
Sounding the Alarm on Poor Vendor Practices

Brian Krebs recently published a blog post on the KrebsOnSecurity website titled "What is Your Bank's Security Banking On?" in which he discusses the security of electronic banking platforms. It's an informative read.

Managing security standards is an issue we all know exists in vendor relationships, but it has now become a mainstream topic that customers will likely hear more about. This gives us an opportunity to band together and strengthen our vendor management programs. Strong vendors are the foundation of your reputation, and in the wake of so many publicized data breaches, customers will no longer tolerate weak security practices.

Reportedly, a large core banking provider has required "a large number of banks, credit unions, and other financial institutions" to move customers onto new, updated internet banking platforms. This move required financial institutions to create new login credentials for their customers, and the institutions were advised to email their customers asking them to reset their account passwords by entering a username plus an additional static identifier: the first six digits of the SSN, or a mix of partial SSN plus surname or date of birth.

Krebs makes a few interesting and important points:

  1. For the most part, small regional banks and credit unions are at the mercy of their core and internet banking platform providers.
  2. Sending email notices to your customers with explicit instructions on how to reset their new, temporary passwords, which contain static identifiers involving personally identifiable information, is a really bad idea. Especially when Equifax just lost all of this information for 150 million Americans.

Information Security: Your Reputation Depends On It

In response to the post, SBS recommends these considerations:

  1. Do not send phishing-like emails to your customers. Social engineering best practices teach us that reputable companies never send emails asking customers to use or provide confidential or personally identifiable information, click links to alter account credentials, or take an action they have not been informed of by other means. Better ways to notify your customers that a password must be changed or reset:
  • Do not provide explicit instructions or notifications to your customers that would also allow an attacker to guess a customer's temporary password. SSNs, dates of birth, driver's license numbers, phone numbers, and addresses should be treated as an insecure way to validate an identity. Take a page from a bank referenced in Krebs's article and send new User IDs, organizational IDs, and temporary passwords in two separate physical mailings.
  • Implement multi-channel notifications to inform your customers of a change to their account, so they know it's not a hoax or a phishing email. Let them know how they should expect to receive their new account credentials. Post notices on your online banking landing pages. Set up your online banking platform to pop up a notification when a user logs in, and make the user click "OK" or "Accept" to confirm they have seen the message and should expect further communication.
  2. Hold these major vendors accountable. It's not acceptable for some of the biggest companies in the industry to force their customers to be insecure. Examples include using SSNs and other static identifiers as passwords, requiring old versions of internet browsers to run their GUIs, or disallowing specific patches so that their software functions properly. Report risky practices to your Board through existing Vendor Management processes. Talk with your regulators. Band together and demand change.
  3. Make the security of your customer information a priority. User convenience is certainly important, but ensuring the safety of your customers' information and money should be the top priority. Whether you're a small-town community bank or a larger regional bank, your customers can pick up and find another bank that will support their accounts almost instantly. Your institution has Google reviews, Facebook reviews, Yelp reviews, etc. If you are not prioritizing your customers' security, someone else will, and they'd love to take your customers.
  4. Review the "Analysis" section of the post for some interesting thoughts from industry regulators. One unnamed regulator said, "A lot of smaller institutions often don't understand the risk involved in online banking, which is why they try to outsource the whole thing to someone else. But they can't outsource accountability." The bottom line is that the protection of your customers' money and information is ultimately YOUR responsibility, no matter what your vendor does or says.
  5. Consider the ideas Krebs provides to help your organization promote good security, including the use of password managers (like LastPass) and verbal passwords to verify the identities of customers over the phone. SSNs should be removed from our verification processes: they are effectively public knowledge and cannot be changed easily the way a password can.
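As an added illustration of the credential-reset advice above (example code, not from the SBS post, Krebs, or any banking platform), the following Python rejects temporary passwords built from the customer's static identifiers, issues random short-lived ones instead, and splits the user ID and password into two separate mailings. The customer record, field formats and the 72-hour lifetime are assumptions.

```python
"""Migration credentials that avoid the static-identifier pattern.
Added example, not code from SBS CyberSecurity, Krebs, or any banking
platform: temporary passwords embedding SSN fragments, DOB, or surname
are rejected, the rest are random and short-lived, and user ID and
password go out as two separate mailings (customer data is constructed).
"""
import re
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits

@dataclass
class Customer:
    surname: str
    ssn: str   # constructed sample, NNN-NN-NNNN
    dob: str   # constructed sample, YYYY-MM-DD

@dataclass
class Credentials:
    user_id: str
    temp_password: str
    expires: datetime

def derived_from_pii(candidate: str, cust: Customer) -> bool:
    """True if the candidate embeds a look-up-able identifier fragment:
    first six or last four of SSN, DOB (full, year or MMDD), or surname."""
    low = re.sub(r"[\s-]", "", candidate).lower()
    ssn, dob = cust.ssn.replace("-", ""), cust.dob.replace("-", "")
    fragments = {ssn[:6], ssn[-4:], dob, dob[:4], dob[4:], cust.surname.lower()}
    return any(f in low for f in fragments)

def issue_credentials(cust: Customer, ttl_hours: int = 72) -> Credentials:
    """Random, short-lived temporary password; opaque user ID not based on SSN."""
    user_id = "u" + secrets.token_hex(4)
    while True:  # regenerate on the rare chance a random string hits a fragment
        pw = "".join(secrets.choice(ALPHABET) for _ in range(12))
        if not derived_from_pii(pw, cust):
            break
    return Credentials(user_id, pw, datetime.now(timezone.utc) + timedelta(hours=ttl_hours))

def split_mailings(creds: Credentials) -> tuple[dict, dict]:
    """Two separate physical mailings: neither envelope alone can log in."""
    first = {"channel": "mail-1", "user_id": creds.user_id}
    second = {"channel": "mail-2", "temp_password": creds.temp_password,
              "expires": creds.expires.isoformat()}
    return first, second
```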

Take time to review this article with your institution's Senior Management and Board of Directors. Discuss a variety of options for handling the situations involving your customers' security that will arise in the future. Your reputation is tied DIRECTLY to the security of your customers' information, and in the world of community banking, your reputation is the ONE THING you have to remain competitive in a truly open and national market.

Talk to an expert for more information on how you can better manage your vendor relationships and ensure the security of your organization doesn't get compromised by poor vendor practices.

SBS Resources:

  • {Special Report Hacker Hour} Poor Vendor Practices = Your Next Breach: This webinar reviewed Brian Krebs's story and the challenges financial institutions face. There are many things we can do to improve our communications with our customers, strengthen vendor management programs, and reduce the risk of sensitive information being disclosed in large data breaches like Equifax.

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, March 7, 2018
Categories: Blog