Security Watch, a new feature of American Banker and American Banker Online, is a weekly roundup of news and developments in data security and their impact on the financial services industry. We welcome comments, ideas, and suggestions; e-mail
Companies
Visa International's systems remain "as vulnerable as ever," The New York Times reported Thursday after a visit to the company's operations center.
Protecting the payment chain remains a "Herculean task," the paper said. Perhaps that's because only a third of the 400 small and midsize transaction processors say they meet the credit card industry's security standards, and less than 0.3% of the country's 5 million merchants are known to have taken any compliance steps at all, the paper said.
In addition, a new threat to data integrity has reared its head. JPMorgan Chase & Co. said Monday that it had apologized for addressing a naturalized American citizen of Palestinian descent as "Dear Palestinian Bomber" in a credit card solicitation.
Chase said the mailing recipient was on a list from an undisclosed vendor, and that it would act to improve its screening of these lists.
The incident came after two other companies - Comcast Corp. and Peoples Energy Corp. - also apologized to consumers for inappropriate names that appeared on company mailings. Customer service representatives were found to be responsible for the two errors.
Perhaps such gaffes had something to do with the creation of a new test in India for people recruited into call-center and IT positions at outsourcers. The National Association of Software and Service Cos. said it has instituted a national entry exam aimed at transforming a "trainable" work force into an "employable" one.
Vendors
It appears that there should be a scorecard for scores.
Fair Isaac Corp. announced Monday that MicroBilt Corp., a data provider to smaller retail and community banks, would be the first reseller of Fair Isaac's Falcon ID score, which is meant to help companies verify credit applicants' identity.
Two days later Visa U.S.A. announced it would begin reselling a similar score to its issuing banks. Visa's scores will be generated by ID Analytics Inc., an ambitious newcomer whose management team is largely from HNC Software Inc., which Fair Isaac acquired in 2002.
Visa says it hopes the service will help it attract more banks to its clearing-house portal. (Banks that issue Visa and MasterCard can send their card applications through either card association's fraud-protection clearing house.)
The spate of new fraud-detection tools, which are being developed for consumers as well as banks, has left some people scratching their heads.
ChoicePoint Inc. and other companies that have fallen victim to data breaches are selling consumers fraud-detection plans, and selling consumers' own information back to them, to help them see what may have been compromised.
According to Monday's Los Angeles Times, consumer advocates said that there is little incentive for sellers of personal data to tighten security when they profit from consumers' fears about identity theft.
Legislation
With Congress on summer recess, there was little progress this week on the 13 federal data security bills being debated in Washington, but North Carolina appears poised to become the 12th state to let customers put a freeze on their credit reports.
Gov. Mike Easley is expected to sign the credit report bill, which was approved by both houses of North Carolina's legislature this week. It would also limit the use of Social Security numbers, require businesses to notify consumers about security breaches, and require the shredding of discarded documents with personal information.
The provision to allow consumers to put a freeze on their credit reports, which is included in at least one of the federal bills, has one chief executive up in arms. Tom Chapman, who is retiring this month as Equifax Inc.'s CEO, told American Banker Wednesday that such a provision is "clearly anti-consumer."
"We're going to have to come to grips with what that really means for the consumer in a credit-based economy," Mr. Chapman said.
Consumer advocates say a number of the federal bills could weaken the data-protection laws already enacted by 19 states.
Some of the proposed disclosure standards would give companies authority to decide whether full disclosure is required at all, observers told FoxNews.com in a report posted Wednesday. Critics point in particular to the Financial Data Security Act, which includes a provision that calls for an investigation to be started by a company before deciding if notification is necessary.
Breaches
And the breaches continue - the target this week: the U.S. Air Force.
Social Security numbers and other personal information on 33,000 officers were stolen from a military computer database, various news sources reported Tuesday.
The Air Force said that in May or June someone using a legitimate user's login information broke into an online system designed to help officers manage their assignments and careers. The theft affected roughly one-half of the Air Force's officers.
Where is the stolen information going?
The security firm Sunbelt Software Distribution Inc. said it had uncovered a server storing many megabytes of stolen data from 50 banks, as well as from eBay Inc. and PayPal Inc., the BBC reported Tuesday.
The server contained passwords for online accounts, credit card numbers, and other personal data. The theft used a bug that exploits vulnerabilities in Microsoft Corp.'s Internet Explorer browser, Sunbelt said.
Quotable
"Banks will regulate data protection themselves … they have no reason to want to be insecure." The most valuable thing a bank has is "name and reputation … if they lose trust, people are going to go somewhere else."
David Thomas, section chief, cyber intrusion section, Federal Bureau of Investigation








