Here we go again!
No sooner had law enforcement officials arrested two teenagers for the May theft of the VA laptop than, a mere three days later, the Department of Veterans Affairs revealed that a desktop computer holding personal data on as many as 38,000 US military veterans had disappeared from Unisys, a VA subcontractor.
It was just last month that I wrote about a scary list that you can only hope does not include you or your company: a public list of recent compromises of personal data held by banks, merchants, universities and many other organizations, with a large share of the entries involving government agencies. This month, however, I am going to describe a security breach from the private sector, one that should give you great pause, because it occurred within the Transaction Processing Industry, essentially in the very market space where we all earn our livings!
That list of known security breaches is massive, and it left me with the impression that the odds that you and I have somehow been affected are pretty good, especially when you consider that the list is only a partial record of what is happening out there. In some cases the list simply says "unknown" for the number of records compromised, which makes one wonder how many incidents are not getting reported at all.
One massive security breach that is not on that list, and that apparently gave Madrid-based hackers direct access to the online banking credentials of customers of more than 300 banks, avoided the spotlight until recently. This incident raises serious questions about what really happened, who was affected, and how it was disclosed. While I cannot sit here and tell you for sure whether the eventual disclosure was enough to satisfy lawmakers, my belief is that it was clearly not enough for the public.
According to news reports, a journalist received a tip from a customer of one of the impacted banks who had himself received a notice that his password had been reset. In what has to be one of the better case studies of how a monoculture can lead to massive security problems, the reason so many banks were affected was that they all relied on the same third-party provider, Goldleaf Financial Solutions, Inc., for home page services that included the capture and processing of online banking credentials. With one exploit of that shared provider, the attackers were able to redirect login IDs and passwords from all of those banks to a site in Madrid, Spain.
The disclosure that has so far followed leaves much to be desired. According to a press release from Goldleaf (one that was regurgitated word-for-word by news outlets such as Forbes under the heading of news and analysis):
Goldleaf Chief Executive Officer, Lynn Boggs, said, "We have identified and corrected the problem. We have fully restored our Web site, remote deposit and ACH services. In addition to contacting our customers, we have communicated with our vendor partners, regulators and law enforcement authorities. We are fully operational and will remain diligent in our security efforts."
What exactly was communicated is not known. What we do know is that most of the information made public so far is at best misleading and at worst reeks of spin control. The problem starts with the press release's headline, which reads "Goldleaf Technologies Responds to Phishing Attempt."
That is certainly an interesting choice of words to describe what happened in this case. If it were a phishing attempt, Goldleaf could easily escape blame by deferring some of it to insecure client software such as email clients and browsers, and the rest to a lack of best practices on the end user's part. Phishing is a form of email-based social engineering that dupes users into clicking links in an email message that they would not otherwise click on. TPAtlanta devoted a column to phishing in an earlier issue.
Well-known companies such as eBay are a frequent target of phishers. Even when such phishing attempts succeed, it is hardly eBay's fault. However, neither email nor phishing played a role in this particular bank exploit. End users were not socially engineered. They entered their credentials as they normally would, into Web pages served from the domains they should have been served from, and it was the back end that handled those credentials that had been compromised. At the very least, Goldleaf needs to restate its news release so that it is absolutely clear to the public that it was Goldleaf's own services that were hacked and that phishing played no role in this attack.
Further drawing the disclosure and reporting into question is an AP Wire story that quotes Goldleaf spokesman Scott Meyerhoff as saying that the security breach affected about 150 to 175 bank Web sites for anywhere from a minute to an hour and a half. In a subsequent interview with Goldleaf, however, it was learned that the actual number of financial institutions involved was more than 300!
The best-case scenario, say 300 banks compromised for one minute each, computes to 300 minutes, or five hours of exposure. If one bank were exposed in this way for five hours, how many of that bank's customers could have been compromised? The worst-case scenario using Goldleaf's own numbers has 300 banks compromised for 90 minutes each, which is the equivalent of one bank being exposed for 27,000 minutes, or nearly 19 days. Can you imagine one bank being compromised for nearly three weeks? So, many questions remain. Or at least they should!
Which 300 banks? We do not know all of the ones that were hit, or to what degree. Where are their press releases? No idea. Was it really a minute to an hour and a half? Or was it longer? We just don't know. And therein lies the problem in our industry.
Unfortunately, there is no obligation, no regulatory mandate, for any entity to reveal the data or the methodology that led Goldleaf to those figures. Even so, a lot of logins can happen in 90 minutes across 300 banks. How many actually did happen? Was any money taken? How were the banks' customers notified of the potential breach? Where could, or should, they have gone for more information to find out whether their accounts had been compromised?
Some banks, the ones we know of, notified their customers by both regular mail and email. First State Bank, one of the affected banks, sent out two separate notices. The first one, signed by First State E-Banking officer Christa Walton, had the audacity to include a link pointing people to a remedy Web page that is not even within First State's domain, an absolute no-no and exactly the same trick used by phishers. Says that first email:
…..In an effort to ensure that all customers are aware, this same communication was mailed via US Postal Service. If, at receipt of this mailed communication, you have already obtained access to your accounts through our new Online Banking site, located at "xxxxxx.com" there is no need to take any further action….
The reason I masked the URL found in Ms. Walton's email is that it is not in First State Bank's own Internet domain. Think about that for a moment.
Technically, it is fodder for phishers, who could take advantage of the fact that some banks had to move their online banking home page to an off-domain address: a customer who has just been told by the bank to expect an unfamiliar login URL has no way to tell the bank's temporary site from an impostor's. Personally, I find it unconscionable that a bank would even consider sending an email that flies in the face of all conventional wisdom and best practices regarding the security and privacy of its customers. To their credit, their use of the USPS as a second channel helps, but it is far from a perfect solution.
Continuing to exacerbate the problem, in Ms. Walton's second email to the bank's customers she advises:
…..On Thursday, May 25, 2006, First State Bank became aware of an apparent attempt by an unauthorized party to gain access to our third-party website host and thus to our Online Banking site……Although there is no current evidence that customers' information has been accessed, this incident may have increased the probability of your information being used for fraudulent purposes……Your Online Banking password has been defaulted back to your original password; when you established your Online Banking service….you may not have access to your original login information, First State Bank has established a help center that you may contact at 1-800-XXX-YYYY or by email at info@first-state.net…..A temporary Online Banking login website has been established at . This temporary site is safe……
Forget for a minute that most people do not have a clue what their original password was. Heck, I cannot even remember my current ones, and I log in to financial Web sites every day. When you receive an email like this from a financial institution, if you are even half as sensitized to the phishing problem as I am, you will probably do what I do when I get an email like this one: delete it without even looking.
In this case, the email goes beyond the faux pas of providing an off-domain site that asks for user credentials; it also provides an 800 number to call for more information or help. What are email recipients supposed to do with that? Call it? Over their dead bodies, hopefully! I can see it now: hundreds of people dialing an 800 number they got from an email whose source cannot be authenticated, and then divulging all sorts of other compromising data to whoever answers. The only contact details a customer can trust are the ones printed on the back of the card or on a paper statement, and a notification that is worth anything says exactly that instead of supplying its own.
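The two First State emails fail a test that any outgoing breach notification can be run through before it is sent: does every link point into the bank's own registered domain, over HTTPS, with none of the host-obscuring tricks phishers use, and does the message avoid handing out phone numbers the recipient cannot verify? The following Python is an added example written for this column, not code from Goldleaf, First State Bank or any of the news sources quoted above. It assumes the bank's registered domain is first-state.net (the domain in the second email's contact address); the sample notice it scans is constructed for the example, and the hostnames in it (firststate-onlinebanking.example, help-desk.example, secure-portal.example) are hypothetical stand-ins for the masked URL, not the real addresses the bank used.

```python
import re
from urllib.parse import urlsplit

# Plain-text URL matcher; stops at whitespace and common closing punctuation.
URL_RE = re.compile(r'https?://[^\s"<>\]\)]+', re.IGNORECASE)
# North American toll-free numbers as they appear in notification text.
TOLLFREE_RE = re.compile(r'\b1-8(?:00|88|77|66|55)-\d{3}-\d{4}\b')


def registrable_domain(host):
    """Naive eTLD+1: the last two labels of the host.

    Good enough for .com/.net style names used here; a production check
    should consult the Public Suffix List (for example via the
    publicsuffix2 package) so that 'bank.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url, bank_domain):
    """Return the list of reasons a link should not appear in a customer notice.

    An empty list means the link is on the bank's own domain over HTTPS and
    uses no userinfo trick such as https://bank.example@evil.example/.
    """
    parts = urlsplit(url)
    host = parts.hostname or ''
    reasons = []
    if parts.scheme.lower() != 'https':
        reasons.append('not https')
    if parts.username is not None:
        # 'first-state.net@evil.example' shows the bank name but lands elsewhere.
        reasons.append('userinfo before host')
    if registrable_domain(host) != bank_domain.lower():
        # Catches both foreign hosts and look-alike subdomains such as
        # first-state.net.secure-portal.example.
        reasons.append('off-domain host %s' % host)
    return reasons


def find_off_domain_links(body, bank_domain):
    """Scan a plain-text notice and return [(url, reasons), ...] for bad links."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip('.,;')
        reasons = classify_link(url, bank_domain)
        if reasons:
            findings.append((url, reasons))
    return findings


def find_unverifiable_contacts(body):
    """Phone numbers quoted in an email cannot be authenticated by the reader;
    the notice should point to the number on the card or statement instead."""
    return TOLLFREE_RE.findall(body)


# Constructed sample modelled on the second First State email; hostnames and
# the phone number are hypothetical placeholders, not the bank's real ones.
SAMPLE_NOTICE = """\
Dear customer,

A temporary Online Banking login website has been established at
https://firststate-onlinebanking.example/login . Your password has been
reset. If you cannot log in, visit http://first-state.net@help-desk.example/reset
or https://first-state.net.secure-portal.example/ for assistance, or call
our help center at 1-800-555-0100. Account management remains available at
https://www.first-state.net/online .
"""


def review_notice(body, bank_domain):
    """Aggregate both checks so a sender can gate the message on an empty report."""
    return {
        'bad_links': find_off_domain_links(body, bank_domain),
        'phone_numbers': find_unverifiable_contacts(body),
    }


if __name__ == '__main__':
    report = review_notice(SAMPLE_NOTICE, 'first-state.net')
    for url, reasons in report['bad_links']:
        print('REJECT', url, '->', '; '.join(reasons))
    for number in report['phone_numbers']:
        print('REJECT phone number in body:', number)
    if not report['bad_links'] and not report['phone_numbers']:
        print('OK: notice only references', 'first-state.net', 'over https')
```

Run against the constructed sample, the review rejects the temporary login site, the userinfo-disguised help-desk link and the look-alike subdomain, and flags the toll-free number, while letting the link under www.first-state.net through. A notice that passes this check still has to be matched by the paper copy, which is the only channel the email itself cannot forge.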
What is the bottom line here? This event is a case study in how badly a financial breach can unravel into a disaster. The void in information that the public deserved to have as soon as the incursion was discovered is simply shocking. Not only that, this situation provides evidence of just how the public will invariably end up mis-, under- or, worse yet, dis-informed, in the name of spin control, when organizations are left to their own litmus tests to decide whether a breach is serious enough to warrant disclosure.
Unfortunately, the toothless disclosure legislation currently before Congress does not go far enough into what exactly should be disclosed and what the remedies should be. Opponents of more heavy-handed legislation with stricter requirements argue that consumers will be overwhelmed by the number of disclosures, as though that were a good reason not to have them. To that I say disclose away, folks. I want to know each and every time some bit of my personal information may have been compromised, and I want all the gory details, including specific actions I should take that do not go against the very best practices the financial and technology industries recommend in the first place.
So just what kind of proactive disclosure policies does your company have in place in case you are hit with a security breach or a data theft? Advance planning is your best defense, so that you do not have to resort to spin control in a time of intense stress and public scrutiny.
We invite you to share your best practices with us here at TPAtlanta so that we may in turn help all of us become better stewards of our companies' and our customers' data. We will continue to monitor what is transpiring with regard to security issues in the Transaction Processing Industry and will report back to you with new developments.
It is perfectly fine for a radio disc jockey to say that the hits keep on coming. Just do not let that phrase apply to your organization!
Calvin D. Johnson, Publisher
publisher@tpatlanta.com
Trans Atlantic Systems, Inc.
PS
We have dedicated this column for the last three months to highlighting some very disturbing security breaches in which hundreds of thousands of customer data records were exposed to segments of society that can best be described as nefarious. We do not think these events should be taken lightly, and we have encouraged you to redouble your own data security best practices.
In view of the seriousness of our reporting, we would like to close this month's column by sharing with you the following story that ran recently in The Onion:
Postmaster General Loses Laptop; Zip-Code Data Of Millions At Risk
WASHINGTON, DC-The U.S. Postal Service has confirmed that a laptop computer issued to Postmaster General John Potter and containing the zip-code information of over 280 million Americans was allegedly left in a taxicab Monday evening. "I sincerely regret that my carelessness has made precious five- and nine-digit codes, which are vital for U.S. information delivery, potentially vulnerable to unscrupulous individuals who would do us harm," Potter said in a televised press conference Tuesday, during which he also announced his resignation. "I have failed the president, the Postal Service, and you, the American people, by not securely safeguarding this sensitive data, which pertains to the current locations of literally hundreds of millions of U.S. citizens. I have no choice but to step down, effective immediately." Officials refused to elaborate on the extent of the information leak, but did not rule out the possibility that everyone in the U.S. might have to move.