Banking Frontiers September, 2002
MYTH 1 – “Email messages are confidential and can be trusted.”
In a world where email spoofing is literally becoming child’s play, this statement is no longer a myth – it is a lie. Email spoofing, where an email appears to have been sent by one person but was actually sent by someone else, has brought many to financial ruin.
Take the case of an Indian bank which recently faced a run because an email, supposedly sent by its manager, informed customers that the bank was facing financial troubles. In another case, a Pune-based businessman was conned out of Rs 10 lakhs by a Nigerian who was pretending to be the Vice President of the African Development Bank. The businessman trusted the sender’s email address as it appeared in the email he received.
The only way to protect yourself is to digitally sign and encrypt all email messages.
MYTH 2 – “We have firewalls installed. We are totally safe.”
Untrue. In reality, almost all firewalls have been broken into at one time or another. Bugs have been discovered in some of the best firewalls in the world. A new version is introduced as soon as the bugs in the earlier version become public. Then a newer version is introduced as soon as the bugs in that version become public, and so on…
Instead of trying to secure your position by installing criminally expensive firewalls, use Virtual Private Networks based on Public Key Infrastructure.
MYTH 3 – “We are using the best antivirus. There’s no way we can get infected.”
Now let us face the facts. Suppose your company buys the latest anti-virus package. The anti-virus company provides you with regular updates, so you update once a month. Each day 30-50 new viruses are created and released into “the wild”. What if you get infected between updates? Anti-virus software, and by this we mean all anti-virus software, works on a reactive basis: first the virus attacks, then the patch is made. No anti-virus anticipates the new viruses it will have to face.
To drive home the point, consider the case of the Idiot virus. This virus would scan all your communication and wherever it found the words Sir or Madam it would change them to IDIOT. Imagine bank statements going out to thousands of customers that start with the words “Dear Idiot,”!
Another virus, the ILOVEYOU virus, enjoys the distinction of having been the most prevalent virus in the world. This virus was written in the Visual Basic language. Losses incurred due to this virus were pegged at US $10 billion! The virus used the addresses in the victim’s Microsoft Outlook and e-mailed itself to those addresses. The email it sent out had “ILOVEYOU” in its subject line, and the attached file was named “LOVE-LETTER-FOR-YOU.TXT.vbs”. People wary of opening email attachments were won over by the subject line, and those who had some knowledge of viruses did not notice the tiny .vbs extension and believed the file to be a text file. The message in the email was “kindly check the attached LOVELETTER coming from me”. The virus first selected certain files and then inserted its own code in place of the original data contained in each file. In this way it created ever-increasing copies of itself.
The 5% virus – that is what the original version was called. This virus affected mainly financial institutions. Its effect was that it would take all the figures in your computers and alter them, either increasing or decreasing them by 5%. Later versions changed the percentage of alteration to 1.35% or 2.7%, making it even more difficult to trace the alterations.
The solution: do not blindly trust any anti-virus package. Set down inviolable rules about email attachments – whether they may be opened from office computers or not. No computer that has even remotely important data on it should have any connectivity to the Internet. If this computer is on a network, the entire network should have no connection whatsoever with the Internet. Employees should not be allowed to use their floppies on office computers.
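As an added illustration of the attachment rule above (example code written for this edit, not from the article), the check below looks only at a file's real, last extension, so that the ILOVEYOU name LOVE-LETTER-FOR-YOU.TXT.vbs is held back as a script even though it reads like a text file. The extension lists and sample names are assumptions constructed for the example.

```python
# Extensions that Windows runs directly when an attachment is double-clicked.
# This list is an assumption for the example (a starting point for a policy),
# not something the article enumerates.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "hta",
    "vbs", "vbe", "js", "jse", "wsf", "wsh",
}

# Harmless-looking extensions commonly placed in front of a script extension
# so the name reads like a document ("...TXT.vbs"). Also an assumption.
DECOY_EXTENSIONS = {"txt", "doc", "xls", "pdf", "jpg", "gif", "htm", "html"}


def attachment_verdict(filename):
    """Classify one attachment name as ('block' | 'allow', reason).

    Only the real (last) extension decides whether the file is executable;
    everything before it is cosmetic, which is what the double-extension
    trick counted on users overlooking.
    """
    name = filename.strip().rstrip(". ").lower()  # Windows drops trailing dots/spaces
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("allow", "no extension")
    real_ext = parts[-1]
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return ("allow", f".{real_ext} is not executable")
    if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
        return ("block", f"executable .{real_ext} disguised as .{parts[-2]}")
    return ("block", f"executable .{real_ext}")


def screen_attachments(filenames):
    """Return the names an office mail gateway should hold back for review."""
    return [f for f in filenames if attachment_verdict(f)[0] == "block"]


# Constructed sample names; the first is the ILOVEYOU attachment named in the article.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "Q2-statement.pdf",
    "customer-list.xls",
    "greetings.jpg.scr",
    "setup.exe",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(f"{name:30} -> {attachment_verdict(name)}")
```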
MYTH 4 – “If something is password protected, I bet it cannot be broken into.”
If you make this bet, you will be sorry. Most passwords are short and very simple to crack. To make matters worse, most passwords are based on common names, birth dates, telephone numbers etc. These are, of course, the first passwords that any hacker will try. It is easy enough to crack passwords; such users just make the hacker’s job easier.
The hacker could actually pretend to be really close to you until you trust them. And obviously, since they are now part of the trusted gang, you wouldn’t think twice about “mistakenly” telling them your password. Why would they possibly want to harm you, right? Then there are those who are experienced in the use of computers but can’t always remember their password. So, what do they do? They write these passwords on POST-IT notes and stick them on their monitors, thinking, “No one would really think of looking for passwords there, would they?”
Even if you do not make any of these bloopers, all a hacker would need to break your passwords is a good password cracker. Just a small piece of trivia – the good crackers are quite capable of checking 75 lakh passwords per second! The best way to avoid such ugly situations: keep long alphanumeric and symbolic machine-generated passwords (like a_7834ee*A98Y!$%), change passwords frequently and have a well defined organizational password policy.
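As an added example (written for this edit, not taken from the article), the script below puts the 75 lakh passwords per second figure to work: it estimates how long exhausting a password's search space takes at that speed, applies an assumed organizational policy (minimum length, all four character classes, no bare numbers) and generates a machine-generated password of the kind suggested above.

```python
import secrets
import string

# The article's figure: a good cracker checks 75 lakh (7.5 million) passwords per second.
GUESSES_PER_SECOND = 7_500_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CHARACTER_CLASSES = (
    string.ascii_lowercase,  # 26 symbols
    string.ascii_uppercase,  # 26 symbols
    string.digits,           # 10 symbols
    string.punctuation,      # 32 symbols
)
FULL_ALPHABET = "".join(CHARACTER_CLASSES)  # 94 symbols in total


def keyspace(password):
    """Candidates a brute-force search must cover: pool ** length, where the pool
    is the union of the character classes the password actually uses."""
    pool = sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))
    return pool ** len(password)


def years_to_exhaust(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case years needed to try every candidate at the given speed."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


def meets_policy(password, min_length=12):
    """Policy assumed for this example: minimum length, all four character
    classes present, and nothing that is just a birth date or phone number."""
    if password.isdigit():  # birth dates and telephone numbers
        return False
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)


def generate_password(length=16):
    """Machine-generated password in the style the article recommends."""
    while True:
        candidate = "".join(secrets.choice(FULL_ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    # "1985" and "rajesh" are constructed weak samples; the third is the article's example.
    for pw in ("1985", "rajesh", "a_7834ee*A98Y!$%", generate_password()):
        print(f"{pw:20} policy={meets_policy(pw)!s:5} years_to_exhaust={years_to_exhaust(pw):.3g}")
```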
MYTH 5 – “Operating systems have built-in dependable security features.”
That one is a joke. It is common knowledge that most operating systems (OS) provide only a very basic level of security against breaches. If that is what you are depending on, you might as well present all your critical data to the attackers on a CD-ROM. The solution? Do NOT trust only your OS. Use a combination of electronic and information security techniques for data protection.
MYTH 6 – “Once a month, we back up all our data on another drive.”
Big mistake. Most institutions take regular backups onto another drive. What happens if a virus infects the computer on which regular backups are taken and all the files are destroyed? Backups should be taken in real time and additionally stored on removable media like CD-ROMs.
MYTH 7 – “Since banks use it, banking software is absolutely bug-free.”
No software is completely bug-free. Time and again hackers have proven this fact, much to the chagrin of the banks. The best banking software has been shown to have major flaws. In many cases the software developers deliberately leave flaws or backdoors in the software. And you have to consider the fact that developers are, in the end, human. They can make mistakes. These vulnerabilities are later exploited to commit huge frauds. This one has no perfect tailor-made solution. Choose a proven software solution and … pray.
MYTH 8 – “Anyways, if something goes wrong, our team of experts can handle it.”
Wrong. If a security breach occurs, bring in the experts. Do not try to investigate in-house. You may end up doing irretrievable damage with nothing to show for it. Electronic evidence is inherently volatile and will disappear if you try to investigate without expert assistance. A team of the FBI’s (USA) top-notch cyber crime investigators raided the premises of a suspect and confiscated his computers. Keep in mind that these guys were some of the best in the world. When they reached their labs and reconnected the computers, they found that there was nothing on them.
It was later found that the suspect had put extremely powerful magnetic coils around his door. When the computers were taken through that door, all the data on them was completely erased!
MYTH 9 – “OK. If a breach occurs, we will wait for the experts to come in before doing anything.”
Wrong again. All your employees should be trained in basic emergency response. A security breach should not create FUD (Fear, Uncertainty and Doubt). All employees should know that panic will not help. They should be well aware of the countermeasures that will need to be taken. These basic countermeasures are, of course, dependent upon the systems and software in use.
A bank in London was hacked into. Their intrusion detection system (IDS) immediately alerted them to the breach. The authorities of the bank called in a team of experts for investigation. This team arrived one and a half hours later. By then the attacker had stolen tons of customer account information and erased most of the evidence. The Computer Emergency Response Team (CERT) later said that had the bank employees disconnected the target computer from the network, 90% of the data could have been saved.
MYTH 10 – “What’s the point in trying to report anything to the police? They can’t do anything anyway!”
This is one of the most blatant statements of ignorance. Many police departments today are well trained to handle cyber crimes and are aware of the legal provisions. Make sure that the local police are informed as soon as any breach is detected or suspected. If the collection of evidence is not done meticulously and in accordance with the law, the criminals will walk free.