
Major Financial Groups Share Data To Fight Online Theft

Soulskill posted more than 2 years ago | from the dogs-and-cats-living-together dept.

Crime 40

smitty777 writes "The Wall Street Journal is reporting on some unprecedented steps being taken by major financial institutions to combat online theft. The initiatives include a new type of data center that would be used to analyze bank data for potential security threats. Additionally, a quarterly round-table between the rivals to attack security issues was proposed. The article notes that 'security threats are pushing the big banks to do something that doesn't come naturally for these secrecy-steeped institutions: share information with one another.' A video at MarketWatch digs into it a little bit more, and points out that the banks will spend an estimated $1 billion on protection this year, which represents a 12% increase. Technologically, there has been much discussion of two-factor authentication to improve security. In fact, security officials in Singapore are even hinting at biometric solutions."

40 comments

Criminals rejoice! (2, Insightful)

Majik Sheff (930627) | more than 2 years ago | (#38673362)

The banks have decided to consolidate their weak IT policies into a convenient one-stop shop for attacks!

No longer will you have to break into a half-dozen banks to get the personal information of millions!

Re:Criminals rejoice! (1)

Anonymous Coward | more than 2 years ago | (#38673390)

Can't they just nationalize the banks already? It would save the government the trouble of making sure that the banks don't get too friendly with each other.

Re:Criminals rejoice! (5, Insightful)

Gideon Wells (1412675) | more than 2 years ago | (#38673442)

It all comes down to how it works.

Right now you have many companies who have differing levels of protection. This would be akin to each state being in charge of its own military. Ideally, by pooling said resources a better overall military/defense could be formed. Redundancy removed, funds freed up for more high level prevention.

Of course, that is being optimistic. Pessimistically, they'll agree to combine all their funds, use 10% (90% to bonuses for thinking of this savings) of it for this venture, outsource it to a company in India, who outsources it to China, who outsources it to South Korea (which gets linked to North Korea and sold to Russia), who outsources it to a vocational school in Seattle.

Re:Criminals rejoice! (1)

AliasMarlowe (1042386) | more than 2 years ago | (#38674950)

It all comes down to how it works.

It all comes down to how it dysfunctions.

Recall the old adage that Canada should be the best place in the world, with French culture, British politics, and American industry. Instead, they somehow ended up with French politics, British industry, and American culture. This cooperation between banks will doubtless combine their weaknesses while discarding their strengths in a similar way.

Re:Criminals rejoice! (0)

Anonymous Coward | more than 2 years ago | (#38675862)

Banks have some of the very best IT pros working for them, you clearly have never worked for one. Sharing the info sounds like it violates lots of laws.

Decent evaluation of Bank security (4, Interesting)

boner (27505) | more than 2 years ago | (#38673480)

Having used both name/password, electronic tokens etc. to access my financial data, I would like to see an objective analysis of their security. I personally prefer the electronic tokens used by several Dutch banks (ING, Rabobank, ABN AMRO), above the name/password features used by American banks (BofA, Wells Fargo, Chase, JP Morgan, Credit unions, etc.). But the main question is: how do they perform in real-life? Which schemes lose more money to scamming or phishing?

Evaluating the performance of my parents (70+) with modern authentication schemes, does not bode well. My parents are generally unable to distinguish phishing mail from real mail - how should banks balance the convenience of email against the requirements for safety?

Can anyone point to objective evaluations of bank security and authentication schemes?

Re:Decent evaluation of Bank security (1)

TubeSteak (669689) | more than 2 years ago | (#38675040)

... At an industry conference in 2003, ..., the chief technology officer of a large bank said ... "We don't want to talk about fraud in front of anyone."

You'll never see an objective analysis of their security and you'll never learn which banks are subject to fraud, except where State/Federal law requires disclosure.
If we learned about the $$$ value of fraud that banks write off, there would probably be public outrage and a crisis of confidence in the banking system,
especially now with the mortgage crisis and bank bailouts fresh in the public's mind.

Re:Decent evaluation of Bank security (2)

daemonenwind (178848) | more than 2 years ago | (#38676412)

If we learned about the $$$ value of fraud that banks write off, there would probably be public outrage and a crisis of confidence in the banking system,
especially now with the mortgage crisis and bank bailouts fresh in the public's mind.

If you want to know the value of fraud, just look at any major bank's quarterly statement. It's usually broken out by line-item.

Protip: start with whatever division name would hold consumer revolving credit, aka credit cards.

It's the information age; you'd be surprised at what you can find if you just drop the conspiracy theories and anti-corporatism and actually look.

Re:Decent evaluation of Bank security (0)

Anonymous Coward | more than 2 years ago | (#38677042)

If you want to know the value of fraud, just look at any major bank's quarterly statement. It's usually broken out by line-item.

Protip: start with whatever division name would hold consumer revolving credit, aka credit cards.

It's the information age; you'd be surprised at what you can find if you just drop the conspiracy theories and anti-corporatism and actually look.

ok, go find it. Can't? 'cuz it's not there, and not required to be disclosed. Is this your first day on the job?

Re:Decent evaluation of Bank security (0)

Anonymous Coward | more than 2 years ago | (#38675972)

What's the problem with just using FinTS, a class 2 (20€) (or even class 3 [costs a bit more]) card reader and a bank-issued card with a 6-digit PIN?
They do the same at the ATM. So they can do it at home as well. Open the banking program, stick the card in, enter your transfer order and press "OK" on the computer, enter the PIN and press OK on the reader, done.
As a bonus, the bank could make the banking program look like an ATM and the card reader like the one built into an ATM.

And if somebody is still too dumb for this, then he needs a nurse to put on your clothes in the morning anyway, and she can do it. (But people that dumb don't usually deserve to live in the first place.)

Biometrics - pushing the bank's risk onto you... (4, Insightful)

rtfa-troll (1340807) | more than 2 years ago | (#38673496)

Biometrics; great; Like in Mexico, they will take your hand if you are lucky. If you aren't lucky, the bank will have some kind of life detector which will check if the hand is alive. In that case the gang just takes you along with your hand and then disposes of both together after the crime. With the exception of the situation where there's a guard actually checking that the ID system is being used right by a single person, what could be stupider than using a security token you can't change?

Re:Biometrics - pushing the bank's risk onto you.. (3, Funny)

muckracer (1204794) | more than 2 years ago | (#38674444)

> Like in Mexico, they will take your hand if you are lucky. If you aren't
> lucky, the bank will have some kind of life detector which will check
> if the hand is alive.
> In that case the gang just takes you along with your hand and then
> disposes of both together after the crime.

Wow...'Talk to the hand!' will get a whole new meaning now...

Re:Biometrics - pushing the bank's risk onto you.. (1)

thoughtlover (83833) | more than 2 years ago | (#38679632)

Biometrics; great; Like in Mexico, they will take your hand if you are lucky.

That example is a tad outrageous, as I believe the end goal was an RFID implant. Besides, if you can get their fingerprint, you can make a latex copy. I'm pretty sure that the 'gummy' fingerprint technique can still fool most dermal scanners.

Re:Biometrics - pushing the bank's risk onto you.. (1)

rtfa-troll (1340807) | more than 2 years ago | (#38683182)

The specific example was installation of palm readers in ATMs. I don't remember anything about the RFID bit; have a link? I don't see that it helps, nor the fact you can forge the fingerprint readers easily with a rubber glove. Anything which is beyond the abilities and patience of a guy with a gun is a bad idea. What is needed is a PIN code with a maximum daily limit and a gradually extending authorisation system depending on the size of the transaction taking place. For example: if it's 100 your PIN is enough; if it's 1000 you also get a call and they use voice analysis; if it's 10,000 you have to visit a branch; if it's 100,000 the branch does serious authentication when you visit, checks your family is okay and so on.

As long as the cost of the authentication is a small fraction of the profit on the transaction and the loss through bad transactions is less than the cost to the criminals of the times they get caught, everything is okay.

Banks spending money on protection... (0)

Anonymous Coward | more than 2 years ago | (#38673510)

I think it's funny how much money banks and companies with sensitive data spend on protection, yet they are 'defenseless' against hacker-attacks performed often by amateur hackers.

Re:Banks spending money on protection... (1)

anubi (640541) | more than 2 years ago | (#38681926)

That is what scares me.

My broker's website is so full of javascript and pop-ups I am terrified to use it. I pulled my retirement from that broker and went to a "brick-and-mortar" institution, only because I know how easy it would be to fool me with a clever javascript to redirect me to a bogus site.

I feel completely powerless when talking to an office guy whose instructions are to toe the company line and ignore the customer's pleas to not put this kind of code on a financial site. I am left stewing knowing the suit-guy keeps his job while I am liable to be in quite a mess trying to straighten things out if my account is taken for a roll-in-the-pigsty by some clever javascript coder who left a bug in my machine.

For me, seeing JavaScript is like seeing mice. If I am in most places, it does not alarm me. But in a restaurant, it does. If you wonder from where I get my fear, google virus and javascript together.

The clear message I get is bankers could care less how people like me think of the security of an account with them.

Biometrics? Again? (5, Insightful)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#38673512)

Biometrics must be the 'security' concept that combines the worst features with the best whiz-bang sci-fi aesthetic appeal... I can only assume that it was invented during a sort of 'product blackjack', where a group of players competed to see who could come up with the most awful idea that could still be successfully sold...

"Hey guys, I'm trying to build a truly awful security system. Can anybody think of something like a password, only absurdly hard to change voluntarily, occasionally changed traumatically by forces beyond the user's control, and preferably left in traces all over the place during the course of daily life? Drinks are on me if successfully compromising it for one institution renders it strongly likely that it will be compromised across a large number of unrelated ones simultaneously!"

Re:Biometrics? Again? (1)

Em Adespoton (792954) | more than 2 years ago | (#38677078)

The only place I can see biometrics being useful is as part of a hashing algorithm where some other factor is a secret. In this case, it's not the primary securing factor, but it is yet another piece of information about you that the attacker must have to generate the appropriate hash.

Of course, "biometrics" is awfully hand-wavy. Because fingerprints/retina scans/vein topology/etc aren't digital, the actual algorithms that digitize them have a large margin of error, and any hash in the appropriate set will be valid, to a certain standard deviation.

As a result, biometrics are only as good as the worst of: 1) implementation and 2) application. They're really just a way to allow an individual to carry around a personal hash, and NOT a way to carry around a secret.

Implemented the right way, your fingerprint, for example, will be used to generate a hash, from which the significant bits are extracted to form a sub-hash. This value would be computed but not be left at rest -- it would then be further hashed with a passphrase or private key to generate the public key which would be stored. As a result, the data credential at rest will be specific to the application, and will not be used in other circumstances. It will be unique, more complex than an easy-to-remember passphrase, and repeatable.

It doesn't really matter if someone else has a copy of your fingerprint in this situation, as that is the lesser factor of authentication. If the reader itself is compromised, the only data leaked is the passphrase/OTP/print combo for that implementation, which should not affect other uses of your fingerprint.
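Added example, not part of the comment above and not any bank's or vendor's code: a Python sketch of the derivation the comment describes, in which a coarse biometric sub-hash is mixed with a passphrase and an application identifier so that the stored value is application-specific. The quantization step, the PBKDF2 verifier standing in for the stored public key, and all names and sample readings are assumptions made for illustration.

```python
import hashlib
import hmac
import os

STEP = 0.25            # assumed quantization bucket width for the feature vector
ITERATIONS = 100_000   # PBKDF2 work factor chosen for this sketch


def significant_bits(features, step=STEP):
    """Keep only the coarse bucket index of each feature.

    A raw reading differs slightly on every scan, so hashing it directly
    is not repeatable. Plain rounding still fails for readings near a
    bucket edge; error-correcting fuzzy extractors exist for that case.
    """
    return bytes(int(f // step) & 0xFF for f in features)


def derive(features, passphrase, app_id, salt):
    """Sub-hash of the biometric, mixed with the secret and the application."""
    # Computed in memory only; the sub-hash itself is never stored.
    sub_hash = hashlib.sha256(significant_bits(features)).digest()[:16]
    secret = sub_hash + passphrase.encode("utf-8")  # fixed-length prefix
    return hashlib.pbkdf2_hmac(
        "sha256", secret, salt + app_id.encode("utf-8"), ITERATIONS
    )


def enroll(features, passphrase, app_id):
    """Return the record an application would keep at rest."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive(features, passphrase, app_id, salt)}


def verify(record, features, passphrase, app_id):
    """Recompute the credential and compare in constant time."""
    candidate = derive(features, passphrase, app_id, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


# Constructed sample readings (not real biometric data).
ENROLLED = [0.62, 1.10, 2.37, 3.85, 0.13, 1.62]
RESCAN = [0.66, 1.07, 2.41, 3.81, 0.10, 1.66]        # same finger, read noise
OTHER_FINGER = [0.91, 1.40, 2.05, 3.30, 0.55, 1.95]

if __name__ == "__main__":
    phrase = "correct horse battery"
    rec = enroll(ENROLLED, phrase, "bank-a.example")
    print("rescan + passphrase:", verify(rec, RESCAN, phrase, "bank-a.example"))
    print("rescan, wrong phrase:", verify(rec, RESCAN, "guess", "bank-a.example"))
    print("other finger:", verify(rec, OTHER_FINGER, phrase, "bank-a.example"))
    print("other application:", verify(rec, RESCAN, phrase, "bank-b.example"))
```

A copied fingerprint alone does not reproduce the stored value, and a record leaked from one application does not verify under another application's identifier.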

I would welcome 2-Factor authentication (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#38673532)

I signed up for a service to send a one-time-pad by SMS to my mobile phone for every online purchase. I've yet to receive a single request for a code, or a code itself, and it's been over 3 months.

Then again, Santander are completely rubbish.

Re:I would welcome 2-Factor authentication (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#38673558)

Oh, right... I see. It's only used for online banking transactions, not online purchasing. Fat lot of good that's doing to combat online fraud.

Re:I would welcome 2-Factor authentication (0)

Anonymous Coward | more than 2 years ago | (#38674240)

Oh, right... I see. It's only used for online banking transactions, not online purchasing. Fat lot of good that's doing to combat online fraud.

Well, yeah, it does help if you're trying to transfer large sums of monies and someone has access to your bank account.

Do you really expect an OTC every time some money leaves your account?

I'd say Santander are doing a pretty damn good job at having even such a basic system, try using HSBC or Lloyds in the UK, the protection is shoddy.....

Re:I would welcome 2-Factor authentication (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#38684010)

Yes. Yes I do expect that. Anything less is smoke and mirrors. The infrastructure is in place for the bank, all they need to do is replace that "Verified by Visa" / "Mastercard Securecode" bullshit with this service.

Verified by Visa: Bypassed with a date of birth. What a joke.

Old News - This Already Exists (3, Informative)

Anonymous Coward | more than 2 years ago | (#38673544)

Banks have already been sharing info with the National Cyber-Forensics & Training Alliance (NCFTA) which is a non-profit non-government entity. The NCFTA acts as a middle man between banks/other high value targets and law enforcement. They also do aggregate analysis on the attacks seen by multiple institutions to determine if there are larger trends.

Hey (2)

Grindalf (1089511) | more than 2 years ago | (#38673552)

Watch out, that's personal ID they'll be sharing without client authorization and by an NGO! That's a felony in most states ...

Re:Hey (2)

shentino (1139071) | more than 2 years ago | (#38673588)

Trust me, if a big company does something, it's either legal already for them, or is about to be as soon as they send their lobbyists to DC.

Large corporations effectively have sovereign immunity.

How might this affect privacy concerns? (2)

Eremit (35495) | more than 2 years ago | (#38673586)

Of course it sounds good that the banks want to coordinate their security efforts. Probably one part of their analysis has to create profiles of common usage to be able to discern uncommon and possibly dangerous usage. These profiles will be much more detailed than their internal ones. Might they not use those profiles for other things like customer scoring, targeted advertising, etc., too? Or should I assume that they already share some data about their customers?

Location, location, location! (0)

Anonymous Coward | more than 2 years ago | (#38673610)

Technologically, there has been much discussion of two-factor authentication to improve security. In fact, security officials in Singapore are even hinting at biometric solutions.

Forehead or palm?

evolution of slavery (1)

harvey the nerd (582806) | more than 2 years ago | (#38673622)

Electronics, more secure and convenient than cash...Yeah right, back to gold and silver.

Re:evolution of slavery (1)

rickb928 (945187) | more than 2 years ago | (#38673820)

Seeing as metals have significant security issues [wikipedia.org] also, this makes as much sense as, well, it doesn't make sense. Change one token for another?

Anything the least bit tangible can be stolen, even data. Seeing as data snatch-and-grabs are all the rage, how banks can escape the fate of some other outfits that should by their very definition be more secure escapes me. It's a cat-and-mouse game. For banks, the goal may be to prevent break-ins, but the best result is probably to detect them quickly, perhaps even as they are being conducted.

Me? I'm obviously not a security professional, but I would add some honeypots to my systems and watch the assailants do their work. Even then, the real threats are users and their often failed practices. I'm beginning to use phrases for passwords, since random stuff is too hard to manage, 'clever' passwords aren't, and at work I now have multiple passwords that expire more frequently than 15 days. A token would be interesting, but impractical for 50,000 users in our environment. And that's just the internal stuff.

There is no perfect security.

Re:evolution of slavery (1)

Requiem18th (742389) | more than 2 years ago | (#38675332)

Maybe it's the engineer in me but couldn't we make a machine to test the authenticity of metal coins? Given that metals have specific density and conductivity it would be pretty hard to make a coin with the same size, shape and conductivity as a silver or gold one for instance.

Re:evolution of slavery (1)

rickb928 (945187) | more than 2 years ago | (#38675830)

Make a machine that completely prevents theft or alteration. Then these tokens are secure. Maybe.

Major Theft Groups fight themselves then? (-1)

Anonymous Coward | more than 2 years ago | (#38673868)

The biggest theft happened not many years ago, and how many bankers and wall street thieves went to jail? None, because the biggest thieves were the major financial groups themselves, Banks, the insurance corps, the FED, and as usual, politicians of both sides.

This "sharing" seems more like combined cartel efforts in securing their own theft schemes.

unprecedented steps (2, Insightful)

devent (1627873) | more than 2 years ago | (#38673890)

How about the consumer and unions come together and take unprecedented steps to combat theft by banks and Wall Street? First they committed fraud in multi-billion dollars, then got the money from the taxpayers to not go bankrupt and are now forcing Europe and the USA into a decade-long recession by austerity and anti-labor politics.

Looks like... (1)

vikingpower (768921) | more than 2 years ago | (#38673944)

...banks are the place to work, for the next 2 years or so ( at least if you want to make big bucks ) ?

Re:Looks like... (2)

netwarerip (2221204) | more than 2 years ago | (#38674808)

Unless you are a loan officer or manage loan officers there is no money in banking, especially not in I.T. Never has been, never will be. Over 10 years working I.T. for many banks proved that to me, until I finally wised up and got out of the industry. They don't spend a single penny more than they have to on salary, hardware, software, or security. Maybe this will change when a new generation of presidents, board members, etc comes to power, but as long as it's still the same old white men you can give up any hope of them doing anything more than they absolutely have to.

Just one quick example - back in 2001 or so I was getting ready to install an internet connection to the brand new ethernet lan at a smaller-sized community bank (avg annual profit of about $1.5 million). I quoted something like $2-3k for a Cisco firewall and was told there was no way in hell I could spend that much. Either I find something for under $200 or we go without a firewall altogether.

Aaand that's why... (0)

Anonymous Coward | more than 2 years ago | (#38674068)

...you don't use imaginary money (especially the one based on the debt promises [read: lies and make-believe] of others)... or one-crappy-factor authentication (and call it "two factor").

I know that when my game is done, it will be based on hard solid matter with a stable value. And there will be an exchange rate for imaginary money, that will make people rush to switch to my currency. (No, you won't be able to buy imaginary items [e.g. inside the game] with it. You will only be able to buy services. But since ALL products are just resources [which nobody owns] plus a series of services, that will be fine.)

i fail to see how (1)

nimbius (983462) | more than 2 years ago | (#38675520)

i can possibly rely on my financial institutions to keep me financially safe. i hit wells fargo this morning to change some coins into dollars and the banker at the counter couldn't count them without a plastic dowel to arrange them in. The entire time the banker on the floor lectured me without provocation about the bank's many incredible services and why i should become a member right away. neither one thought to send me on my way with coin rolls perhaps.

now i know the bank's public hat is quite different than their financial institution hat, but i can't help but conclude that when 'major financial groups share data' it's going to be data about me, but it's only going to be used to further their interests. come to think of it, when a publication mainly related to wall street prints a diatribe on how wonderfully secure major wall street institutions are set to become, one can't help but wonder if it's the equivalent of trying to put a fresh coat of paint on an old car.

Quickly! (1)

hesaigo999ca (786966) | more than 2 years ago | (#38685108)

On the heels of MS sharing all info they have gotten from the malware with all the major big banking companies and law agencies, this is yet another great step towards uniting against a 5 billion dollar a year industry, identity theft/fraud!

I applaud it, although they might need to sanction some sort of governing body to help make decisions, else you might get one that wants to take their ball home if they don't play the way they like.

On the plus side, it just means more ideas will be shared across the board between all big banks, and security will be their #1 priority.
