= Subscriber content; or subscribe now to access all American Banker content.

WikiLeaks Indirectly Reveals IT Holes in Data and Payments Protection

Bank Technology News  |  December, 2010

Authorities around the world have placed a pretty large bullseye on Julian Assange—in the wake of a large dump of state documents, the WikiLeaks founder faces accusations of everything from terrorism to rape. But the legal fate of Assange—or that of his site—won’t address the issue for banks, which face fresh challenges in identifying improper payments, ensuring data security and protecting their online platforms—whether the threat is WikiLeaks or another organization in the future.

"It’s a very fluid situation. To the extent that banks know payments are being directed to someone affiliated with WikiLeaks, most are shutting the door to the extent that they can," says Julie McNelley, a senior analyst covering risk and fraud issues for Aite Group.

Developments in WikiLeaks saga came fast and furious last week, including Assange’s arrest by UK police, his pursuit by Swiss authorities on rape allegations, and a number of  developments that directly impact card firms, payment companies and banks. PayPal restricted the account used by WikiLeaks, citing its Acceptable Use Policy—which bans use of its service for activities that promote, facilitate or instruct others to engage in illegal activity. MasterCard and Visa also cut off payments. In an apparent retaliation, hackers from a group supportive of WikiLeaks called "Operation Payback" claimed responsibility for a hit on MasterCard’s Website, knocking it offline late last week. Visa and other payments sites was also reportedly targeted. MasterCard and Visa's sites were online as of Monday.

And while no official regulatory move has been made by the U.S. government, there have been calls by current and recently elected members of Congress to brand WikiLeaks a "terrorist" organization, which would make it illegal for banks to process payments on its behalf. McNelley says there’s a chance that some sort of legislation will likely come that provides a level of ìaccompliceî culpability for organizations or firms that facilitate payments. 

In terms of ensuring payment integrity, McNelley says WikiLeaks’ decentralized global network of donors makes it tough to detect "bad" payments via most prevailing "red flag" security and AML platforms—though the effort should become easier as more associates of the network are identified by authorities in the coming weeks.

"Some of these sources are coming to light, and you can put these into screening systems and have payments flagged based on the identity of the [person making the payment or transfer]," she says.

WikiLeaks, and the rumors that it’s holding on to a major revelation about Bank of America, also place renewed attention on the issue of insider data theft. 
McNelley says banks should be re-examining data security practices, but "it’s impossible to seal up every point of compromise."

Security firms such as CREDANT, Ipswitch and TriGeo are offering data protection technology—guarding in particular against the unauthorized use of USB drives to access and copy sensitive corporate information, which could in theory be used as part of a "whistle blowing" leak effort.

Research form CREDANT says that across all industries, 85 percent of companies allow employees to use USB drives despite corporate policy banning them, more than two thirds share USBs with family or colleagues and more than half can’t remember what they have saved on their drives. Also more than half of the respondents say their USBs are unencrypted.

"[USB] devices let front line employees circumvent some controls," says Michael Maloof, CTO of TriGeo. 
The technology offers access controls as a way to fight USB-related exposure, reporting on what PCs inside the enterprise are being accessed. "The technology can detect activity and associate that with corporate polities," says Maloof.