Posts Tagged ‘phishing’

Data protection and financial chaos

Wednesday, October 8th, 2008

When financial markets appear to be in free fall, many organisations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist any more? (And, from what we’ve seen over the last few weeks, the ‘might not exist tomorrow’ possibility should be a very real planning scenario for all but the world’s best-capitalised banks).

Well, in the UK, the Information Commissioner is unlikely to cease caring – already identified as “setting the political and administrative agendas for the protection of personal data in this century in the UK” and for “firmly disciplining politicians, civil servants, the media and business folk into line”, he’s unlikely to allow data protection to take a back seat at exactly the moment that spammers are expected to take advantage of bank buyouts to launch new phishing scams.

However, we’re talking here about banks who were unable to identify or adequately manage some rather more obvious risks to their business (like, if you lend someone 130% of the value of his collateral, and if his current cashflow is insufficient to pay the interest let alone repay the principal, how do you expect to survive?) than those around personal data. So, if you’re a bank customer, it might not be wise to hope that, in the midst of all this turmoil, your personal data will be adequately protected. The facts speak for themselves: US organisations are on track to report at least 680 data breaches by the end of 2008, affecting more than 30 million records.

It is clearly the case that, with personal data, one can only rely on oneself to protect it!

Spear phishing thrives

Friday, July 13th, 2007

It’s amazing how social trends can often make people do the most stupid things. Sales of paper shredders have gone through the roof of late because the public has woken up to the identity theft risks of making personal data available to strangers. So far so good – an entirely intelligent response. So what makes the very same people then put all of their personal data online instead, through social networking sites like Facebook?! As this article rightly points out, this is an open invitation to phishing scams that can become far more targeted and convincing to the individual. I have no doubt that news stories of the first Facebook scam victims will be just around the corner.

If you are going to use sites like this, the important thing is to be very circumspect about what you reveal about yourself. You should share the bare minimum at all times. Of course, the really smart move is not to get involved in the first place (which sounds like a killjoy’s view right up until someone empties your bank account for you).

2007 threat projection

Monday, January 15th, 2007

The MessageLabs 2006 Annual Report makes interesting reading – the most important section, though, is the chapter dealing with their projections for 2007. They forecast a continuing increase in spam, growth in the threat to users of Instant Messaging, substantial growth in phishing attacks and domain kiting, and increasing encryption strength in ransomware. The suggestion that Windows Vista will be relatively quickly targeted is an issue that should be taken into account when considering upgrading.

Finally, the indication that low level, targeted attacks against businesses are likely to rise to 20 per day should be enough to get any semi-sane security manager paranoid about network security.

Phishing tackle

Sunday, November 19th, 2006

More evidence of the increasing sophistication of online fraud. Gartner says that phishing scams are increasingly targeting wealthy web users and that the number of adults to have received phishing e-mails has nearly doubled since 2004.

“The good news is that this year fewer people think they lost money to phishers, but when they did lose, they lost more,” said Gartner analyst Avivah Litan.

It will be interesting to see whether the anti-phishing measures in Microsoft’s IE7 have much impact on this, but my guess is that the best prevention will remain education, hence my book for home and SME users, ‘The Internet Highway Code’.

Get Safe Online

Tuesday, July 4th, 2006

Get Safe Online is out banging the drum for improved Internet security awareness amongst consumers and small businesses. As expected, their new survey reveals some strikingly relaxed attitudes (e.g. 25% of respondents were either not aware of phishing scams, or were unsure of how to protect themselves from being lured to fraudulent websites). Their government-backed website provides a good primer in some of the basics of Internet security, but for businesses that are growing from the sapling to young tree stage it is also helpful to have some more detail, hence my chapter for small businesses in ‘A Business Guide to Information Security’.

Moral Hazard

Wednesday, November 24th, 2004

“Mr. Calder, it’s your bank calling.”
“Yes?” I answer, cautiously, wondering what I’ve done wrong – or what has been done to me.
“For security, can I please ask for your telephone banking password?”
My mouth opens: “3..b (for bravo)…9…” and then my brain clicks in. “Why do you want to know?”
“So we know who you are, to protect you, sir.”
“Yes, but I know who I am, and you rang me – how do I know who you are?”
The call doesn’t last much longer; the “bank” offers to call me back “at a more convenient time”, by which it presumably means sometime when my brain won’t click in.

The number of “phishing” frauds that are initiated by telephone will increase over the months ahead; while they are more costly for criminals than the online version, the innocent bank customer is more likely to respond to the immediacy of a real human voice, particularly if a plausible excuse like “we want to confirm that some large transactions on your account today are genuine” is offered. Give the caller your telephone banking password (or the three digits on the reverse of your credit card) and you really can expect some large transactions to take place, probably within minutes – and, as the fraudsters are outside the UK, they’re unlikely to be caught.

As things stand, your bank is likely to foot the bill for your indiscretion. Once upon a time, this was called a “moral hazard”: if you do not personally pay the price for making a bad choice, you can go on making bad choices until….

Of course, in order to reduce their exposure, banks will increase the controls on normal people; it is already difficult to transact anything but minor business online and there are days when individual internet banking sites are not fully operative – all this, ostensibly, to protect their customers against themselves. Wouldn’t it be more helpful to more people if banks refused to compensate the victims of “phishing” fraud, thereby encouraging everyone to pay proper attention to their own financial affairs, while allowing the vigilant to continue about their everyday affairs unhindered? Or does the nanny-state mentality have to pervade the internet as well?

“Phishing” – are banks accountable?

Tuesday, November 16th, 2004

APACS has recently said that UK banks can’t be expected to go on compensating the victims of “phishing” attacks. I’m astonished that they ever did in the first place! And it’s hardly surprising that, when there is no cost to stupidity, people go on falling for these frauds.

“Phishing” attacks follow a fairly standard pattern: spam e-mails that look like they come from a bank (they use bank logos and internet addresses that include the bank’s name) ask the recipient to urgently log on and confirm their internet banking details. The reasons given for why you should do this are plausible but fraudulent. All banks say, in crystal clear terms on the home page for their internet banking sites, that they would never ask customers to “confirm details” of their accounts across the internet. And this is just common sense: banks invest very substantially in their computer and information security systems and have to comply with stringent data protection and privacy legislation – they would never be in a position where you had to “re-confirm” your data to them.
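As an added illustration (not part of the original post), the Python heuristic below checks the links in a message for exactly the pattern described above: a bank’s name appearing in the address while the actual hostname is not one of that bank’s own domains. The bank names, domains and sample e-mail are constructed examples.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: brand token -> domains that legitimately serve that brand.
# Hypothetical names for illustration only; a real deployment would load its own list.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "northbank": {"northbank.example"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def under_domain(host, domain):
    """True when host is the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def extract_urls(body):
    """Pull http(s) URLs out of a message body, dropping trailing punctuation."""
    return [u.rstrip(".,;:)]") for u in URL_RE.findall(body)]


def suspicious_links(body):
    """Return (url, brand) pairs whose authority part (userinfo@host:port) mentions
    a brand while the real hostname is not one of that brand's legitimate domains.
    Only the authority part is inspected, so a brand name in the path of an
    unrelated site (e.g. a news article) is deliberately not flagged."""
    hits = []
    for url in extract_urls(body):
        try:
            parsed = urlparse(url)
        except ValueError:  # e.g. a malformed IPv6 literal in the host
            hits.append((url, "unparseable"))
            continue
        netloc = parsed.netloc.lower()
        host = (parsed.hostname or "").lower()
        for brand, legit in BRAND_DOMAINS.items():
            if brand in netloc and not any(under_domain(host, d) for d in legit):
                hits.append((url, brand))
    return hits


# Constructed sample message, not a real phishing e-mail.
SAMPLE_EMAIL = """Dear customer, please log on urgently to confirm your details:
http://www.examplebank.example.secure-login.example/confirm
Your usual site is https://online.examplebank.example/login.
Also: http://northbank-verify.example/account and http://examplebank.example@attacker.example/
Unrelated: http://news.example/story/northbank."""

if __name__ == "__main__":
    for url, brand in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS ({brand}): {url}")
```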

This particular fraud has now had a lot of newspaper coverage as well. Surely we’ve reached the point where the banks should simply say: “if you fall for this fraud, please report it to the police. We will keep having fraudulent sites taken down as fast as you notify us of them, but we will not compensate you for your losses.” Would such a stance, combined with some newspaper headlines, not encourage internet bank users to be accountable for their own actions?