BID® Daily Newsletter
Feb 21, 2012

DEEP BRAIN STIMULATION AND BANKING


Have you heard about this one? Scientists have discovered that deep brain stimulation in the entorhinal area can lead to improved memory. It appears that stimulation in this area of the brain may reset the electrical rhythm of cells and memory encoding in the hippocampus. Since the entorhinal area is one of the first parts of the brain to be damaged by Alzheimer's, it also brings new hope that something can be done. For us, we are just glad that as we continue to age and forget things, we one day might be able to go into a body shop and get a brain zap to reset the old noodle and once again remember where we left all of our computer and access passwords.

Speaking of a little more deep brain stimulation and computers this morning, we delve into the realm of cyber threats to banking. Make no mistake that the bad guys have figured out the banks are where the money is, and they have hatched thousands of ways to try and get to it. In fact, the latest analysis from the Fed indicates the FBI is investigating over 400 reported cases of corporate account takeovers. These resulted in unauthorized ACH and wire transfers from the bank accounts of businesses and represent the attempted theft of over $255 million. As with the traditional kind practiced off a pier, computer "phishing" happens when thieves throw a line into the stream of information flowing into or out of a computer and attempt to steal information, such as usernames or passwords. The thieves use legitimate-looking "bait" in hopes that the potential victim will "bite" on the lure by clicking on a malicious link or opening a malicious attachment. Once that happens, thieves can steal financial information and passwords. Phishing has become quite prevalent, with RSA reporting that such attacks climbed from about 16,000 per month last year to almost 39,000 per month at the end of 2011. In the last 12 months, phishing cost companies nearly $1B in potential losses.
Just like its name sounds, "malware" is also really bad news. It is shorthand for malicious software and covers viruses, worms, Trojan horses, spyware, keyloggers, dishonest adware and other malicious programs. Malware has surged, and the latest data shows more than 1.1 million websites are infected. To get on top of these issues, banking regulators have issued recent supplemental guidance telling banks to focus more energy and resources on protecting data and access. In short, regulators expect banks to beef up online activity risk assessments and customer authentication, deploy layered security controls and enhance customer awareness/education programs. Banks are now required to conduct at least annual risk assessments, have layered security, have additional controls for commercial accounts, and evaluate and amend controls if needed. In addition, banks are required to improve customer education programs to emphasize the importance of cyber security. Risk assessments now have to consider changes in the threat landscape; the bank's own fraud experience; industry fraud trends; the customer base and activity; system or application functionality; and risk relative to account type.

At a minimum, regulations now require banks to have layered security that includes anomaly detection and response at initial customer login and at initiation of funds transfers to other parties. Layered security typically includes fraud detection and monitoring systems that consider customer history and behavior; dual authorization through different access devices; out-of-band verification for transactions; and "positive pay," debit blocks and other techniques that limit the transactional use of the account, to name a few. Finally, regulators want to be sure banks understand that simple techniques are no longer considered safe enough.
They expect banks to use more sophisticated techniques such as one-time cookies; reviewing a number of characteristics (including PC configuration, Internet protocol address and geo-location); and asking multiple challenge questions that do not rely on publicly available information, including a "red herring" question designed to trick the crook. Nothing will catch all cyber threats, but we hope this deep brain stimulation on the subject at least got you thinking about it.
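To make the layered-security idea concrete, here is an added illustration (our own toy code, not anything from the newsletter, the regulators or any bank's fraud system) of anomaly scoring at the two checkpoints the guidance names: initial customer login and initiation of a funds transfer. It scores a session against a per-customer baseline using the characteristics mentioned above (device fingerprint, IP address, geo-location, usual hours, payee history, amount relative to the customer's norm) and maps the score to a response tier: allow, step up to out-of-band verification, or block and alert for dual authorization. The baseline, the thresholds, the point weights and the session events are all constructed sample values, not real customer data.

```python
"""Toy layered-security anomaly scoring for online banking sessions.

Added example, not from the newsletter or any regulator.  Baseline,
weights, thresholds and events below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Baseline:
    """What the bank has seen from this customer before (constructed)."""
    known_devices: set          # device fingerprint ids seen at prior logins
    usual_countries: set        # geo-locations seen at prior logins
    known_ips: set              # source IPs seen at prior logins
    active_hours: Tuple[int, int]  # typical login hours, local time [lo, hi)
    avg_transfer: float         # mean outbound transfer amount
    known_payees: set           # payees this customer has paid before


# Score tiers (constructed): below STEP_UP the event is allowed outright.
STEP_UP = 30      # trigger out-of-band verification / challenge question
BLOCK = 60        # hold the event and alert for dual authorization


def decide(score: int) -> str:
    """Map an anomaly score to a response tier."""
    if score >= BLOCK:
        return "block_and_alert"
    if score >= STEP_UP:
        return "step_up_verification"
    return "allow"


def score_login(event: Dict, base: Baseline) -> Tuple[int, List[str]]:
    """Anomaly score for the initial login checkpoint."""
    score, reasons = 0, []
    if event["device"] not in base.known_devices:
        score += 30; reasons.append("new device fingerprint")
    if event["country"] not in base.usual_countries:
        score += 30; reasons.append("unusual geo-location")
    if event["ip"] not in base.known_ips:
        score += 10; reasons.append("new IP address")
    lo, hi = base.active_hours
    if not lo <= event["hour"] < hi:
        score += 10; reasons.append("login outside usual hours")
    return score, reasons


def score_transfer(event: Dict, base: Baseline, login_score: int) -> Tuple[int, List[str]]:
    """Anomaly score for the funds-transfer-initiation checkpoint."""
    score, reasons = 0, []
    if event["payee"] not in base.known_payees:
        score += 30; reasons.append("new payee")
    if event["amount"] > 3 * base.avg_transfer:
        score += 30; reasons.append("amount far above customer norm")
    if event["transfers_today"] >= 3:
        score += 20; reasons.append("unusual transfer velocity")
    if login_score >= STEP_UP:
        score += 20; reasons.append("session already flagged at login")
    return score, reasons


def process_session(login: Dict, transfers: List[Dict], base: Baseline) -> List[Dict]:
    """Score a login and each transfer it initiates; return one record per event."""
    login_score, login_reasons = score_login(login, base)
    results = [{"event": "login", "score": login_score,
                "decision": decide(login_score), "reasons": login_reasons}]
    for t in transfers:
        s, r = score_transfer(t, base, login_score)
        results.append({"event": "transfer", "score": s,
                        "decision": decide(s), "reasons": r})
    return results


# Constructed customer baseline (TEST-NET addresses, fictitious ids).
BASELINE = Baseline(known_devices={"dev-a1"}, usual_countries={"US"},
                    known_ips={"203.0.113.5"}, active_hours=(7, 20),
                    avg_transfer=2500.0, known_payees={"payroll-vendor"})

# Constructed session 1: usual device, then one routine and one new-payee transfer.
NORMAL_SESSION = (
    {"device": "dev-a1", "country": "US", "ip": "203.0.113.5", "hour": 9},
    [{"payee": "payroll-vendor", "amount": 2400.0, "transfers_today": 1},
     {"payee": "new-office-supplier", "amount": 900.0, "transfers_today": 2}],
)

# Constructed session 2: unknown device and location at 3 a.m., large transfer to a new payee.
SUSPICIOUS_SESSION = (
    {"device": "dev-z9", "country": "ZZ", "ip": "198.51.100.77", "hour": 3},
    [{"payee": "payee-unknown-42", "amount": 9800.0, "transfers_today": 4}],
)

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        for rec in process_session(*session, BASELINE):
            print(name, rec["event"], rec["score"], rec["decision"], rec["reasons"])
```

The point of the two checkpoints is that a transfer is judged in the context of how the session began: the same $9,800 payment scores higher when the login was already anomalous, which is what a system that "considers customer history and behavior" means in practice. Real deployments learn the weights from the bank's own fraud experience and tune the tiers against false-positive rates, rather than using fixed constants like these.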