Wednesday, May 17, 2006

Infragard, FFIEC Solutions, Oh My!!!

I was at the NYC Infragard meeting yesterday where the discussion was all about the FFIEC Guidance that was put out in October of 2005 and what it really means and some solutions that had been implemented or were under consideration. I learned a ton while I was there and it was worth the time to be there. Plus I met some great FBI Agents and NYPD guys, as well as other business leaders who were in attendance.

Some of the things I learned while there:

1. The FFIEC guidance is guidance. It is NOT a mandate and is ENTIRELY dependent on a risk assessment

2. The risk assessment must be completed, along with a deployed solution by 12/31

3. The American Banking Association is recommending that their members implement compartmentalized access (zoning) of employees, service providers, contractors

4. Service providers xSP’s will be under heavier scrutiny, but the banks are ULTIMATELY responsible for implementing something based on their risk assessment

5. TNT will be considered a 2nd factor (something you have/machine ID), along with username & password

6. Section 326 of the Patriot Act comes into play

7. Applications/areas/systems covered – Internet banking, loan origination apps, accounting apps, call centers, and telephone banking

The guidance supposedly has to do with protecting the identity of customers and covering banks for high risk transactions (high risk being defined as anything to do with money transfer, so basically everything). But I couldn't help but think that at the end of the day it is another exaple of a governing body of a collection of institutions trying to protect us from ourselves.

There were some interesting data points that I learned as well.

70% of Identity theft is non-electronic and paper based (dumpster diving)

Phishing and farming will continue to grow for a few reasons - it's lucrative for the bad guys, people are suckers, and more people continue to increase their online activity. It's a numbers game basically. The more people that go online, mean more targets, and more chances of catching someone offguard or who has no clue what the internet or email is beyond penis enlargement offers and GEICO ads and popups.

The most interesting thing that I came out of the meeting with was this:

NO ONE IS WATCHING THE CASH REGISTER



By that I mean there is so much focus on customer protection from the internet, when we all should be worrying about the disgruntled guy inside the bank (or Mumbai call center) with access to every piece of financial information of every customer that could be stolen in a single 8 hour shift.

If you are a 'Black ID' merchant or bad guy, then you want access to the most information with the least amount of effort. You will get this from the inside far easier than from the outside. At $2 per ID, getting 500,000 ID's downloaded and burned onto a DVD in 8 hours is not unlikely and guess what - that employee/contractor is gone with a cool million, and can move to North Korea, publish and sell his memoirs online, and make even more.

In the immortal words of Gordon Gekko - 'This is your wake up call, pal. Now get to work'...

2 Comments:

Blogger Web2earn said...

Hello and thanks for the opportunity to post on your blog.

I believe call center and answering service outsourcing is the way to go for many US-based companies who want to cut down running costs and thus increase their overall profits. However, one of the main issues that needs to be dealt with is that of staff training. There are a lot of professional call center training courses that are destined to be attended by the call center agents in order for these people to be more efficient and to be more specialized in their jobs. Most of the call center operation staff is composed by call center industry managers with experience in telecommunications, information technology and business development. Call centers are normally providing a whole range of external services, such as: call center services, contact center and help desk towards the biggest companies in the whole world.

In case you wish to read more about this I invite you to read my study on outsourcing call center services

Warm regards,

M. Rad

Saturday, May 20, 2006 10:45:00 AM  
Blogger markm said...

Great point - training can only do so much for someone with a coke problem, mental illness, huge amounts of strees outside the workplace, or a way to make some serious extra coin selling names.

The issue is still that as good as managers are, they can't know everything about an employee without breaking the law or being a stalker, yet companies are held accountable for having to do just that - know their employees.

Why do you think there are all of these behavioral profiling applications popping up - they can know us without 'knowing' us by our behavior and those with similar behavior - good and bad.

Mark

Monday, May 22, 2006 3:12:00 PM  

Post a Comment

<< Home