at biometric solutions.

    Forehead or palm?

  11. evolution of slavery by harvey+the+nerd · · Score: 1

    Electronics, more secure and convenient than cash...Yeah right, back to gold and silver.

    1. Re:evolution of slavery by rickb928 · · Score: 1

      Seeing as metals have significant security issues also, this makes as much sense as, well, it doesn't make sense. Change one token for another?

      Anything the least bit tangible can be stolen, even data. Seeing as data snatch-and-grabs are all the rage, how banks can escape the fate of some other outfits that should by their very definition be more secure escapes me. It's a cat-and-mouse game. For banks, the goal may be to prevent break-ins, but the best result is probably to detect them quickly, perhaps even as they are being conducted.

      Me? I'm obviously not a security porofessional, but I would add some honeypots to my systems and watch the assailants do their work. Even then, the real threats are users and their often failed practices. I'm beginning to use phrases for passwords, since random stuff is too hard to manage, 'clever' passwords aren't, and at work I now have multiple passwords that expire more frequently than 15 days. A token would be interesting, but impractical for 50,000 users in our environment. and that's just the internal stuff.

      Tthere is no perfect security.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    2. Re:evolution of slavery by Requiem18th · · Score: 1

      Maybe it's the enginieer in me but couldn't we make a machine to test the authenticity of metal coins? Given that metals have specific density and conductivity it would be pretty hard to make a coin with the same size, shape and conductivy than a silver or gold one for instance.

      --
      But... the future refused to change.
    3. Re:evolution of slavery by rickb928 · · Score: 1

      Make a machine that completely prevents theft of alteration. Then these tokens are secure. Maybe.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  12. unprecedented steps by devent · · Score: 2, Insightful

    How about the consumer and unions come together and take unprecedented steps to combat theft by banks and the Wall Street? First they commited fraud in multi-billion dollars, then get the money from the tax payers to not get bankrupt and now forcing the Europe and the USA into a degaced long recession by austerity and anti-labor politics.

    --
    http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
  13. Looks like... by vikingpower · · Score: 1

    ...banks are the place to work, for the next 2 years or so ( at least if you want to make big bucks ) ?

    --
    Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    1. Re:Looks like... by netwarerip · · Score: 2

      Unless you are a loan officer or manage loan officers there is no money in banking, especially not in I.T. Never has been, never will be. Over 10 years working I.T. for many banks proved that to me, until I finally wised up and got out of the industry. They don't spend a single penny more than they have to on salary, hardware, software, or security. Maybe this will change when a new generation of presidents, board members, etc comes to power, but as long as it's still the same old white men you can give up any hope of them doing anything more than they absolutely have to.

      Just one quick example - back in 2001 or so I was getting ready to install an internet connection to the brand new ethernet lan at a smaller-sized community bank (avg annual profit of about $1.5 million). I quoted something like $2-3k for a Cisco firewall and was told there was no way in hell I could spend that much. Either I find something for under $200 or we go without a firewall altogether.

  14. Aaand that's why... by Anonymous Coward · · Score: 0

    ...you don't use imaginary money (especially the one based on the debt promises [read: lies and make-believe] of others)... or one-crappy-factor authentication (and call it "two factor").

    I know that when my game is done, it will be based on hard solid matter with a stable value. And there will be an exchange rate for imaginary money, that will make people rush to switch to my currency. (No, you won't be able to buy imaginary items [e.g. inside the game] with it. You will only be able to buy services. But since ALL products are just resources [which nobody owns] plus a series of services, that will be fine.)

  15. Re:Biometrics - pushing the bank's risk onto you.. by muckracer · · Score: 3, Funny

    > Like in Mexico, they will take your hand if you are lucky. If you aren't
    > lucky, the bank will have some kind of life detector which will check
    > if the hand is alive.
    > In that case the gang just takes you along with your hand and then
    > disposes of both together after the crime.

    Wow...'Talk to the hand!' will get a whole new meaning now...

  16. i fail to see how by nimbius · · Score: 1

    i can possibly rely on my financial institutions to keep me financially safe. i hit wells fargo this morning to change some coins into dollars and the banker at the counter couldnt count them without a plastic dowel to arrange them in. The entire time the banker on the floor lectured me without provocation about the banks many incredible services and why i should become a member right away. neither one thought to send me on my way with coin rolls perhaps.

    now i know the banks public hat is quite different than their financial institution hat, but i cant help but conclude that when 'major financial groups share data' its going to be data about me, but its only going to be used to further their interests. come to think of it, when a publication mainly related to wall street prints a diatribe on how wonderfully secure major wallstreet institutions are set to become, one cant help but wonder if its the equivalent of trying to put a fresh coat of paint on an old car.

    --
    Good people go to bed earlier.
  17. Security by SoTerrified · · Score: 3, Interesting

    The banks are considering two-factor authentication? That's great! Now my bank account will finally be as secure as my World of Warcraft account!

    http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq

    (Seriously, my favorite online game has been offering two-factor authentication for years. Why is this a new revelation to banks?)

  18. Re:Biometrics - pushing the bank's risk onto you.. by thoughtlover · · Score: 1

    Biometrics; great; Like in Mexico, they will take your hand if you are lucky.

    That example is a tad outrageous, as I believe the end goal was an RFID implant. Besides, if you can get their fingerprint, you can make a latex copy. I'm pretty sure that the 'gummy' fingerprint technique can still fool most dermal scanners.

    --
    No sig for you! Come back one year!
  19. Re:Biometrics - pushing the bank's risk onto you.. by rtfa-troll · · Score: 1

    The specific example was installation of palm readers in ATMs. I don't remember anything about the RFID bit have a link? I don't see that it help, nor the fact you can forge the fingerprint readers easily with a rubber glove. Anything which is beyond the abilities and patience of a guy with a gun is a bad idea. What is needed is a PIN code with a maximum daily limit and a gradually extending authorisation system depending on the size of the transaction taking place. For example: if it's 100 your PIN is enough; if it's 1000 you also get a call and they use voice analysis; if it's 10,000 you have to visit a branch; if it's 100,000 the branch does serious authentication when you visit, checks your family is okay and so on.

    As long as the cost of the authentication is a small fraction of the profit on the transaction and the loss through bad transactions is less than the cost to the criminals of the times they get caught, everything is okay.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  20. Quickly! by hesaigo999ca · · Score: 1

    On the heels of MS sharing all info they have gotten from the malware with all the major big banking companies and law agencies, this is yet another great step towards uniting against a 5 billion dollar a year industry, identity theft/fraud!

    I applaud it, although they might need to sanction some sort of governing body to help make decisions, else you might get one that wants to take their ball home if they don't play the way they like.

    On the plus side, it just means more ideas will be shared across the board between all big banks, and security will be their #1 priority.