With increase in online banking, banks now use elaborate ways to protect their data
By Deborah Jeanne Sergeant
Most financial institutions are insured in case of theft. But a newer form of criminal act can rob them of sensitive information: data breaches.
According to the Mobile Ecosystem Forum’s recent Mobile Money Report, 61% of Americans use their mobile phone to perform their banking, and of those, 48% use a banking app. Especially since so many people use mobile banking, banks have ramped up their security to further protect their customers.
“Criminals try to obtain data because it has value,” said Dan Phillips, senior vice president and chief information officer with Pathfinder Bank in Oswego. “Some criminals use stolen information to impersonate a customer for access to their money. Others sell stolen data to other criminals.”
To prevent this from happening, banks employ professionals dedicated to cybersecurity who ensure that only people who need to know can access the data and that it’s handled securely.
“Non-public information (NPI) is encrypted when stored and when in transit,” Phillips said. “Encryption is a huge piece of protecting information. Pathfinder Bank has extensive processes for using encryption on smartphones, tablets, laptops and of course, desktop computers.
“Any device that has data pass through it or stored on it, must have the ability to keep NPI data scrambled.”
Like other banking institutions, Pathfinder Bank performs scheduled cybersecurity assessments in addition to continuous scanning for computer changes that could represent a threat. Phillips added that the bank frequently evaluates and updates software to ensure that it’s as secure as it can be.
Outside verification of computer configurations and controls also helps, as Pathfinder hires specialty firms to offer third-party verification of its internal computer systems and those of the bank’s business partners.
“A good cybersecurity posture requires constant management of the technology and high levels of employee awareness,” Phillips said.
It can be tough to balance accessibility to customers while maintaining security for their information. That’s why encrypting mobile connections is so important.
“Encrypted data is essentially scrambled until the appropriate computer or phone displays the decoded information,” Phillips said. “Cybersecurity experts use tools to verify that high-value data is truly scrambled and that the ability to unscramble the data resides in appropriate places.”
That’s why configuration is so important. When a computer system isn’t properly configured, criminals can gain access to vital information.
Additional steps of verification for large transactions — beyond just a user name and password — also help block criminal activity.
Tim Miller, director of information security at Community Bank, said that in addition to firewalls and endpoint controls that work inside the organization, the bank also uses next-generation computer software that looks at suspicious behavior that is linked to illegal activities and attacks like ransomware or other malware.
“It’s all about having the ability to detect this before things happen,” Miller said.
Enabling the information technology department to identify if criminals are “poking around the network,” he said, allows Community Bank to remain proactive about potential attacks.
Of course, basic steps like employee background checks are also vital to preventing stolen data, as is meeting with colleagues in the banking industry.
“We have peer-to-peer groups we can bounce ideas off of if there’s widespread phishing attacks and malware attacks,” Miller said. “We can talk with other financial institutions. It’s important for us to work together.”
“The most important means of protecting yourself and your organization against these threats is education,” said Terra Carnrike-Granata, head of the information security team at NBT Bank. “That’s why NBT Bank makes Fraud Information Centers available on both our business and personal websites that provide alerts on the latest threats, information and tips, and details on the steps to take to report fraud.”