Financial institutions today spend hundreds of millions of dollars and dedicate hundreds of employees to combatting cybercrime. The ultimate insult to these defenses would be to have security breached by a simple picture taken on a smartphone.
The idea that this technique could topple banks' massive cybersecurity regimes may sound absurd. But as banks tighten security, attackers are seeking new ways to gain access to sensitive information. One such approach is visual hacking.
A visual hack could involve someone inside a bank branch or back office, such as a customer or delivery person, taking a picture of an employee's computer screen. It could also involve capturing information from documents left in open view on a desk or printer tray. It could even involve someone outside a bank using a high-powered camera to record drive-up teller and ATM transactions.
Technological advancements have made visual hacking easy to carry out. Nearly everyone has a smartphone, and cameras are increasingly powerful and sophisticated. Wearable technology continues to proliferate. We even have drones that can be mounted with cameras and glide by windows unnoticed—once the stuff of science fiction.
Rethinking the Scope of Security Priorities
Visual hacking can be a powerful technique. An experiment recently conducted by the Ponemon Institute found that a white-hat visual hacker was able to obtain sensitive information 88% of the time. The experiment involved an actor playing the role of a temporary office worker or contract worker with a temporary security badge. The actor went into 43 different office facilities to see what kind of information could be obtained through visual hacking.
The hackers were able to collect confidential information in less than 15 minutes in half of the attempts, and an average of five pieces of private information were hacked per trial.
Although this experiment was not conducted solely at financial institutions, such results should lead banks to bolster administrative security. Organizations need to consider human behavior, workspace organization and new security technologies in order to thwart visual hackers.
A good first step in addressing administrative security is to identify your bank's risks. Consider every opportunity unauthorized individuals have to view sensitive information, whether it's at an employee workstation, at a teller's desk, through an office window or on a device that mobile employees or executives might use in public places.
If possible, information security officers should also consider doing "walkabouts" at different branches and back-office locations. This initial assessment can help officers to identify existing risks and make continuous improvements as part of an ongoing security program. Think through possible scenarios in which mobile employees might work out of coffee shops, commuter trains or planes.
Industry guidance and standards largely focus on physical and digital security, but they do include some guidance in the administrative realm. For example, the Federal Communications Commission's "Cyber Security Planning Guide" advises that computer monitors with sensitive information should not be oriented toward publicly accessible spaces and recommends minimizing and safeguarding printed materials that contain sensitive information.
Among the toughest changes to enforce in any organization is human behavior. Begin with the implementation of new policies and procedures specific to visual hacking, such as only printing sensitive information in "locked print" mode, keeping sensitive information out of plain view and logging out of computers when employees step away from their workstations. Train employees in the new policies and procedures and continue to test them.
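Policies that rely on employees remembering to lock their screens are exactly the ones that fail. A technical backstop for the "log out when stepping away" rule is an enforced idle-session lock. The PowerShell below is an added example, not code from the article or from U.S. Bank: it audits the real Windows policy "Interactive logon: Machine inactivity limit" (registry value InactivityTimeoutSecs) and sets it if the workstation is non-compliant. The 300-second threshold is an assumed bank policy value, not one the article gives.

```powershell
# Added example (not from the article): audit and enforce an idle-session lock so an
# unattended workstation locks itself even if the employee forgets to.
# Policy location is the real Windows setting "Interactive logon: Machine inactivity limit".
$PolicyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName   = 'InactivityTimeoutSecs'
$MaxIdleSecs = 300   # assumed policy threshold (5 minutes); adjust to your own standard

function Get-IdleLockSetting {
    # Returns the configured timeout in seconds, or $null if the policy is not set
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-IdleLockCompliant {
    param($Current, [int]$Limit)
    # Missing or 0 means "never lock": the weak setting. Anything above the limit
    # leaves the screen exposed longer than policy allows.
    return ($null -ne $Current) -and ($Current -gt 0) -and ($Current -le $Limit)
}

function Set-IdleLock {
    param([int]$Seconds)
    # Requires an elevated (administrator) session; in a domain this would normally
    # be delivered by Group Policy rather than set per machine.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -Value $Seconds `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-IdleLockSetting
if (Test-IdleLockCompliant -Current $current -Limit $MaxIdleSecs) {
    Write-Output "Compliant: workstation locks after $current seconds idle."
} else {
    Write-Output "Non-compliant (current value: '$current'). Enforcing $MaxIdleSecs-second lock."
    Set-IdleLock -Seconds $MaxIdleSecs
}
```

Run the audit half alone (Get-IdleLockSetting and Test-IdleLockCompliant) from a walkabout laptop or an endpoint-management job to find branches where the lock is disabled; the enforcement half belongs in configuration management so the setting cannot drift back to "never".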
Privacy filters may also play an important role in improving administrative security. For example, any computer screens exposed to windows or to customers, including customers using drive-up services, should be protected with a privacy filter that obstructs onlookers' view. Mobile devices or laptops used outside of a bank or office should also use privacy filters to help prevent potential "shoulder surfing" at an airport, hotel lobby or coffee shop.
Lastly, make security a collaborative effort. Utilize the expertise of vendors and firms when needed, and bring your bank's "safeguarding" groups such as privacy, corporate security, information security and risk management together for greater cooperation.
Security threats are becoming more organized and fast-moving. The financial industry's responses must keep pace to address existing and emerging administrative-security shortfalls.
Dan Burks is enterprise chief privacy officer at U.S. Bank and is a member of the Visual Privacy Advisory Council.