Should Banks Worry About the NSA?

Recent reports that the National Security Agency has been undermining encryption on the Internet have led to speculation about the security of online banking data. The spy agency has reportedly been installing "back doors" in commercial software and introducing weaknesses to industry encryption standards, according to documents leaked to the media by Edward Snowden.

Weaker encryption is certainly bad news for everyone who cares about data security, but whether or not it has an impact on online and mobile banking is debatable.

Most banking data is encrypted in transit using the standard Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. This may be the reason why most financial cyber fraud is conducted through some form of social engineering: tricking people into coughing up their user name and password so that the fraudster can log in pretending he's a customer and transfer funds to an external account. Most phishing and malware attacks fall into this category. In such schemes, there's no need to break the encryption at all.

Nevertheless, there's no question the NSA could, with its vast computing resources, access any bank account it wanted.

"Any encryption can be broken with sufficient processing power," notes Al Pascual, senior analyst of security, risk and fraud at Javelin Strategy & Research. "If you get a big enough server you can crunch the numbers effectively."

However, the government agency is unlikely to want to break into an individual bank customer's online banking session unless that customer is on a list of suspected terrorists, money launderers, or some such. Of course, banks already hand the government information about possible terrorists and money launderers through regulations such as the Bank Secrecy Act.

"The average American citizen has little to worry about from the NSA, especially when it comes to online banking," Pascual says. "The fact that they can do it doesn't mean it's practical that they would."

The broader question is whether weaker encryption and the NSA's "back door" into some commercial software weaken the overall integrity and security of that software and make it easier to game.

"If they made a concerted effort to have institutions continue to use weaker forms of encryption, then that does potentially put data at risk, because processing power grows substantially every year," Pascual says. "Encryption standing still is not a good thing for data security."

The real concern for bank IT staff around the NSA's messing with encryption standards is not about software, but about the hardware they use, according to Jonathan Lewis, director of product marketing for SSH Communications Security.

"Everyone is well aware the NSA has been applying the powers they can put together to crack encryption of communications and data in databases," says Lewis. "That's not a surprise. What was a surprise and is potentially damaging was the influence they had in weakening the implementations of products that provide encryption, the way algorithms are implemented in products."

The products he refers to are servers and encryption chips from the large manufacturers. "We're reading reports of hardware providers cooperating with the NSA," he says.

Bank IT executives should have a conversation with their equipment vendors to find out what they know, he suggests.

However, Lewis points out that IT security people need to prioritize what they work on and go after the most likely and costly threats. Large-scale data breaches and phishing attacks should rank much higher on the list than fear that the NSA will wreak havoc on bank software.
