Infragard, FFIEC Solutions, Oh My!!!
Some of the things I learned while there:
1. The FFIEC guidance is guidance. It is NOT a mandate and is ENTIRELY dependent on a risk assessment
2. The risk assessment must be completed, along with a deployed solution by 12/31
3. The American Banking Association is recommending that their members implement compartmentalized access (zoning) of employees, service providers, contractors
6. Service providers (xSPs) will be under heavier scrutiny, but the banks are ULTIMATELY responsible for implementing something based on their risk assessment
5. TNT will be considered a 2nd factor (something you have/machine ID), along with username & password
6. Section 326 of the Patriot Act comes into play
7. Applications/areas/systems covered – Internet banking, loan origination apps, accounting apps, call centers, and telephone banking
The guidance supposedly has to do with protecting the identity of customers and covering banks for high-risk transactions (high risk being defined as anything to do with money transfer, so basically everything). But I couldn't help but think that at the end of the day it is another example of a governing body of a collection of institutions trying to protect us from ourselves.
There were some interesting data points that I learned as well.
70% of identity theft is non-electronic and paper-based (dumpster diving)
Phishing and pharming will continue to grow for a few reasons - it's lucrative for the bad guys, people are suckers, and more people continue to increase their online activity. It's a numbers game basically. The more people that go online, the more targets there are, and the more chances of catching someone off guard or who has no clue what the internet or email is beyond penis enlargement offers and GEICO ads and popups.
The most interesting thing that I came out of the meeting with was this:
NO ONE IS WATCHING THE CASH REGISTER
By that I mean there is so much focus on customer protection from the internet, when we all should be worrying about the disgruntled guy inside the bank (or Mumbai call center) with access to every piece of financial information of every customer that could be stolen in a single 8 hour shift.
If you are a 'Black ID' merchant or bad guy, then you want access to the most information with the least amount of effort. You will get this from the inside far easier than from the outside. At $2 per ID, getting 500,000 IDs downloaded and burned onto a DVD in 8 hours is not unlikely, and guess what - that employee/contractor is gone with a cool million, and can move to North Korea, publish and sell his memoirs online, and make even more.
In the immortal words of Gordon Gekko - 'This is your wake up call, pal. Now get to work'...