Is it safe?

Identity theft resulting in financial fraud costs Canadians more than
$2.5 billion every year, according to the Canadian Council of Better Business Bureaus. Most financial institutions will reimburse losses—but only if they are alerted promptly to the problem. It can also take months for victims to undo the damage to their credit rating.

Identity theft can affect anyone at any time. For example, when you open an email from the insurance or financial services company that manages your savings and investment account, you are directed to a URL for a login page where you can access account information. But you hesitate before clicking on the link. Is this email legit?

This example highlights a major concern of insurance companies trying to protect the privacy and personal information of their customers. Data leakage, the loss of information to unauthorized third parties, can occur with both incoming and outgoing communications. The very best technology and online security systems can only do so much to protect confidentiality. Human intervention is just as important.

Emails are not always secure. They can be intercepted; a company’s computer system can be hacked. Sensitive personal information, such as a bank or RRSP account number or a SIN—the single piece of personal information most valued by fraudsters—should never be sent by email.

On those rare occasions when sensitive information must be emailed, individuals should secure it in a password-protected document and send the password in a separate email.

Individuals must exercise caution if they receive an email with a link to a URL for an online login page. This may be a phishing attempt in disguise. A URL should only lead to a website’s home page or landing page. No one should become conditioned to click on any URL prompts.

As a service to customers, companies should publish a warning message with their emails that cautions about phishing dangers. This message should clearly state that company emails do not contain URL links to login pages.

To protect clients, companies can install extended validation (EV) security certificates on secure (https) websites. When used with newer versions of most browsers, EV security certificates will display green in the URL bar of a trusted website. Regular certificates undergo less rigorous verification and the URL bar may remain white, even on trusted websites. If the URL bar displays red, this means a website may be unsafe; in other words, its authenticity cannot be verified with a trusted public certificate authority.

Identity Access Management
Companies also need client identity management controls to allow easy but secure access to websites and login pages. There are three essential controls.

Secure self-registration This control questions or challenges an individual who tries to access a secure site. Is this individual the person that he or she claims to be? Effective identity verification procedures will determine whether the answer is yes or no.

During the registration process, users are asked to provide personal information to which only they are privy. This information is given to answer an identity verification challenge of their choice. An obvious example might be the name of a childhood sweetheart or a favourite television program.
The best prompts are more detailed or specific. For optimum security, for example, an individual could offer the exact dollar figure in the net income line of a recent tax assessment. A verification challenge should be unique, just like the person who creates it.

Strong password requirements The best passwords combine letters (upper and lower case), characters, numbers and symbols. Many systems will indicate the relative strength of a password when it is registered. Users should always choose a password that is “very strong.”

Robust password self-reset capabilities Long considered a viable safeguard, self-reset capabilities are no longer tamper-proof. Some resets use the same identity challenge and answer questions provided at registration. They also include captchas, the challenge-response programs with moving or warped letters and images to help protect websites from automated Internet bots or web robots. Captchas generate and grade tests that humans understand; however, computer programs with more advanced hacking applications can circumvent captcha protections.

Companies with strong security systems should install code analysis tools and perform intrusion testing to detect vulnerabilities in their networks. They should also survey clients on a regular basis to get feedback as to how well their verification controls are understood and being used.

Data Encryption
Companies also need powerful data encryption tools to protect outgoing as well as incoming information. Confidential data should be encrypted with such protocols as secure sockets layer (SSL), password-protected files (vaults) or pretty good privacy (PGP).

Standard Life, for example, uses data leakage protection (DLP) software to inspect and secure emails, websites, file transfer protocols and removable devices. DLP software logs, alerts, blocks and reports on confidential data to detect or prevent data loss.

Pressure for companies to implement data encryption technology often comes from their clients. They want assurances that their data is secure. Companies need to ensure their clients’ privacy and want to protect their own reputation. Employers often conduct audits of insurance providers to verify the robustness of their DLP software.

It’s Political
The technological aspects of data protection are also becoming top of mind at the political level. American lawmakers recently finalized rules requiring companies to help protect clients that invest, save or borrow money. Financial services and commodity trading companies regulated by the U.S. Securities and Exchange Commission and the Commodity Futures Trading Commission must adopt and implement programs to detect red flags and respond to indicators of possible identity theft.

Canada has legislation to help protect against the misuse of data. The Bank Act contains provisions regulating the use and disclosure of personal financial information at federally regulated institutions. The Personal Information Protection and Electronic Documents Act addresses the ways in which private sector organizations can and cannot collect, use and disseminate data. Individual complaints are heard by the Office of the Privacy Commissioner of Canada, but the commissioner’s conclusions are not binding. Complainants can seek address in the Federal Court. It has the power to order offending organizations to correct their practices, to publicize the steps they will take to do so and to award damages.

In the financial services industry, self-regulation helps protect client information. Banks and financial institutions offering credit cards use a common set of industry tools and measurements to ensure that sensitive information is handled safely. This Payment Card Industry Data Security Standard provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents.

Governments and businesses recognize that data leakage and the misuse of personal information can originate from unauthorized internal sources. Fraudsters have been known to recruit company insiders (think help desk employees) to gain access to sensitive data. Rigorous background checks during the hiring process can alleviate part of the problem. But some companies have gone further and developed clear-desk policies. Employees must store sensitive files in a secure location and lock their computers when they are not at their workstations. And desks must be cleared of all paperwork at the end of each working day.

Under a Cloud
With the growing popularity of cloud computing, new concerns have surfaced about information leakage from “data at rest.” This is the information contained in accessible files stored on databases. At present, few companies encrypt this data. In the future, however, many more can be expected to do so.

In the past, companies built firewalls around computer networks to contain or mitigate threats from external sources. With cloud computing, remote access, social media, mobile apps and “bring your own devices” to work, there are now far too many external and internal access points for organizations to easily contain sensitive data, whether it is at rest or on the go. The boundaries between external and internal access are disappearing fast.

To counteract against possible threats, companies need to “harden” their networks. They can minimize “holes” by building security layers, or internal firewalls, around network servers and databases. They should remove outdated access codes, as well as accounts and services that no longer align with their business objectives. They must rigorously apply security patches or updates. Security must be omnipresent throughout the network—not only at the perimeter.

This concept is known as zero trust. In the future, data will be “wrapped” to control leakage. It will have its own form of security. Systems will be able to record who accessed what data and when. Users will only be able to retrieve sensitive information if they have the required credentials. Data may come with a best-before date. Access will be restricted by allowing files to be opened for a limited number of times or for a specific period of time. It will become harder for users to copy or share files.

Fraudsters can be expected to develop new attack methods in their attempts to breach information networks and steal data. Companies are expected to work just as hard to curtail these threats and prevent data leakage.

Robert Boyer is senior architect, security, with Standard Life Canada. robert.boyer@standardlife.ca

Get a PDF of this article.