New cyber-security rules could replace the simple username and password identification in much of the banking and insurance industries of America’s financial system.
Options for new security regulations include sending a confirmation number to an individual’s cell phone, using a fingerprint or other biometric authentication, using a separate identification source, like a swipe card, or new requirements for third-party vendors who have access to insurance company databases. These changes could be for employees, third-party vendors, and potentially consumers as well.
Recently, high profile cyber-intrusions were reported at Anthem and JP Morgan Chase, a health insurance company and banking institution respectively.
Law enforcement officials, investigating the Anthem case, believe that foreign hackers used the username and password of an executive to access the personal data of 80 million customers, including names, addresses, and Social Security numbers. Officials, reporting to TIME, suggest that the theft “could have been averted if the company had embraced tougher methods for verifying the identity of those trying to access its systems.”
In the recent breach at JP Morgan Chase, the records of 76 million households and seven million businesses were compromised. Another well-publicized incident occurred at the retailer Target, whose breach affected 110 million cardholders.
The announcement of new cyber-security rules comes after the New York State Department of Financial Services (DFS) conducted a study on cyber security of 43 regulated insurance companies.
The DFS found that, “although it may be expected that the larger insurers would have the most robust and sophisticated cyber defenses,” that is not necessarily the case. The findings reflect over-confidence among insurance industry officials, with 95 per cent of companies surveyed believing that “they have adequate staffing levels for information security.” Moreover, the DFS study reports that only 14 per cent of chief executives receive monthly briefings on information security.
According to Benjamin Lawsky, the DFS superintendent, there is “a huge potential vulnerability here,” and the “password system should have been buried a long time ago.” He and the DFS recommend that “regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard consumer data.” In addition, “recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses.”
The full report, found here, emphasizes that “while many big health, life and property insurers boast robust cyber-defenses, including encryption for data transfers, firewalls, and anti-virus software, many still rely on relatively weak verification methods for employees and consumers, and have lax controls over third-party vendors that have access to their systems and the personal data contained there”.
Late last year, a review of the banking sector found similar results.
The American Banker reports that “most of the security breaches that occur in banking today use compromised credentials. [In 2014,] more than 900 million consumer records have been stolen alone, according to Risk Based Security; 66.3% included passwords and 56.9% included usernames.”
How will consumers be affected?
The inadequacy of usernames and passwords is not news; the debate has stretched on for more than a decade. The Federal Financial Institutions Examination Council acknowledged in 2005 that “simple username and password systems were inadequate for transactions involving access to customer information or the movements of funds to other parties.” Tighter measures were neither recommended nor adopted.
Banking and insurance cyber vulnerabilities are a concern not just for the companies themselves but for individuals as well.
New hacking techniques are emerging at an alarming rate, making it far easier to obtain usernames and passwords.
Cybercriminals can easily steal identities through methods like “honey potting,” in which individuals type their username and password into websites that claim to check whether their credentials have been compromised: “distributing phishing messages under the guise of offering help.”
Gmail users suffered such an incident in September 2014. According to the International Business Times, 5 million Gmail usernames and passwords were posted on a Russian Bitcoin forum; approximately 60 per cent were active accounts. Shortly before, 4.6 million Mail.ru accounts and 1.25 million Yandex email accounts were also illegally accessed.
Game accounts are also susceptible: in January, Minecraft account usernames and passwords were leaked online.
Such cases merely illustrate the already-known fact that hacking hits close to home, potentially our own homes. The real danger, as The Hacker News points out, is to those “affected users who use the same username and password combination for many online services, like shopping sites, banking, email service, and any social networking.” More often than not, people reuse the same username and password across online services.
However, there is no consensus on imposing tighter security measures on banking and insurance firms. For example, the Office of the Comptroller of the Currency maintains that “different banks need to assess their own risks in determining whether to use additional verification methods.”
Others argue that if the New York State DFS or an individual company tightened cyber-security standards on its own, working with other companies would become difficult, since regulations would differ between states and countries.
Whatever is decided, stronger security regulations nonetheless need to be established.