About

Comment Policy

Disclaimer

Share or Subscribe

Add me to your TypePad People list

Search BLB


  • Google

Stats

Blog powered by TypePad
Member since 03/2004

Web/Tech

April 22, 2013

FDIC's Take On FFIEC's Social Media Guidance

GuidanceI ran across an interview recently that the FDIC's Elizabeth Khalil gave to InfoSecurity's Tracy Kitten about the FFIEC's proposed guidance on social media. Among my take-aways are the following:

  • The push for the guidance came from smaller banks that wanted the regulators to give them some free advice. We all understand the fact that because small banks have less money available to pay for expensive lawyers, they look to leverage off of every free resource they can glom onto. Trade associations aren't free, but if you're paying your dues, you look to them to give you your money's worth. Since banks pay the federal bank regulators assessments, they want some bang for those bucks, as well. I get it.
  • While Ms. Khalil mentioned "reputational risk" as the second major risk of the three she discussed ("compliance issues" was number one and "third party risk" was the third), I think reputational risk layers through much of the regulators' concerns. For example, misuse of consumers' personal information may be a compliance risk issue, and a Facebook vulnerability to hackers is a third-party risk. However, they both can impact the bank's reputation. Bad things that happen in a bank's social media endeavors often pose a reputational risk as an additional risk, and that's a safety and soundness concern which, in turn, is a regulatory compliance concern.
  • None of what's in the guidance is new, and banks that are already engaged in social media activities should already be familiar with the elements of the guidance. If they're not, they better become familiar in a hurry and hope that no one notices.
  • Due diligence on third party service providers that you intend to use is critical. The due diligence needs to be ongoing. A third party's faux pas can bite the bank in the backside as well as the third party. Monitoring is essential.
  • As is the case with online banking security, the regulators encourage banks to educate consumers on social media risks. For example, the regulators will look favorably on a bank educating its social media users on the risk of fraudulent bank sites, how to recognize the real deal from the fraudster, and that they should never give up personal information over social media. 
  • Whether or not a bank is actively using social media to interface with current or potential customers, it needs to have a social media use policy. The bank's employees are using social media, and other people may be saying bad things about you in cyberspace. The bank should have a policy that deals with these issues.

The final guidance is expected to be out in the near future (the comment period closed March 25th), depending on the nature of the comments received.Interested bankers should keep their eyes peeled (although, don't hold your breath).

I'll be giving a breakout session on social media compliance on July 3, 2013 at CUNA’s America’s Credit Union Conference in New York City. If you're a reader and are attending that conference, say hello.

10:01 PM in CFPB, Compliance, Consumer Law-General, Credit Unions, FDIC, FFIEC, FRB, Marketing, OCC, Risk Management, Social Media, Web/Tech | | TrackBack (0)

April 01, 2013

Eductaing Customers About Online Fraud: A Case Study

Educate MeTwo years ago, we discussed the fact that, pursuant to supplemental guidance issued by the FFIEC, financial institutions were going to have take seriously the need to educate their online banking customers about ways to prevent online banking fraud. BankInfoSecurity's Tracy Kitten recently interviewed the heads of social media and information security for Bank of the West about their efforts in this area. In addition to posting educational videos for customers on the bank's web site, the bank is uploading to the bank's Youtube channel in an attempt to make those videos "go viral." In other words, the bank is blending its internal information security technology and social media expertise to do what the bank regulators want them to do: help combat online banking fraud by educating their customers.

While the entire, relatively short, interview is worth a listen, I took away the following points:

  • If you want social media content to "go viral" (for the social media challenged: "circulate widely via social media"), you have to make the content "relevant and compelling." You also must update it frequently. Easier said than done. It's why I believe that banks need to blend their internal talents, the way that Bank of the West is doing. Social media is not the sole province of either marketing or "technologists." It takes folks with a variety of skills to make it rock.
  • To banks like this one, that have been in the social media game for a while, the recently proposed FFIEC social media guidelines are no big deal. They should be well positioned to meet those guidelines with little, if any, modification to their existing procedures. As one of the gentlemen interviewed observed, they've been expecting these guidelines for years.
  • Social media (videos) is only one arrow in the educational quiver. The bank is also using seminars targeted to specific groups of customers (small businesses, primarily, since that's the customer group that is most at risk for online banking fraud losses).
  • Of most concern to information security officers is the movement of organized criminal organizations into this arena. They bring with them the money and skill set (not to mention the ruthlessness) to pull off the most successful heists, targeting not the banks but their customers.
  • Quality is more important than quantity in online education efforts. Throwing everything against the wall and seeing what sticks will likely not be a successful approach.
  • You need cooperation from different areas of the bank to do this successfully. Therefore, you need "buyoff" internally before you launch, not after.
  • Most of these efforts are too new to be able to measure their effectiveness, but using the tools that are available to do so on an ongoing basis is important. If your efforts aren't paying off, then you need to consider tweaking them.

09:34 PM in Banking Law-General, Compliance, Crime, FFIEC, Marketing, Risk Management, Social Media, Web/Tech | | TrackBack (0)

March 07, 2013

The Perils Of Trolling

TrollLast night's post about Tuesday's United Western decision generated an attempt by an "anonymous" troll to leave an abusive comment this morning. I moderate comments, so it didn't make it past the "editor." In addition to some substantial "I hate Kevin" vitriol (some of it scatological), and threats that the regulators (of which the troll intimated he was one) would "get me" for my snark, it contained what I think are outright libelous per se statements regarding the former management of United Western and their outside counsel. The troll used a pseudonym and what I assume to be a phony hotmail account email address. I assume that the troll didn't realize that my blog service captures the unique IP address of all commenters, this IP address being one assigned by Cox Communications to a residence in the Annandale/Falls Church area of the Washington, D.C. suburbs. There's only one location with that assigned IP address, and it won't take more than  a John Doe subpoena to uncover the name of the account holder at that location.

I forwarded the comment and identifying information to United Western's attorneys. I assume that they'll take it from there. I think that it's time to remind the unhinged of the issues I raised in a post in 2007. In addition to other legal (and, if the troll is a lawyer, ethical) violations, the conduct constitutes a federal crime.

Please people: Get a grip. If my blog posts drive you so batty that you feel compelled to engage in illegal anonymous harassment, either seek professional therapy or...here's an idea...don't read this blog.

09:45 PM in Banking Law-General, Blogging, Crime, Ethics, Federal Legislation, Life (In General), Litigation, Practice of Law, Web/Tech | | Comments (0) | TrackBack (0)

February 24, 2013

Vendor Management Is Still A Regulatory Hot Button

Hot ButtonAccording to the FDIC, a common theme in IT examination downgrades is poor vendor management by banks.

Last year, in 46% of the FDIC IT examinations in which bank ratings were downgraded, inadequate vendor management was cited as a causal factor, says Donald Saxinger, senior examination specialist in FDIC's Technology Supervision Branch.

"I'm not saying it was the primal causal factor, but, in 46% of the downgrades, vendor management was cited," Saxinger says. He spoke during the recent ABA Telephone Briefing "Vendor management: Unlocking the value beyond regulatory compliance."

Although the most common “error” that FDIC examiners discovered was the failure by banks to ask their vendors for copies of regulatory examinations, that wasn’t the only nugget contained in the linked article from the ABA Banking Journal. Among the others:

• Vendor management needs to consider all service providers that hold sensitive customer information, not just IT vendors. These include loan workout consulting, appraisal review companies, outside attorneys, and others.

• Make sure to get the proper exam reports about individual vendors. Some banks just obtain reports for the host data center, but not for the specific application that the banks were using.

• Even the proper reports don't cover everything that a bank must consider in its security risk management efforts. For example, one service provider with an otherwise clean report did not have an internal audit program and its business continuity planning was poorly documented.

This is all sound advice, of course, but knowing what you need to ask for is only half the battle. You also need to make certain that the agreement with your vendor gives the bank the right to ask for, and the vendor the obligation to deliver to the bank, copies of the necessary reports. Relying on the goodwill of the vendor in coughing up examination and audit reports, especially when they may contain results that are less than flattering to the vendor, is "unwise."

Here's one more tip: if the report reveals problems, the agreement with the vendor should require the vendor to notify the bank of what action the vendor intends to take to remedy the defects, and should also require the vendor to give the bank periodic progress reports on its progress in correcting those problems.

I'll be doing a webinar on March 6, 2013 on the topic "Technology Service Agreements: Meeting Regulator’s Expectations." It covers regulatory guidance applicable to credit unions, banks, and thrifts, although the same essential principles apply to each. The goal is to discuss the provisions of a technology service agreement that regulators expect (and that sound business judgment requires) be included, and to give financial institutions guidance on how to approach the issues covered by each of those provisions so that the institution meets its regulator's expectations while also meeting the institution's business needs.

09:42 PM in Banking Law-General, Compliance, Contracts, Credit Unions, Electronic Banking, FDIC, FFIEC, NCUA, OCC, Outsourcing, Risk Management, Web/Tech | | TrackBack (0)

February 11, 2013

Social Media Compliance Guidance Finally (Almost) Arrives

FinallyA couple of years ago, I opined that the time was coming when the federal bank regulators would get around to "suggesting" that every bank have a policy in place that governed the use of social media by its employees.

At some point (which may have already arrived), banks aren’t going to have the option of doing nothing. Social media use by employees is proceeding at a rapid pace, and social media governance policies are a wise idea, whether or not the bank is going to jump into the use of social media itself. Not having any policy to govern the use of social media by employees in ways that could adversely affect the bank, or, having a policy in place but not adopting effective tools to monitor and enforce it, might be considered to be unsafe. As a recent client alert from Norris McLaughlin & Norris P.A. points out, the SEC and FINRA are already focused on social media sites and the risks they pose to the businesses they regulate. While the federal banking agencies are currently otherwise occupied, banks should take the trend seriously and be seriously thinking about social media governance.

The federal banking regulators have finally gotten around to specifically addressing social media risks, and the time for seriously thinking about social media governance has arrived for even the most dilatory of banks. On January 22, 2013, the FFIEC issued proposed consumer compliance risk guidance with respect to social media. Included in the proposed guidance is the following admonition:

Financial institutions should be aware that employees’ communications via social media — even through employees’ own personal social media accounts — may be viewed by the public as reflecting the financial institution’s official policies or may otherwise reflect poorly on the financial institution, depending on the form and content of the communications. Employee communications can also subject the financial institution to compliance risk as well as reputation risk. Therefore, financial institutions should establish appropriate policies to address employee participation in social media that implicates the financial institution.

Yes, it's "proposed guidance." The FFIEC is asking for comments, and if you have any, get them in within the 60-day window. Nevertheless, I do not expect that the FFIEC will abandon its position that financial institutions should adopt "appropriate policies" regarding employee use of social media that could impact the institution.

Don't be one of those laggards like the slugs we saw who dragged their heels on multi-factor authentication in online banking. If you haven't already done so, get a sound policy in place. By "sound," I mean well thought out and cognizant of the practical and legal nuances. You'll be glad you did, and so will your regulator.

****************************************************************************************************************************

Chris Dye of Harland Financial Solutions and I are doing a webinar next month for BankersHub on the topic of "de-risking" the legal risk of social media use by financial institutions and their employees. Although special attention will be given to the proposed FFIEC guidance, we'll be ranging beyond that subject.

09:59 PM in Banking Law-General, Compliance, Consumer Law-General, FFIEC, Risk Management, Social Media, Web/Tech | | TrackBack (0)

February 03, 2013

Cyberheists: Big Banks Increase Small Banks' Losses

Cybercrime 4Internet security guru Brian Krebs had an excellent post a few weeks ago about much of the attention on cyberheists may be focused on the security vulnerabilities of small banks and their business customers, the large banks are playing a large role in small banks' losses.

A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.

I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.

Krebs responds to a question often asked of him, whether it's safer for a business to bank with a large bank rather than a small bank, by asserting that it's a difficult question to answer "because banking online remains a legally and financially risky affair for any business, regardless of which bank it uses"

Businesses do not enjoy the same fraud protections as consumers; if a Trojan lets the bad guys siphon an organization’s online accounts, that victim organization is legally responsible for the loss. The financial institution may decide to reimburse the victim for some or all of the costs of the fraud, but that is entirely up to the bank.

That's right. Regulation E does not apply to business customers. That's something that sometimes comes as a shock to small business customers, especially those who were too cheap to hire legal counsel to review the account and other online banking agreements before they were signed. "Forewarned is forearmed" is an old adage with a lot of wisdom behind it. It's not that banks will negotiate the terms of their agreements (most of them will not, especially with small customers), but that customers who understand their legal position going into the relationship are more likely to be concerned about doing due diligence on the bank's security procedures and track record and considering other methods to lessen and cover their risks (I've seen a few who suddenly realize that having a PC dedicated solely to online banking transactions and no other activities is not such a waste of money, after all).

Krebs also points out that since larger banks are more likely to have the resources to settle even large losses to avoid the reputational risk of cyberheists, it may be difficult to know how many instances of loss occur. However, it's reasonable to assume that the large banks spend a lot more money and person-power on security measures than do small banks.

Wearing my cyberthief glasses, if I’m looking at a huge pile of data stolen from thousands of victims, I’m probably more apt to target victims at smaller banks based on one simple assumption: Because I’m going to have a much higher success rate than I would targeting customers of larger institutions.

Krebs takes a shot at technology service providers who service many of the smaller banks for not doing more to secure online banking transactions.

Case in point: Optimumbank’s service provider is Fiserv, one of the largest banking industry service providers. According to Fiserv’s site, at least 52 percent of the nation’s $19 billion in ACH payments are processed using Fiserv software. If this is true, one might think that Fiserv’s systems handled about half of the mule transfers that were sent from Niles Nursing’s hacked bank account.

But according to Murray Walton, Fiserv’s chief risk officer, the software that most of its customer banks run — called PEP+ – is a client solution that does not interact with the company’s data centers. He said while Fiserv does offer an antifraud solution called FraudNet, that tool is designed for online bill pay services that banks can use to detect fraud patterns on consumer accounts.

“There are vendors who can knit it all together for banks, but that isn’t what we do,” Walton said in an interview. “For various and sundry reasons we don’t offer an engine that does the same thing as [an anti-fraud provider like] Guardian Analytics. Realistically, the client and end-user have responsibilities that they can’t abdicate to us. Everyone in this needs to take it seriously and not think that someone else has their back.”

I understand Walton's point, but on the other hand, a small bank's takeaway from those three paragraphs might be "Fiserv doesn't have your back, so look elsewhere." A competing core platform and processing vendor that "does have your back" might have a tag line to use.

Large banks are also lambasted for allowing so many "mule accounts" to be established.

As it stands, the big banks don’t have an incentive to police new accounts for mule activity, because it’s generally not their customers who are getting robbed from this activity, said Avivah Litan, a fraud analyst with Gartner Inc.

“The bad guys shouldn’t be able to set up these mule accounts in the first place,” Litan said. “The bigger banks are not doing a good job of screening for this activity because they’re not the ones eating the fraud on these attacks on smaller bank customers. [The bank service providers] should be spending more money. And the regulators should be coming down on them harder.”

Krebs suggests that, perhaps, "small, regional and local banks can pool their clout and resources to extract more from service providers than what those companies are currently offering." Fat chance. Several years ago, some of the largest users of technology services in the country made a concerted effort to get giant service providers to take more contractual responsibility for the performance, and vulnerabilities, of their technology. It fell flat. Unless the bank regulatory agencies intervene directly with the service providers, they'll continue to do what they do best: collect fees and deny liability.

As for watching your own back as it applies to business customers, Krebs offers some good suggestions, among them:

  • Shop around for banks until you find one that assures you that it uses layered security.
  • Use "Positive Pay" if your bank offers it because it not only deters check fraud but other unauthorized transfers, online and off (I heartily concur).
  • Use Live CD to temporarily covert your PC from Microsoft to Linux for doing online banking transactions.

Krebs also offers an online "best practices" guide for businesses. As with much of his material, it's good stuff.

09:34 PM in Banking Law-General, Compliance, Contracts, Crime, Deposits, Electronic Banking, FFIEC, Litigation, Outsourcing, Risk Management, Web/Tech | | TrackBack (0)

January 17, 2013

PATCO Played Out: A Few Lessons Learned

Lessons_learned

The last time we discussed the PATCO decision, the appellate court had found that the bank's security procedures to defeat account takeover were not "commercially reasonable," but had sent the case back down to the trial court to determine what legal responsibility the customer might have to prevent account takeover. Following that action, the bank and PATCO settled the case, so that burning legal issue was not resolved.

Recently, PATCO co-owner Mark Patterson and counsel Dan Mitchell were interviewed by Bank Info Security's Tracy Kitten about the lessons they think they learned from the case. Among those (along with my observations) are:

  • PATCO approached the bank within the first month of the incident with a settlement proposal that turned out to be a heck of a lot less than what the bank eventually paid in settlement after three years of litigation. Both sides ended up enriching their legal counsel needlessly. Sweet!
  • Community banks seem more willing to settle quickly than do larger banks. Mitchell and Patterson think that's because community banks are more concerned about the reputational risk if the dispute hits the press. Might this be a potential competitive marketing advantage for community banks? "Bank with us! We'll pay for your negligence!"
  • Most cases of corporate account takeover are settled quickly, and off the radar screen. That certainly appears to be accurate from our personal experience. While many lawyers live to engage in disputes, bankers live to make money the old fashioned way: by doing business. It's hard to do business when you're the defendant and your customer is the plaintiff.
  • Prospective litigation costs and reputational risk can be as much of a deterrent to bank customers pursuing litigation as they can be to banks.
  • There's not much case law on these issues. Until there is, there is likely to be much jockeying for position, blustering and posturing by lawyers for both sides, unless responsible business leaders on each side of the table seize control early in the game and keep their eyes on the prize: salvaging the relationship (if possible) without breaking either the bank or the customer.
  • Patterson thinks ACH should not be done by businesses, no matter how allegedly "strong" the security devices or procedures used. He claims that his business will use ACH only for tax payments. The reasons for his revulsion: the one-sided nature of the agreements prepared by the banks, which place almost all liability on the customer. Hey, that's why banks pay us the big bucks, Mark!
  • Patterson and Mitchell do believe that customers have "some responsibility" for protecting their accounts from takeover. However, they claim that banks bear more responsibility than customers because they are "in a better position" to prevent and detect takeovers. While I don't disagree that banks should be more sophisticated in this area than the average small business owner, I'm still not willing to go as far as Patterson and claim that using a dedicated separate PC solely for online banking (and not for cruising Internet porn sites) is cost prohibitive for most small businesses. That simply doesn't pass the smell test for me. On the other hand, I'm an alleged elitist, so perhaps my view is slanted toward my liege lords and masters, "The Banks." Perhaps a refurbished eMachine for $250 is simply beyond the reach of the average small business. If that's the case, how much money would they stand to lose from any of their corporate accounts? Wouldn't cybercrooks just enter, laugh, and leave?

Whether you represent banks or bank customers, Mitchell's final words ring true.

I would bet my bottom dollar that there will be more lawsuits in the future in this area. What types of questions will come up really will depend on the unique circumstances of each case. But given the prevalence of corporate account takeover, you can bet that there will be more cases.

10:05 PM in Banking Law-General, Compliance, Contracts, Crime, Deposits, Electronic Banking, Life (In General), Litigation, Marketing, Practice of Law, Risk Management, State Law, Web/Tech | | TrackBack (0)

January 13, 2013

The Problem With The Cutting Edge

Customer-complaintIn an interview by Tom Fields of Bank Info Security, Matthew Speare, SVP of IT for M&T Bank, talks about a painful truth regarding inflicting pain on cybercrooks who steal from banks: You’ll never be able to beat them. The best a bank can do is make it so painful for the bad guys to try to steal from your bank that they decide to “go down the street” and pick on a 98-pound weakling of a community bank that thinks “multi-factor authentication” means having a password stronger than your social security number.

Other participants in the interview are Christopher Paidhrin, the IT security compliance officer at PeaceHealth Southwest Medical Center, and Elayne Starkey, the CSO for the State of Delaware. Among the new authentication technologies that they discuss are “biomettics,” including iris scans, voice recognition, and fingerprint and palmprint identification techniques. Speare also discusses “soft” tokens as something his bank has experimented with as an alternative to the traditional “hard” tokens. Many of those technologies have been around for a number of years, and in the health care and governmental fields, appear to be gaining acceptance as part and parcel of daily life. That also seems to be the case with authentication technologies that are employed by bank personnel that do not directly impact bank customers.

Speare, however, discusses a problem with the use of such “cutting edge” authentication techniques by bank customers: “the end user experience.”  He asserts that password-based authentication has become so ingrained in the minds of bank customers, even business customers, that adding additional requirements to the authentication process that slow down or otherwise impede the customer in the performance of banking transactions becomes an issue where bank marketing and customer relationship personnel begin to push back, as their customers squawk like we used to squawk to our mothers when we were little kids. “Why do I have to do this? None of the other kids’ mothers makes them do it!”

Here’s my not-so-novel suggestion: spend more time thinking about how to educate your customers as to the benefits of these new techniques and to “sell” them on those benefits, rather than to moan to bank security officers about customer resistance. You could even invite them to a free lunch or cocktail hour seminar at which your favorite lawyer and/or IT security expert could elevate their collective consciousness to a higher plane. Yes, this is more work than simply resisting change and increasing risk to both bank and customer, but we’re now well into the second decade of the twenty-first century, and the criminals are ahead of the banks and so far out ahead of the customers that they're in danger of actually lapping them, so maybe it’s time for everyone to at least try to power on up the sophistication curve. An added benefit is that you could use those sessions to fulfill your duty under the 2011 FFIEC Supplement to its Online Authentication Guidance to educate your customers about how to better protect themselves in a cruel online banking world.

What do you say?

10:04 PM in Compliance, Consumer Law-General, Crime, Electronic Banking, Governance, Life (In General), Marketing, Risk Management, Web/Tech | | TrackBack (0)

September 27, 2012

An Act of War: Against Banks

Cyber_warfareSupporting terrorist groups worldwide is a very bad thing. Killing your own people when they publicly oppose the existing government is a very bad thing. Building a nuclear weapon and threatening to annihilate your neighbors is a very bad thing. Having a president who wears a bomber jacket, sports a three-day growth of beard, and goes by a moniker that sounds like "I'm-A-Major-Whack-Job" is a very bad thing. However, launching denial-of-service attacks on bank webistes is beyond the pale.

The website glitches and outages that affected Bank of America and Chase last week are rumored to be just that sort of attack. In fact, financial fraud sources say both banks were hit with denial-of-service attacks likely backed by Iran.

Experts say banks better brace themselves, and they're right. With the U.S. election approaching, institutions can count on more DDoS attacks sponsored by nation-states.

Nation "states"? It sounds one nation "state" to me. I suppose this is to be expected from a government with whom this country and its ally, Israel, have been waging an undeclared war that, according to some sources, includes the introduction of destructive computer viruses into Iranian computer systems and the delivery of bullets to the heads of Iranian scientists.

The experts were correct about banks bracing themselves for further attacks, because following the date the above-linked blog post was posted, Wells Fargo was also hit. What are banks supposed to do?

A fraud alert issued Sept. 17 by FS-ISAC, the Federal Bureau of Investigation and the Internet Crime Complaint Center, suggests 17 steps institutions should take to mitigate risks posed by cyberthreats...

Among those steps:

  • Educate employees about phishing e-mails and suspicious attachments;
  • Monitor site traffic spikes, which could indicate a DDoS attack;
  • Limit employees' ability to remotely access internal networks and work-related e-mails from personal devices.

[...]

"Traditional preventive measures, such as bandwidth over-provisioning, firewalls and intrusion prevention systems, continue to provide some protection. However, traditional measures are ineffective against today's DDoS attacks," the FS-ISAC says, calling for the use of layered defenses.

[...]

Banks and credit unions should ensure that their tellers and other branch personnel are well-educated about all the security steps the organization is taking and can communicate that information clearly to customers.

As if banks didn't have enough to do merely trying to survive the terror imposed by the CFPB. Now they have to deal with cyber-terror launched by a nation whose leaders make even Liz Warren seem rational in comparison.

09:37 PM in Crime, Current Affairs, Electronic Banking, Life (In General), Risk Management, War, Web/Tech | | TrackBack (0)

September 17, 2012

One More Black Eye For Payday Lenders

Personal dataBrian Krebs posted a provocative entry today on his blog concerning a potential link between a web site that sells personal information on Americans and that may be obtaining much of its information "from a network of hacked or complicit payday loan sites." Just what the payday lending business needed, more bad publicity.

Users can search for an individual’s information by name, city and state (for .3 credits per search), and from there it costs 2.7 credits per SSN or DOB record (between $1.61 to $2.24 per record, depending on the volume of credits purchased). This portion of the service is remarkably similar to an underground site I profiled last year which sold the same type of information, even offering a reseller plan.

What sets this service apart is the addition of more than 330,000 records (plus more being added each day) that appear to be connected to a satellite of Web sites that negotiate with a variety of lenders to offer payday loans.

Krebs has done some decent detective work, which is way more effort than slackers like the author of this blog would ever undertake, unless someone was paying me to do it, of course. He talked to a number of people whose personal information is being sold, and located one who gave him the name of the payday lending "referral" site she used. Krebs has reached out to that site but, to no one's surprise, he's heard nothing in response but the sound of crickets chirping. Anyone interested in that name should read Krebs' blog post.

Krebs also discusses potential criminal liability for selling someone else's social security number without their consent. Any payday lending sites that are engaged in such activities probably understand that they're skating on thin ice and simply don't care. It may also be the case that the payday lending site information systems have been hacked.

Krebs' last piece of advice to individuals is likely sound, but also likely to cause heartburn to banks.

The next time you call your bank or interact with a company that asks you to authenticate yourself by reciting some or all of your Social Security number, birth date, mother’s maiden name — or any other personal information that you may assume is private — remember that services like this exist. Whenever possible, I think it’s an excellent idea to insist that these entities authenticate you using alternative questions and answers that are truly private to you and to you alone.

The potential problem I see with that approach is that it might be difficult to automate a process to obtain truly unique questions and answers on a person-by-person basis. I'm by no means technologically sophisticated enough to know if that's the case, but I suspect it would be more costly to program a process in which truly unique questions were created by the user as opposed to a relatively small menu of standard questions (mother's maiden name; first job, name of best friend, etc.). Nevertheless, the continued activities of those who push the envelope of what's legally permissible continues to create headaches for the law abiding.

10:53 PM in Banking Law-General, Crime, Lending, Life (In General), Privacy, Risk Management, Web/Tech | | TrackBack (0)

Next »

Recent Posts

Archives

More...

Categories