On guard

January 1, 2009 | Last updated on January 1, 2009

Times are tough. And they’re going to get tougher. And in these desperate times, some will turn to desperate measures.

Identity theft, already an established criminal enterprise thanks to the placing of so much customer data on hard drives and the ability to use the Internet and search for people’s particulars, is bound to increase as intervals between legitimate paycheques lengthen.

At a recent conference covering identity theft and related issues, Brendon Lynch, Microsoft’s director of privacy strategy noted lost or stolen laptops, mobile phones and PDAs account for half of all data breaches which can ultimately lead to identity theft.

That’s bad news for advisors, who are relying on house calls as a way of getting in front of busy clients and placing more and more sensitive customer information on notebook computers that are now prime targets for thieves. On the bright side, notes Don Macfarlane, a financial advisor with Assante Wealth Management in Thornhill, Ont., it’s a bit of work for criminals to get through the passwords.

“I use a notebook computer, but I’d have to be held up at gunpoint to relinquish it,” he says. “So I don’t know if that’s a risk.” Macfarlane did have one laptop swiped, at a former job. The burglars actually crawled through the plenum after hours and left his office littered with broken bits of ceiling tile. “The computer had a leash lock on it,” he notes, “so all they got after breaking it loose were some parts.”

A lucky break, literally.

But not all thieves are thrown off by leash locks. And the smarter ones don’t even crawl through hidden recesses in office buildings anymore. “They just invest in an $800 computer, hide in basements and steal information worth millions of dollars,” says Larry Keating, president and CEO of No Panic Computing, a.k.a. NPC.

Stolen user profiles usually sell in the market for about $17 each, and include a name, address, and possibly a Social Insurance Number (SIN), date of birth, or some credit card information.

While financial firms are gradually beginning to invest in data security measures, Keating says there’s still a long way to go. “Most of the change is yet to come. Ten to 15 years ago much of the data was stored physically, on paper, and wasn’t easy to sneak out the back door. Now we have memory chips the size of a pinky fingernail, which can store four gigabytes of data.” The latest sticks can store much more than that.

A Step Ahead

Hackers are growing up alongside technology. Ten years ago it was just kids amusing themselves by shutting down servers. Today it’s organized crime, with crooks relentlessly devising new ways of staying ahead. It’s a constantly shifting game.

Keating notes poor computer setup is usually the common vulnerability exploited by hackers. He points out a common mistake many advisors make is to buy notebook computers and neglect to change the default profiles set up by the manufacturers. Failing to do that leaves a door open for hackers to walk right through. It’s imperative, especially for advisors dealing with sensitive information, to enable firewalls, encrypt data, change settings that automatically log onto certain Web sites, reset default passwords, and disable guest accounts that can be accessed by anyone.

Poor wireless security is another open invitation for hackers. They can easily hop onto an unencrypted Wi-Fi network by sitting outside your window or in your office parking lot and picking up your signal. As a rule, you should never enter a password or confidential information on a Web page while sipping coffee at a Starbucks, or waiting at an airport, unless you’re sure it’s a secure connection. Many of the most common wireless encryption standards are easily broken when incorrectly configured. “It’s like taping the key to the lock on your front door,” Keating says.

In a recent study conducted by AMI Partners for NPC, Canadian small businesses (those with between one and 99 employees) cited data security as their highest priority, eclipsing basic operational services such as business insurance and accounting. But despite serious misgivings, about one-fifth hadn’t gotten around to securing their own business data (this includes any type of hardware encryption, data protection software, or password protection).

One reason for this laxity, Keating explains, is that small business owners think such security concerns apply only to big businesses. “It’s quite the opposite. Big businesses often have very sturdy security systems. The smaller ones are more vulnerable to security breaches.”

These days, apathy about data security could also stem from the deluge of more immediate advisor concerns, notes Susan Monk, Director, Western Canada, Compliance and Business Development for Peak Financial Group in Vancouver. She says both firms and their clients are worried about getting through the current market downturn to the exclusion of other concerns. “We’re dealing with clients who’re saying, ‘When is this going to end?’ not, ‘Are you guarding my information?’” she says. “I’d be surprised if anyone is upgrading in this environment, because they’re getting pulled in other directions.”

At the same time, she acknowledges criminals are probably plotting while advisors are busy holding clients’ hands. Monk says depressed economic times mean dealers are unlikely to spend money they don’t have to, but perhaps they should consider their own vulnerabilities. “We certainly haven’t had any regulatory body come forth and say, ‘You should be spending more on security,’” she says. “They’re coming forward and saying, ‘You missed a piece of paper.’”

The Paper Trail

While hackers are the most likely to raise compliance hackles, when it comes to cyber crime, Joseph Wagle, a business development consultant for Hewlett Packard’s Worldwide Financial Services, says the financial world actually has two culprits: the black hats and the white hats. The black hats are crooks seeking to break the security net of a company. The white hats are the slipshod brokers and advisors who occasionally leave a sensitive customer document unattended at a network printer, or forget to retrieve it.

And interestingly, Wagle notes customers feel more threat from the unwitting white hats than the hardcore black hatters. “The threat of the negligent user is only magnified by the amount of information being generated,” he adds.

J. Andrew Matuszeski, a business development consultant for HP, says imaging and printing are two of the most overlooked fraud opportunities in financial firms. “They’re a compliance nightmare,” he says.

Since network printers tend to be a compliance hotspot, HP has started outfitting them with identity authentication technology (this means documents can’t be printed and retrieved until the advisor is physically standing at a printer and authenticates his presence with a password).

Rick Hyde, CEO of Ticoon Technology agrees there’s an equal risk of exposure of information not stored in bits and bytes.

“In the financial world, physical security is as high-risk as electronic security. Stealing statements from a mailbox can be easier than stealing electronic data. For one, electronic data is much easier to police; secondly, only the sophisticated hackers can get to it.”

A dumpster diver sorting through the trash bags of a major bank branch in New York once found paperwork with people’s names, Social Security numbers, addresses, credit history, scores—everything to make an identity thief drool.

It’s true most new products are technology-based, but there are still a lot of legacy systems, such as deposit account openings, which are difficult to retrofit. So despite a leap toward technology, a lot of financial institutions still remain paper-driven. “Actually we’re closer to the beginning than we are to the end of digitization of the financial process,” Matuszeski says. “Even though digital documentation has expanded faster than paper, contrary to popular belief, the amount of paper in financial transactions has grown, not gone down.”

Financial service firms also refrain from going fully hi-tech because their wealthiest clients—the baby boomers—aren’t completely comfortable with technology. “We end up working with a lot of hybrid products where the customer still gets his paper copy, something he or she is comfortable with, but the document immediately goes through the scanner and advisors work with images,” Matuszeski says.

But even if advisors are obsessively careful about not leaving documents unattended, they can still fall prey to the Man in the Middle (MITM) phenomenon—a process whereby hackers divert information meant for your machine to another destination.

To avoid the damage caused by both ingenuity and negligence, Hyde suggests advisors refrain from e-mailing sensitive information, and instead use secure document-distribution channels accessible only to authenticated users. Advisors should also avoid carrying information on their laptops or in file folders. And, if possible, data should be centrally stored.

They must also warn clients about phishers who pose as banks, brokerages or other institutions to send bogus e-mails aimed at acquiring usernames, passwords, credit card details and the like.

Scammers have donned the mantles of major banks to wheedle personal information out of unsuspecting clients through e-mails which state, “Due to the increased fraudulent activity within our site, we are undertaking a review of our member accounts.” They frequently provide a link to a page resembling the bank’s official site and ask for client card numbers or business card numbers and passwords. Sure enough, some fall for it.
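The lure described above lends itself to a simple triage check. The following is an added example, not code from the article or from any firm quoted in it: it flags a message whose links point outside the sender's domain and which asks for credentials or card numbers using the kind of wording quoted above. The sample messages are constructed, and examplebank.test is a placeholder domain.

```python
"""Triage of bank-themed lure e-mails (added example, not from the article).

Flags a message when its links point outside the sender's domain, and when it
asks for credentials or card numbers with the wording the article quotes.
Sample messages are constructed; examplebank.test is a placeholder domain.
"""
import re
from email import message_from_string
from typing import List
from urllib.parse import urlparse

CREDENTIAL_WORDS = ("password", "client card number", "business card number")
LURE_PHRASES = ("fraudulent activity", "review of our member accounts", "verify your account")

def registrable(host: str) -> str:
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw_email: str) -> List[str]:
    """Return a list of findings; an empty list means no lure indicator fired."""
    msg = message_from_string(raw_email)
    sender_dom = registrable(msg["From"].split("@")[-1].strip("<> "))
    body = msg.get_payload()
    text = body.lower()
    findings = []
    # Every link whose registrable domain differs from the sender's is suspicious.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        link_dom = registrable(urlparse(url).hostname or "")
        if link_dom != sender_dom:
            findings.append(f"link to {link_dom} does not match sender domain {sender_dom}")
    hits = [w for w in CREDENTIAL_WORDS if w in text]
    if hits:
        findings.append("asks for credentials: " + ", ".join(hits))
    lures = [p for p in LURE_PHRASES if p in text]
    if lures:
        findings.append("lure wording: " + ", ".join(lures))
    return findings

# Constructed samples: a lure using the wording quoted in the article, and a benign notice.
PHISH = """From: security@examplebank.test
Subject: Account review

Due to the increased fraudulent activity within our site, we are undertaking a
review of our member accounts. Confirm your client card number and password at
http://examplebank.test.account-review.example/login within 24 hours.
"""
LEGIT = """From: statements@examplebank.test
Subject: Statement ready

Your statement is available in online banking at https://www.examplebank.test/ as usual.
"""
```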

In addition to thieves and fraudsters, it’s necessary to keep an eye on contractors who have access to work areas, especially systems specialists hired to update data management. A mole inside such organizations can easily offload enough customer data in a few seconds and do significant damage.

Outsourcing client information to offshore operations also poses a considerable threat. To make outsourced data more secure, HP has started scanning images and randomly jumbling them up so that people processing data in foreign countries don’t have access to the whole image. Once data entry is done, the image comes back inside the firm’s firewall and becomes complete again.
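The jumbling idea above can be illustrated in a few lines. This is an added example and not HP's code: a scanned form is modelled as a list of text tiles, the tiles are permuted under a secret key and dealt out to several workers under opaque labels, and only the firm, which holds the key, can put the transcriptions back in order. The form contents, key and document id are constructed placeholders.

```python
"""Keyed tile-jumbling for outsourced data entry (added illustration, not HP's code).

Tiles are permuted under a secret key and spread across workers so that no one
worker sees a whole document; the firm recomputes the labels to reassemble it.
The "image" is a constructed list of text cells standing in for pixel tiles.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed stand-in for a scanned account-opening form; one string per tile.
FORM_TILES: List[str] = [
    "name: A. Sample", "sin: 000-000-000", "dob: 1970-01-01",
    "addr: 1 Example St", "acct: 12345678", "card: 4000-0000-0000-0002",
]

def _tag(key: bytes, purpose: str, doc_id: str, idx: int) -> bytes:
    """Domain-separated HMAC so ordering ranks and worker labels are unrelated."""
    return hmac.new(key, f"{purpose}:{doc_id}:{idx}".encode(), hashlib.sha256).digest()

def jumble(key: bytes, doc_id: str, tiles: List[str], workers: int) -> Dict[int, List[Tuple[str, str]]]:
    """Permute tiles by keyed rank, then deal them round-robin to workers.
    A worker receives only (opaque_label, tile); tile positions never leave the firm."""
    order = sorted(range(len(tiles)), key=lambda i: _tag(key, "rank", doc_id, i))
    batches: Dict[int, List[Tuple[str, str]]] = {w: [] for w in range(workers)}
    for pos, idx in enumerate(order):
        label = _tag(key, "label", doc_id, idx).hex()[:16]
        batches[pos % workers].append((label, tiles[idx]))
    return batches

def offshore_entry(batches: Dict[int, List[Tuple[str, str]]]) -> Dict[str, str]:
    """Simulated workers: transcribe each tile and return it under its label only."""
    return {label: tile.strip() for batch in batches.values() for label, tile in batch}

def reassemble(key: bytes, doc_id: str, n: int, results: Dict[str, str]) -> List[str]:
    """Inside the firewall: recompute each position's label to restore the order."""
    out = []
    for idx in range(n):
        label = _tag(key, "label", doc_id, idx).hex()[:16]
        if label not in results:
            raise ValueError(f"tile {idx} missing from returned work")
        out.append(results[label])
    return out

def round_trip(key: bytes, doc_id: str, tiles: List[str], workers: int) -> List[str]:
    """Full cycle: jumble, simulated offshore transcription, reassembly."""
    batches = jumble(key, doc_id, tiles, workers)
    return reassemble(key, doc_id, len(tiles), offshore_entry(batches))
```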

Macfarlane notes his office is quite secure and adds that the advantage of a small office, with only one or two fully licensed advisors onsite, is that there’s little risk in anyone grabbing things. Outsiders are noticed quickly.

“We’re no longer required to change our passwords every month because we don’t work in a bullpen,” he says. “If there were 30 or 40 bodies looking over my shoulder, then it’s a good idea. But the reality is I don’t have people in my office when I log on.”

Coping with Compliance

As market turmoil deepens, Keating expects a lot more regulation to hit financial markets. And while it will be difficult to understand every nuance of these rules, when it comes to data security he says most will boil down to two basic things: “Protecting confidential data for fiduciary reasons, and archiving data and retrieving it with a degree of veracity.”

Technology has already started integrating compliance regulations into both front-end and back-end operations. “That is a big change from more than a decade ago,” according to Richard Binnendyk, executive VP of Univeris, “when technology was not as complex as it is today and compliance played a very part-time role.”

Now compliance is interwoven throughout the platform, says Carmine Tullio, president and CEO of Univeris. While compliance has increased technology costs for software providers, he notes requirements to comply with SRO rules have matured the industry operationally, technologically and from a risk-management perspective. “Risk management is not just about providing a code, it’s now about being auditable.”

To deal with audit requirements, HP provides a documentation facility every step of the way from “cradle to grave, creation to cremation,” Wagle says. “The entire documentation process is archived and attached to the customer file along with any supporting documents.”

But despite diligent documentation, Keating warns we’re at the very beginning of a compliance nightmare. “Emails written five or six years ago can easily be tampered with or forged. It was much easier to verify the authenticity of a paper trail.”

Matuszeski fears things are going to get worse in the next couple of years. “A lot of things at financial firms are being done in a hurry. If you don’t design your infrastructure from the ground up it’s very difficult to retrofit it later.”

And, it’s looking as if that retrofitting will happen while the industry’s in the midst of managing its worst crisis in three or more decades. Not a good time for a side project, but data security will remain a crucial component for ensuring clients, and the advisors who serve them, maintain both trust and peace of mind in the years to come.