October 5, 2015

Bankers face fake account challenge

While banks manage to fend off a greater percentage of cyberattacks than other industries, widespread data breaches outside the financial sector pose a key challenge: How can banks prevent thieves from opening new accounts or accessing existing ones with information stolen from less-secure industries?

Experian client T-Mobile has 15M records stolen
A critical case in point comes from the recently announced breach of T-Mobile data, which had been entrusted to a business unit of the credit bureau Experian North America. The incident exposed the records of 15 million people. The information stolen reads like a checklist for opening or accessing a bank account:

  • Names.
  • Dates of birth.
  • Social Security Numbers.
  • Addresses.
  • Alternate form of identification.

Also hacked in many cases were the credit evaluations made by T-Mobile of affected customers. Not surprisingly, the telecom giant's executives were beside themselves.

"I am incredibly angry about this data breach," T-Mobile CEO John Legere told the Financial Times, "and we will institute a thorough review of our relationship with Experian."

Banks are hard targets - but not impossible to breach
The Experian breach is just the latest in a string of high-profile cybersecurity failures that have included Target, Sony and the federal government's Office of Personnel Management. It's rare, however, for a financial institution to be successfully hacked, as banks have made themselves among the hardest of targets. Still, hackers sometimes infiltrate financial houses, as they did in 2014, when lax server security at JP Morgan Chase appears to have made possible the largest banking breach to date.

So if banks so rarely fall victim to hackers, why should bankers pay attention to breaches outside the financial sector? As American Banker pointed out, it's because the slew of non-bank attacks exposes just the information cybercriminals need to open or access bank accounts.

"The data of 15 million people has been exposed," Richard Parry, a principal at Chicago's Parry Advisory, told American Banker. "It can be used to impersonate for any number of purposes. That's a problem for the customer, and it's a problem for anybody who does verification on people in a remote-channel environment. It's a tool for account takeover."

Experian was at pains to point out that no banking information was disclosed in the T-Mobile breach. But that hardly matters, Parry said, because hackers can draw on previously stolen data to build up profiles.

Identities for sale, 16 cents each
The fruits of cyberattacks are for sale in certain unregulated corners of the Web. The prices for chunks of "personally identifiable information" are rock-bottom. Exact numbers are hard to come by, for obvious reasons. However, cybersecurity expert Brian Krebs found that in 2011, full sets of personal data described as "Fullz Info USA Type A" were going for 25 cents each for up to 500 identities. Bulk buyers earned a discount down to 16 cents per identity when ordering 10,000 or more. The packages included all the bulleted pieces of information above plus email address, email password, driver's license number, bank name, bank account number, bank routing number and more.

ABA website targeted
It's no secret that for hackers, many of them sophisticated and even backed by nation-states, financial institutions offer plump targets. While the risk is high and chance of success minimal, the rewards can far exceed breaking into a retailer's system. That's why one small recent breach has bankers talking out of proportion to the damage it did: The website of the American Bankers Association was hacked. The thieves' reward? About 6,400 email addresses and passwords to reach the "members' only" section of www.aba.com.

American Banker reports that trade group executives aren't sure whether the attack was meant to gain access to the victims' banks or perhaps done simply as a protest by hackers with a hatred of bankers. Either way, it's a reminder that financial institutions are under cyber siege.

Of course, hacks are just one of the many risks banks face. Loan sale advisory firm Garnet Capital Advisors keeps a careful watch on all of these types of challenges to financial institutions and their loan portfolios.