Sunday, March 17, 2013

Security Theater on the Wells Fargo Website

Bruce Schneier is a security technologist and author of "Liars and Outliers: Enabling the Trust Society Needs to Survive."

Bruce Schneier knows internet security.  I know he does, because I do, and pretty much everything he writes or blogs about is informative and truthful.  Perhaps the purpose of his writing is to get us thinking rather than just believing.  His blog post of March 13 tells his readers that Wells Fargo internet customers are hoodwinked into thinking they are connecting to a secure environment when they click on a specific link.

"Click on the "Establishing secure connection" link at the top of this page. It's a Wells Fargo page that displays a progress bar with a bunch of security phrases -- "Establishing Secure Connection," "Sending credentials," "Building Secure Environment," and so on -- and closes after a few seconds. It's complete security theater; it doesn't actually do anything but make account holders feel better."

Wells Fargo is probably a customer of the security software company Symantec, where I have worked since 2000.  Symantec is the fourth largest software company and the largest security software company in the world.  It is trusted by hundreds of thousands of people to keep them safe from the bad guys who are out to steal their identities, their resources, and their money.

Financial organizations are among the industries most heavily targeted by attackers.  This is serious business.  Take a look at this short video from Symantec TV called "Do You Know?"  It calls out the specific number of attacks, who is being attacked, and how, as reported in Symantec's widely trusted Internet Security Threat Report, Volume 17.

NBC News and Wire Services reported recently that "U.S. Bank and PNC reported problems with their customer websites...after a financial services security group warned about possible cyberattacks. Meanwhile, SecurityNewsDaily reported that on Tuesday, Wells Fargo may have also been the victim of a sophisticated campaign of distributed denial-of-service (DDoS) attacks.
These reports follow last week's attacks, which affected JPMorgan Chase and Bank of America. U.S. Bank spokesman Tom Joyce told the Associated Press that some customers experienced intermittent delays. He said the bank was working to fix the problem and was working with law enforcement.

In all three cases, each bank received hundreds of complaints from users who could not access their sites. Although Chase and Bank of America stopped short of declaring that they'd been victims of an attack, security experts and at least one politician made the assertion for them."
 
Financial institutions invest heavily in many kinds of physical security (alarm systems, cameras, guards), and they also invest significantly in software security.  Defense in depth, or layered security, is widely recognized as the most effective approach, and trusting all of your security to a single vendor is unwise.  If Wells Fargo fits the model of other banks, you can bet it has Endpoint and Server Protection and Data Loss Prevention, which fingerprints sensitive documents and blocks copying, pasting, or emailing of their contents.  It no doubt encrypts sensitive data and builds safety checks into its complex systems.
 
Certainly banks have financial assets, but the real value of a bank is in its information.  Customers trust banks to protect their personal information as well as their money, and they believe that when a bank web site tells them they are on a secure site, they are on a secure site.  In practice, a page's own text cannot establish that: the reliable signal is the browser's padlock and the https:// scheme in the address bar, which reflect a TLS connection the browser negotiated and verified against the server's certificate before any page content was loaded.  Banks must give their customers confidence that their assets are safe; their business depends on it.
 
So if Wells Fargo uses a little theater to reassure customers that they are connecting to a secure site, so be it.  You can bet your bank account that the CEO of Wells Fargo and the entire security staff have taken every precaution to be sure you will not be compromised when making financial transactions online.

1 comment:

  1. Hey Robin (or Robert), would you show me how to embed a video into a blog? Couldn't quite figure that one out...

    The security theater routine kinda makes me mad and makes me realize how willing I am to accept a progress bar as really doing something. It never once occurred to me that people might take advantage of my absolute acceptance of an interface...
