
Securing the Bank

Tech firm’s research finds security flaw in finance industry

BY KRIS BEVILL

Jeremy Neuharth is a tech guy who loves finance. In fact, he enjoys both industries so much that in 2010 he cofounded a technology company that focuses specifically on providing software solutions to banks and credit unions, primarily through custom software development, but also via online marketing services and website development. With just five employees, Fargo-based Sycorr Inc. is admittedly small, but it takes its niche role seriously. All Sycorr employees, present and future, attend bankers’ school on the company’s dime and must possess a passion for finance. If you want to be a Sycorr employee, “you better love banking, or you’re going to be miserable,” Neuharth says.

There is one thing Neuharth doesn’t love about the banking industry, however, and that is the level of technology being applied by industry members. It’s not entirely their fault. As Neuharth points out, financial institutions have had their hands full just keeping up with changing regulations and major back-of-the house technology initiatives, leaving little time or resources to implement the latest technological advancements.

In order to better gauge where the industry is as a whole with regards to technology implementation, Sycorr rolled out a complimentary service earlier this year, called Sycorr Insights, that allows banks and credit unions to see how they stack up against their competitors in areas including social media, mobile responsiveness and web security.

But the company soon uncovered a statistic that was entirely unexpected.

Input gathered through the service showed that 97 percent of the more than 11,000 banks and credit unions in the U.S. are susceptible to clickjacking, a method used by hackers to obtain an individual’s password by guiding them to a dummy website that looks nearly identical to the intended site. When the unsuspecting user tries to log on to his/her account on the fake website, the hacker obtains the password needed to access the user’s account on the real website.

The solution to clickjacking is simple, according to Sycorr. Five minutes and a simple line of code, “x-frame options deny,” are all it takes to make a website clickjack-safe, but Neuharth says many banks and credit unions likely inadvertently left themselves susceptible to clickjacking because they have been focusing too narrowly on protecting core data, putting up firewalls and carrying out other more intensive security issues, the banking equivalent to installing a high-tech security system in your home but leaving the front door unlocked.
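The kind of header check described above can be sketched as follows. This is an added example, not Sycorr's code; the host names and header sets are constructed, and it also looks at the Content-Security-Policy `frame-ancestors` directive, which goes beyond the single header the article names.

```python
# Added example: audit response headers for anti-framing protection.
# Host names and header sets below are constructed sample data.

PERMISSIVE_SOURCES = {"*", "http:", "https:"}  # frame-ancestors values that allow any site

def framing_protection(headers):
    """Return (protected, reason) for a dict of HTTP response headers."""
    h = {name.lower(): value.strip() for name, value in headers.items()}

    # A CSP frame-ancestors directive, when present, is enforced instead of X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = {t.lower() for t in tokens[1:]}
            if sources & PERMISSIVE_SOURCES:
                return False, "frame-ancestors allows any origin"
            return True, "frame-ancestors restricts embedding"

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "x-frame-options " + xfo.lower()
    if xfo:
        # e.g. the obsolete ALLOW-FROM form, which current browsers ignore
        return False, "x-frame-options value not honoured"
    return False, "no anti-framing header"

SAMPLES = {  # constructed responses from hypothetical public bank sites
    "bank-a.example": {"Content-Type": "text/html"},
    "bank-b.example": {"X-Frame-Options": "DENY"},
    "bank-c.example": {"X-Frame-Option": "DENY"},  # misspelt header name: no effect
    "bank-d.example": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "bank-e.example": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

def audit(samples):
    """Map each host to its (protected, reason) result."""
    return {host: framing_protection(hdrs) for host, hdrs in samples.items()}

def susceptible_share(samples):
    """Fraction of hosts whose pages can still be framed by another site."""
    results = audit(samples)
    exposed = [host for host, (ok, _) in results.items() if not ok]
    return len(exposed) / len(results)

if __name__ == "__main__":
    for host, (ok, reason) in audit(SAMPLES).items():
        print(f"{host:16} {'protected' if ok else 'FRAMEABLE'}  {reason}")
```

The header only takes effect when it is spelled `X-Frame-Options` with a value of `DENY` or `SAMEORIGIN`, which is why the misspelt and `ALLOW-FROM` samples still count as exposed.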

Clickjacking is often used in combination with other hack attacks, such as phishing emails, so it’s hard to predict how frequently hackers use clickjacking to steal personal information. Still, Neuharth says the statistics Sycorr uncovered were alarming enough that the company chose to risk offending potential customers by going public with the information in order to alert the industry to the issue.

“It’s not like we could go out and help [everyone],” he says. “We felt it was bigger than us trying to get clients.”

A Real Problem?

Clickjacking is just one of many tools in hackers’ ever-expanding toolkits, of course, and financial institutions must constantly work to stay ahead of all the latest attack methods.

Gary Inman, senior vice president, information technologies at Bell State Bank and president of the North Dakota Information Technology Council, says clickjacking is not believed to be one of the most commonly used hack attacks because it is a relatively time-consuming effort for the hacker. And while the Sycorr stats sound concerning, Inman points out that the study examined banks’ public websites, which are not usually the same websites used for Internet banking or financial transactions. “So even if you clickjacked a bank’s public website page, you’re not necessarily going to directly get in to a transaction system to be able to steal money,” he says.

Still, Inman admits the threat of hack attacks and variety of methods used keeps the IT community on its toes, especially those working to protect clients’ money. “Banks are generally all about risk management,” he says. “One security breach at a bank can be devastating, so security is at the forefront of pretty much everything we do.”

Inman says banks will most certainly continue to beef up their internal IT teams as they try to prevent becoming the next security breach story. “The bad guys are always attempting to be one step ahead of you, so just while you’re going to fix and understand the last way they did it, they’re on to their next,” he says. “We sometimes call it an arms race. Everyone’s just trying to weapon up and figure what they’re going to do next to stay ahead of their enemy.”

Kris Bevill, Editor, Prairie Business, 701-306-8561, kbevill@prairiebizmag.com
