When management sets the wrong security culture

Fourteen years ago I warned MyBank (which is not one of my clients; I am one of its) about using Social Security numbers as solid identification. The bank's head of security said he would look into it. Since then, the security at MyBank has gone from bad to worse. It's still a recipe for ID theft.

During a recent tele-banking transaction, I was instructed to enter my bank account and Social Security numbers. MyBank's "new and improved" system was using two pieces of publicly available information as proof-positive remote identification. When I confronted MyBank about this, it took 30 days to fix this gaping security hole.

Last month, MyBank assured me its online banking system was fixed. Logon security was decent: a long, secret account number generated by the bank, my federal EIN, a four-digit PIN and no cookies. As a test, I moved money to American Express and paid Al, a member of my staff.

Several days later, Al screams, "Where's my paycheck?" I had proof I sent it. Amex also said it had not been paid. I had proof I paid it. I called MyBank and asked for proof of receipt of funds by Amex and Al's bank, but was told the bank does not use acknowledgements from online transfers. The most disturbing security aspect is that no one at MyBank could tell me where my money was when it was not in my account and not in Amex's or Al's.

Then security at MyBank plummeted to a new low. The reasonable logon security had been shattered, as the long private code was no longer required. Now my publicly available account number and a mere four-digit PIN was the sole defense of any account that sits on the Internet. The obvious attempt to simplify the user experience is a devastating blow to security. An ATM card only requires a four-digit PIN, but it employs the "something you own, something you know," identification mantra. Silly me for expecting better banking security on the Internet.

When I once more attempted to pay my staff, Al was again the victim. His money was snafued in the labyrinth of MyBank's infrastructure. Without my knowledge or approval, a banking employee: (1) cancelled my payment to Al, (2) issued a payment from my account with something called a "forced check" to Al, (3) withdrew a duplicate payment from my account without my authorization and deposited it in Al's account, and (4) cancelled another payment to Al. The net effect of this security transgression was a cascade of bad checks, overdrafts and the freezing of Al's other accounts.

Then it got worse. Al says MyBank told him that the money was removed from his account (without authorization or notice) because my corporate account had insufficient funds to cover his paycheck. This security breach was in clear violation of any number of privacy and banking laws or compliant governance besides being an absolute untruth.

If any one of these had been an isolated incident, so be it, but I was sucked into the pandemic maelstrom of a stream of significant security lapses. MyBank chose to use the easiest and weakest identification possible. All three basic security principles - confidentiality, integrity and availability - were violated through poor application design, inexplicable movement of money, social engineering and denial of funds. To see two major remote banking systems designed with such holes suggests that the application development folks are using weak security as a trade-off for a simpler customer experience.

Security and user experience (functionality) are inversely proportional, but it appears MyBank has taken the easy way out: Listen to customers who complain about security barriers, remove or reduce their efficacy and see what happens. I had hoped by now that most major financial institutions had crossed the security awareness boundary from clueless to clued-in. Hopefully my experience can serve as a model on what not to do.

Schwartau is a security writer, lecturer and president of Interpact, a security awareness consulting firm. He can be reached at winn@thesecurityawarenesscompany.com.

Copyright © 2005 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022