Banks Face New Threat
Banks have been caught off guard by what experts say is the first major mobile banking security threat to hit the United States.
It is a modification of the mobile Trojan called Svpeng, which has been used to steal money from Russian mobile bank accounts, said Dmitry Bestuzhev, head of the global research and analysis team, Latin America, at Kaspersky Lab, the Woburn, Mass.-based antivirus software company that discovered the malware.
The malware, which emanates from Russia, has been termed “ransomware,” because the hackers demand payment in exchange for not destroying the victim’s reputation, claiming there is child pornography and other prohibited content on the cell phone.
“It takes a picture of the victim and then says it will send it with the child pornography findings to all of the victim’s contacts,” Bestuzhev said.
“Nobody wants to be a victim of such reputation damage.”
This new malware is deeply integrated and is almost impossible to remove from an infected device, he added.
Better software is needed to protect against malware, said Chris Keegan, a managing director at Beecher Carlson in New York.
For now, banks rely on warning their customers against social engineering attempts by fraudsters, and usually that means, “Don’t press the button or answer the email.” Banks must warn their customers not to download any applications not found on verified websites, he said.
Banks Ran Out of Time
Avivah Litan, a Gartner Inc. vice president and analyst in Potomac, Md., said the malware should serve as a wake-up call for many banks, as a fair number of them have not developed security measures for mobile banking that are as robust as those used in online banking.
Ensuring that customers use secured browsers doesn’t apply when they use mobile apps.
Giants like Chase Bank, U.S. Bank and others are developing tougher measures specific to mobile, but the industry as a whole needs to step it up, Litan said.
“They’ve just been slow to put measures in place specific to mobile because there hasn’t been any mobile malware,” she said. “Everybody knew it was coming, but they thought they had more time.”
Matt Krogstad, head of mobile banking at Bank of the West in San Francisco, said the bank’s fraud prevention department works with his department to combat mobile malware and other types of mobile banking fraud.
“It’s an ongoing process since the mobile security space is constantly evolving,” Krogstad said.
Bank of the West diligently educates customers about the latest threats, Krogstad said. In cases like Heartbleed, communications to customers were to reassure them that the bank had done its due diligence to ensure that their accounts were safe.
“With other malware like this ransomware, it’s more about reinforcing certain behaviors, such as not downloading apps from unofficial app stores or not clicking on links from people you don’t know,” he said. “Don’t jailbreak your phone or put your banking passwords in your contacts.”
Keeping up with all types of cyber crime continues to challenge the industry. Indeed, computer crime and malicious codes rank as No. 5 as a top risk for banks, according to Aon’s “2014 U.S. Industry Report: Financial Institutions.”
However, there is a disconnect at most banks that hampers risk mitigation, said Michael O’Connell, managing director, financial institutions practice at Aon Risk Solutions.
The disconnect occurs because one group traditionally is responsible for purchasing insurance, while another group is responsible for assessing exposures, including technology that may pose an operational enterprise risk, said O’Connell.
“We strongly recommend linking the two groups together, to assess ‘what-if’ scenarios and develop mitigation strategies that include insurance,” he said.
Kevin Kalinich, Aon’s global practice leader for cyber/network risk, said that recent court decisions have ruled that if fraudsters are able to steal customer identities or money, it is the bank’s obligation to help its customers, even if the fraud is out of the bank’s control.
“So if a customer gets fooled on their mobile devices, then the bank has the responsibility to monitor usage of their bank accounts,” Kalinich said.
Social Media: A Double-Edged Sword
Something as simple as a hashtag can launch an event onto a national stage in a matter of hours. For companies and organizations harnessing social media as a business tool, that kind of attention can go both ways.
In Target’s massive cyber breach last year, customers unleashed their fury on Facebook and Twitter, spreading bad press perhaps too overwhelming for a corporate response to counter. Nearly a year later, the company has slashed its profit outlook for 2014 as it struggles to regain consumer trust.
Earlier this year, the New York Police Department started the hashtag #myNYPD, encouraging people to tweet friendly photos of themselves with officers. The marketing ploy backfired, however, when people shared photos of police brutality instead.
Another marketing ploy backfired during Hurricane Sandy in 2012, when Gap posted a tweet telling customers in the area to stay safe, and perhaps spend their time using the store’s website. Faced with backlash for insensitivity, the retail chain later deleted the tweet and apologized.
But the pendulum can swing the other way, too. Take for example the ALS Ice Bucket Challenge.
The Facebook campaign prompting users to donate to the ALS Association — or record themselves dumping a bucket of ice water over their heads — has so far raised $111 million and boosted awareness of the debilitating disease, according to the association.
While Facebook, Twitter and LinkedIn are the most common channels used by companies, more social media forums are emerging, and executives and risk managers must consider how to deal with the reputational and legal risks while taking advantage of the communication breadth and speed of social media.
“Social media is the quickest, most efficient way to reach customers,” said Mark Scovera, president of Access Florida Finance Corporation (AFFC). “It has allowed us to target our customers and focus in on folks who really want to hear our message.”
Scovera participated in a survey and report by audit and advisory firm Grant Thornton, “Social media risks and rewards,” focusing on the pros and cons of social media for business.
The report identified four top risks associated with social media. First and foremost: brand reputation. Others included the disclosure of proprietary information, corporate identity theft, and legal, regulatory or compliance violations.
Thirty-eight percent of the 111 executives surveyed said their companies use social media to raise brand awareness, while 27 percent use it for recruiting purposes. Fifty-five percent said social media will be an important component of corporate efforts in the future.
“Social media is not simply a technology issue; it’s a business issue and opportunity, and therefore requires a specific strategy that directly ties back to the organization’s overall corporate strategy,” the report said.
Only 33 percent of companies surveyed had a defined social media policy, and only 36 percent provided social media training for employees. But 40 percent are developing a policy or have other related ones in place, such as “acceptable use” and “bring your own device” policies.
“A number of companies are adopting social media policies,” said Melissa Krasnow, certified information privacy professional and corporate partner with Dorsey & Whitney LLP.
But the language within those policies must comply with state and national regulations. For example, states have different laws governing whether employers can demand log-in information for employees’ private accounts.
“Companies need to consult with legal counsel,” she said.
The National Labor Relations Board (NLRB) is scrutinizing employer social media policies that appear too restrictive of employees’ speech and the “right to come together to discuss work-related issues for the purpose of collective bargaining or other mutual aid or protection.”
In other words, policies that forbid or punish employees for speaking ill of their companies on social media could be found unlawful by the NLRB.
How then can employers limit the spread of bad press by a disgruntled employee or customer?
“We had a marketing consultant that advised on things to do and not to do, and how to handle negative comments,” Scovera said.
“It would be no different than if we were speaking in front of a large group and asked a difficult question. We try to put a positive spin on it, and if the person persists, we attempt to take it offline. We’ve never had to get to this point, but if that didn’t work, we’d do whatever we can to delete the comments and block that person.”
Scovera and AFFC’s social media policy also addresses how to manage the content generated and disseminated by the organization. Scovera meets with his marketing coordinator on a monthly basis to determine which messages or types of content the company should push out.
“The third area was to make sure it was clear that the company owns the social media content and contact,” he said. “We didn’t want an employee who developed contacts through social media to leave and take all those followers with them.”
“This involves aspects of intellectual property risk,” Krasnow said. “Whose name is on the account? Who actually owns it?”
In addition to input from legal counsel, some suggest that IT, risk management, and marketing departments should vet messages before they are posted, because each function will have a different perspective.
“As social media evolves, there are new risks all the time that a business owner needs to be aware of,” Scovera said.
With the right policies in place, companies can keep themselves from becoming another negative hashtag.
A Dreaming Team
Chris Thorn is known as one of the most creative risk managers in the business. After all, his risk management program hit the cover of Risk & Insurance® in March 2012.
Now the senior manager, payments and risk, for Southwest Airlines is working with Riskonnect, a technology partner that he thinks can take his program to new heights.
“For us, it’s a platform that gives you so many different tools that if you can dream it, you can build it,” said Thorn.
Thorn ditched his legacy risk management information system in 2012 and started working with Riskonnect, initially using the platform solely for liability claims management.
But the system’s “do-it-yourself” accessibility almost immediately caught the eye of Thorn’s colleagues managing safety risk and workers’ compensation.
“They were seeking a software solution at the time and said, ‘Hey, we want to join the party,’” Thorn recalls of his friends in safety and workers’ compensation.
What was making Thorn’s colleagues so jealous was the system’s “smart question” process, which allows any supervisor in the company to enter a claim while at the same time freeing those supervisors from having to act as claims adjusters.
The Riskonnect platform asks questions that direct the claim to the appropriate category without the supervisor having to take on the burden of performing that triage.
“They love it because all of the redundant questions are gone,” Thorn said.
The added beauty of the system, Thorn said, is that it allows carriers and TPAs to work right alongside the Southwest team in claims files while maintaining rock-solid cyber security.
“This has sped up the process,” Thorn said.
“Any time you can speed up the process, the more success you’re going to have when you make offers to settle claims,” he said.
Since that initial splash in claims management, the Riskonnect platform has gone on to become a rock star at Southwest in a number of other areas. And as Thorn suggests, the possibilities of the system are limited only by the user’s imagination.
With a little creativity and help from Riskonnect as needed, a risk manager can add on system capabilities without having to go on bended knee to his own information technology department.
In the area of insurance policy management, for example, the Riskonnect platform as built by Thorn now holds data on all property values and exposures that can in turn be downloaded for use by underwriters.
Every time Southwest buys a new airplane, the enterprise platform sends out a notice to the airline’s insurance broker, who in turn notifies the 16 or 17 carriers that are on the hull program.
Again, in that “anything’s possible” vein, the system has the capability of notifying the carriers, directly, a tool Thorn said he’s flirting with.
“It is capable of doing that,” he said.
“We’re testing out this functionality before we turn it loose directly to the insurance companies.”
In alignment with the platform’s muscle in documenting, storing and reporting liability and property exposures, the system monitors and reports on insurance carrier financial strength.
If a rating agency downgrades a Southwest program carrier’s financial strength, for example, the system “pings” Thorn and his colleagues.
“Not only will we know about it, but we will also know all programs, present and past, that they participated on, what the open reserves are for those policy years and policies,” Thorn said.
“That gives us even more comfort that we have good, solid financial backing of the insurance policies that are protecting us,” Thorn said.
Like many of us, Chris Thorn didn’t set out to work in risk management and insurance. Thorn is a Certified Public Accountant, and it’s that background that allows him to take creative advantage of the Riskonnect platform’s malleability in yet another way.
With the help of the Riskonnect customer service team, Thorn added a function to the platform that allows him to calculate the cost of insurance policies on a monthly basis, enter them into a general ledger and send them over to his colleagues in accounting.
“It’s very robust on handling financial information, date information, or anything with that much granularity,” Thorn said.
The sky is the limit
Thorn and Southwest are only two years into their relationship with Riskonnect and there are a number of places Thorn thinks the platform can take him that have yet to be explored, but certainly will be.
“It’s basically a repository of anything that’s risk-related, it continues to grow,” Thorn said.
Not only have Southwest’s safety and workers’ compensation managers joined Thorn in his work with Riskonnect, business continuity has come knocking as well.
Thorn met in July with members of Southwest Airlines’ business continuity team, which has a whole host of concerns, ranging from pandemics to cyber-attacks, for which it needs help documenting exposures and resiliency options.
That Enterprise Risk Management approach will in the future also involve the system’s capability to provide risk alerts, telling Thorn and his team, for example, that a hurricane or fast-moving wildfire is threatening one of the company’s facilities.
Supply chain resiliency and managing certificates of insurance for foreign vendors are other areas where Thorn and his team plan to put the Riskonnect platform to good use.
“That’s all stuff that’s being worked on by us,” Thorn said.
“They’ve given us the tools, but we’re trying to develop how we’re going to use it,” he said.