Oct. 27: Cybersecurity, password tips, two-factor authentication; blockchain legislation developments

Ever had something stolen? Remember that feeling in the pit of your stomach? It’s not good. Things have become more complex than returning to the bike rack and seeing your Schwinn gone, however.

Do you know how to identify and prevent mortgage fraud in your financial institution? What do straw buyers and wire transfer fraud have in common? Your financial institution is being targeted by them. Read the CLA Bankers Advisory article to learn more about mortgage fraud trends and how to identify and prevent common fraudster schemes.

Here is “The Untold Story of NotPetya, the Most Devastating Cyberattack in History.” Crippled ports. Paralyzed corporations. Frozen government agencies. How a single piece of code crashed the world. Don’t forget the Yahoo breach of 3 billion user names and passwords, sold around the world.

In the world of cybersecurity, it is often difficult to know how much security is too much. This is important when you consider a recent survey from FICO. It shows how fed up consumers are with the security hoops they need to go through to verify their identity. This is despite the constant barrage of information about data breaches and card compromises. The survey found that 80% of respondents don’t see the need for what they consider unnecessary security procedures and 47% said they are tired of having to answer endless security questions whenever they call customer service departments. Even worse, a startling 64% don’t see the need for complex passwords featuring a mix of numbers, symbols and capital letters. Finally, 48% are frustrated with the use of two-step verification and 71% are frustrated by captcha codes. And 22% of respondents said they would either give up on opening a bank account completely, or give up and try at a different bank, if they had to jump through too many hoops.

It’s an interesting perspective, given that security, or lack thereof, is one of the top things keeping bank executives up at night. With good reason: cyberattacks and data breaches are more common than in any other industry. 45% of financial services organizations have had a data breach in the last 2 years, and the severity and volume of cyberattacks continue to increase, according to a global cybersecurity study by Ponemon Institute.

Certainly, it’s a balancing act. Customers may say they’re willing to forgo security for convenience, but one wonders if they’d say the same after being part of a damaging data breach. Lenders and banks must find a happy medium, a sweet spot between protecting customer information and piling on too many layers of security that could push customers away.

This analysis starts with a risk assessment to ensure the necessary security precautions are in place, while at the same time allowing business to function smoothly and customers to bank effortlessly. Are you utilizing the most appropriate tools, technologies and procedures to meet this multi-faceted challenge? A little research on this could go a long way. But, more than likely, you have already started this.

Artificial intelligence (AI) is an option that is getting more reasonable for community banks and lenders. Your bank may want to explore how AI could help you more seamlessly analyze patterns that smack of fraud. Technology available today has the potential to spot trouble without putting customers through hoops, and this technology is only getting better over time.

To be sure, fraudsters are getting more sophisticated, especially as we move toward an increasingly digital world. All financial institutions will need to continue their diligence to ensure their data security efforts work for them and their customers.

Cybercrime experts will tell you that the most common way into your organization is through email. Hacking email won’t come from Boris Badenov. A borrower working with a real estate agent, title company, or mortgage company will do what they are told by an email that appears legit. And when money is stolen, you won’t know who took it, and will probably never find out. Most people don’t understand the sophistication needed to execute a hack.

Cybercrime experts will also tell you that it could have been prevented, primarily through user education. Lenders constantly remind their employees, and drill it in, “Don’t give out your password. Don’t have ‘challenge question’ answers be the truth – but remember your lie. Think before you click. Don’t click on an unknown link.” This is the delivery mechanism that the bad guys are using to obtain our information: “Click here to restore…”

Scott Augenbaum, a retired FBI agent out on the speaking circuit, will tell you that password re-use is a huge problem in “mission critical” platforms/accounts (email, social media, iCloud, Microsoft, cell phone, insurance, bank accounts, debit cards, payroll system, sales force platforms, wherever sensitive information is stored).

Companies need to evaluate their human firewall, given that email will be the method of choice of hackers. “Think before you click.” Does your company have a business process in place? Do you routinely send harmless test messages to employees with harmless links that, if clicked on, warn the user not to click on them? You should.

And what about common-sense passwords or easily rememberable phrases? They should be 12 characters, no dictionary words, with special characters. Come up with a special symbol and number. You can start your password with it, and then reverse it at the end of the password. Every company and employee should have pass phrases for mission critical platforms.

And IT departments, along with folks at home, should use two-factor authentication (“2FA”) with remote access. A six-digit code is sent to you. Personal email services (Gmail, Outlook, iCloud) all offer two-factor authentication. Anyone using Yahoo, or AOL, bail. Usually in email or other consumer accounts, under “Account settings” there is a click tab that allows two-factor authentication. It will ask for your cell phone number when first used. You log off, then log back in and enter your user name and password; a screen then pops up for the random six-digit code. Enter it, and the screen asks, “Remember this computer?” Your answer should be “Yes” if your computer is in your control. Your computer will get through in the future without the code being sent each time. But the “bad guy’s” computer can’t, because they don’t have your cell phone, whereas trusted devices are okay.

The capabilities of cybercriminals have improved quickly, so new security measures have been improving as well. It has become increasingly difficult to secure customers’ accounts, personal information and even their identities. Now, a handful of banks have begun employing new and updated security tactics known as “invisible biometrics.”

Unlike traditional biometric safeguards, such as swiping a fingerprint, invisible biometrics use sensors or computer coding that operate without the individual’s knowledge. The way each person holds their phone, swipes their screen, types on their computer keyboard and even uses their mouse is unique.

Invisible biometric programs can compile databases of thousands of behaviors unique to each individual. In the case of mobile apps, sensors are used to collect information, while computer coding records unique behavioral attributes. These include tracking everything from typing patterns and how fluidly people enter information like passwords or personal details, to how hard they hit the keys on their keyboard, and the way they move their mouse. Because such data is collected without a user’s knowledge, the information compiled is a legitimate depiction of that individual’s true behavior and how it differs from the behaviors of others. That makes it easier to determine, for instance, whether an illegal attempt to use a bank account is being made. These programs essentially look for any digital indicator that shows cybercriminals are trying to impersonate an account owner or steal someone’s identity.

Steve Brown with PCBB writes, “While several banks have already begun experimenting with and employing invisible biometrics, most do not want their usage of these programs to be known. One exception is Royal Bank of Scotland, which has been testing invisible biometrics for more than 2 years on bank accounts for some of its high net worth customers. By doing so, the bank has already been able to successfully identify hacking attempts on such accounts. Not surprisingly, invisible biometrics are rapidly gaining popularity, with roughly a dozen technology companies already specializing in the technology and shopping such security programs to banks.

“By one security expert’s estimates, 500mm passwords and 5B accounts have been compromised. The fight for cybersecurity is far from over. Though invisible biometrics are still far from being mainstream, given ever-increasing sophistication of bad actors and the growing amount of fraud, community banks should at least be aware of this new security tool.”

CliftonLarsonAllen is hosting a webinar on cybersecurity this upcoming week. “Beyond the Firewall: How to Defend Against Cyber Threats”, Tuesday, October 30, 2 – 3 p.m. CT

Switching gears but staying in the technology realm…

I received this note from Debbie Hoffman, CEO & Founder of Symmetry Blockchain Advisors, Inc. “Rob, you recently wrote about how Rep. Tom Emmer, R-Minn., co-chairman of the Congressional Blockchain Caucus, plans to introduce three bills that will call on the US to ‘prioritize accelerating the development of blockchain technology and create an environment that enables the American private sector to lead on innovation and further growth.’ It is important to understand how this legislation could allow blockchain technology to produce further innovation – meaning the features that are currently holding blockchain back.

“One of the largest challenges in blockchain innovation is that the current laws do not directly address the use of blockchain and thus businesspeople, innovators and lawyers are trying to apply old laws to new technology – square peg in a round hole.

“Emmer’s first bill, in particular, ‘expresses support for the industry and its development’ in our nation by supporting ‘a light touch, consistent and simple legal environment.’ The reason this is critical is that currently the law is not clear and there is hesitancy for the innovators to move forward without some distinct established boundaries. While there are many new use cases utilizing blockchain both within and outside of the mortgage sector, an approach of strict legal boundaries does not promote such innovation, while broad, lenient regulation would allow further progression and innovation enabled by blockchain technology. Without any kind of guard rails, nefarious players could dominate the market and therefore some clarity and boundaries are necessary in the form of clear legislation.

“The introduction of these three proposed bills by Representative Tom Emmer allows for increasing clarity of regulation regarding the further progression and development of blockchain technology. Furthermore, these regulations will allow for further innovation as these will clarify any existing ambiguity and provide clear guidelines for operations. ‘Too much regulation will stifle innovation, but the lack of regulatory guidance only leaves investors in the dark as to how their investments may be affected by laws down the road,’ says Dr. Rick Roque, Co-Founder of Menlo Company, a retail mortgage banking management firm. He continues, ‘Having clear guidance and definable parameters around how mortgage debt, for instance, could be more easily accessed by possible tokenized platforms will allow for a broader more democratic way to distribute mortgage debt to a wider range of buyers; the process today is antiquated, non-transparent and inaccessible to a broader audience of capital market players.’ I hope this helps readers understand the significance of such proposed legislation!”

Do you trust “The Cloud”? You shouldn’t. Should you put anything “in the Cloud?” No. Do you do it anyway? Probably. Here’s an entertaining short video from Australia that uses concepts even I can understand to explain why you shouldn’t send things there.

Visit www.robchrisman.com for more information on our industry partners, access archived commentaries, or to subscribe to the Daily Mortgage News and Commentary. If you’re interested, visit my periodic blog at the STRATMOR Group web site. The current blog is, “The Rise of the Credit Unions.” If you have both the time and inclination, make a comment on what I have written, or on other comments so that folks can learn what’s going on out there from the other readers.


(Market data provided in partnership with MBS Live. For free job postings and to view candidate resumes visit LenderNews. Currently there are hundreds of mortgage professionals looking for operations, secondary and management roles. For up-to-date mortgage news visit Mortgage News Daily. For archived commentaries, or to subscribe, go to www.robchrisman.com. Copyright 2018 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)


Rob Chrisman