
BAI Banking Strategies

Executive Report

The changing face of fraud in a digital age

January 2017

In this Issue

How AI tightens cracks and cracks down on crooks (page 8)

The chips fall where they may: EMV cards still vulnerable to fraud (page 12)

Lights, cameras, inaction threaten banking security (page 16)


Table of Contents

Countering hackers and attackers: What is your data breach response plan? (page 4)
To protect sensitive data, businesses must refocus on these best practices.

How AI tightens cracks and cracks down on crooks (page 8)
IoT systems that connect to IT networks streamline operations—but also give fraudsters ways to sneak in. Enter new AI-enabled solutions.

The chips fall where they may: EMV cards still vulnerable to fraud (page 12)
By stealing ‘replacement’ cards or fudging online purchases, hackers work the loopholes—and banks need to warn customers, experts say.

Lights, cameras, inaction threaten banking security (page 16)
Experts say it’s urgent to turn the focus back on finding and fixing internet vulnerabilities—and do it now—before the oncoming explosion of connected devices.

Letter from the Editor

With 2017 upon us, broken resolutions will soon pile up faster than unused gym memberships and “like new” diet books hastily marked for sale on eBay. But if personal goals fall by the wayside, professional ones set by the banking industry call upon us all to take pause, especially when it comes to bolstering fraud protection.

Even for the best efforts of relentless security experts and tireless IT teams, the challenges that face financial services in 2017 seem as vast as the exploding cybersphere itself. By one estimate, five billion new devices will be added to the Internet of Things (IoT) in the next five years. Five billion. The question is: How many additional soft spots does that give criminals to hammer?

The statistic is contained in Howard Altman’s story, “Lights, cameras, inaction threaten banking security.” It comes from Phil DuMas, who owns CTO Bell Curve Technology and serves as director of research and curriculum development for the non-profit National Cyber Partnership. “If they are compromised at a rate of even 10 percent, the internet as we know it is in real trouble,” DuMas says. And as Altman reminds us, it only took four compromised routers—each costing about $10—for criminals to fleece the Central Bank of Bangladesh for more than $80 million.

Where Altman catalogues the ways hackers can get in through the IoT, Anne Rawland Gabriel tells us how conscientious banks can keep them out. Her piece, “How AI tightens cracks and cracks down on crooks,” focuses on the revolutions within artificial intelligence that could give banks an upper hand this year.

“First up is user and entity behavior analytics [UEBA],” Gabriel writes. “Essentially, this technology establishes a behavioral baseline for everything—animate or inanimate—that connects to your network. After ascertaining connection norms, these solutions monitor for anomalies and raise an alert when risk levels reach your pre-determined thresholds.”

Deploying UEBA and other AI solutions will prove critical, for as financial institutions interconnect more devices through the IoT, even something as innocuous as a lightbulb can provide an entry way for hackers to exploit. That’s right: a lightbulb. Perhaps it’s an appropriate symbol for criminals who come up with devious ideas.

Even the much-heralded rollout of EMV chip technology in the U.S. has not been without its problems, writes Caitlin Kelly in “The chips fall where they may: EMV cards still vulnerable to fraud.” Yet a new technology called “Motion Code” shuffles the three-digit card verification value (CVV) code every 20 minutes or so, and thus holds promise in making EMV credit and debit cards much safer. It could also quash fraud activity at “card not present” (CNP) transactions that take place at e-commerce sites. While it’s too soon to tell whether enhanced CVV + EMV = virtually fraud free, there’s hope that Motion Code will tilt the anti-theft equation in the right direction.

It’s hack to the future – Unless the fraud fighters get there first

In the meantime, banks need a strong data breach response plan to counter hackers and attackers, writes contributor Rich Blumberg of CyberScout. The common-sense steps—too often ignored—range from tapping into additional resources to assembling the response team, which can include IT, risk management and public relations.

Fraud, data breach, hacks and the like will always be with us. But the banking industry has always held the power to meet fraud problems head on and create big wins on multiple fronts: with customers, with staff and in the public sphere via positive PR. Now more than ever, that power must be laser focused into resolve.

And in a month known for ambitious resolutions, what better time?

A veteran journalist who has served with the Chicago Tribune, Reuters Money and U.S. News & World Report, Lou Carlozo is the managing editor of BAI. Connect with him on LinkedIn.

Louis R. Carlozo, Managing Editor, BAI


Countering hackers and attackers: What is your data breach response plan?

To protect sensitive data, businesses must refocus on these best practices. By Rich Blumberg

Businesses would prefer to avoid the attention of cyberhackers, of course. But it seems just about every organization finds itself sitting in the crosshairs. As the number of breaches continues to rise, a prudent strategy for businesses is to have a plan for a quick, effective response if information has been compromised. A data breach response plan proactively outlines the actions a business must take, while it also provides a framework to match against emerging risks and update if the firm’s situation changes.

Developing a data breach response plan that is easy to follow and quick to implement gives businesses the chance to prepare necessary resources in advance and mitigate the damage an exposure can inflict. Leaving key tasks to the last minute is unwise and can impact the timeliness and expense of a breach response. Likewise, hastily pulling the plug on a single server without seeking guidance from an experienced technology expert may not shut down the unauthorized access that caused the exposure—and that leaves the business open to further harm. Worse, it may even erase key information a computer forensics company may need to assist the investigation. Getting a firm’s ducks in a row before a breach is critical; here are four steps to help you reach that goal.

Tap into additional resources

One component of many small business breach response plans is to access the financial and technical support available through a well-structured cyber liability insurance policy. Coverage options vary widely, so a business or its insurance broker must carefully examine its needs before choosing a policy. For firms with lean internal resources and thin financial margins, the right cyber liability coverage can prove a key asset when implementing a breach response plan.

Assemble the team

Who needs to respond to a breach? Before trying to pull together more than a cursory list of post-exposure action items, the firm must identify those individuals or groups that should be contacted in the event of a potential breach. The team will vary from one business to the next, but most organizations will want to include representatives from the executive group; legal (either internal or an outside consultant); privacy or information security; risk management; information technology; human resources; and public relations.

Given the growing reliance on external partners—cloud providers, payroll processors and the like—firms should also consider vendor touch points and how or when those third parties will contribute to the breach response process. They may need to be included on the contact list or may even be responsible for raising the initial alarm if a breach occurs. It’s also important to ensure that vendor contracts clearly spell out the company responsible when a breach occurs, and who is liable for notifying those impacted. Other vendors commonly take part in the response team, such as media relations consultants experienced in crisis management and notification firms with the needed resources to quickly inform breach victims.

If the business has cyber liability coverage, the insurance company should also be part of the plan. Support services included in many policies will help in the event of an exposure, calling on experts from forensic investigation teams to data recovery specialists.


To maximize the value of any applicable coverage, firms must be ready to access available features quickly and through the most efficient channels.

Consider where legal obligations exist

Laws, rules or regulations will likely influence the design and implementation of a business’s incident response plan. Often these state and/or federal laws cover how and when to notify breach victims. Timeframes are strict in many instances, so it’s important to understand all obligations in detail and incorporate them into the response plan.

Businesses that handle particular data types—such as financial information, personally identifiable information or medical data—may have additional mandates that guide their breach responses. It may be necessary to notify one or more regulatory agencies or other oversight groups, and report the incident in one form or another. This may also come with a provision to forward investigative findings for review once the incident has been scrutinized and determinations on cause and scope made.

Create the response plan

With the team in place, it’s time to identify the steps to take when breaches occur. These action items should be general enough to accommodate a range of breach types and triggers. For example, one step may be to shut down access to any compromised technology, whether an unsecured Wi-Fi access point or breached server. Or the response plan may halt a check run if it’s discovered that personalized inserts don’t match an address on the outside of the envelope. Generally, the action items will entail a cursory investigation to find the

cause of the breach, do what’s necessary to quickly plug the leak and then look for solutions to minimize harm and notify victims. Communication channels should also be delineated, identifying those responsible for initiating the response plan and which functional area(s) will coordinate the activities of any third-party vendors. This ensures the right outside experts are ready to go on short notice and also avoids time- and money-wasting duplication of efforts across various sub-teams.

Treat a breach response plan as a living document. The importance of putting a framework around these action steps can’t be overstated. A swift, effective response may mean the difference between managing the post-exposure situation to mitigate harm to victims (as well as the business itself)—or bumbling through the process with missed regulatory deadlines, unhappy (and potentially litigious) victims and the company facing ongoing reputational and financial damages. Properly prepared and proactive, compromised companies can stop the reach of the breach.

Rich Blumberg is a business development director for CyberScout.


ARE YOUR CUSTOMERS PROTECTED?

IDENTITY FRAUD AND DATA BREACHES: BANK ACCOUNT TAKEOVER • EMAIL PHISHING SCAM • FINANCIAL DOCUMENTS STOLEN • THIRD-PARTY VENDOR BREACH EXPOSED PERSONNEL RECORDS • LOST WALLET

CyberScout, formerly IDT911, pioneered the banking industry’s first identity protection program nearly 15 years ago, and today remains at the forefront of fraud and cyber protection. Our name has changed, but our dedication to helping banks and their customers prevent, protect, and recover from fraud remains the same.

In a time of crisis, most fraud victims—78 percent—will call their financial institution for help first. Make sure your institution is prepared to protect your customers.

CyberScout partners with banks nationwide to provide comprehensive fraud monitoring, and identity and data defense services to serve the unique needs of your customers. We also offer product development assistance, as well as sales, marketing and product training to help you:

• Attract new customers and strengthen customer relationships
• Generate non-interest income revenue
• Stand out from the competition

Contact us to see how we can join together in the fight against fraud.

Visit www.CyberScout.com or call 888.682.5911 to learn more.



How AI tightens cracks and cracks down on crooks

IoT systems that connect to IT networks streamline operations—but also give fraudsters ways to sneak in. Enter new AI-enabled solutions.

By Anne Rawland Gabriel

How many hackers does it take to invade an LED light bulb? It doesn’t matter, because once inside they can defraud you of millions.

That’s the reality banks face as they embrace the operational advantages offered by enterprise Internet of Things (IoT) solutions such as network-controlled lighting, HVAC, door locks and plumbing pipe sensors. But there’s a dark side: relatively weak security protocols due to lethargic standards evolution. To an attacker, this makes a single IoT lightbulb look like a hulking airplane hangar door.

But relying on a cybersecurity approach referred to as “M&M”—yes, as in the chocolate candy—no longer goes far enough. “Banks need to shift their cybersecurity focus from being hardened around the perimeter, but soft on the inside, to being crunchy throughout,” says Dan Cummins, senior analyst for information security at 451 Research.

Fortunately, some smart new kids on the block offer a couple of effective types of cybersecurity solutions that leverage machine learning, a form of artificial intelligence (AI), to plug the human fallibility gap. Neither category of recent arrivals replaces existing perimeter-based defenses. Instead, they’re a component of today’s multi-layered strategies for making your institution crunchy throughout.

That’s crucial because once an attacker infiltrates a business partner, it’s a sure bet they’ll hunt down legitimate credentials used for automated electronic communications such as those with your institution. “You have to assume your supply chain can be corrupted and infiltrated,” says Avivah Litan, VP and distinguished analyst at Gartner.


Yet there are new ways to thwart hackers before they dial up fraud. First up is user and entity behavior analytics (UEBA). Essentially, this technology establishes a behavioral baseline for everything—animate or inanimate—that connects to your network. After ascertaining connection norms, these solutions monitor for anomalies and raise an alert when risk levels reach your pre-determined thresholds.

For example: If a person who most often accesses your network on their laptop during business hours suddenly logs in on a Sunday evening from a nearby location, this may not qualify as risky behavior because they could just be working from home. On the other hand, if a light bulb starts accessing multiple commercial deposit accounts and transferring funds to an external location on a Sunday evening, alarms would most certainly ring.

Anne Rawland Gabriel is a contributing writer to BAI Banking Strategies who has spent more than 20 years writing about business and business technologies as a journalist and marketing communications consultant. She is based in the Minneapolis/St. Paul, MN metropolitan area.

In a nutshell, UEBA provides the machine learning and advanced analytics needed to find needles in a haystack, says Litan. “For bankers, UEBA does for insider threats what fraud detection has been doing for years—and then some.”

“Bankers are familiar with machine learning for deposit accounts and credit card fraud, but not around employees, contractors or trusted IoT systems,” she continues. “UEBA brings advanced analytics to these other types of threats, making such solutions another critical layer in your security arsenal.”
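The baseline-then-threshold logic described above, as an added Python example that is not part of the original article or of any vendor's UEBA product. The entity names, event fields, point values and alert threshold are constructed assumptions; the two Sunday-evening scenarios (a laptop logging in from nearby, a light bulb reaching into deposit accounts) mirror the ones in the text.

```python
"""UEBA-style anomaly scorer over constructed events (added example).
Learn per-entity baselines (actions, hours, locations, targets) from past
events, then add risk points for every deviation in new events and alert
once the score reaches the operator's pre-determined threshold."""
from collections import defaultdict
from dataclasses import dataclass, field

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 is treated as normal working time
ALERT_THRESHOLD = 60            # operator-chosen (assumed); a score >= this alerts


@dataclass(frozen=True)
class Event:
    entity: str       # who or what connected, e.g. "alice-laptop", "lobby-bulb-17"
    weekday: int      # 0 = Monday ... 6 = Sunday
    hour: int         # 0-23, local time
    location: str     # "office", "nearby" (home / local ISP) or "remote"
    action: str       # "login", "read_account", "transfer", "report_status", ...
    target: str = ""  # account id or destination; "" when not applicable


@dataclass
class Baseline:
    actions: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    locations: set = field(default_factory=set)
    targets: set = field(default_factory=set)


def build_baselines(history):
    """Learn one Baseline per entity from a list of past (trusted) events."""
    baselines = defaultdict(Baseline)
    for ev in history:
        b = baselines[ev.entity]
        b.actions.add(ev.action)
        b.hours.add(ev.hour)
        b.locations.add(ev.location)
        if ev.target:
            b.targets.add(ev.target)
    return dict(baselines)


def score_event(ev, baselines):
    """Return (score, reasons) for one event against the learned baselines."""
    b = baselines.get(ev.entity)
    if b is None:                      # never-seen entity: fully anomalous
        return 100, ["entity has no baseline"]
    checks = [                          # (deviation present?, points, reason)
        (ev.action not in b.actions, 40, f"new action {ev.action!r}"),
        (ev.hour not in b.hours and ev.hour not in BUSINESS_HOURS, 10,
         "outside observed and business hours"),
        (ev.weekday >= 5, 5, "weekend"),
        (ev.location not in b.locations,           # nearby is mild, remote is not
         30 if ev.location == "remote" else 10, f"new location {ev.location!r}"),
        (bool(ev.target) and ev.target not in b.targets, 15,
         f"new target {ev.target!r}"),
    ]
    score = sum(pts for hit, pts, _ in checks if hit)
    reasons = [why for hit, _, why in checks if hit]
    return score, reasons


def evaluate(events, baselines, threshold=ALERT_THRESHOLD):
    """Score a batch; return {entity: (max_score, [(event, score, reasons), ...])}."""
    result = {}
    for ev in events:
        score, reasons = score_event(ev, baselines)
        best, alerts = result.get(ev.entity, (0, []))
        if score >= threshold:
            alerts.append((ev, score, reasons))
        result[ev.entity] = (max(best, score), alerts)
    return result


# Constructed weekday history: an analyst's laptop and a networked light bulb.
HISTORY = [
    Event("alice-laptop", 0, 9, "office", "login"),
    Event("alice-laptop", 1, 10, "office", "read_account", "ACC-001"),
    Event("alice-laptop", 2, 14, "office", "read_account", "ACC-002"),
    Event("lobby-bulb-17", 0, 8, "office", "report_status", "lighting-ctl"),
    Event("lobby-bulb-17", 1, 12, "office", "report_status", "lighting-ctl"),
    Event("lobby-bulb-17", 2, 18, "office", "report_status", "lighting-ctl"),
]

# Constructed Sunday-evening events: the two cases the article describes.
SUNDAY_EVENING = [
    Event("alice-laptop", 6, 20, "nearby", "login"),
    Event("lobby-bulb-17", 6, 20, "office", "read_account", "ACC-001"),
    Event("lobby-bulb-17", 6, 20, "office", "read_account", "ACC-002"),
    Event("lobby-bulb-17", 6, 20, "office", "transfer", "external-bank"),
]

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for entity, (best, alerts) in evaluate(SUNDAY_EVENING, baselines).items():
        print(f"{entity:14s} max score {best:3d}  {'ALERT' if alerts else 'ok'}")
        for ev, score, reasons in alerts:
            print(f"    {ev.action} -> {ev.target or '-'}: {score} ({'; '.join(reasons)})")
```

The laptop scores 25 (off hours, weekend, new-but-nearby location) and stays below the threshold, while each of the bulb's account events scores 70 because the action itself is outside its baseline.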

The other new AI-enabled security strategy layer is threat deception technology. It turns your entire computing environment into an intelligent, self-learning equivalent of a malware mousetrap. Deception solutions lure attackers into engaging with a virtual decoy and, in the process, revealing themselves. Simultaneously, the solution reports the infection to the individual, or group of people, authorized to take action.

Just one of threat deception’s advantages is uncovering the most troublesome type of assault: zero-day. Whether targeted at your specific institution or at a vulnerability affecting many companies, zero-day malware takes advantage of software and hardware weaknesses that are unknown to the vendor or end user—often to spectacular effect.

On the value of threat deception, Cummins minces no words. “Deception technology is essential in banking,” he says. “It provides high efficacy that what you’ve detected is a real threat and not a false alarm.”

In addition, such solutions permit following a threat’s lifecycle. “As attacks move throughout your systems, they typically uncover ways to escalate their privileges,” says Cummins. “Understanding the tactics and procedures of the current attack allows you to foreclose on the next one, quickly, as you gain a list of items you need to fortify before the next intrusion begins.”

Indeed, the need for AI intervention has never been greater.

Regardless whether malicious actors enter via your IoT systems or someone else’s, one major factor for carrying out fraud is time. The longer an attacker pokes around your network, the more likely they are to get away with the cash. Respected studies say hackers now spend around 150 days, on average, inside a network before they’re detected: plenty of time to gain a foothold, infect multiple systems, harvest vital data and phone it all home.

Traditional threat detection systems also break down because they depend on a human investigating an alert – with any given bank experiencing dozens, hundreds or thousands of alerts every day. But given the accelerating adoption of enterprise IoT, the cybersecurity white hats will likely engineer even more ways to protect your network-connected systems from the black hats.

In the meantime, adopting one of today’s advanced AI-enhanced solutions helps ensure you get some sleep when you turn out the lights.



The chips fall where they may: EMV cards still vulnerable to fraud

By stealing ‘replacement’ cards or fudging online purchases, hackers work the loopholes—and banks need to warn customers, experts say.

By Caitlin Kelly

It’s been little more than a year—October 1, 2015—since EMV cards were introduced to American consumers. Yet EMV cards—vaunted as a hacker-proof solution to the data breaches and fraud plaguing users of traditional credit cards—have so far not lived up to their promise.

Experts agree that the ongoing challenge of safely using an EMV card centers on verifying the user’s true identity in e-commerce transactions, or any purchase made with the card not present (CNP).

In other words: The chip can’t do its job at the point of sale if the physical card isn’t there, especially if the fraudster can impersonate the owner.

“There is a risk in utilization, and that’s the problem that has really taken off,” warns Ian Holmes, Banking Fraud Solutions Manager at SAS.

Credit card companies “have all been discussing this for a long time. They’ve all been doing this in lockstep and they’re all feeling the pressure” to minimize fraudulent use, Holmes says. “It’s really quite difficult.”

While banks can now re-issue new cards more quickly than before, “There’s a cost-benefit to that. They should really focus on real-time prevention and try to prevent fraud in the first place,” Holmes notes.

Replacing hacked cards “also exposes you to another problem,” that of “non receipt”—i.e., the intended cardholder never gets it, a challenge Holmes calls “vast” in scope.

“The bank doesn’t really know who got the card and American banks are so customer-service oriented they didn’t want to acknowledge this,” Holmes observes. “That’s a great shame and [tightening security around new card authentication] will make the industry safer.”

CVVs on the move

Nor has it helped matters that America’s EMV rollout has been, to say the least, uneven. It’s not unusual, for example, to shop at a hardscrabble thrift store that takes EMV and then go to a boutique retailer that still only takes the magnetic stripe. And no amount of EMV muscle can keep a flimsy magstripe from getting hacked.


American cardholders, insistent upon speed and convenience, have found the slower authentication speeds of EMV “very friction full,” says Philip Andreae, vice president of field market at Oberthur Technologies. Founded in 1984, the French digital security firm has taken on EMV challenges in Europe since it went live there more than a decade ago.

Oberthur’s latest wrinkle in card security is a novel one: turning that once-static, three-digit card verification value (CVV) code on the back of credit and debit cards into an ever-changing element.

Thus even when a fraudster has a card in hand and starts to use it, “the value that was on the card when they acquired it is no longer the right value,” Andreae says. “The number on the back of the card has changed.”

Like a Kindle, the ever-shifting CVV uses e-ink, along with a battery that lasts three years. Called “Motion Code,” the technology embeds a tiny computer into every EMV card, enabling up to 72 CVV changes every 24 hours—every 20 minutes on average.

Visa Canada is using the new cards, Andreae says, and is “very supportive of this product” even though the new system has only been in place since 2014. Motion Code is also being used in France by Crédit Mutuel, a retail bank.

Europeans, accustomed to purchasing a charge card, pay €12 (about $12.56) for theirs. The test is barely a month old, but 400 customers a day are buying the new card, says Andreae—and Crédit Mutuel has between 12 and 13 million customers.

Granted, banks need to factor in higher costs; Motion Code cards cost five to 10 times more to manufacture, between $5 and $15 each. But the new card offers the bank two distinct advantages: They attract Millennial buyers and give bank staff “something to sell and something exciting” beyond the usual mortgage or auto loan, Andreae adds.

Cardholders love the “wow factor,” he adds: “It gains a ‘top of wallet effect’ and that’s significant.” Meanwhile, it reduces fraud and lowers the banks’ cost of managing it, currently estimated at 50 to 120 hours for each fraudulent event.

‘A false sense of security’

While EMV continues to ramp up in the U.S., experts contend that banks must take a more active stand against card fraud by more actively engaging and empowering cardholders.

“Chip cards are not a huge protection for consumers, but a way for banks and processors to push liability off onto the retail sector,” says Ben Woolsey, president and general manager of CreditCardForum. “Consumers are just as vulnerable as they have ever been but these new cards have created a false sense of security for them. They’re supposed to be more secure, so cardholders assume that they are. But it’s really a game of ‘hide the ball.’”

Woolsey recommends that banks “should take advantage of every touchpoint they have with customers and make them aware of the risks of fraud and of cardholders’ responsibilities. People will check their Facebook five times a day. We need to get in the habit of keeping an eye on our financial accounts because they can leave us vulnerable.”

In the end, EMV may work best in tandem with other new technologies aimed at CNP transactions such as iris recognition, voice biometrics and face recognition. (The latter two methods recently went live on Citi’s banking app.)

The most sophisticated forms of CNP authentication “are just starting to be adopted, even though they’ve been around for a few years,” Holmes says. It might be something as subtle, but distinctly personal to each legitimate cardholder, as knowing exactly “the way you hold your phone or how quickly you type.”

And should those high-tech identifiers soon come to pass, banks will know their customers in myriad ways that even the craftiest hacker can’t.

Caitlin Kelly, winner of a Canadian National Magazine Award for humor, is a frequent contributor to The New York Times. She is also the author of “Malled: My Unintentional Career in Retail” (Portfolio 2011) and “Blown Away: American Women and Guns.” A former reporter for the Toronto’s Globe and Mail, Montreal Gazette and New York Daily News, she also blogs about retail, travel and the freelance life on her own site, Broadside.


Lights, cameras, inaction threaten banking security

Experts say it’s urgent to turn the focus back on finding and fixing internet vulnerabilities—and do it now—before the oncoming explosion of connected devices.

By Howard Altman

Back in the good old days, robbers had to show up at banks, guns drawn, to make illicit withdrawals. Good thing that security cameras were in place to catch the bad guys.

But now—in an ironic, 21st-century feat of high-tech swindling—fraudsters can use those same cameras to access millions and millions of dollars, and escape without so much as a single second of video to identify them.

So don’t bet on them getting caught in broad daylight, and especially not bulb light: Criminals can crack your security through something as innocuous as a lightbulb. In fact, any device hooked up via the interconnected world known as the Internet of Things (IoT) is vulnerable. (See Anne Rawland Gabriel’s story, “How AI tightens cracks and cracks down on crooks,” pg. 8)

How are high-tech fraud perpetrators getting in? Here we reexamine two prominent cases that criminals are no doubt studying closely—perhaps even more so than authorities—along with common-sense preventative measures.

An optical illusion: The mirage of Mirai

A massive attack last October on the Dyn company, which took out social media websites such as Twitter, should serve as a major warning to banks, says Florida cybersecurity expert Stu Sjouwerman, CEO of KnowBe4 Inc. Cyberthugs used compromised security cameras at the internet performance management firm to insert a computer virus called Mirai that kept picking security locks until it found its way inside Dyn’s system.

“There are definitely risks here,” Sjouwerman says. “Any IoT device with insufficient default security built in—and very few have it—is a cyberheist waiting to happen.”

How does the Mirai botnet do its dirty work, exactly? According to the Krebs on Security website, “Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”

Vulnerability across the board is potentially massive, says Phil DuMas, who owns CTO Bell Curve Technology and serves as director of research and curriculum development for the non-profit National Cyber Partnership.

“If the bad guys start building combinations of attacks based on compromised devices within a network it will be very, very difficult to stop them short of completely pulling the plug,” says DuMas.

He cites this example: “How about if your camera started capturing login credentials and reported them to somewhere in China? If I were a bad guy that could get hold of an IP Camera, I would use it to watch the login screen or keyboard of the admin logging into the servers, or the CFO at his console, and steal a company blind.”

Yet Dyn went beyond the expected mea culpa to highlight a greater good in a blog about what it calls a “complex and sophisticated attack.”

“The attack opened up an important conversation about internet security and volatility,” wrote Scott Hilton, Dyn’s EVP of Product. “It has also sparked further dialogue in the internet infrastructure community about the future of the internet.”

Indeed, the time for that conversation is now.

“It did not take millions or billions of interconnected IoT devices to bring this company to its knees,” says DuMas. “It was 150,000. Over the next five years it is projected that five billion new IoT devices will be added—and if they are compromised at a rate of even 10 percent, the internet as we know it is in real trouble.”

Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.

Router roulette: Parlaying a $40 bet into $80 million

The costliest example of bank vulnerability took place just about a year ago. In February 2016, cyber criminals broke into the network of Bangladesh Bank, the country's central bank, and issued fraudulent payment instructions for $951 million from its account at the Federal Reserve Bank of New York. The cold comfort was that they didn't get nearly that far, as most of the payments were blocked.

Still, more than $80 million was taken. Some of the money, $4.6 million, was routed to a casino junket operator in the Philippines, Kim Sin Wong, who has denied any wrongdoing. Meanwhile, most of the remaining stolen funds have not been recovered. How did the hackers get in?

You don’t need thousands of dollars in dynamite to blow up a safe when you can do the digital equivalent of prying open cheap, second-hand routers. Each of the bank's routers cost about $10, according to Tech Times, and investigators counted just four of them, in a windowless office measuring 12 by 8 feet, connecting the bank's SWIFT terminals to the rest of its network, according to Reuters, which also reported that the bank had no firewall. With nothing separating those terminals from the general network, attackers who got inside could reach them and send payment instructions through SWIFT, the messaging system banks use worldwide.

Scarier still, the attack gives copycats a blueprint to assault equally ill-prepared institutions. Meanwhile, SWIFT warns cyberattacks on banks will only increase.

The IoT “is going to be a huge risk” if banks don’t “deploy a set of rules for qualifying a device before putting it on the network,” says DuMas. “You would think this is already taking place. But recent events have shown this to not be true.”

Plugging holes before pulling the plug: Six smart steps

It doesn’t have to come to pulling the internet plug, says DuMas, who offers a number of steps banks can take to protect themselves throughout existing systems.

• Never deploy an unknown device. Configure it, test it, run it in a sandbox environment first and record who and what it talks to. Anything it contacts that you cannot explain is a reason not to deploy it.

• Deploy IoT devices on a separate, firewalled network segment, with rules that allow only the traffic each device actually needs to and from mission-critical systems.

• Change factory-default usernames and passwords on every device, and avoid obvious replacements (“password1234,” for example). Default credentials are exactly what Mirai looks for.

• Monitor everything. That especially means traffic to and from IoT devices: a camera or sensor has a narrow job and should generate a small, predictable amount of traffic to a few known destinations, so a new destination or a surge in volume stands out.

• Never put a device directly on the Internet if you don’t want the world to see it. Sites such as https://www.insecam.org/ index cameras whose owners did.

• And lastly, subscribe to alerts from the U.S. Computer Emergency Readiness Team (US-CERT) so you learn when vulnerabilities in, or active attacks against, your devices are disclosed and can follow the recommended steps to secure them.
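The Mirai behavior described earlier (probing devices on their telnet ports for default logins, then using them to hurl traffic at a target) and the first and fourth of DuMas's steps (sandbox a device and learn who it talks to; monitor IoT traffic because it should be small and predictable) can be turned into one concrete check. The Python script below is an added example written for this article; it is not code from the BAI report, from Dyn, or from any vendor mentioned here. It learns a per-device baseline of peers and outbound rate from a sandbox capture, then flags four things in production flow records: a device on the segment that has no baseline, a baselined device contacting a new peer, Mirai-style fan-out on ports 23 and 2323, and an outbound volume spike consistent with taking part in a DDoS. The record format, device addresses, thresholds and every log line are constructed for the illustration.

```python
"""Baseline-and-alert monitor for a firewalled IoT segment.
Added example for this article, not code from the BAI report, from Dyn or from
any vendor it mentions. Record format, addresses, thresholds and all log lines
are constructed for illustration."""
from collections import defaultdict, namedtuple

TELNET_PORTS = {23, 2323}  # ports Mirai's scanner tries default logins on
SCAN_FANOUT = 5            # distinct telnet targets from one device before alerting
VOLUME_FACTOR = 10         # outbound bytes/sec over baseline before alerting

Flow = namedtuple("Flow", "ts src dst dport out_bytes")  # ts in seconds


def parse_flows(lines):
    """Parse constructed 'ts src dst dport bytes' records; '#' lines are comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def group_by_src(flows):
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    return by_src


def outbound_rate(flows):
    """Average outbound bytes/sec over the span the flows cover."""
    span = max(f.ts for f in flows) - min(f.ts for f in flows) + 1
    return sum(f.out_bytes for f in flows) / span


def build_baseline(sandbox_flows):
    """Step 1: record, per device, who it talked to in the sandbox and at what rate.
    Review the peers before accepting them: whatever is here becomes allowed traffic."""
    return {src: {"peers": {(f.dst, f.dport) for f in flows}, "bps": outbound_rate(flows)}
            for src, flows in group_by_src(sandbox_flows).items()}


def detect(prod_flows, baseline):
    """Step 4: compare production traffic with the baseline; returns (device, kind, detail)."""
    alerts = []
    for src, flows in group_by_src(prod_flows).items():
        if src not in baseline:
            alerts.append((src, "unknown-device", "no sandbox baseline; should not be on this segment"))
            continue
        base = baseline[src]
        # New peers: destinations the device never contacted in the sandbox.
        for dst, dport in sorted({(f.dst, f.dport) for f in flows} - base["peers"]):
            if dport not in TELNET_PORTS:  # telnet fan-out is reported separately below
                alerts.append((src, "new-peer", f"{dst}:{dport}"))
        # Mirai-style scanning: one device probing many hosts on telnet ports.
        scan_targets = {f.dst for f in flows if f.dport in TELNET_PORTS}
        if len(scan_targets) >= SCAN_FANOUT:
            alerts.append((src, "telnet-scan", f"{len(scan_targets)} targets"))
        # Volume spike: a camera pushing 10x its normal rate is probably a DDoS node.
        bps = outbound_rate(flows)
        if base["bps"] > 0 and bps > VOLUME_FACTOR * base["bps"]:
            alerts.append((src, "volume-spike", f"{bps:.0f} B/s vs baseline {base['bps']:.0f} B/s"))
    return alerts


# Constructed sandbox capture: camera 10.20.0.11 streams to an NVR on RTSP/554
# and syncs time with the local NTP server; nothing else.
SANDBOX_LOG = """\
# ts src dst dport bytes
0 10.20.0.11 10.20.0.2 554 4000
1 10.20.0.11 10.20.0.2 554 4200
2 10.20.0.11 10.20.0.1 123 76
3 10.20.0.11 10.20.0.2 554 3900
"""

# Constructed production records: the same camera probes five hosts on telnet,
# contacts an unknown host on 443, floods a DNS server, and a second device
# (10.20.0.12) shows up that was never sandboxed.
PROD_LOG = """\
100 10.20.0.11 10.20.0.2 554 4100
101 10.20.0.11 203.0.113.7 23 60
101 10.20.0.11 203.0.113.8 23 60
101 10.20.0.11 203.0.113.9 2323 60
102 10.20.0.11 203.0.113.10 23 60
102 10.20.0.11 203.0.113.11 23 60
103 10.20.0.11 198.51.100.5 443 120
104 10.20.0.11 192.0.2.44 53 900000
105 10.20.0.11 192.0.2.44 53 900000
106 10.20.0.11 192.0.2.44 53 900000
107 10.20.0.12 10.20.0.2 554 4000
"""


def run_demo():
    """Build the baseline from the sandbox capture and scan the production records."""
    baseline = build_baseline(parse_flows(SANDBOX_LOG.splitlines()))
    return detect(parse_flows(PROD_LOG.splitlines()), baseline)


if __name__ == "__main__":
    for device, kind, detail in run_demo():
        print(f"{device:12} {kind:15} {detail}")
```

Two caveats a practitioner will hit. First, the sandbox baseline is only as good as the review of it: a device that phones home to a vendor cloud during sandboxing gets that destination allowlisted, which is precisely the judgement step one asks you to make before deployment. Second, the thresholds are deliberately low so the constructed data trips every check; in practice tune SCAN_FANOUT and VOLUME_FACTOR per device class and feed the functions real flow exports (NetFlow/IPFIX or firewall logs) from the segment's firewall rather than hand-written records.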


©2017 BAI. All Rights Reserved. 01/17

Past Issues: Find all BAI Banking Strategies Executive Reports and ongoing retail banking editorial coverage at bankingstrategies.com.

Upcoming Issues

December 2016 A look ahead to U.S. retail banking in 2017

March 2016 Payments for convenience and security

May 2016 Marketing’s new horizon

July 2016 Wealth management for retirement

August 2016 Banking’s digital transition

October 2016 Evolution of the branch

February 2017 Mobile payments on the march

March 2017 FinTech: From disruptor to partner

April 2017 Navigating the compliance curve