Our family has had a PayPal account almost since PayPal has offered them.  It’s remarkably convenient, it provides us great flexibility to shop online using a single payment source and I love that we’ve been able to change funding sources several times over the years.  It’s always conveyed a certain sense of security; I’ve just always felt safe using PayPal.  I’ve even gone so far as to suggest that at some point, if PayPal management grows things just right I could see a future state where paper currency and maybe even actual physical credit cards go away and are replaced by some version of their services.  When I discovered this past year that Home Depot already allows you to use PayPal to make in-store purchases I was convinced I was right.  Now I’m not so sure.

Over the past year or so I’ve been getting the occasional email ping from PayPal regarding our reaching a spending limit.  It’s a fairly high limit for most but considering that we’ve been using PayPal to make purchases going back nearly a decade maybe not as much.  But the message has been quite clear; if we didn’t verify our account before reaching this limit it would be “ the maximum amount of money you can send or use for purchases before you need to become Verified”.   So how you become verified is quite simple – either give up your bank account information or apply for a privately owned credit card.  No, seriously, those are the only two options.

My first thought was that although I liked having the protective layer of a credit card product buffering my PayPal account from my actual money I was okay with providing bank account information.  It’s not like I don’t use that in other places to make payments and so there wouldn’t be any enhanced risk by doing so again.  I wasn’t going to apply for a PayPal-based credit card because I don’t want one or need one and I wasn’t looking for a new credit source anyway, I just wanted to continue using PayPal.  I clicked on the option to provide my bank account information and after the initial screen where they ask for the routing and account details and clicking on “Submit” I was presented with a screen that I still can’t believe exists.  Right there before my eyes was a screen from PayPal in which they ask me to provide my online banking user-id and password so they can verify a series of PayPal generated payments thus confirming my banking details.  Let me repeat that one more time; PayPal asked me to provide them with my online banking user-id and password.

Has PayPal lost its collective mind?  Seriously, have they?

I was stunned, almost to the point where I couldn’t get coherent words to flow.  I immediately fired off an email to PayPal customer support asking them how they could do something so outrageous.  Within minutes I received an automatically generated reply which I always find insulting, as if though I’m not worth an actual intelligent and personal response.  It was a complete regurgitation of everything stated on their website and completely ignored the gist of my email.  I fired off a second email missive, this time way more specific.  Here’s what I wrote:

Ms. Keen was kind enough to share her story with me so that I in turn could share it with you.

Her bad day started with the most basic error in judgement: She responded to a Yahoo-branded email requesting that she confirm her account information or else her account would be closed.  She said that “despite my initial instincts, I fell for it.”  It’s not hard to understand why.  Like most parents with school-age children, she has too much going on, depends on email to keep things moving and if she is anything like my wife, is of a mind to address things as they arise; she was a perfect target for a hacker.

Ms. Keen first became aware that she was about to have a bad day when she received an early morning phone call from a friend indicating they’d received an email from her asking for help.  She attempted to sign on to her Yahoo account to see what was going on but the hackers had changed her password and she was locked out.  She explained what happened next:

“I had to wait for Yahoo to open at 9:00am to resolve the issue and regain access to my account.  Yahoo was extremely helpful and we were able to take the account back quite easily.  The representative I spoke with knew to advise me to confirm if any of my personal information had been changed, which it had.  An alternate email address had been added by the hacker as a way to retain control of my account even after I had gotten back in.  And my understanding is this is how they would continue to log in and check to see if anyone was actually trying to send me money.  If I did not know to delete this alternate email, the hackers could continue to monitor the account and target anyone asking me where to send the money.”

I asked her if anyone actually attempted to send money or respond favorably to the hacker’s phishing attempt and fortunately no one had.  While she did receive a few calls and/or emails trying to confirm if the request was legitimate, because as Ms. Keen explained, “They did indeed want to help me if I really needed it,” no one actually took further action.  Apparently the majority of people who received the phishing attempt knew it was a hoax and ignored it (score one for security awareness in the private sector).

Was there a lesson learned from all of this for Ms. Keen to share?

“Do not respond to emails requesting personal account information, no matter how reputable they may seem,” she said.  ”As Yahoo explained, they would never request that sort of account information from me (they already have it and there is no need for it to be confirmed).”

To which I would add that you could easily replace the Yahoo name with literally any reputable business with which you have an online account.  I would also recommend that you print Rebecca Keen’s advice and tape it to your monitors and keyboards at both work and home for all to see.  Because whether it be the result of a successful phishing attempt, poor judgment or sloppy controls (e.g. sticky notes under the keyboard/phone/stapler, etc.) the number one entry point used by hackers to gain access to sensitive information remains password sharing.

Check back here next week. I have an interesting (if not scary) story to share about how some financial institutions are (mis)managing regulatory requirements.

And so it goes with this week’s post. Here are some nuggets that I’ve gathered over time:

Policy and procedure: I was talking to a client today about password reset lengths. Turns out for one of their products they changed the password frequency to expire after 1,000 days. Their logic was that it was low risk because the application didn’t store NPPI and the security was really only necessary to ensure proper segregation of duties. So I asked them if they had a password policy (they did) and if so were they in compliance with the policy (they weren’t). After a momentary silence, their quiet reply was “good point.” Being the auditor that I am I couldn’t help point out that the worst thing any institution could do was to deviate from a documented policy or procedure, regardless of the reason. Once an examiner discovers something like that, they figure it’s an indication of related issues and wind up digging a bit deeper. Document what it is you do and than make sure you’re doing it; while it may seem simple enough, you’d be surprised how many companies fail on that point.

Pandemic planning: There’s still heightened concern regarding the swine flu and my industry continues to beat the drum about needing to have a pandemic response plan in place. While it’s a valid point, I’ve been polling my clients over the past few months regarding their first hand experiences with the flu epidemic. Only a few have been confronted with any legitimate outbreaks and none of them have experienced an absentee rate that required unusual planning or intervention. While I’m not advocating that a pandemic response plan is superfluous, I am questioning my peers who are pushing this as a top of the list agenda item. For my money I’d rather spend time making sure that a properly vetted and tested business continuity plan is in place and spend less time and effort getting caught up in the hype.

SOX: Banks that are required to be SOX compliant need to take some time to make sure that they’re thinking things through. GLBA is a fairly rigorous and encompassing regulation and extends deeply into a financial institution’s infrastructure. To a certain extent, it serves to drive a bank’s general controls framework, be it informal or otherwise, and as a byproduct goes a long way towards establishing controls typically associated with SOX. So when I encounter clients who are tackling SOX as if though it’s its own separate set of requirements I throw up the caution flag and try and force a reset. While it may be true that larger institutions need to extend significantly from GLBA to controls around financial reporting within the infrastructure, that would only represent a subset. Before doing anything different, the bank should bring in someone who has experience working with both SOX and GLBA to identify the (many) commonalities and produce a consolidated framework so that efficiencies are both identified and realized.

Year-end activities: In my last post I discussed how there’s an uptick in services work this time of year when many banks and credit unions remember that they still need to conduct a wide range of audits and assessments in support of GLBA/NCUA regulations. If you spend some time reading through FFIEC guidance (seriously, it’s not nearly as dry and boring as you might think) there are multiple references to “your most recent audit or assessment.” For those of you who think that the need to conduct this work is suggested rather than required, consider how it looks to your examiner(s) when they discover that your most recent risk assessment was either conducted several years ago or not at all. Do you really think it reflects well on your institution that you haven’t taken a serious look at the myriad risk factors swirling about your infrastructure for any considerable length of time? In a day and age when new threats emerge almost daily if not hourly how can you justify neglecting such a critical task? The examiners expect a current set of reports not only because it’s required but also because it’s a clear indication of solid management and oversight activities.

And on a final note, I’d like to share this link to the FDIC website. You’ll find a video message from Chairman Bair on the current state of both the FDIC and the banking industry. It’s really more of a “happy recap” (with all due respect to Mets fans) of similar messages she’s released over the last year. But I think it’s worth your time (about four minutes total) to hear it for yourself and gain a sense of calm about the security of your own deposits. And for those of you who might think I’m keeping to some sort of schedule regarding Sheila Bair references, as long as she keeps doing the right things I’m going to keep bringing her name up.

]]> http://itknowledgeexchange.techtarget.com/regulatory-compliance/regulatory-compliance-bits-and-bytes/feed/ 0