CHICAGO - At the Bank Administration Institute's annual imaging conference, a representative of BankAmerica Corp. outlined security measures that should be taken - but are frequently overlooked - by bankers installing imaging systems.
The logic used to secure imaging systems closely resembles that of mainframe bank systems. However, as more paper documents are converted to digitized images that can be stored and moved using networked personal computers, many of the most common security measures bear renewed significance.
Yet, in spite of the fact the U.S. Secret Service reports that the number of computer crimes against banks is on the rise, experts said many banks ignore the most common security measures as they implement new systems.
To combat this problem, Agnes L. Rhodes, vice president and data processing audit manager at BankAmerica Corp., presented an outline of security features that her bank believes are mandatory parts of any imaging system.
"Every new system that bankers install represents another portal through which illegal information can flow out of the bank," said Jonathan D. Harris, lead data security partner with Price Waterhouse's consulting practice, which is based in New York. "Computer security controls, in many respects, are as important as having a good vault."
According to Mr. Harris, the computer has in effect become a modern-day safe. Computer systems, like safes and vaults, house electronic "money" and - with imaging - copies of documents that are prime targets for theft and espionage.
Among the most frequently overlooked security controls is the area of user identification. It is a given that all users should have unique passwords and identification numbers that are periodically changed.
In addition, any imaging system should limit the number of consecutive failed sign-ons a user can attempt before the systems administrator is alerted.
These controls are designed to guard against computer programs that randomly try thousands of letter and number combinations until active passwords and identification numbers are found.
As additional protection against hackers, Ms. Rhodes recommends that banks make dialin computer lines less enticing to those who are not authorized to use the system.
"Our [dial-in line] screens used to say, |Welcome to Bank of America. We value you as a customer,'" said Ms. Rhodes. "They don't say that anymore."
Instead, the first screen displayed on a computer that connects to B of A via a phone line now features a legal banner warning unauthorized users that they can be prosecuted for trying to access the system.
There are also simple security measures that can guard data against tampering, even when an unauthorized user has gained access to the system. One of the most effective of these is digital time-stamping, which places an identifying mark on a file each time it is used. The marks can be used to ensure that an image file has not been illegally tampered with.
While many security measures are common sense and already part of the main computer operations of most banks, Ms. Rhodes said it is important for the controls to be extended and rigorously implemented each time a new extension of the main system is installed.
Protecting Their Image
In the rush to implement image processing systems, bankers may have overlooked some basic security measures
System users should have passwords and identification numbers that are regularly changed
To thwart automatic dialing schemes, a system should limit the number of consecutive sign-on attempts
Graphic screens that warn hackers that they can be prosecuted for unauthorized system access