SEPTEMBER 19, 2000

SECURITY NET
By Alex Salkever

Online Banks Still Have Security Blinders On
Damaging, even catastrophic, breaches can happen just like that. Unfortunately, most financial institutions aren't adequately prepared

Earlier this month, tens of thousands of Western Union customers awoke to a disconcerting phone call. A recorded message from company President Mike Yerington warned that unknown intruders had snaked through an Internet security hole and gained access to 10,000 to 20,000 credit-card and debit-card numbers used in Western Union money transfers. Human error caused the breach: A Western Union employee doing routine maintenance left the site unprotected by mistake.

Some mistake. Since 1851, Western Union has built its reputation on safely delivering the goods -- whether it's information or money -- anywhere in the world. But when the dust had settled on Sept. 10, 2000, the company tallied 15,700 compromised accounts, not to mention the blot left on its Internet strategy launched only three months earlier.

It's not that the venerable company mishandled the security breach. Actually, computer experts give Western Union credit for responding swiftly and properly. It shut down its servers and went to extraordinary lengths to notify customers. The company even urged them to cancel their exposed credit cards and request new ones -- a gutsy move that surely put frowns on the faces of bank presidents everywhere. It costs banks $125 a pop to cancel and reissue a credit card. That's a step few financial sites have taken in past instances of Internet credit-card fraud, according to Richard Power, editorial director of the Computer Security Institute in San Francisco and author of Tangled Web, a book chronicling digital crimes.

UNHEARD MESSAGE.  Western Union's site is back up, and traffic is brisk, the company reports. No more instances of fraud have been detected, the company claims. By all accounts, Western Union pursued a thorough security audit.

But banks and bank customers, take note. This case illustrates once again that anyone doing business on the Internet -- particularly financial institutions -- can take nothing for granted. Not only does the Internet speed up business but it also speeds up the requisite response time to prevent a financial and/or public-relations catastrophe. That reality should convince even the financial institutions with the stoutest security to pay closer attention.

Alas, that message still may not be getting through to the banking industry. "A lot of other industries often pay more attention to security than some of the banks we talk to. We always tell them you are more of a target because of the data that you hold and transmit, so you have to take extra care for always improving your security," says Ken Bywater, the manager of the Internet security practice at consulting firm Berbee Services.

Bywater says e-commerce is embraced as business development, first and foremost, by most banks and financial institutions. Security ends up as a secondary concern. Even when companies install good security, they often ignore the necessary procedural safeguards such as routine maintenance.

EASY ENTRY.  Fact is, the software packages and security strategies that banks are using to protect themselves and their customers could be far less secure than advertised. Dozens of companies currently sell software for secure banking, but no independent auditing board exists to check on the veracity of their security claims. "I have taken a whack at three large [secure banking] software offerings, and on all three I have gained account numbers, even passwords," says Jim Stickley, chief engineer at security consultants Garrison Technology.

And such information provides an easy route to further fraud. Aside from addresses, many banks store Social Security numbers in the same data records. While Western Union's quick warnings to the financial institutions of affected customers might have headed off direct fraud against their credit-card accounts, exposed records provided customer addresses and credit-card numbers side-by-side. That, in turn, can be used to reroute credit-card mailings or possibly open new accounts with a simple phone call, particularly if the customers elected not to cancel their credit card.

Of course, no system is ever completely hack-proof, and people do make mistakes. Western Union's rapid response, as well as the notification of its customers, prevented damages that could have easily mounted into the millions of dollars within hours.

"BASIC STEPS."  But banks and financial institutions haven't put together agreed-upon standards on how to secure sites -- much less how to respond in case of an attack. Last November, Congress passed legislation to create privacy regulations that could be used as a legal cudgel to promote enhanced security. Unfortunately, that's not likely to be enough, particularly in light of the growing sophistication of the attacks.

Witness the attempts by Visa International in August to provide minimum requirements for sites using online transactions. Visa's criteria for "secure" provided not much of a challenge to even a beginning hacker. "They said things like you should have a firewall, and you should encrypt data accessible via the Internet. It was unbelievable," says Computer Security Institute's Power. "Those are the most basic steps. Much more should be required."

Ideally, Power thinks online banking should require a system more like automatic teller machines, which require not only a known password code but also a physical card. American Express' recent announcement of disposable credit-card numbers is also a step in the right direction. You can sign up for one of these cards at the AmEx Web site and use it one time on the Internet. Consumers can download software that makes the disposable cards easily recognizable to merchants who accept American Express cards.
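The disposable-number idea sketched above comes down to a simple issuer-side rule: a number is minted for one purchase, is mapped to the real account only inside the issuer, and is refused on any second presentation or after a short lifetime. The following Python sketch is an added illustration of that rule and is not code from Western Union, American Express, or any vendor named in the column; the class and method names, the 15-minute default lifetime, and the constructed account ids are assumptions made for the example.

```python
"""
Added example: a single-use ("disposable") card-number service.

Models the mechanism the column describes: the merchant only ever sees a
one-time number; the mapping to the customer's real account lives at the
issuer; a number is accepted once, then rejected as a replay, and expires
on its own if never used.  All names here are hypothetical.
"""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class DisposableNumber:
    token: str          # the number the merchant sees
    account_id: str     # real account; never leaves the issuer
    expires_at: float   # absolute time in epoch seconds
    spent: bool = False


class DisposableNumberIssuer:
    """Issues disposable numbers and redeems each one at most once.

    Records are indexed by a keyed hash of the token, so the lookup table
    itself never holds a usable number in the clear.  A pluggable clock
    makes expiry testable without sleeping.
    """

    def __init__(self, lookup_key: bytes, ttl_seconds: int = 900, clock=time.time):
        self._key = lookup_key          # assumption: issuer-held secret
        self._ttl = ttl_seconds         # assumption: 15-minute default lifetime
        self._clock = clock
        self._store: dict[str, DisposableNumber] = {}

    def _index(self, token: str) -> str:
        # Keyed hash so a leaked table does not yield redeemable numbers.
        return hmac.new(self._key, token.encode(), "sha256").hexdigest()

    def issue(self, account_id: str) -> str:
        # 16 hex digits stand in for a 16-digit card number; random, not derived.
        token = secrets.token_hex(8)
        record = DisposableNumber(token, account_id, self._clock() + self._ttl)
        self._store[self._index(token)] = record
        return token

    def redeem(self, token: str) -> tuple[bool, str]:
        """Return (accepted, account_id_or_reason).

        Order matters: unknown numbers and expired numbers are refused before
        the spent flag is consulted, and the flag is set only on acceptance.
        """
        record = self._store.get(self._index(token))
        if record is None:
            return False, "unknown"
        if self._clock() > record.expires_at:
            return False, "expired"
        if record.spent:
            return False, "replay"
        record.spent = True
        return True, record.account_id


if __name__ == "__main__":
    issuer = DisposableNumberIssuer(lookup_key=b"constructed-demo-key", ttl_seconds=60)
    number = issuer.issue("acct-42")          # constructed account id
    print("first use: ", issuer.redeem(number))
    print("second use:", issuer.redeem(number))
```

The point of the two refusal paths is that a number captured in transit or from a merchant's records is worthless to anyone once the legitimate purchase has gone through, which is exactly the exposure the Western Union incident created for conventional card numbers.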

THIRD-PARTY SCRUTINY.  But clearly, the big financial institutions have their work cut out for them. Uniform response policies in case of security breaches must be enforced. Minimum security requirements should become the purview not of the financial institutions themselves but of the U.S. government or another third party, just as banks' balance sheets get scrutinized before they can retain insurance from the Federal Deposit Insurance Corp.

That might seem unwieldy. But so far, financial institutions collectively have failed to grasp the gravity of a massive security breach or to appreciate that customer confidence and their direct reputations are at stake. Let the Western Union case be both a guide -- and a warning. Not every case of cracked bank sites will end so happily.



Salkever covers electronic security issues in this column twice a month for BW Online.
Edited by Douglas Harbrecht
