Major Financial Groups Share Data To Fight Online Theft

smitty777 writes "The Wall Street Journal is reporting on some unprecedented steps being taken by major financial institutions to combat online theft. The initiatives include a new type of data center that would be used to analyze bank data for potential security threats. Additionally, a quarterly round-table between the rivals to attack security issues was proposed. The article notes that 'security threats are pushing the big banks to do something that doesn't come naturally for these secrecy-steeped institutions: share information with one another.' A video at MarketWatch digs into it a little bit more, and points out that the banks will spend an estimated $1 billion on protection this year, which represents a 12% increase. Technologically, there has been much discussion of two-factor authentication to improve security. In fact, security officials in Singapore are even hinting at biometric solutions."

Criminals rejoice!

[Majik Sheff]

The banks have decided to consolidate their weak IT policies into a convenient one-stop shop for attacks!

No longer will you have to break into a half-dozen banks to get the personal information of millions!

Re:

[Anonymous Coward]

Can't they just nationalize the banks already? It would save the government the trouble of making sure that the banks don't get too friendly with each other.

Re:Criminals rejoice!

[Gideon Wells]

It all comes down to how it works.

Right now you have many companies who have differing levels of protection. This would be akin to each state being in charge of its own military. Ideally, by pooling said resources a better overall military/defense could be formed. Redundancy removed, funds freed up for more high level prevention.

Of course, that is being optimistic. Pessimistically, they'll agree to combine all their funds, use 10% (90% to bonuses for thinking of this savings) of it for this venture, outsource it to a company in India, who outsources it to China, who out sources it to South Korea (which gets linked to North Korea and sold to Russia), who out sources it to a vocational school in Seattle.

Re:

[AliasMarlowe]

It all comes down to how it works.

It all comes down to how it dysfunctions.

Recall the old adage that Canada should be the best place in the world, with French culture, British politics, and American industry. Instead, they somehow ended up with French politics, British industry, and American culture. This cooperation between banks will doubtless combine their weaknesses while discarding their strengths in a similar way.

Decent evaluation of Bank security

[boner]

Having used both name/password, electronic tokens etc. to access my financial data, I would like to see an objective analysis of their security. I personally prefer the electronic tokens used by several Dutch banks (ING, Rabobank, ABN AMRO), above the name/password features used by American banks (BofA, Wells Fargo, Chase, JP Morgan, Credit unions, etc.). But the main question is: how do they perform in real-life? Which schemes lose more money to scamming or phishing?

Evaluating the performance of my parents (70+) with modern authentication schemes, does not bode well. My parents are generally unable to distinguish phishing mail from real mail - how should banks balance the convenience of email against the requirements for safety?

Can anyone point to objective evaluations of bank security and authentication schemes?

Re:

[TubeSteak]

... At an industry conference in 2003, ..., the chief technology officer of a large bank said ... "We don't want to talk about fraud in front of anyone."

You'll never see an objective analysis of their security and you'll never learn which banks are subject to fraud, except where State/Federal law requires disclosure.
If we learned about the $$$ value of fraud that banks write off, there would probably be public outrage and a crisis of confidence in the banking system,
especially now with the mortgage crisis and bank bailouts fresh in the public's mind.

Re:

[daemonenwind]

If we learned about the $$$ value of fraud that banks write off, there would probably be public outrage and a crisis of confidence in the banking system,
especially now with the mortgage crisis and bank bailouts fresh in the public's mind.

If you want to know the value of fraud, just look at any major bank's quarterly statement. It's usually broken out by line-item.

Protip: start with whatever division name would hold consumer revolving credit, aka credit cards.

It's the information age; you'd be surprised at what you can find if you just drop the conspiracy theories and anti-corporatism and actually look.

Biometrics - pushing the bank's risk onto you...

[rtfa-troll]

Biometrics; great; Like in Mexico, they will take your hand if you are lucky. If you aren't lucky, the bank will have some kind of life detector which will check if the hand is alive. In that case the gang just takes you along with your hand and then disposes of both together after the crime. With the exception of the situation where there's a guard actually checking that the ID system is being used right by a single person, what could be stupider than using a security token you can't change.

Re:Biometrics - pushing the bank's risk onto you..

[muckracer]

> Like in Mexico, they will take your hand if you are lucky. If you aren't
> lucky, the bank will have some kind of life detector which will check
> if the hand is alive.
> In that case the gang just takes you along with your hand and then
> disposes of both together after the crime.

Wow...'Talk to the hand!' will get a whole new meaning now...

Re:

[thoughtlover]

Biometrics; great; Like in Mexico, they will take your hand if you are lucky.

That example is a tad outrageous, as I believe the end goal was an RFID implant. Besides, if you can get their fingerprint, you can make a latex copy. I'm pretty sure that the 'gummy' fingerprint technique can still fool most dermal scanners.

Re:

[rtfa-troll]

The specific example was installation of palm readers in ATMs. I don't remember anything about the RFID bit have a link? I don't see that it help, nor the fact you can forge the fingerprint readers easily with a rubber glove. Anything which is beyond the abilities and patience of a guy with a gun is a bad idea. What is needed is a PIN code with a maximum daily limit and a gradually extending authorisation system depending on the size of the transaction taking place. For example: if it's 100 your PIN is

Re:

[anubi]

That is what scares me.

My broker's website is so full of javascript and pop-ups I am terrified to use it. I pulled my retirement from that broker and went to a "brick-and-mortar" institution, only because I know how easy it would be to fool me with a clever javascript to redirect me to a bogus site.

I feel completely powerless when talking to a office guy whose instructions are to toe the company line and ignore the customer's pleas to not put this kind of code on a financial site. I am left stewing kn

Biometrics? Again?

[fuzzyfuzzyfungus]

Biometrics must be the 'security' concept that combines the worst features with the best wiz-bang sci-fi aesthetic appeal... I can only assume that it was invented during a sort of 'product blackjack', where a group of players competed to see who could come up with the most awful ideal that could still be successfully sold...

"Hey guys, I'm trying to build a truly awful security system. Can anybody think of something like a password, only absurdly hard to change voluntarily, occasionally changed traumatically by forces beyond the user's control, and preferably left in traces all over the place during the course of daily life? Drinks are on me if successfully compromising it for one institution renders it strongly likely that it will be compromised across a large number of unrelated ones simultaneously!"

Re:

[Requiem18th]

Obligatory youtube link http://www.youtube.com/watch?v=LA4Xx5Noxyo [youtube.com]

Re:

[Em Adespoton]

The only place I can see biometrics being useful is as part of a hashing algorithm where some other factor is a secret. In this case, it's not the primary securing factor, but it is yet another piece of information about you that the attacker must have to generate the appropriate hash.

Of course, "biometrics" is awfully hand-wavy. Because fingerprints/retina scans/vein topology/etc aren't digital, the actual algorithms that digitize them have a large margin of error, and any hash in the appropriate set wil

I would welcome 2-Factor authentication

[L4t3r4lu5]

I signed up for a service to send a one-time-pad by SMS to my mobile phone for every online purchase. I've yet to receive a single request for a code, or a code itself, and it's been over 3 months.

Then again, Santander are completely rubbish.

Re:

[L4t3r4lu5]

Oh, right... I see. It's only used for online banking transactions, not online purchasing. Fat lot of good that's doing to combat online fraud.

Re:

[L4t3r4lu5]

Yes. Yes I do expect that. Anything less is smoke and mirrors. The infrastructure is in place for the bank, all they need to do is replace that "Verified by Visa" / "Mastercard Securecode" bullshit with this service.

Verified by Visa: Bypassed with a date of birth. What a joke.

Old News - This Already Exists

[Anonymous Coward]

Banks have already been sharing info with the National Cyber-Forensics & Training Alliance (NCFTA) which is a non-profit non-government entity. The NCFTA acts as a middle man between banks/other high value targets and law enforcement. They also do aggregate analysis on the attacks seen by multiple institution to determine if there are larger trends.

Re:

[shentino]

Trust me, if a big company does something, it's either legal already for them, or is about to be as soon as they send their lobbyists to DC.

Large corporations effectively have sovereign immunity.

How might this affect privacy concerns?

[Eremit]

Of course it sounds good that the banks want to coordinate their security efforts. Probably one part of their analysis has to create profiles of common usage to be able to discern uncommon and possibly dangerous usage. These profiles will be much more detailed than their internal ones. Might they not use those profiles for other things like customer scoring, targeted advertising, etc., too? Or should I assume that they already share some data about their customers?

evolution of slavery

[harvey the nerd]

Electronics, more secure and convenient than cash...Yeah right, back to gold and silver.

Re:

[rickb928]

Seeing as metals have significant security issues [wikipedia.org] also, this makes as much sense as, well, it doesn't make sense. Change one token for another?

Anything the least bit tangible can be stolen, even data. Seeing as data snatch-and-grabs are all the rage, how banks can escape the fate of some other outfits that should by their very definition be more secure escapes me. It's a cat-and-mouse game. For banks, the goal may be to prevent break-ins, but the best result is probably to detect them quickly, perhaps e

Re:

[Requiem18th]

Maybe it's the enginieer in me but couldn't we make a machine to test the authenticity of metal coins? Given that metals have specific density and conductivity it would be pretty hard to make a coin with the same size, shape and conductivy than a silver or gold one for instance.

Re:

[rickb928]

Make a machine that completely prevents theft of alteration. Then these tokens are secure. Maybe.

unprecedented steps

[devent]

How about the consumer and unions come together and take unprecedented steps to combat theft by banks and the Wall Street? First they commited fraud in multi-billion dollars, then get the money from the tax payers to not get bankrupt and now forcing the Europe and the USA into a degaced long recession by austerity and anti-labor politics.

Looks like...

[vikingpower]

...banks are the place to work, for the next 2 years or so ( at least if you want to make big bucks ) ?

Re:

[netwarerip]

Unless you are a loan officer or manage loan officers there is no money in banking, especially not in I.T. Never has been, never will be. Over 10 years working I.T. for many banks proved that to me, until I finally wised up and got out of the industry. They don't spend a single penny more than they have to on salary, hardware, software, or security. Maybe this will change when a new generation of presidents, board members, etc comes to power, but as long as it's still the same old white men you can give up

Re:

[account_deleted]

Comment removed based on user account deletion

Security

[SoTerrified]

The banks are considering two-factor authentication? That's great! Now my bank account will finally be as secure as my World of Warcraft account!

http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq [battle.net]

(Seriously, my favorite online game has been offering two-factor authentication for years. Why is this a new revelation to banks?)

Quickly!

[hesaigo999ca]

On the heels of MS sharing all info they have gotten from the malware with all the major big banking companies and law agencies, this is yet another great step towards uniting against a 5 billion dollar a year industry, identity theft/fraud!

I applaud it, although they might need to sanction some sort of governing body to help make decisions, else you might get one that wants to take their ball home if they don't play the way they like.

On the plus side, it just means more ideas will be shared across the boar